
No granted Authorities on Refreshing LDAP Token with Spring Security


I'm currently working on a project where I have two internal roles with permissions for what users are allowed to do, which correspond to the membership of two groups in LDAP. When I log in via /oauth/token?grant_type=password... I correctly get my LDAP entry with the parsed groups as roles. But now, if I want to refresh my token on this endpoint (via /oauth/token?grant_type=refresh_token...), I do not get any authorities. I still get a valid access and refresh token pair, but with wrong permissions now, because I do not have these authorities.

Is there something special to know about LDAP or Spring Boot that explains why this happens or why this won't work? What I also found is that the groups are slightly different when I compare the authentication obtained from the initial login (there all ou/dc shortcuts are lowercased) with the authentication from the refresh (all OU shortcuts are uppercased). Does Spring/LDAP use different LDAP queries for refreshing vs. logging in?

I'm using the normal LdapUserDetailsService and an InMemoryTokenStore.

I hope it's clear what I mean...


Solution

  • Okay, it seems that the default LdapAuthoritiesPopulator in my LdapUserDetailsService was the NullAuthoritiesPopulator, and there was no DefaultLdapAuthoritiesPopulator or a custom one. So I provided a DefaultLdapAuthoritiesPopulator and it works now.

    For login, the ProviderManager is using the LdapAuthenticationProvider, which had a DefaultLdapAuthoritiesPopulator that was correctly configured, but for refresh it used the PreAuthenticatedAuthenticationProvider, which had a NullAuthoritiesPopulator...
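A Spring configuration that wires the LdapUserDetailsService with a DefaultLdapAuthoritiesPopulator, as the answer describes, so that the refresh flow resolves the same group-derived roles as the password login. This is an added example, not code from the original post; the directory URL, base DN, search bases, filters and bean names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;

@Configuration
public class LdapUserDetailsConfig {

    // Assumed directory URL and base DN (placeholder values).
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        return new DefaultSpringSecurityContextSource(
                "ldap://ldap.example.internal:389/dc=example,dc=internal");
    }

    // Maps LDAP group membership to ROLE_* authorities. The single-argument
    // LdapUserDetailsService constructor installs a NullLdapAuthoritiesPopulator,
    // which is why the refreshed token carried no roles.
    @Bean
    public DefaultLdapAuthoritiesPopulator authoritiesPopulator(
            DefaultSpringSecurityContextSource contextSource) {
        // "ou=groups" is an assumed group search base relative to the base DN.
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource, "ou=groups");
        populator.setGroupSearchFilter("(member={0})"); // {0} = the user's full DN
        populator.setGroupRoleAttribute("cn");
        populator.setRolePrefix("ROLE_");
        populator.setConvertToUpperCase(true);
        return populator;
    }

    // The UserDetailsService consulted during the refresh_token grant; it must be
    // the two-argument form so the populator is applied on refresh as well.
    @Bean
    public LdapUserDetailsService ldapUserDetailsService(
            DefaultSpringSecurityContextSource contextSource,
            DefaultLdapAuthoritiesPopulator authoritiesPopulator) {
        // "ou=people" and "(uid={0})" are assumed user search base and filter.
        FilterBasedLdapUserSearch userSearch =
                new FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource);
        return new LdapUserDetailsService(userSearch, authoritiesPopulator);
    }
}
```

After wiring this bean, compare the authorities on the access token returned by grant_type=password with those returned by grant_type=refresh_token; both should now list the same ROLE_* values.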