Hi oleg_nenashev. So maybe it's indeed a bad idea.
I'm working on an OAuth plugin, and when a user connects we gather the GrantedAuthorities which are composed of Authenticated and Groups coming from the OAuth/OIDC server. When I have those details about the user's groups, I add them to the user through a property on the User object and they then end up serialized by Jenkins, which is what I want so that I can retrieve them afterwards in like `loadUserByUsername` where I need to rebuild the user. So now, I have 3 things coming to my mind about this:
- I add org.acegisecurity.GrantedAuthorityImpl to the whitelist and thus I can serialize it
- But maybe doing so is a bad idea, so I could serialize just the user groups retrieved from the OAuth/OIDC server and proceed to transformation as GrantedAuthorityImpl on demand
- But maybe this is also a bad idea and then I should re-query the OAuth/OIDC server every time `loadUserByUsername` is hit, the problem being that I (as the current user) am not allowed to query for other users on this server. So maybe I should just not give user groups for users which are not my current user and not fulfill the `getGrantedAuthorities()` contract for those?
- Maybe you have another idea?
Thanks for your help!
erwyn, could you please explain the use case? For me it looks like a bad idea, but it would be great to know the use case if you want a more detailed answer.