I’ll start with our final goal : we want to have user context when calling our API using the machine2machine method (we don’t have a web app) + having the ability to configure scopes and permissions for USERS.
So far we did the following:
Created a web application and defined a login flow for users and obtained token for the user.
We configured manually permissions and roles for the user-application-api accordingly
However, the token obtained in (1) doesn’t have “scopes” field in it whatsoever, hence we are unable to access the api which is protected by “hasAuthority” of the requires permissions.
We followed spring mvc exmaples.
Please let me know if any more information regarding our issue is required.
These two contradict each other, don’t they? Can you give us some idea about your use case first without using the implementation details? For eg. is it a single page app? do you have a backend api? do the user login to the application and then retrieve data by calling the api? etc.
Hi @ashish, thanks for your quick reply
I’ll elaborate on our use case - we have a spring boot application which exposes APIs. We currently doesn’t have a web interface (UI), we want to allow users to use our APIs without UI (via their own clients).
We want to have the ability to define scopes for USERS to use our API, not via a web interface (other clients - curl,postman,swagger,etc). I hope It’s clearer now.
Actually I used both of the documentation you have sent. I’ve implmeneted the login-callback flow and currently using this method for the jwt configuration: @EnableWebSecurity(debug = true)
public class Auth0SecurityConfig extends WebSecurityConfigurerAdapter {
When tried to add “.antMatchers(”/v1/customers/*“).hasAuthority(“read:customers”)”, and gave my user the required permission, I get “forbidden”. When I look at the token I get from auth0 I see I have “permission” section but not “scope” section.
