I’m looking for a way to delegate permissions granted to a user into the access token.
This works just fine with client credentials: the permissions get parsed out in Spring Security and added as a SCOPE_perm:action authority. I’m receiving empty permissions when using the authorization code flow. Am I missing something here? It seems weird, since you can assign permissions to specific users. The goal is to do RBAC on a per-user basis; since the permissions aren’t in the JWT, Spring Boot is not parsing them out and creating a relevant authority.
Will this have to be implemented with a custom rule/hook?
I understand that you have encountered issues using the Authorization Code Flow to get permissions.
After testing the Authorization Code Flow, I was able to get a specific user’s permissions in the access token and can confirm that everything works as expected.
Given that, could you please make sure that you have:
Added API permissions
Assigned permissions to users
Ensured that the audience and scope parameters correspond to the API and permission(s) for the user in your /authorize request
Thanks! I was blindly assuming Postman was behaving with the audience parameter since it was set, but it wasn’t being passed; I had to explicitly add the query param to the /authorize URL. Opaque tokens are gone from Postman and now I have the solution for Spring. Much appreciated.
You’re most welcome! I’m happy to hear that it’s working now.
And yes, great observation, that’s correct; Opaque tokens are issued whenever the audience parameter is not provided as described in our Get Access Tokens docs.
Please don’t hesitate to let me know if there’s anything else I can do to help.
Actually, I have some recommendations for the Getting Started with Webflux API guide. I’ve done a full implementation from a purely backend standpoint.
First, there is an error in the properties added to application.properties/yml and in the @Value in SecurityConfig.java:
...
spring:
  security:
    oauth2:
      resourceserver:
        jwt: # <----- Right here, it is jwk in the guide.
          jwk-set-uri: https://YOUR_DOMAIN/.well-known/jwks.json
          issuer-uri: https://YOUR_DOMAIN/
The dependencies added to build.gradle can be reduced to:
A purely backend approach that is stateless, with logging of authorization failures. The proxyTargetClass is important; in order to actually test security, it is required. Any test using @WebFluxTest needs to exclude ReactiveSecurityAutoConfiguration.class and @Import(SecurityConfig.class). See here
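As an added example (not code from the thread or from the Auth0 guide), here is one way to wire the pieces discussed above into a WebFlux SecurityConfig: per-user permissions from an Auth0 access token mapped to Spring Security authorities, a stateless filter chain, method security with proxyTargetClass = true, and a log line on every authorization failure. It assumes the token carries a `permissions` array claim (what Auth0 emits when "Add Permissions in the Access Token" is enabled for the API) and/or a `scope` claim, and that the API defines permissions named read:messages and write:messages; the package name, paths and permission names are illustrative. Note that the scope prefix is deliberately cleared so that a client-credentials token (permissions in `scope`) and an authorization-code token (permissions in `permissions`) both yield the same authority name; this departs from Spring's default SCOPE_ naming.

```java
package com.example.demo.security; // illustrative package name

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
// proxyTargetClass = true lets @PreAuthorize work on beans that implement no interface
@EnableReactiveMethodSecurity(proxyTargetClass = true)
public class SecurityConfig {

    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        HttpStatusServerAccessDeniedHandler forbidden =
                new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN);
        return http
                // Bearer-token API: no session, no CSRF token
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
                .authorizeExchange(ex -> ex
                        // illustrative paths and permission names
                        .pathMatchers(HttpMethod.GET, "/api/messages/**").hasAuthority("read:messages")
                        .pathMatchers(HttpMethod.POST, "/api/messages/**").hasAuthority("write:messages")
                        .anyExchange().authenticated())
                // log the failure, then answer 403 exactly as the default handler would
                .exceptionHandling(eh -> eh.accessDeniedHandler((exchange, denied) -> {
                    log.warn("Access denied: {} {} ({})",
                            exchange.getRequest().getMethod(),
                            exchange.getRequest().getPath(),
                            denied.getMessage());
                    return forbidden.handle(exchange, denied);
                }))
                // issuer-uri / jwk-set-uri come from application.yml; only the claim mapping is customised
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt ->
                        jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
                .build();
    }

    // Reactive adapter around the servlet-style converter so it can return Mono<AbstractAuthenticationToken>
    Converter<Jwt, Mono<AbstractAuthenticationToken>> jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new PermissionsAndScopesConverter());
        return new ReactiveJwtAuthenticationConverterAdapter(converter);
    }

    /** Builds authorities from both the "scope" claim and Auth0's "permissions" claim. */
    static class PermissionsAndScopesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

        private final JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        PermissionsAndScopesConverter() {
            // Drop the default "SCOPE_" prefix so "read:messages" is the same authority
            // whether it arrived via "scope" (client credentials) or "permissions" (auth code flow)
            scopes.setAuthorityPrefix("");
        }

        @Override
        public Collection<GrantedAuthority> convert(Jwt jwt) {
            List<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            // Absent when the API does not add permissions to the token: treat as no extra authorities
            List<String> permissions = jwt.getClaimAsStringList("permissions");
            if (permissions != null) {
                for (String permission : permissions) {
                    if (!permission.isEmpty()) {
                        authorities.add(new SimpleGrantedAuthority(permission));
                    }
                }
            }
            return authorities;
        }
    }
}
```

With this in place a handler method can be guarded with @PreAuthorize("hasAuthority('write:messages')"), which is what the proxyTargetClass setting is there for. As the post above says, a @WebFluxTest slice must exclude ReactiveSecurityAutoConfiguration.class and @Import(SecurityConfig.class), otherwise the default auto-configured chain is used and these rules are never exercised. Tokens whose `permissions` claim is empty still authenticate but receive 403 on the protected paths, and the warn line above records which path was refused.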