Assistance with Custom JWT Converter in Spring Security for Auth0

I am currently working on integrating Auth0 with a Spring Security application and have encountered some challenges with customizing JWT conversion. I have attempted to introduce a custom Converter<Jwt, AbstractAuthenticationToken> in my Spring Security configuration. However, despite ensuring that it is correctly injected, it never gets invoked — the default JwtGrantedAuthoritiesConverter seems to be used instead.

Here is a brief overview of what I’ve tried:

  • Created a custom converter implementation and injected it into the HttpSecurity OAuth2 resource server configuration.
  • Verified that the bean is correctly configured and no other beans are conflicting.
  • Enabled debugging to confirm that the custom converter is not being called, with the default one being used each time.

Given this situation, I am considering an alternative approach where I let the default converter process the JWT and then use a custom filter that runs after BearerTokenAuthenticationFilter to extract additional details from the JWT and store them as needed.

My questions to the community are:

  1. Is this approach acceptable from an Auth0 integration standpoint?
  2. Does it comply with best practices for JWT token handling in conjunction with Auth0?
  3. Is there a better or more standard way to achieve this functionality that I might have overlooked?

I would greatly appreciate any insights, recommendations, or shared experiences that could guide me toward the best implementation strategy.

Thank you in advance for your support!

Hi @it19 and welcome to the Auth0 Community!

One of my examples has the following for configuring a custom Converter<Jwt, AbstractAuthenticationToken> in its SecurityConfiguration.java. This code uses Spring Boot 3.2.0.

@Bean
public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
    http
        // other configuration
        .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(authenticationConverter())))
        .oauth2Client(withDefaults());
    return http.build();
}

Converter<Jwt, AbstractAuthenticationToken> authenticationConverter() {
    JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new JwtGrantedAuthorityConverter());
    jwtAuthenticationConverter.setPrincipalClaimName(PREFERRED_USERNAME);
    return jwtAuthenticationConverter;
}

The JwtGrantedAuthorityConverter is as follows:

@Component
public class JwtGrantedAuthorityConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    public JwtGrantedAuthorityConverter() {
        // Bean extracting authority.
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        return SecurityUtils.extractAuthorityFromClaims(jwt.getClaims());
    }
}

FWIW, this is from a JHipster-generated app.

Also, if you’re trying to convert roles to granted authorities or do audience validation, you can use the Okta Spring Boot starter to do that for you. See the following blog post for more information.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.