I am currently working on integrating Auth0 with a Spring Security application and have encountered some challenges with customizing JWT conversion. I have attempted to introduce a custom Converter<Jwt, AbstractAuthenticationToken> in my Spring Security configuration. However, despite ensuring that it is correctly injected, it never gets invoked — the default JwtGrantedAuthoritiesConverter seems to be used instead.
Here is a brief overview of what I’ve tried:
Created a custom converter implementation and injected it into the HttpSecurity OAuth2 resource server configuration.
Verified that the bean is correctly configured and no other beans are conflicting.
Enabled debugging to confirm that the custom converter is not being called, with the default one being used each time.
Given this situation, I am considering an alternative approach where I let the default converter process the JWT and then use a custom filter that runs after BearerTokenAuthenticationFilter to extract additional details from the JWT and store them as needed.
My questions to the community are:
Is this approach acceptable from an Auth0 integration standpoint?
Does it comply with best practices for JWT token handling in conjunction with Auth0?
Is there a better or more standard way to achieve this functionality that I might have overlooked?
I would greatly appreciate any insights, recommendations, or shared experiences that could guide me toward the best implementation strategy.
One of my examples has the following for configuring a custom Converter<Jwt, AbstractAuthenticationToken> in its SecurityConfiguration.java. This code uses Spring Boot 3.2.0.
Also, if you’re trying to convert roles to granted authorities or do audience validation, you can use the Okta Spring Boot starter to do that for you. See the following blog post for more information.