I am currently working on integrating Auth0 with a Spring Security application and have encountered some challenges with customizing JWT conversion. I have attempted to introduce a custom Converter<Jwt, AbstractAuthenticationToken> in my Spring Security configuration. However, despite ensuring that it is correctly injected, it never gets invoked — the default JwtGrantedAuthoritiesConverter seems to be used instead.
Here is a brief overview of what I’ve tried:
- Created a custom converter implementation and injected it into the HttpSecurity OAuth2 resource server configuration.
- Verified that the bean is correctly configured and no other beans are conflicting.
- Enabled debugging to confirm that the custom converter is not being called, with the default one being used each time.
Given this situation, I am considering an alternative approach where I let the default converter process the JWT and then use a custom filter that runs after BearerTokenAuthenticationFilter to extract additional details from the JWT and store them as needed.
My questions to the community are:
- Is this approach acceptable from an Auth0 integration standpoint?
- Does it comply with best practices for JWT token handling in conjunction with Auth0?
- Is there a better or more standard way to achieve this functionality that I might have overlooked?
I would greatly appreciate any insights, recommendations, or shared experiences that could guide me toward the best implementation strategy.
Thank you in advance for your support!
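
The wiring described in the first bullet, as an added example that is not part of the original post and is not the poster's or Auth0's code: a `Converter<Jwt, AbstractAuthenticationToken>` set explicitly on the filter chain's JWT configuration, so the extra claim handling happens inside token authentication rather than in a later filter. It assumes Spring Security 6 on Spring Boot with a `JwtDecoder` already configured (for example through the issuer URI property); the class name, the `permissions` claim and the `PERM_` prefix are illustrative assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig { // hypothetical class name

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // The converter is passed explicitly to this chain's JWT configuration;
            // only requests handled by this chain go through it.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(customJwtConverter())));
        return http.build();
    }

    // Keeps the default scope-based authorities and adds one authority per
    // entry of the (assumed) "permissions" claim.
    Converter<Jwt, AbstractAuthenticationToken> customJwtConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        return jwt -> {
            Collection<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            // getClaimAsStringList returns null when the claim is absent.
            List<String> permissions = jwt.getClaimAsStringList("permissions");
            if (permissions != null) {
                permissions.forEach(p ->
                    authorities.add(new SimpleGrantedAuthority("PERM_" + p)));
            }
            // The principal name is taken from the "sub" claim.
            return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
        };
    }
}
```

Because the converter runs only after the decoder has validated the token, every authority it grants comes from verified claims, and the resulting `JwtAuthenticationToken` is what authorization rules see for the rest of the request.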