Auth0 Angular with proxy config settings

Auth0 Angular 1.4.1
NodeJS 16
Angular 11

The code can be found on my GitHub account; it is based on this Auth0 blog.

Check my example from the following repo:

I am trying to use a proxy config to bypass the CORS issue; it worked well in past years.

The proxy config file is here.

When I tried to create a post, the browser raised a 401 error.

Status: 401 Unauthorized
Version: HTTP/1.1
Transferred: 1.40 KB (0 B size)
Referrer Policy: strict-origin-when-cross-origin

In the backend API, the console printed the following logs.

2021-05-02 20:45:02.097 DEBUG 18068 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Securing POST /posts
2021-05-02 20:45:02.097 DEBUG 18068 --- [io-8080-exec-10] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-05-02 20:45:02.099 DEBUG 18068 --- [io-8080-exec-10] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2021-05-02 20:45:02.099 DEBUG 18068 --- [io-8080-exec-10] o.s.s.w.session.SessionManagementFilter  : Request requested invalid session id b908a19252e9509245bebb463418
2021-05-02 20:45:02.100 DEBUG 18068 --- [io-8080-exec-10] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [POST /posts] with attributes [hasAuthority('SCOPE_write:posts')]
2021-05-02 20:45:02.100 DEBUG 18068 --- [io-8080-exec-10] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

Note: the backend API is tested by JUnit and Spring Boot test utilities.

Hi @hantsy,

Welcome to the Community!

From the error, it looks like the scope of the bearer Access Token does not contain the expected scope:

hasAuthority('SCOPE_write:posts')

If you decode the Access Token that your app is sending in the request, does it look like the correct scope is set? https://jwt.io/

It looks like the Angular app is using write:posts (spring-security-auth0-sample/app.module.ts at f9351c6b04c3ff9b6fa062e93c8d45f1662727f2 · hantsy/spring-security-auth0-sample · GitHub), but the API is expecting SCOPE_write:posts (spring-security-auth0-sample/SecurityConfig.java at f9351c6b04c3ff9b6fa062e93c8d45f1662727f2 · hantsy/spring-security-auth0-sample · GitHub), but there could be some parsing going on in the API that I’m not seeing.

@stephanie.chamblee Thanks, added allowedList and scope to the Angular application to fix this problem.

Now my example is working well.

(Personally, I think allowedList is a bad name there; on first impression, it reads as the list for bypassing token checking.)

I think Spring Security will convert scopes to its authorities with a SCOPE_ prefix.


That’s great! Glad your example is working now 🙂
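
The check suggested in the thread (decode the Access Token and compare its scopes with the authority the API expects), as an added example that is not part of any post above. It decodes a token payload, applies the SCOPE_ prefix the way Spring Security's default JWT authorities mapping does, and reports whether hasAuthority('SCOPE_write:posts') would pass; explainRequest, makeSampleToken and the sample tokens are hypothetical names and constructed values.

```javascript
// Debugging aid only: decodes the payload WITHOUT verifying the signature,
// so it must never be used to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected 3 dot-separated segments)');
  }
  // base64url -> base64 so Buffer decodes it on any Node version.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Spring Security's default mapping: read "scope" (space-delimited string)
// or "scp" (string or array) and prefix every value with "SCOPE_".
function toSpringAuthorities(claims) {
  const raw = claims.scope !== undefined ? claims.scope : claims.scp;
  if (raw === undefined || raw === null) return [];
  const scopes = Array.isArray(raw) ? raw : String(raw).split(' ');
  return scopes.filter((s) => s.length > 0).map((s) => 'SCOPE_' + s);
}

// Hypothetical helper: explain how hasAuthority(required) would evaluate for
// a request carrying this Authorization header value (undefined if absent).
function explainRequest(authorizationHeader, required) {
  const match = /^Bearer (.+)$/.exec(authorizationHeader || '');
  if (!match) {
    return { granted: false, authorities: [], reason: 'no bearer token sent' };
  }
  const authorities = toSpringAuthorities(decodeJwtPayload(match[1]));
  const granted = authorities.includes(required);
  return { granted, authorities, reason: granted ? 'ok' : 'scope missing from token' };
}

// Constructed, unsigned sample tokens (not real Auth0 tokens).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'none', typ: 'JWT' }), enc(claims), 'sig-placeholder'].join('.');
}

const good = makeSampleToken({ sub: 'constructed-user', scope: 'openid write:posts' });
const bad = makeSampleToken({ sub: 'constructed-user', scope: 'openid profile' });

console.log(explainRequest(undefined, 'SCOPE_write:posts').reason);
console.log(explainRequest('Bearer ' + bad, 'SCOPE_write:posts').reason);
console.log(explainRequest('Bearer ' + good, 'SCOPE_write:posts').reason);
```
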