I have a spring boot (2.x) backend application which currently handles SSO login and serves
protected resources to a UI. Our team is exploring the possibility of migrating
our roles and permissions over to Auth0’s RBAC, but aren’t seeing the roles or permissions in
the access token as we would expect.
Current state:
-
An API:
a. Defined permissions
b. RBAC enabled
c. “Add Permissions in the Access Token” enabled
-
An Auth0 client application:
a. Using organizations
b. Using Enterprise SAML connection
-
Users configured with:
a. Roles assigned directly
b. Roles assigned via Organization
-
Spring boot application:
a. Using okta-spring-boot-starter
b. With an application.yml configured with:
okta.oauth2.client-id
okta.oauth2.client-secret
okta.oauth2.issuer
okta.oauth2.audience
c. Using authorization code flow
d. A SecurityConfig.java like
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.oauth2Login()
.and()
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/api/public").permitAll()
.requestMatchers("/api/private").authenticated()
.requestMatchers("/api/private-scoped").hasAnyAuthority("SCOPE_read:messages")
)
.cors(Customizer.withDefaults())
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(Customizer.withDefaults())
)
.build();
}
Is it reasonable to expect that the defined roles and permissions would show up in the resultant access token?
Is it required that roles and permissions be added via a custom Action?
Is it required that permissions defined on APIs be explicitly defined as scopes
in the application.yml?
Are there limitations with using organizations and APIs? (e.g., the available
grant types states that the “client credentials” flow is prohibited with
organizations) Would this impact my application’s ability to read roles and
permissions from the auth0 API?
After reading https://developer.auth0.com/resources/code-samples/api/spring/basic-role-based-access-control I’m expecting the access token I receive to include a permissions claim, but this is not the case when I inspect the received token and requests to “/api/private-scoped” result in HTTP 403 responses.
Hi @richard.clay,
Welcome to the Auth0 Community!
Yes, the roles and permissions should show in your access token if you have configured them to do so. For example, you could include permissions to your access token if you switched on the “Add permissions in the Access Token” toggle.
For roles, you would need to use a Post-Login action script to add them as a custom claim.
It’s not required to define the permissions as scopes since it will only return the permissions assigned to the user. While it’s not required, it could help with readability when making these requests.
You should be able to use Organizations and APIs without impacting your app’s ability to read roles and permissions.
Let me know if you have any questions.
Thanks,
Rueben
Yep. We have those settings enabled. Any ideas as to what else I can check?
Here’s what the Auth0 section of my application.yml looks like:
okta:
oauth2:
issuer: https://${AUTH0_ISSUER_URI}/
client-id: ${AUTH0_CLIENT_ID}
client-secret: ${AUTH0_CLIENT_SECRET}
audience: ${AUTH0_API}
If it helps, we have a spring-boot application created in Auth0 (used for SAML authentication) and an API created for authorization. When I manually request an access token using
curl --request POST \
--url 'https://{yourDomain}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=YOUR_CLIENT_ID \
--data client_secret=YOUR_CLIENT_SECRET \
--data audience=YOUR_API_IDENTIFIER
Using the client credentials of my spring-boot application, I receive a 403 error that says:
{"error":"unauthorized_client","error_description":"Grant type 'client_credentials' not allowed for the client.","error_uri":"https://auth0.com/docs/clients/client-grant-types"}
When I visit my spring-boot application’s settings I see this restriction about allowed grant types and organizations:
- Is it correct for me to use the spring-boot application’s
client_id, and client_secret to get an access token this way? (I assume this is what my application is doing when I authenticate, except with the authorization code flow)
- Assuming I’m using my application’s credentials correctly in my test CURL request, is the restriction on allowed grant types preventing the spring-boot application from getting an access token from my API via client credentials grant type?
- When I use the credentials from my API’s test application (machine to machine) in the CURL request, I get back an access token which includes permissions. This makes me suspicious of some limitation between the organizations feature and API permissions in access tokens.
HI @richard.clay,
Thanks for the update.
The error you shared states that your application does not allow for the client credentials grant.
In this case, make sure that your application is set to the machine-to-machine application type.
Let me clarify that the client credentials grant is typically used to get an access token for an API.
If you need the user’s permissions and roles, you will need to use the authorization code flow. This flow is interactive and prompts the user to log in with their credentials. Moreover, you would be using a Single-Page Application, Regular web app, or native application type for this scenario. See our Call Your API Using the Authorization Code Flow documentation for more info.
Let me know if you have any questions.
Thanks,
Rueben
