
Authorization Extension not working with Spring Security

jwt
authorization-extens

#1

I am trying to use the authorization extensions; however, I don’t see the roles getting passed to the JWT token. Here is the decoded token…

Header
{"typ":"JWT","alg":"RS256","kid":"<Removed>"}
Body
{"iss":<Removed>,"sub":<Removed>,"aud":<removed>,"iat":<removed>,"exp":<removed>}

Also Claim rolesClaim = jwt.getClaim("https://access.control/roles"); comes back null.

So I don’t see the role at all. How do I find the role?


#2

I tried debugging the rule and it seems to be getting added correctly…

function saveToMetadata(user, groups, roles, permissions, cb) {
     console.log("Roles are:"+roles);

10:26:05 AM: Roles are:Admin

So this part looks correct, so why can’t I see it in Spring Security?


#4

@jakiegleason, there is a bug in the authorization extension now that will not add the roles to the JWT. You can add a rule to follow the authorization extension rule that does this:

function (user, context, callback) {
  // OIDC-Conformant pipeline will not return JWT tokens
  // with the non-namespaced "roles", "permissions" and/or "groups" custom claims
  // so let's add them manually

  context.idToken['https://mycustomdomain.com/claims/authorization/roles'] = user.roles;
  context.idToken['https://mycustomdomain.com/claims/authorization/permissions'] = user.permissions;
  context.idToken['https://mycustomdomain.com/claims/authorization/groups'] = user.groups;
  callback(null, user, context);
}

I have filed a bug with that extension to fix this problem.
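
Added example, not part of the original posts or of Auth0's code: a Node.js diagnostic that decodes a token payload and reports which authorization claims are present under an exact namespace, to confirm the claims reached the token before debugging the Spring side. The sample tokens, the helper names and the array-valued claims are assumptions constructed for illustration; the namespace is the one used in the rule above.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature.
// Never base an authorization decision on this output.
const NS = 'https://mycustomdomain.com/claims/authorization/'; // namespace from the rule above

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds a constructed sample token with a placeholder signature (hypothetical helper).
function makeToken(payload) {
  return [b64url({ typ: 'JWT', alg: 'RS256' }), b64url(payload), 'sig'].join('.');
}

function decodePayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Reports which claims exist under `namespace`. The lookup is an exact string
// match, so the reader must use the same claim name the rule wrote.
// Assumption: each claim, when present, is an array of strings.
function inspectClaims(token, namespace) {
  const payload = decodePayload(token);
  const report = { found: {}, missing: [] };
  for (const name of ['roles', 'permissions', 'groups']) {
    const value = payload[namespace + name];
    if (Array.isArray(value)) report.found[name] = value;
    else report.missing.push(name); // absent, or undefined and dropped on serialization
  }
  return report;
}

// Constructed payloads: `before` mirrors the claim set in post #1, `after` adds the rule's claims.
const base = { iss: 'https://tenant.example/', sub: 'auth0|123', aud: 'client-id', iat: 1, exp: 2 };
const before = makeToken(base);
const after = makeToken({ ...base, [NS + 'roles']: ['Admin'],
  [NS + 'permissions']: ['read:users'], [NS + 'groups']: [] });

console.log(inspectClaims(before, NS));                       // all three missing
console.log(inspectClaims(after, NS));                        // all three found
console.log(inspectClaims(after, 'https://access.control/')); // different namespace: all missing
```

The last call shows that reading a claim name other than the one the rule wrote finds nothing, even when the roles are in the token.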


#5

Thanks, yeah, this is basically what I did too. Now I am getting the permissions and seeing the Authority, but Spring is still messing up somewhere. Thanks for the help; if you get a chance, see if you can help here… https://stackoverflow.com/questions/50586078/auth0-with-authorization-extension-not-passing-roles-to-spring-security-jwt-obje