
Authorization Issue while accessing Auth0 roles for spring security @PreAuthorize hasRole

Hi,

I am using a Spring Boot (version 2.0.6) project in which I am configuring Auth0.
I have used the Auth0 SDK by importing the dependency below:

groupId - com.auth0
artifactId - auth0
version - 1.14.1

Basically, spring-security authorization works considering the roles of the user. Therefore, I have configured a rule in Auth0 which adds the custom claim ‘roles’ to the access token. Auth0 allowed me to add the custom claim when I prepend the role with the namespace (the client application’s domain is used). However, spring-security only considers the key “roles”, without considering the prepended namespace, because of which the authorization fails.

The below-mentioned spring security code fails with the error 403 (access denied):
@PreAuthorize("hasRole('ROLE_ADMIN')")

I tried using Auth0 rules, adding the roles to the scopes in the access token, but still couldn’t succeed in the authorization.

How can I tackle this issue? Is there any possibility to add the custom claim “roles” without the namespace prepended?
How can I make spring security @PreAuthorize work with an Auth0 access token?

It’s not possible at the moment to add roles as a root claim to the access token, only permissions. Not sure if that would help as a workaround: assign a permission with the same name as the role and then use hasPermission instead (not sure about the details on this with Spring).

Alternatively, would a custom security expression work?
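An added example, not part of the thread and not Auth0 or Spring code: one way to bridge the namespaced claim and `hasRole` is to map the claim's values to `ROLE_`-prefixed authority names when the token is turned into an authentication object, granting nothing if the claim is missing or malformed. The claim name `https://example.com/roles`, the class name and the sample claims are assumptions; the input map is assumed to come from a token whose signature, issuer and audience have already been verified.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class NamespacedRoles {
    // Assumption: the namespaced claim the Auth0 rule writes; use your own namespace.
    static final String ROLES_CLAIM = "https://example.com/roles";
    static final String PREFIX = "ROLE_";

    /** Maps the namespaced roles claim of an already verified token to authority names. */
    static Set<String> toAuthorities(Map<String, Object> verifiedClaims) {
        Object raw = verifiedClaims.get(ROLES_CLAIM);
        if (!(raw instanceof Collection)) {
            // Claim missing or not an array: deny by default.
            return Collections.emptySet();
        }
        Set<String> authorities = new LinkedHashSet<>();
        for (Object item : (Collection<?>) raw) {
            if (!(item instanceof String)) {
                continue; // ignore non-string entries instead of calling toString() on them
            }
            String role = ((String) item).trim();
            if (role.isEmpty()) {
                continue;
            }
            // hasRole('ROLE_ADMIN') checks for the authority "ROLE_ADMIN",
            // so add the prefix only when the rule did not already include it.
            authorities.add(role.startsWith(PREFIX) ? role : PREFIX + role);
        }
        return authorities;
    }

    public static void main(String[] args) {
        // Constructed sample claims, shaped like a decoded access token payload.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "auth0|constructed-user-id");
        claims.put(ROLES_CLAIM, Arrays.asList("ADMIN", "ROLE_USER", 42, " "));
        System.out.println(toAuthorities(claims));

        // A token without the claim yields no authorities at all.
        System.out.println(toAuthorities(new HashMap<String, Object>()));
    }
}
```

Each returned name would be wrapped in a `SimpleGrantedAuthority` wherever the application builds its `Authentication` from the verified token.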

I would like to know the Auth0 preferred/recommended way of implementing spring security, along with the sample code. Can I get it?

Sure, the quickstarts for Spring and Java,

and for the client side: