Decorating an authenticated user with authorities from my own database

Using Spring Boot, I am creating a user from the JWT token using a NimbusJwtDecoder on the REST request. That all works well and I have the SCOPE authorities from my setup in Auth0. I would now like to decorate the user with further details and authorities from my database. Any hints or examples where it is best to do this?

Kind regards

Malcolm


I solved this issue, and I am pasting the code here in case anyone else needs it.

I created a filter that is configured after the BearerTokenAuthenticationFilter in the FilterChain. This filter loads the user details from the database using the “sub” claim as the username.

A new JwtAuthenticationToken is then built using the data stored in the database and the data in the JWT.

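```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*; // jakarta.servlet.* on Spring Boot 3+
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public class AuthorisationFilter implements Filter {

    UserDetailsServiceImpl userDetailsService;

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof JwtAuthenticationToken) {
            Jwt token = ((JwtAuthenticationToken) authentication).getToken();
            List<GrantedAuthority> authorities = new ArrayList<>();
            // Authorities stored in the database, looked up by the "sub" claim
            UserDetails userDetails = userDetailsService.loadUserByUsername(token.getClaims().get("sub").toString());
            userDetails.getAuthorities().forEach(authority -> authorities.add(authority));
            // Authorities already derived from the JWT (the SCOPE ones)
            authentication.getAuthorities().forEach(ga -> authorities.add(ga));
            // Jwt is immutable, so rebuild it with the same value, timestamps, headers and claims
            Jwt newToken = new Jwt(token.getTokenValue(), token.getIssuedAt(), token.getExpiresAt(),
                    token.getHeaders(), token.getClaims());
            JwtAuthenticationToken jwtAuthenticationToken = new JwtAuthenticationToken(newToken, authorities);
            // Replace the authentication in the SecurityContext with the decorated one
            SecurityContextHolder.getContext().setAuthentication(jwtAuthenticationToken);
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
```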


If anyone has any suggestions or improvements or needs further clarification, feel free to contact me.

Kind regards
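
Another place to attach the database authorities, shown as an added example that is not part of the original post: a converter registered with the resource server, so scopes and database authorities are merged once, right after the decoder has validated the token. The class name and the fallback for a subject with no database row are assumptions; `JwtGrantedAuthoritiesConverter` and the three-argument `JwtAuthenticationToken` constructor need Spring Security 5.2 or later.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

// Hypothetical class name. Spring Security calls convert() only after the
// JwtDecoder has verified signature, issuer and expiry.
public class DatabaseAuthoritiesJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    // Stock converter: maps the "scope"/"scp" claim to SCOPE_xxx authorities.
    private final JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
    private final UserDetailsService userDetailsService;

    public DatabaseAuthoritiesJwtConverter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // Start from the authorities the token itself carries
        Set<GrantedAuthority> authorities = new LinkedHashSet<>(scopes.convert(jwt));
        try {
            // Same lookup key as the filter above: the "sub" claim
            UserDetails user = userDetailsService.loadUserByUsername(jwt.getSubject());
            authorities.addAll(user.getAuthorities());
        } catch (UsernameNotFoundException e) {
            // Assumption: a valid token with no local row keeps only its scopes,
            // so the caller never gains database roles by default.
        }
        return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
    }
}

// Wiring in the resource-server configuration (userDetailsService is your own bean):
// http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt
//         .jwtAuthenticationConverter(new DatabaseAuthoritiesJwtConverter(userDetailsService))));
```

With this in place no extra filter is needed, and the `Jwt` object does not have to be rebuilt.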


Hi @jj.mmallia

Thank you for the code. One question: who is the issuer for the new JWT?

What are you using the JWT for? Is it an ID token or an Access Token?


Hello John,

I have an Angular SPA which authenticates, then obtains an access token to call my Spring Boot API.

This code is the filter on the API, where I wanted to add my own roles and authorities and other information which I retrieve from my DB. I use the new JWT just to rebuild the token stored in the SecurityContext, as it is immutable.

Kind regards