Sorry, I have no understanding of all these suggestions. It looks like my question is totally different, and this is very difficult. I am a Java and Angular developer.
All I want to do is very simple: create an API and an SPA, configured in my Angular and Spring apps.
(1) How do I add more scopes/permissions? Why are User Management >> Users >> Permissions not coming through to my backend service?
(2) Do I need to do anything in Angular to tell Auth0 that I need a scope? E.g. do I need to use tokenOptions and set scope?
(3) If I have to specify it, then I have to add it to every endpoint (environment.ts), which is a nightmare:
httpInterceptor: {
  allowedList: [
    {
      uri: '/server/api/v1/todo//',
      tokenOptions: {
        audience: 'http://localhost:8080',
        scope: 'view:something',
      },
    },
  ],
},
To get the user permissions added to the Access Token for your backend service, you can update the token_dialect setting to access_token_authz for your API via the Management API. Documentation: Sample Use Cases: Rules with Authorization
If there is a scope that every user will need, you can request it in the tokenOptions.
If you add the scope to the environment, then the scope should always be requested.
I can try to troubleshoot what might be the issue via a HAR file. Could you send me a HAR file in a private message? Generate and Analyze HAR Files. Thanks!
The function is actually executed through an Auth0 Rule. Rules are JavaScript functions that run after authentication which allow you to customize certain things, such as adding custom claims to the Access Token/ID Token.
You can create a rule by going to Auth Pipeline > Rules in your Auth0 dashboard and clicking + CREATE RULE. Select Empty rule, and enter in the function and click Save.
That’s correct, that rule adds roles to the Access Token and ID Token. If you wanted to add permissions to the Access Token, you’d enable RBAC for your API and enable “Add Permissions in the Access Token” or enable RBAC via the Management API and set the Token Dialect to access_token_authz as described above.
http://demozero.net is an example custom namespace. It's required so that claims don't collide with any reserved claims.
Rules execute for every application in your tenant. You can check the application name if you'd prefer to only run a rule for a particular application.
The John Doe data is just example data that you can try with rules, but you may want to actually log into your application with a user who you have assigned permissions to. You can go to Getting started in the dashboard and click Try it out under “Try your Login box”.
Here are the docs for the Authorization Extension (although the Authorization Core as described in the earlier posts is recommended): Authorization Extension
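The following is an added example, not code from any post in this thread or from Auth0's documentation. It shows the two things the replies above describe: an Auth0 Rule that copies the user's roles into custom claims under a namespace (using http://demozero.net/ from the thread) and only does so for one application by checking context.clientName, plus a small decoder that lists the scopes, the permissions claim (present only when the API's token_dialect is access_token_authz) and the namespaced roles in a decoded Access Token. The application name 'My Angular SPA', the runRule wrapper and the sample token are all constructed for this example; the decoder does not verify the signature and is for inspection only.

```javascript
// Added example: Auth0 Rule adding namespaced role claims, plus a token inspector.
// The namespace is taken from the thread; the app name and sample token are constructed.
const NAMESPACE = 'http://demozero.net/';
const TARGET_APP_NAME = 'My Angular SPA'; // assumed application name

// Auth0 Rule shape: function (user, context, callback).
// Rules run for every application in the tenant, so restrict by clientName.
// Roles are available in context.authorization.roles when RBAC is enabled;
// permissions are not exposed here and need token_dialect=access_token_authz.
function addRolesRule(user, context, callback) {
  if (context.clientName !== TARGET_APP_NAME) {
    return callback(null, user, context); // pass through untouched for other apps
  }
  const roles = (context.authorization && context.authorization.roles) || [];
  context.accessToken[NAMESPACE + 'roles'] = roles;
  context.idToken[NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Local harness (constructed): runs a rule synchronously and returns the result.
function runRule(rule, user, context) {
  let result;
  rule(user, context, (err, u, c) => {
    if (err) throw err;
    result = { user: u, context: c };
  });
  return result;
}

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload segment of a compact JWT WITHOUT verifying the signature.
// Inspection only (like pasting into jwt.io); the API must still verify the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// scope is a space-separated string; permissions is an array that exists only
// with token_dialect=access_token_authz; roles come from the rule above.
function summarizeAuthz(claims) {
  return {
    scopes: claims.scope ? claims.scope.split(' ') : [],
    permissions: claims.permissions || [],
    roles: claims[NAMESPACE + 'roles'] || [],
  };
}

// Constructed sample Access Token; the signature segment is a placeholder.
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT' }),
  base64UrlEncode({
    iss: 'https://example.us.auth0.com/',
    aud: 'http://localhost:8080',
    scope: 'openid profile view:something',
    permissions: ['view:something', 'delete:items'],
    [NAMESPACE + 'roles']: ['admin'],
  }),
  'signature-placeholder',
].join('.');

console.log(JSON.stringify(summarizeAuthz(decodeJwtPayload(SAMPLE_TOKEN)), null, 2));
```

Run it with node; the printed summary is what a backend should see after the rule and the access_token_authz dialect are both in place. Note that the Spring side must still validate the signature, issuer and audience before acting on any of these claims.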
Unfortunately, I’m not familiar with Spring at all, but I will try to help! Are you testing your API in Postman using the Access Token you receive after logging into the Angular app as the Bearer token in the Authorization header? Have you tried logging the token you are receiving in the API to see the entire token and decoding it at https://jwt.io/?
To clarify, in the above scenario Angular is out of scope. Postman is invoking the endpoint, and Spring is scanning the token and printing all properties: claims, scopes, permissions…
Once there was this object: AuthenticationJsonWebToken
Maybe it is now: @AuthenticationPrincipal OidcUser principal
The example doesn't give enough logs to understand. It would be nice to write a small example, which I think is part of unit testing, as the Spring user community is huge. There are lots of ellipses in the example {…}.
@DeleteMapping("/{id}")
@PreAuthorize("hasAuthority('delete:items')") // New line
public ResponseEntity delete(@PathVariable("id") Long id) {...}

@ExceptionHandler(MethodArgumentNotValidException.class)
public ResponseEntity<Map<String, String>> handleValidationExceptions(
        MethodArgumentNotValidException ex) {...}
Too much forcing, like @EnableGlobalMethodSecurity(prePostEnabled = true) and endpoint annotations like @PreAuthorize("hasAuthority('create:items')"), is unwanted.
Can anyone tell me how I can print the claims using the above example?