I can’t repro the issue and it’s working fine. I followed these steps:
Created a new Client of Type “Regular Web Application” with Token Endpoint Authentication Method “POST”.
Added Callback URL http://localhost:3099/callback to the allowed callback URLs.
Added Logout URL http://localhost:3099/logout to the allowed logout URLs.
Checked the Algorithm used by the client to sign the tokens in “Advanced Settings” → “OAuth”. In my case it was HS256.
Pressed “SAVE CHANGES” button on the bottom of the page.
Created a new Rule that sets ROLE_USER and ROLE_ADMIN roles in the app_metadata property of the user profile. (Snippet found on the article you’ve shared).
Made sure I was logged in before clicking the Download Sample button, so the credentials get replaced automatically. Anyway, you should manually check in the auth0.properties file that the client_id, client_secret, domain, and algorithm are correct (as configured in your client).
Ran the app. Tried to open http://localhost:3099. I was redirected to Auth0’s login page. Entered my credentials and the /portal/home page was shown.
I’m pretty sure the error you’re having is that the role doesn’t match the one required by the security configuration. Start by commenting out the antMatcher lines in order to discard other cases like allowed for everyone, requires authentication, and later requires authority. Another way to debug it is to put a breakpoint in Auth0UserDetails#setupGrantedAuthorities to understand how the roles are parsed from the profile. Lastly, you can always use the Chrome Web Tools to inspect the network requests and see if the info is valid or not.
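An added diagnostic sketch, not part of the reply above and not code from the Auth0 sample: it checks an HS256 token copied from the network tab against the client secret and reports whether the required authority is among its roles. It assumes the Rule writes a list under app_metadata.roles and that the token carries app_metadata; the secret, claims and helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(head_b64, body_b64, secret):
    return hmac.new(secret, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()

def check_token(token, secret, required_authority):
    """Return (ok, reason) for an HS256 token and one required authority."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm to the one configured for the client; the token
    # header must not be allowed to choose it (rejects "none" and friends).
    if header.get("alg") != "HS256":
        return False, "unexpected alg: %r" % header.get("alg")
    if not hmac.compare_digest(sig, sign(head_b64, body_b64, secret)):
        return False, "bad signature (client_secret mismatch?)"
    # Assumption: roles live in app_metadata.roles, as set by the Rule.
    roles = (claims.get("app_metadata") or {}).get("roles")
    if not isinstance(roles, list):
        roles = []
    if required_authority not in roles:
        return False, "missing authority %s, token has %s" % (required_authority, roles)
    return True, "ok"

def make_token(claims, secret, alg="HS256"):
    """Build a constructed sample token (test data only)."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return head + "." + body + "." + b64url_encode(sign(head, body, secret))

# Constructed sample values, not real credentials.
SECRET = b"constructed-client-secret"
CLAIMS = {"sub": "auth0|constructed", "app_metadata": {"roles": ["ROLE_USER"]}}
USER_TOKEN = make_token(CLAIMS, SECRET)

if __name__ == "__main__":
    for authority in ("ROLE_USER", "ROLE_ADMIN"):
        print(authority, check_token(USER_TOKEN, SECRET, authority))
```

A "bad signature" result points at the client_secret or algorithm in auth0.properties, while "missing authority" points at the Rule or the security configuration.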