Hi everyone,
I am writing because our development team is having problems with the following micro-services situation:
We want to implement an Authorization/Authentication service; in this case it is Auth0.
But before we move to a paying plan, we would like to be able to see how it would work and how it would be to set up through the UI for the following situation:
User authenticates by credentials (e.g. login) → Gets a JWT Bearer token with the user information and the roles/permissions he has → Makes a request to API A with the Bearer token he got from the authentication → API A verifies that the token contains a permission X and a role Y → API A returns a response because the user is authorized and authenticated → User wants to make a request to API B → Uses the same token obtained in the second step → API B verifies the same token for permission XY and role ZY → returns a response because he is authenticated and authorized.
Basically, the user, with a single token can make requests in all APIs, because they will check the permissions and roles inside of the token.
The problem here is the following: We are using the Spring Framework (Java), and we tried using .antMatchers().hasRoles() and .hasAuthority(), and it works if the token is a machine-to-machine token. But when we try to use the token obtained from the user login, we get a 403 HTTP error, because it does not have "scope": "read:messages".
The JWT I get at the moment is the following:
{
  "xxxxxxxxxx": {
    "groups": [],
    "roles": [
      "ROLE_MainUser"
    ],
    "permissions": [
      "read:messages"
    ]
  },
  "iss": "xxxxxxxxxx/",
  "sub": "xxxxxxxxxx",
  "aud": [
    "xxxxxxxxxx",
    "xxxxxxxxxx"
  ],
  "iat": xxxxxxxxxx,
  "exp": xxxxxxxxxx,
  "azp": "xxxxxxxxxx",
  "scope": "openid profile email",   <--- read:messages should be here?
  "permissions": [
    "read:messages"
  ]
}
How can we implement a flow that will work like I described in the 3rd paragraph? At the moment I can only get an answer from the APIs for requests that require authentication; for the ones that require authorization (roles, permissions) I can't get it to work.
Any help will be appreciated!
Thanks!
Kind Regards,
Dany
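As an added example (my own code, not from the post above, Auth0 or the Spring documentation), here is how a Spring Security 5.x resource server can turn the "permissions" and namespaced "roles" claims of that token into authorities. By default JwtGrantedAuthoritiesConverter reads only the "scope" claim and prefixes each value with SCOPE_, which is why the user token, whose scope is just "openid profile email", gets a 403 even though "read:messages" sits in "permissions". The namespaced claim name is redacted in the post, so https://example.com/claims and the /api paths below are placeholders.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.*;

// Maps the token's top-level "permissions" and namespaced "roles" claims to GrantedAuthorities.
class ClaimAuthoritiesConverter implements Converter<Jwt, AbstractAuthenticationToken> {
    // Placeholder for the namespaced custom claim (redacted as "xxxxxxxxxx" in the post).
    static final String NAMESPACE = "https://example.com/claims";
    // Spring's default mapping "scope" -> SCOPE_<value>, kept so the existing M2M rules still work.
    private final JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        Collection<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
        Map<String, Object> claims = jwt.getClaims();
        // "permissions": ["read:messages"] -> authority "read:messages"
        strings(claims.get("permissions")).forEach(p -> authorities.add(new SimpleGrantedAuthority(p)));
        // Namespaced "roles": ["ROLE_MainUser"] already carry the ROLE_ prefix, so hasRole("MainUser") matches.
        Object custom = claims.get(NAMESPACE);
        if (custom instanceof Map) {
            strings(((Map<?, ?>) custom).get("roles")).stream().filter(r -> r.startsWith("ROLE_"))
                    .forEach(r -> authorities.add(new SimpleGrantedAuthority(r)));
        }
        return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
    }

    // Reads an array claim defensively: a missing, non-array or non-string entry grants nothing.
    private static List<String> strings(Object v) {
        return v instanceof List ? ((List<?>) v).stream().filter(String.class::isInstance)
                .map(String.class::cast).collect(Collectors.toList()) : Collections.emptyList();
    }
}

// Resource-server rules for API A; API B reuses the converter with its own matchers.
class ApiASecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // User tokens carry the permission in "permissions", M2M tokens in "scope".
                .antMatchers("/api/messages/**").hasAnyAuthority("read:messages", "SCOPE_read:messages")
                .antMatchers("/api/admin/**").hasRole("MainUser")
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt().jwtAuthenticationConverter(new ClaimAuthoritiesConverter());
    }
}
```

Signature, issuer and expiry are still checked by the JWT decoder before this converter runs, so a claim only ever adds authorities for a token that has already been verified.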