I’m currently integrating my Angular front app + Spring Boot REST backend with Auth0. Everything works pretty well so far, I’m using Implicit Flow with accessToken for API authorization in the OIDC-conformant flow. However, one thing that is missing is the permission resolution.
In my Spring Security config I’ve used the auth0/auth0-spring-security-api library (GitHub: “Spring Security integration with Auth0 to secure your API with JWTs”, version 1.2.3), which works fine when it comes to JWT decoding and endpoint protection as such. However, when I want in addition to use granted authorities for more fine-grained endpoint access restriction, e.g.:
    .antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("entity:read");
the authority doesn’t get resolved. I’ve set this entity:read permission on a user in Auth0 using OOTB functionality (no Authorization Extension installed): Mgmt Console → User → Permissions → Assign Permissions. Unfortunately, the assigned permission doesn’t get populated onto a Spring Security granted authority. And I do know why: in line 42 of AuthenticationJsonWebToken.java in the Auth0 Spring Security API library (auth0/auth0-spring-security-api on GitHub, master branch) the authority gets resolved only from the scope claim. On the other hand, when I decode the JWT manually I see the permissions are correctly attached to the JWT (without any rule running!), but they are placed under the permissions claim, like this:
    "scope": "openid profile email",
    "permissions": [
        "entity:read",
        "entity:write"
    ]
The Auth0 Spring Security API indeed captures openid, profile and email as granted authorities, but nothing else. This is an open issue with the library and there is even an open pull request for it (“Support additional OIDC Conformant scope claims” by ryan-barker-zefr, Pull Request #12 on auth0/auth0-spring-security-api, GitHub), which seems to have been dangling for quite a while.
So until the library gets fixed, I’ve tried a workaround to manually copy the permissions over into the scope claim. Unfortunately it seems I can’t access the Auth0 permissions assigned to a user from either the context or the user object in a rule; I’ve searched all over using this debug code:
    function (user, context, callback) {
        // Dump both objects to the rule log to look for the assigned permissions
        console.log(user);
        console.log(context);
        // A rule must always return control to Auth0, otherwise the login hangs
        callback(null, user, context);
    }
My last resort was to implement a hook, which apparently even has a ready example for augmenting the scope claim with additional roles:
    module.exports = function (client, scope, audience, context, cb) {
        var access_token = {};
        // Start from the scopes that were requested for this token
        access_token.scope = scope;
        // Modify scopes or add extra claims
        // access_token['https://example.com/claim'] = 'bar';
        access_token.scope.push('customRole');
        console.log("hook OK");
        // Hand the modified token back to Auth0
        cb(null, access_token);
    };
But even with this hook being active I don’t see anything changed in the scope claim; in fact I don’t even see any log message in the Real-time Webtask Logs viewer, so I’m not sure if the hook is running at all.
Please kindly advise what could be other steps to take. Just to recap: I simply want to have my Spring Security Auth0 library properly recognising Auth0 user permissions and placing them as granted authorities.
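Added example (not code from the post or from the auth0 library) of the claim mapping the post is after: a helper that builds Spring granted authorities from both the space-separated scope claim and the permissions array claim of a decoded access token. It assumes com.auth0:java-jwt (which auth0-spring-security-api already depends on) and spring-security-core on the classpath; the class and method names are my own, the sample token in main is constructed and unsigned, and wiring the helper into the library's authentication provider is not shown.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class PermissionAuthorities {

    // Builds authorities from the "scope" claim (space-separated string) and the
    // "permissions" claim (JSON array). Duplicates are dropped; scope entries come first.
    public static List<GrantedAuthority> fromToken(DecodedJWT jwt) {
        Set<String> names = new LinkedHashSet<>();
        Claim scope = jwt.getClaim("scope");
        if (!scope.isNull() && scope.asString() != null) {
            for (String s : scope.asString().trim().split("\\s+")) {
                if (!s.isEmpty()) names.add(s);
            }
        }
        Claim permissions = jwt.getClaim("permissions");
        List<String> perms = permissions.isNull() ? null : permissions.asList(String.class);
        if (perms != null) names.addAll(perms);
        List<GrantedAuthority> out = new ArrayList<>();
        for (String n : names) out.add(new SimpleGrantedAuthority(n));
        return out;
    }

    // Constructed, unsigned sample token with the claims shown in the post. JWT.decode()
    // does not verify signatures, so the third segment is a placeholder; a real token
    // must be signature-verified (as the library already does) before trusting its claims.
    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String header = b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64.encodeToString(
            ("{\"scope\":\"openid profile email\","
           + "\"permissions\":[\"entity:read\",\"entity:write\"]}").getBytes(StandardCharsets.UTF_8));
        String signature = b64.encodeToString("placeholder".getBytes(StandardCharsets.UTF_8));
        DecodedJWT jwt = JWT.decode(header + "." + payload + "." + signature);
        // Prints openid, profile, email, entity:read, entity:write (one per line)
        for (GrantedAuthority a : fromToken(jwt)) System.out.println(a.getAuthority());
    }
}
```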