I am trying to get an out-of-the-box Swagger UI client to work with Spring Boot and Auth0. I am able to successfully authenticate and make calls via Swagger UI, but my custom scopes are not included in the access token, so APIs that require additional permissions are unusable via Swagger.
```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://my-tenant.eu.auth0.com/
      client:
        registration:
          auth0:
            client-id: XXX
            client-secret: YYY
            scope: "openid, email, profile, view:users"
        provider:
          auth0:
            # trailing slash is important!
            issuer-uri: https://my-tenant.eu.auth0.com/
```
I am aware that there is no way to set an audience using this config, so I have set a default audience for the whole tenant. Requesting a token on behalf of the Swagger UI application works (custom scopes included) via cURL if I specify the grant type as client credentials! But I can’t get it to work via the browser (where it defaults to authorization code). I have played around with removing openid/email/profile and I can see them included/omitted from the access token, so I know the mechanism works to some extent.
I should point out that the client config here corresponds to the org.springframework.boot:spring-boot-starter-oauth2-client library, but I’m willing to swap it out for something else if someone has one that works with Spring Boot/Auth0/Swagger UI.
Any ideas? Thanks!
Note: I have previously asked this question (with different wording) on Stack Overflow, but have had no answers.