Hi All,
I’m really hoping someone can help me out here.
So we have two separate tenants on Auth0, and I have a Spring Boot API (v2.5.4) which both tenants need access to.
Looking at the Spring docs, it's easy to add multiple issuers by doing the following in the Spring Security config:
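```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    JwtIssuerAuthenticationManagerResolver authenticationManagerResolver =
        new JwtIssuerAuthenticationManagerResolver(
            "https://tenant1-dev.eu.auth0.com/", "https://tenant2-dev.eu.auths0.com/");
    // Register the resolver so each bearer token is routed by its "iss" claim.
    http.oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
}
```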
And this works fine for me. However, I want to be able to validate the `aud` in the JWT, and looking at the Auth0 docs, they suggest the following:
```java
@Bean
@Primary
JwtDecoder jwtDecoder() {
    /*
    By default, Spring Security does not validate the "aud" claim of the token, to ensure that this token is
    indeed intended for our app. Adding our own validator is easy to do:
    */
    NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
    OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
    jwtDecoder.setJwtValidator(withAudience);
    return jwtDecoder;
}
```
Now how can I use this JwtDecoder when there are multiple issuers?
Thanks and hoping someone can help me here!
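
One way to combine the two snippets above, as an added example that is not part of the original post or of the Auth0 or Spring documentation: give each issuer its own decoder with an audience validator and hand `JwtIssuerAuthenticationManagerResolver` a lookup function instead of a list of issuer strings. The class name `MultiTenantJwtConfig`, the `TENANTS` map, the helper names and the issuer and audience values are assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

public final class MultiTenantJwtConfig {

    // Constructed sample values: trusted issuer -> the "aud" this API expects from it.
    static final Map<String, String> TENANTS = Map.of(
        "https://tenant1.example/", "https://api.example/orders",
        "https://tenant2.example/", "https://api.example/orders");

    // Lambda equivalent of an audience validator: fail unless "aud" contains the expected value.
    static OAuth2TokenValidator<Jwt> audienceValidator(String audience) {
        OAuth2Error error = new OAuth2Error("invalid_token", "Required audience is missing", null);
        return jwt -> jwt.getAudience() != null && jwt.getAudience().contains(audience)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(error);
    }

    // Builds the per-issuer decoder with issuer + audience validation.
    // fromOidcIssuerLocation fetches the issuer's discovery document over the network.
    static AuthenticationManager managerFor(String issuer, String audience) {
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(issuer), audienceValidator(audience)));
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        return provider::authenticate;
    }

    static JwtIssuerAuthenticationManagerResolver resolver() {
        Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();
        // The issuer argument comes from the not-yet-verified token, so it is only
        // used as a key into the allowlist. Unknown issuers resolve to null, which
        // the resolver rejects as an invalid issuer.
        return new JwtIssuerAuthenticationManagerResolver(issuer -> {
            String audience = TENANTS.get(issuer);
            return audience == null
                ? null
                : managers.computeIfAbsent(issuer, i -> managerFor(i, audience));
        });
    }
}
```

Pass `MultiTenantJwtConfig.resolver()` to `oauth2.authenticationManagerResolver(...)` in the security config; decoders are created lazily on the first token from each issuer, so startup does not depend on either tenant being reachable.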