I have the following…
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.oauth2Login(AbstractHttpConfigurer::disable)
        // turns off the resource-server (Bearer token) support in this chain
        .oauth2ResourceServer(AbstractHttpConfigurer::disable)
        // no HTTP session is created; every request must carry its own credentials
        .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers(new AntPathRequestMatcher("/actuator/**"))
            .hasAuthority("SCOPE_read:actuators")
            .anyRequest().authenticated()
        );
    return http.build();
}
And the following config…
auth0:
  audience: ...
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ...
I am trying to call the endpoint with curl http://localhost:8080/actuator -v -H "Authorization: Bearer ..."
and curl http://localhost:8080/actuator -v -H "Authorization: OAuth ..."
I have confirmed the access token has
{
  "iss": "...",
  "sub": "...",
  "aud": [
    "...",
    "..."
  ],
  "iat": ...,
  "exp": ...,
  "azp": "...",
  "scope": "openid profile email",
  "permissions": [
    "read:actuators"
  ]
}
The aud and iss match but when I go to the site I get a 403. If I make it permit-all then it works fine.
What am I missing here?
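As an added example (not the asker's code), here is a version of the same filter chain that keeps the resource-server support enabled so the Bearer header is actually parsed, derives authorities from the Auth0 `permissions` claim (by default Spring Security only builds `SCOPE_` authorities from the `scope`/`scp` claims, and `read:actuators` is not in `scope` above), and checks `aud` against `auth0.audience`. Assumed: the Spring Security 6 API, the property names from the YAML above, and the hypothetical class name `ActuatorSecurityConfig`.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig { // hypothetical class name
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Authorities come from Auth0's "permissions" claim (default is scope/scp); SCOPE_ prefix kept.
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("permissions");
        authorities.setAuthorityPrefix("SCOPE_");
        JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
        jwtConverter.setJwtGrantedAuthoritiesConverter(authorities);
        http.oauth2Login(AbstractHttpConfigurer::disable)
            // Resource-server support stays enabled; disabling it means no Bearer token is ever parsed.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter)))
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authz -> authz
                .requestMatchers("/actuator/**").hasAuthority("SCOPE_read:actuators")
                .anyRequest().authenticated());
        return http.build();
    }
    // Decoder that, besides issuer/expiry, rejects tokens whose "aud" does not contain auth0.audience.
    @Bean
    public JwtDecoder jwtDecoder(@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer,
                                 @Value("${auth0.audience}") String audience) {
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> audienceCheck = jwt -> jwt.getAudience().contains(audience)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", "required audience missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(JwtValidators.createDefaultWithIssuer(issuer), audienceCheck));
        return decoder;
    }
}
```

With this chain a request to /actuator carrying a token whose `permissions` array contains `read:actuators` is authorized, while a token that lacks it, or whose `aud` does not include the configured audience, is rejected before reaching the endpoint.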