I am creating an application with Spring Boot as backend and React as frontend with Auth0. I have exactly followed the quickstart. I am passing the token with user info (added the userInfo through rules) as a header. In the backend I need the user info to set the userId of the user in the local DB. Whenever I try, I am getting UserPrincipal as null in the backend. From my understanding (I read somewhere) the userInfo will be automatically configured in the UserPrincipal when we use @AuthenticationPrincipal. Can anyone help me with this? Thank you.
Hey there @Account123!
Do you mind sharing the quickstart you’re working off as well as the rule mentioned? The additional context may help digging into this a bit deeper.
Thanks!
I followed this tutorial to set up the React frontend (Auth0 React SDK Quickstarts: Add Login to your React App), this one for calling Auth0 APIs in React (Auth0 React SDK Quickstarts: Call an API), and this one for the Spring Boot backend (Auth0 Spring Boot API SDK Quickstarts: Authorization). In the backend I will be receiving the token from the headers, which will contain the id and a few pieces of user information, which when authenticated (authentication is happening) will automatically be set on the UserPrincipal by Spring Boot (from what I read), but whenever I try to get the UserPrincipal its values are always null.
To get user information from a token in a Spring Boot application, you can use Spring Security’s authentication mechanism.
Here are the steps to follow:
- Configure Spring Security in your application by adding the necessary dependencies and configuring the security settings in the application properties file.
- Create a class that implements the UserDetailsService interface to load user-specific data.
- Create a class that extends the WebSecurityConfigurerAdapter class and overrides its configure(HttpSecurity http) method to define the security rules for your application.
- In the configure(HttpSecurity http) method, add a filter that extracts the token from the HTTP Authorization header and sets it as the authentication token. You can use the JwtAuthenticationFilter from the Spring Security JWT library to achieve this.
- Finally, in your controller method, you can retrieve the user information from the authentication object using the SecurityContextHolder.getContext().getAuthentication() method.
Here is an example of a JwtAuthenticationFilter:

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

public class JwtAuthenticationFilter extends OncePerRequestFilter {
    // Loads the application's user record for the subject found in the token
    private final UserDetailsService userDetailsService;

    public JwtAuthenticationFilter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String authorizationHeader = request.getHeader("Authorization");
        // No bearer token present: continue the chain unauthenticated
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            filterChain.doFilter(request, response);
            return;
        }
        String token = authorizationHeader.substring(7);
        // Verify the token signature and read its "sub" claim ("mySecretKey" is a placeholder verification key)
        String username = Jwts.parser()
                .setSigningKey("mySecretKey")
                .parseClaimsJws(token)
                .getBody()
                .getSubject();
        if (username != null) {
            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            UsernamePasswordAuthenticationToken authenticationToken =
                    new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            // From here on the principal is the loaded UserDetails
            SecurityContextHolder.getContext().setAuthentication(authenticationToken);
        }
        filterChain.doFilter(request, response);
    }
}
```
And here is an example of how to retrieve user information from the authentication object in a controller method:

```java
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("/user")
public ResponseEntity<User> getUserInfo() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // The principal is whatever the filter stored; this cast assumes the UserDetailsService returns Spring's User
    User user = (User) authentication.getPrincipal();
    return ResponseEntity.ok(user);
}
```
Hi Team
I’m not a Spring Boot specialist, so probably won’t be able to answer your question directly. But I do have a couple of observations on the conversation here so far that I’d like to share (in no particular order):
- In the initial comment (To get userInfo from token springboot) @Account123 mentions adding user information to the token via a Rule. I don’t know what information is being added here, but I suspect it is one or more (custom) claims, right? One should be careful not to pollute tokens with (custom) claims that may contain security or even PII sensitive information, particularly if those tokens are being used in a front-end context (such as the React context mentioned).
- OAuth 2 defines the /userinfo endpoint, which typically provides access to user information from a backend context via something like a POST request. This prevents the need to pollute tokens with (custom) claim information that could be considered security or even PII sensitive in nature; it also honours any consent provided by a user for specific scope claims.
- The /userinfo endpoint is well defined and typically delivers information in a structured and well-defined format. I suspect that Spring Boot is probably expecting information in a structured and well-defined format, and won’t be able to just decode information arbitrarily added to a token via one or more (custom) claims.
- The /userinfo endpoint in Auth0 (Okta CIC) provides an implementation in line with the OAuth 2 spec for obtaining user information. As the docs say, you will need to call this endpoint with an Auth0 provided Access Token; any Access Token generated by Auth0 can typically be used. Auth0 generated access tokens currently support /userinfo as an endpoint audience, irrespective of whatever custom audience may also be requested. By default Auth0 will typically return an access token for the /userinfo endpoint if no custom audience is specified on a call to /authorize or the like.
Hope this helps
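Added example (not from this thread, and not Auth0's or Spring's own sample code) showing the approach described above in the setup the Spring Boot API quickstart produces: the controller takes the user id from the validated Access Token via @AuthenticationPrincipal and fetches the rest of the profile from /userinfo with that same token, instead of relying on custom claims. It assumes spring-boot-starter-oauth2-resource-server with spring.security.oauth2.resourceserver.jwt.issuer-uri set to the Auth0 tenant, so the principal is a Jwt rather than a UserDetails; the package and endpoint path are hypothetical.

```java
package com.example.demo; // hypothetical package

import java.util.HashMap;
import java.util.Map;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class ProfileController {
    private static final ParameterizedTypeReference<Map<String, Object>> JSON_OBJECT =
            new ParameterizedTypeReference<Map<String, Object>>() {};
    private final RestTemplate rest = new RestTemplate();

    @GetMapping("/api/profile") // hypothetical path
    public ResponseEntity<Map<String, Object>> profile(@AuthenticationPrincipal Jwt jwt) {
        // With the resource-server starter the principal is the validated Jwt (issuer, signature,
        // expiry checked), so it is only null when no valid token reached this endpoint.
        // "sub" (e.g. "auth0|abc123") is the stable Auth0 user id to key the local DB on.
        String userId = jwt.getSubject();

        // Call /userinfo on the issuer the token was validated against (never on a host taken from
        // an unvalidated claim or header), presenting the same Access Token as the bearer credential.
        String userinfoUrl = jwt.getIssuer().toString().replaceAll("/+$", "") + "/userinfo";
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(jwt.getTokenValue());
        ResponseEntity<Map<String, Object>> res =
                rest.exchange(userinfoUrl, HttpMethod.GET, new HttpEntity<Void>(headers), JSON_OBJECT);
        Map<String, Object> userinfo = res.getBody();

        // Sanity check: the profile must belong to the token's subject.
        if (userinfo == null || !userId.equals(userinfo.get("sub"))) {
            return ResponseEntity.status(HttpStatus.BAD_GATEWAY).build();
        }
        // Only "sub" is guaranteed; "email"/"name" are present only for the scopes the user consented to.
        Map<String, Object> out = new HashMap<>();
        out.put("userId", userId);
        out.put("email", userinfo.get("email")); // null if the email scope was not granted
        out.put("name", userinfo.get("name"));
        return ResponseEntity.ok(out);
    }
}
```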