Unable to get role information back in JWT using Java 2.x APIs

Hi,

I recently updated a Java web app using the Spark framework. Looking at some of the Java examples, and specifically the servlet one, much of this code appears to be based on an older project using auth0-java-mvc-common and the 1.x APIs.

Since I needed to make this work with Spark controllers, I decided to use the new 2.x APIs (GitHub - auth0/auth0-java: Java client library for the Auth0 platform). I have everything working end to end and endpoints configured for login, logout and callback.

For the callback, I am getting back an ID and access token, and I am able to extract the JWT, which contains all of the info I would expect given the authorization URL scope of openid, profile and email.

However, I am not getting back any role information. I have a user configured, a role created and the user is assigned to the role.

Is there potentially an issue with the way I’m calling any of the APIs, or are there extra steps involved to get role information back? I have seen previous posts about needing to add custom Rules to support custom claims. And also some posts on the new Flows feature. I’ve attempted to do this with no luck.

// For login
String authorizeUrl = auth.authorizeUrl(config.getAuth0CallbackURL())
    .withScope("openid profile email roles")
    .build();
response.redirect(authorizeUrl);

I’m assuming roles scope is ignored. And on the callback:

String code = request.queryParams("code");

TokenRequest tokenRequest = auth.exchangeCode(code, config.getAuth0CallbackURL());

… after getting the Id token

DecodedJWT decodedToken = JWT.decode(idToken);
decodedToken.getClaims().forEach((k, v) -> logger.info("key: " + k + " value: " + v));

I can confirm all expected claims are there (sub, iss, sid, aud, iat, exp, gravatar picture value, etc).

Full code for this is available at GitHub - ericblue/spark-starter-auth0: Spark Starter Auth0

Any guidance on this would be appreciated! I’ve spent a good bit of time trying to get this working, and looked at various posts and documentation and the answer isn’t clear, unless I’m missing something obvious.

Thanks!

You have to create and deploy an action to get roles added to your ID and access token. Here’s an example from our Spring Role Based Access Control (RBAC) lab:

exports.onExecutePostLogin = async (event, api) => {
  // Custom claims need a URL-style namespace; bare names such as "roles" are not accepted.
  const namespace = "https://spring-boot.example.com";
  // event.authorization is only present when the user has authorization data (e.g. assigned roles).
  if (event.authorization) {
    api.idToken.setCustomClaim("preferred_username", event.user.email);
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

Hi Matt,

Thanks for the quick response. A few questions:

  1. Is the namespace arbitrary and does this need to be added to any of the approaching API calls?

  2. Do these actions and flow features supersede previous examples for adding custom Rules?

  3. Lastly, this might be an expectation mismatch, but given Roles are configured and set up in the UI, I would expect this to ‘just work’ and come back in the JWT. Are there future plans to have this become automatically available without extra steps?

In the meantime, I’ll give this a try. For the time being I was able to implement follow-up calls to get this data via the Management API, but it will be good to have in one round trip if possible.

Also, I recognized your name right away. I remember AppFuse from the earliest days and a fan of JHipster. Glad to see you involved here as well. :wink:

Thanks,

  • Eric

  1. The namespace is arbitrary, you can use whatever you like. I know names like groups and roles won’t work. I wish they did. The only place you might specify the claim is in your own backend app when converting it to something your chosen framework understands.

  2. Yes, Actions are the replacement for Rules, which will eventually go away.

  3. I’d like it if there was a toggle to add a groups token in one step. I don’t think it’s in our roadmap.

Thanks for trying AppFuse and JHipster! It’s nice to virtually meet you. :blush:

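The Action in Matt's first reply puts the roles under a namespaced claim, and his follow-up notes that the only place the namespace has to be repeated is the backend that reads the claim. The class below is an added example for that backend side; it is not code from this thread, from the spark-starter-auth0 repository or from Auth0's own samples. It assumes the Auth0 java-jwt and jwks-rsa libraries, a placeholder namespace of https://spring-boot.example.com (change it to whatever your Action uses), and that the callback route has already obtained the ID token string from the code exchange. It also replaces the bare JWT.decode() from the original post with signature, issuer and audience verification, since decode() only parses the token.

```java
// Added example, not part of the original thread or the linked project.
// Verifies an Auth0 ID token and returns the roles written by the post-login Action.
// Dependencies: com.auth0:java-jwt and com.auth0:jwks-rsa.
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeUnit;

public final class RoleClaims {

    // Assumed namespace: must match the string used in the Action's setCustomClaim calls.
    private static final String ROLES_CLAIM = "https://spring-boot.example.com/roles";

    private final JWTVerifier verifier;

    public RoleClaims(String auth0Domain, String clientId) {
        // Auth0 publishes its signing keys at https://<domain>/.well-known/jwks.json;
        // JwkProviderBuilder derives that URL from the domain. Caching and rate limiting
        // keep a burst of logins from hammering the JWKS endpoint.
        JwkProvider jwks = new JwkProviderBuilder(auth0Domain)
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();

        // Resolve the public key by the token's "kid" header; we never sign here,
        // so the private-key methods return null.
        RSAKeyProvider keys = new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String kid) {
                try {
                    Jwk jwk = jwks.get(kid);
                    return (RSAPublicKey) jwk.getPublicKey();
                } catch (JwkException e) {
                    // Unknown or unfetchable key id: surface it so verify() fails closed.
                    throw new IllegalStateException("No signing key for kid " + kid, e);
                }
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return null;
            }

            @Override
            public String getPrivateKeyId() {
                return null;
            }
        };

        // Auth0 ID tokens carry iss = "https://<domain>/" (note the trailing slash) and
        // aud = the application's client ID. Pinning both rejects tokens minted for
        // another tenant or another application in the same tenant.
        this.verifier = JWT.require(Algorithm.RSA256(keys))
                .withIssuer("https://" + auth0Domain + "/")
                .withAudience(clientId)
                .acceptLeeway(60) // seconds of clock skew tolerated on exp/iat/nbf
                .build();
    }

    /**
     * Verifies the ID token (signature, issuer, audience, expiry) and returns the
     * namespaced roles claim. Returns an empty list when the claim is absent, which
     * is what you get if the Action is not deployed or the user has no roles.
     */
    public List<String> rolesFrom(String idToken) throws JWTVerificationException {
        DecodedJWT decoded = verifier.verify(idToken);
        Claim roles = decoded.getClaim(ROLES_CLAIM);
        List<String> list = roles.asList(String.class);
        return list == null ? Collections.emptyList() : list;
    }

    // Usage in the Spark callback route, after the code exchange has produced idToken
    // (tenant domain and client ID below are placeholders):
    //   RoleClaims claims = new RoleClaims("your-tenant.us.auth0.com", "YOUR_CLIENT_ID");
    //   List<String> roles = claims.rolesFrom(idToken);
    //   if (!roles.contains("admin")) { halt(403); }
}
```

Keep the ROLES_CLAIM constant and the Action's namespace in one place of truth (a config value on both sides is the usual approach); a silent mismatch just yields an empty role list rather than an error, so a startup check that the constant matches your deployed Action is worth having. The JWKS lookup throwing on an unknown key id is deliberate: a token signed with a key the tenant does not publish should fail verification, not fall back to an unverified decode.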

Thanks Matt! This worked like a charm.

And yes, I think some sort of toggle or other option to automatically include these claims would be ideal. One of the things that impressed me with Auth0 is the simple, but very useful Role setup in the UI. I had assumed since these features were part of the UI now that this data would just automagically be there in the JWT response. If there’s any way to funnel this suggestion back to the product team, that would be appreciated.

Also, if there’s any interest in Auth0 having a Spark example as part of your example projects feel free to pull anything useful from GitHub - ericblue/spark-starter-auth0: Spark Starter Auth0.

The Java servlet example and docs felt a little dated and because most of the controller logic and code was under the hood in auth0-java-mvc-common the flows weren’t entirely obvious. And, with Spring/Spring Security stuff it is very plug n’ play. The main thing I wanted to accomplish with this example was a fairly simple implementation and using the new 2.x SDK.

Spark has not had a lot of activity recently since 2.9.4, but seems like a lot of folks are still using it. And while I tend to personally favor Spring and Micronaut these days, it is a good lightweight alternative in some situations.

At any rate, thanks for quick support and easy fix!
