User Authorization, I am very confused

Hi Everyone,

I am new to Auth0, but am finding the user authorization somewhat confusing.

I have a SPA that is connecting to two APIs (Spring & NodeJS). I have configured both APIs and secured them using the examples. I can log in with a user account I created and access the APIs successfully from my SPA.

However, the examples are always trivial, such as: everyone that successfully logs in has access to the global ‘Tasks’ and can read or write to them.

But… what if, as is usually the case, the user has some private assets in your API? I am unable to check who the logged-in user is to fetch his private assets and to ensure only he has access to them.

I am sure I have missed some hidden tutorial or example, because after 4 days of setting up tutorials and successfully running them I am still unable to identify a user or his permissions in a Spring controller.

Have I got all this wrong? Very confused about why you would want to protect assets only for a group of users. What about users' application profile data?

Perhaps someone can provide me the information I am missing.

Thank you in advance.

Finally Answered My Own Question.

A lot of searching, googling, Auth0 tutorials, nothing of any use to solve this problem. I did find a post on Stack Overflow that suggested trying this.

    import java.security.Principal;
    import org.springframework.security.core.Authentication;

    // Suggested on Stack Overflow: read the name from the injected Authentication / Principal.
    public String getName(Authentication authentication, Principal principal) {
        System.out.println(authentication.getName());
        System.out.println("-----------------");
        System.out.println(principal.getName());
        return "";
    }

But this returned empty strings…

Solution…

After setting a break point in my Spring Boot controller I was able to work out the following code which prints out the authentication claims for the user.

    import java.util.List;
    import java.util.Map;
    import org.springframework.web.bind.annotation.GetMapping;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.interfaces.Claim;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import com.auth0.spring.security.api.authentication.AuthenticationJsonWebToken;

    @GetMapping
    public List<Task> getTasks(AuthenticationJsonWebToken authentication) {
        logger.debug("getTasks called.");
        // The token has already been verified by JwtAuthenticationProvider; decode() only parses it.
        DecodedJWT jwt = JWT.decode(authentication.getToken());
        Map<String, Claim> claims = jwt.getClaims();
        for (String key : claims.keySet()) {
            // asString() returns null for claims that are not JSON strings, which is why
            // aud, exp, iat and permissions show up as null in the log below.
            logger.debug("key: {}, value: {}", key, claims.get(key).asString());
        }

        return taskRepository.findAll();
    }

This printed out…

c.a.s.s.api.JwtAuthenticationProvider    : Authenticated with jwt with scopes [openid, profile, email]
2019-09-17 13:27:55.307 DEBUG 15238   : getTasks called.
2019-09-17 13:27:58.599 DEBUG 15238   : key: sub, value: auth0|5d7f7fbceca46c0de35cab84
2019-09-17 13:28:04.217 DEBUG 15238   : key: aud, value: null
2019-09-17 13:28:07.710 DEBUG 15238   : key: azp, value: Q4SsvJPvdIIgkIuiO7RsF8qpCtmGEsMu
2019-09-17 13:28:10.078 DEBUG 15238   : key: permissions, value: null
2019-09-17 13:28:11.692 DEBUG 15238   : key: scope, value: openid profile email
2019-09-17 13:28:14.200 DEBUG 15238   : key: iss, value: <SNIP>
2019-09-17 13:28:16.411 DEBUG 15238   : key: exp, value: null
2019-09-17 13:28:18.467 DEBUG 15238   : key: iat, value: null

The claim with key ‘sub’ contains the Auth0 user id; this can be found in the user's profile on the Auth0 user management console, as shown on this screen clip.

[Screen clip: auth0Claims]

So upon registration I will save the user's Auth0 id and check it when my controller is called to enable private resources for the user, not global tasks as in the examples.

Hope it helps someone, and saves you a few days figuring out what is going on…
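Putting the ‘sub’ claim to work the way the post describes, as an added example that is not the original poster's code: a controller that scopes every query to the caller's Auth0 user id instead of returning global tasks. It assumes a Task entity with an ownerId field and a Spring Data TaskRepository exposing findByOwnerId, findByIdAndOwnerId and save (hypothetical names).

```java
import java.util.List;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
import com.auth0.jwt.JWT;
import com.auth0.spring.security.api.authentication.AuthenticationJsonWebToken;

@RestController
@RequestMapping("/api/tasks")
public class PrivateTaskController {

    // Assumed Spring Data repository; Task has an ownerId column holding the Auth0 "sub".
    private final TaskRepository taskRepository;

    public PrivateTaskController(TaskRepository taskRepository) {
        this.taskRepository = taskRepository;
    }

    // The token was already verified (signature, issuer, audience, expiry) by
    // JwtAuthenticationProvider before this controller runs; we only read "sub" here.
    private static String callerId(AuthenticationJsonWebToken authentication) {
        String sub = JWT.decode(authentication.getToken()).getSubject();
        if (sub == null || sub.isEmpty()) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "token has no sub claim");
        }
        return sub;
    }

    // Listing is scoped in the query itself, so other users' rows are never loaded.
    @GetMapping
    public List<Task> getMyTasks(AuthenticationJsonWebToken authentication) {
        return taskRepository.findByOwnerId(callerId(authentication));
    }

    // Object-level check: fetch by id AND owner. Someone else's task looks exactly
    // like a missing one (404), so ids reveal nothing about other users' assets.
    @GetMapping("/{id}")
    public Task getTask(@PathVariable Long id, AuthenticationJsonWebToken authentication) {
        return taskRepository.findByIdAndOwnerId(id, callerId(authentication))
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "task not found"));
    }

    // Ownership is taken from the verified token, never from the request body.
    @PostMapping
    public Task createTask(@RequestBody Task task, AuthenticationJsonWebToken authentication) {
        task.setOwnerId(callerId(authentication));
        return taskRepository.save(task);
    }
}
```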


So sorry for the inconvenience and really appreciate you sharing it with the rest of community!

Would you share with us the feedback on why you found our docs and content not helpful, so we can make it better? Feel free to either share it here or via DM. Thank you!

Hi Konrad,

the docs were helpful for getting started. My use case was:

  1. Angular 7 SPA (quite complex)
  2. Spring Boot Business API
  3. Node JS Media Server API

Each user will upload assets to his account, e.g. some project, with more assets associated, etc…

So when I got the tutorials for securing my web apps working, all good and well, i.e. the Tasks example for Spring Boot. But the tutorials only show securing endpoints where those that have access to an endpoint can see all the assets presented and edit them in a global context, i.e. all authorised users can see all the tasks.

I wanted to filter further, so using the Tasks example, I wanted users to have private task collections, and in the controller, after being authorised and verifying the calling user's id, I would fetch only his tasks.

There were no examples on how to access Claims inside a Spring Boot controller so as to filter according to user.

However, I must say all the examples, SPA, Spring Boot, NodeJS, were easy to follow and worked when I completed them. But they only showed global contexts for users getting access and no further examples of how to access the token's claims on the API server side.

Regards
Peter


Gotchya! Really appreciate all the feedback! Will make sure to relay it to appropriate teams!
