Using Authorization with Spring Boot 3.0.2

I have a Spring Boot application with Java 17, okta-starter and Thymeleaf running. My problem is now to secure some parts of the website with scopes, like in this quick-start. I have added my audience in the application.yml but I only get 403 not authorized on the specific URL.

SecurityConfiguration:

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableMethodSecurity
@EnableWebSecurity
@Order(1)
public class SecurityController {

    @Value("${okta.oauth2.issuer}")
    private String issuer;
    @Value("${okta.oauth2.client-id}")
    private String clientId;

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers("/api/ws").permitAll()
                        .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                        .requestMatchers(HttpMethod.POST, "/api/public/**").permitAll()
                        // Requires a granted authority named SCOPE_access:devtest; the JWT
                        // converter derives these authorities from the token's scope claim.
                        .requestMatchers("/test/blank").hasAuthority("SCOPE_access:devtest")
                        .anyRequest().authenticated()
                )
                .logout(logout -> {
                    logout.addLogoutHandler(logoutHandler());
                    logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
                })
                .cors().and()
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));

        return http.build();
    }

    // Placeholder: the poster's own logoutHandler() is not shown in the thread.
    private LogoutHandler logoutHandler() {
        return new SecurityContextLogoutHandler();
    }
}

application.yml:

# src/main/resources/application.yml
okta:
  oauth2:
    issuer: https://issuer.com
    client-id: longclientid
    client-secret: longclientsecret
    audience: https://api.customdomain.com/v1/api

server:
  port: 8080
  error:
    whitelabel:
      enabled: false

spring:
  messages:
    basename:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: longclientid
            client-secret: longclientsecret
            scope: openid, profile, email
      resourceserver:
        jwt:
          issuer-uri: https://issuer.com
          audiences: https://api.customdomain.com/v1/api


Hello, have you got the solution for this?


Hi @joshua.s

Welcome to the Auth0 Community!

I am sorry about the delayed response to your post!

I would recommend checking the access token passed to the application in order to examine if the audience and scopes claims contain the actual permissions to access your application.

If you have found a solution yourself or have any other questions, feel free to leave a reply or post again on the community!

Kind Regards,
Nik
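The claim check suggested above, as an added example that is not code from the thread or from Auth0: decode the token payload and apply the same scope-to-authority mapping that Spring Security's default JwtGrantedAuthoritiesConverter uses, so you can see whether `SCOPE_access:devtest` and the configured audience would actually be present. The two sample tokens are constructed and unsigned, for offline inspection only.

```python
import base64
import json

# Values from the thread's application.yml and SecurityFilterChain.
EXPECTED_AUDIENCE = "https://api.customdomain.com/v1/api"
REQUIRED_AUTHORITY = "SCOPE_access:devtest"


def decode_claims(token: str) -> dict:
    # Read the payload without verifying it: inspection only, the resource
    # server still checks signature, issuer and expiry.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scope_authorities(claims: dict) -> set:
    # Mirror Spring Security's default JwtGrantedAuthoritiesConverter: use the
    # 'scope' claim (else 'scp'), accept a space-separated string or a list,
    # and prefix each value with 'SCOPE_'.
    raw = claims.get("scope", claims.get("scp", []))
    values = raw.split() if isinstance(raw, str) else list(raw)
    return {"SCOPE_" + v for v in values}


def diagnose(token: str) -> dict:
    # Would this token pass the 'audiences' check and the /test/blank rule?
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    authorities = scope_authorities(claims)
    return {"audience_ok": EXPECTED_AUDIENCE in aud,
            "has_required_scope": REQUIRED_AUTHORITY in authorities,
            "authorities": sorted(authorities)}


def unsigned_token(claims: dict) -> str:
    # Constructed sample token with no signature; a real resource server rejects it.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: a login token that only carries the OIDC scopes from the
# client registration, and an access token minted for the API audience.
LOGIN_TOKEN = unsigned_token({"aud": "longclientid", "scope": "openid profile email"})
API_TOKEN = unsigned_token({"aud": [EXPECTED_AUDIENCE], "scope": "openid access:devtest"})
```

Run `diagnose()` on the real access token your client sends; if `has_required_scope` is false, the 403 comes from the authority check, and if `audience_ok` is false, the token was not minted for the configured audience.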
