TechQA.

authorize post request without scope in Spring Boot

74 views Asked by At

I implementing a server that authenticates and authorizes using tokens obtained from "Sign in with Apple" using Spring Boot. I was able to authorize the GET request by ID token, but I cannot authorize the post request. ID Token is used instead of access token because, as stated in this issue, the access token returned by Apple is only to indicate that the verification was successful and does not contain any other information.

There is no concept of role or scope in the application that I am implementing, it is just a matter of confirming that it is the person in question. I am aware that Scope must be specified for requests that make changes to resources such as POST, PATCH, and DELETE, but is it possible to authorize POST requests without Scope as well as GET requests?

response of server:

Status = 403
Headers = [WWW-Authenticate:"Bearer error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."...

my security filter chain

@Configuration
@EnableWebSecurity
class SecurityConfig(
    private val tokenService: TokenService,
) {
    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http.csrf { it.disable() }
        http.authorizeHttpRequests {
            it.requestMatchers(
                "/api/auth/token",
                "/api/compatible-version",
                "/api/webhook/*",
            ).permitAll()

            it.requestMatchers(
                "/api/user/register",
                "/api/project/*",
            ).authenticated()
        }
        http.oauth2ResourceServer { oauth2 ->
            oauth2.jwt { }
        }
        http.authenticationManager { auth ->
            val bearerToken = auth as BearerTokenAuthenticationToken
            val user = tokenService.parseToken(bearerToken.token) ?: throw InvalidBearerTokenException("Invalid token")
            UsernamePasswordAuthenticationToken(user, "", listOf(SimpleGrantedAuthority("USER")))
        }
        return http.build()
    }
}

my application.yml

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://appleid.apple.com/auth/keys

What I have already tried

  • Write GET and POST requests separately and explicitly
it.requestMatchers(HttpMethod.GET, "/api/user/register", "/api/project/*").authenticated()
it.requestMatchers(HttpMethod.POST, "/api/project/*").authenticated()
spring-boot spring-security jwt apple-sign-in sign-in-with-apple
Original Q&A
0

There are 0 answers

Related Questions in SPRING-BOOT

Related Questions in SPRING-SECURITY

Related Questions in JWT

Related Questions in APPLE-SIGN-IN

Related Questions in SIGN-IN-WITH-APPLE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions