TechQA.

Oauth2 token with non-standard prefix for scopes

434 views Asked by At

The 3rd party Oauth2 resources server that I am required to use returns the scopes in the JWT token with a prefix of scp as in "scp": "read_notifications.v1". When spring security parses the JWT it returns an empty set of scopes.

Does anyone know of a way to customize the parsing of the token to include scp as an alias for scope

spring-security oauth-2.0 nimbus-jose-jwt
Original Q&A
1

There are 1 answers

4
ch4mp On BEST ANSWER

Yes I know ways to customize the parsing of tokens.

With Spring Boot Starters of mine

Sample for a reactive OAuth2 client

<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webflux-jwt-client</artifactId>
    <version>6.1.11</version>
</dependency>
<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webflux-jwt-test</artifactId>
    <version>6.1.11</version>
    <scope>test</scope>
</dependency>

@Configuration
@EnableReactiveMethodSecurity
public class OAuth2SecurityConfig {
}

scheme: http
gateway-uri: ${scheme}://localhost:${server.port}
origins: ${scheme}://localhost:4200
issuer: https://oidc.c4-soft.com/auth/realms/spring-addons
client-id: spring-addons
client-secret: change-me

server:
  port: 8888
  ssl:
    enabled: false

spring:
  security:
    oauth2:
      client:
        provider:
          c4-soft:
            issuer-uri: ${issuer}
        registration:
          c4-soft-authorization-code:
            authorization-grant-type: authorization_code
            client-id: ${client-id}
            client-secret: ${client-secret}
            provider: c4-soft
            scope: openid,profile,email,offline_access,roles

com:
  c4-soft:
    springaddons:
      security:
        issuers:
        - location: ${issuer}
          authorities:
          - path: $.scp
        client:
          client-uri: ${gateway-uri}
          security-matchers: /**
          permit-all:
          - /login/**
          - /oauth2/**
          - /
          - /v3/api-docs/**
          - /actuator/health/readiness
          - /actuator/health/liveness
          - /.well-known/acme-challenge/**
          csrf: cookie-accessible-from-js
          back-channel-logout-enabled: true

---
scheme: https

server:
  ssl:
    enabled: true

spring:
  config:
    activate:
      on-profile: ssl

With com.c4-soft.springaddons.security.issuers[].authorities[] properties, you can configure an auto-wired authorities converter. Here, I just set scp as source for Spring Authorities, but you can also define a prefix (something like ROLE_ or SCOPE_) and force to upper or lower case.

Browse the samples and tutorials for different use cases (servlets, resource servers, ...)

With Spring Boot "official" starters

The manual answers your question for:

Related Questions in SPRING-SECURITY

Related Questions in OAUTH-2.0

Related Questions in NIMBUS-JOSE-JWT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions