Reputation: 1326
OAuth2 (Okta): How to set authorization
I'm writing an application using Oauth2 using Okta, and I'm running into a problem:
What I would like to do is have Okta (or some other method) to automatically set up and provide authorization details of my user. I already have Okta able to support authentication of the user, I am specifically looking for help regarding authorization. In particular, what I would like to do is divide authorization of my APIs into 3 segments:
1) A group of APIs which are available to any user, even ones who are not authenticated.
2) A group of APIs which are only available to authenticated users.
3) A group of APIs which are locked under permission-based (authorization) requirements.
It's the 3rd group I'm having trouble with. I have my security context set up as follows:
@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends OAuth2SsoDefaultConfiguration {
public SecurityConfig(ApplicationContext applicationContext) {
super(applicationContext);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/anyaccess/**").permitAll()
.antMatchers("/credential/**").hasRole("ADMIN");
super.configure(http);
http.logout().logoutSuccessUrl("/");
}
}
So /anyaccess can be accessed by anyone, and anything else except /credential can be accessed by any authenticated user.
When I log into my application through Okta, I get an Authentication and Principal object which seem to be automatically generated somewhere, somehow (it's this somewhere, somehow that I'm mostly looking for clarification on). However, those objects do not have any set permissions, nor do they appear to provide a way to add additional permissions for future requests. How can I:
1) Set up these Authentication and Principal objects to contain the permissions I want per user?
2) Make sure that these are set up automatically on user sign-in through Okta and don't require an additional API call?
3) Persist changes to this configuration and make that part of my application authorization service?
4) Is there any way I can manage this through Okta configuration, or so I need to have a separate service set up to manage this and tack that onto my Okta authentication service?
Thanks.
Upvotes: 0
Views: 452
Answers (1)
Reputation: 8634
You can add user's groups to a "groups" claim and the Okta Spring Boot starter will automatically convert those to Spring Security authorities.
From the top menu, go to API and click on Authorization Servers.
Click on the default authorization server.
Click on the Claims tab.
Click the Add Claim button.
Update the popup form to match the image below.
Note that the Filter Regex is .*.
Then you can use @PreAuthorize("role_name") on your methods.
This blog post has more information.
Upvotes: 1
Related Questions
- How to generate Okta access token programmatically?
- Problems using Spring Security with an Okta OIDC JWT
- The requested feature is not enabled in this environment
- Jhipster OAuth 2.0 / OIDC Authentication Authorization header with bearer token
- Spring okta oauth2 properties using spring cloud vault
- Spring Boot 2 + OAuth2: Configure Exchange of Auth Code for Token
- Authentication with Spring oAuth2.0
- Spring Oauth2 Authorization Server
- spring boot oaut2 properties
- How to configure spring oauth?