Ertai87
Ertai87

Reputation: 1326

OAuth2 (Okta): How to set authorization

I'm writing an application using Oauth2 using Okta, and I'm running into a problem:

What I would like to do is have Okta (or some other method) to automatically set up and provide authorization details of my user. I already have Okta able to support authentication of the user, I am specifically looking for help regarding authorization. In particular, what I would like to do is divide authorization of my APIs into 3 segments:

1) A group of APIs which are available to any user, even ones who are not authenticated.

2) A group of APIs which are only available to authenticated users.

3) A group of APIs which are locked under permission-based (authorization) requirements.

It's the 3rd group I'm having trouble with. I have my security context set up as follows:

@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends OAuth2SsoDefaultConfiguration {

    public SecurityConfig(ApplicationContext applicationContext) {
        super(applicationContext);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/anyaccess/**").permitAll()
                .antMatchers("/credential/**").hasRole("ADMIN");
        super.configure(http);
        http.logout().logoutSuccessUrl("/");
    }
}

So /anyaccess can be accessed by anyone, and anything else except /credential can be accessed by any authenticated user.

When I log into my application through Okta, I get an Authentication and Principal object which seem to be automatically generated somewhere, somehow (it's this somewhere, somehow that I'm mostly looking for clarification on). However, those objects do not have any set permissions, nor do they appear to provide a way to add additional permissions for future requests. How can I:

1) Set up these Authentication and Principal objects to contain the permissions I want per user?

2) Make sure that these are set up automatically on user sign-in through Okta and don't require an additional API call?

3) Persist changes to this configuration and make that part of my application authorization service?

4) Is there any way I can manage this through Okta configuration, or so I need to have a separate service set up to manage this and tack that onto my Okta authentication service?

Thanks.

Upvotes: 0

Views: 452

Answers (1)

Matt Raible
Matt Raible

Reputation: 8634

You can add user's groups to a "groups" claim and the Okta Spring Boot starter will automatically convert those to Spring Security authorities.

From the top menu, go to API and click on Authorization Servers.

Click on the default authorization server.

Click on the Claims tab.

Click the Add Claim button.

Update the popup form to match the image below.

Note that the Filter Regex is .*.

enter image description here

Then you can use @PreAuthorize("role_name") on your methods.

This blog post has more information.

Upvotes: 1

Related Questions