Zolly

Reputation: 317

Spring Security OAUTH2 - How to restrict access to APIs based on client ID?

Hi, I am new to Spring Security. I have a controller with a few endpoints. These endpoints are on the resource server.

POST /secured/user/create
POST /secured/user/update
GET /secured/user/{id}

Before accessing these APIs, the client will have to get a token from my authorization server, then use it when calling the APIs above. However, I want to restrict the user to only access the GET API depending on his client ID. The client should not be able to call the create or update API.

Is there any way to do this? And how do I do it in code? I am assuming the following:

  1. Something must be added to the JWT token in the authorization server. I'm guessing scope?
  2. When an API of the resource server is hit, it will validate the token. If the scope does not allow the API, then the server will return HTTP 401 Unauthorized.

Any resources or links would be appreciated!

Upvotes: 1

Views: 2012

Answers (1)

Michal Trojanowski

Reputation: 12322

  1. You can configure the Authorization Server to add any claims to the token, which you will eventually need to properly authorize requests. This can be a scope claim, a client_id claim, or something more granular, like can_read_user_data: true.

You can read a lot about claims, scopes, how they relate and what some best practices around scopes and claims are in the articles found here: https://curity.io/resources/claims/

  2. You can have a look at this article to see how to implement validation of JWT claims in Spring: https://curity.io/resources/tutorials/howtos/writing-apis/spring-boot-api/

Upvotes: 1
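As an added illustration of the answer above (example code written for this page, not taken from the question, the answer, or the linked Curity tutorials): a Spring Security 6 resource-server configuration that turns the token's claims into authorities and then restricts the three endpoints from the question by HTTP method. The scope names `user:read` and `user:write`, the claim name `client_id`, and the class name are assumptions; the authorization server has to be configured to issue those scopes, and a `spring.security.oauth2.resourceserver.jwt.issuer-uri` property (or a `JwtDecoder` bean) must point at it so signatures are verified.

```java
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

// Example resource-server configuration (hypothetical class and scope names).
// Assumed token payload issued by the authorization server, constructed for this example:
//   { "iss": "https://auth.example.invalid", "sub": "user-42",
//     "client_id": "mobile-app", "scope": "user:read", "exp": 1700000000 }
// Such a token can call GET /secured/user/{id} but not the two POST endpoints.
@Configuration
@EnableWebSecurity
public class ResourceServerSecurityConfig {

    // Spring's default scope converter prefixes every scope value with "SCOPE_".
    private static final String READ_SCOPE = "SCOPE_user:read";
    private static final String WRITE_SCOPE = "SCOPE_user:write";

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no session cookies, so CSRF protection adds nothing here.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Writes require the write scope. To pin writes to one registered client
                // instead, use the CLIENT_<client_id> authority derived below, e.g.
                // .hasAuthority("CLIENT_" + "admin-console")   (placeholder client id)
                .requestMatchers(HttpMethod.POST, "/secured/user/create", "/secured/user/update")
                    .hasAuthority(WRITE_SCOPE)
                // Reads only require the read scope.
                .requestMatchers(HttpMethod.GET, "/secured/user/{id}")
                    .hasAuthority(READ_SCOPE)
                // Fail closed: anything not listed above is rejected.
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // Maps JWT claims to Spring authorities: "scope"/"scp" -> SCOPE_x (Spring default)
    // and the assumed "client_id" claim -> CLIENT_<id>, so rules can key on either.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Collection<GrantedAuthority> authorities = new ArrayList<>(scopeConverter.convert(jwt));
            String clientId = jwt.getClaimAsString("client_id");
            if (clientId != null) {
                authorities.add(new SimpleGrantedAuthority("CLIENT_" + clientId));
            }
            return authorities;
        });
        return converter;
    }
}
```

Two points worth checking when trying this out. First, the status code differs from the one assumed in the question: a missing, expired or badly signed token yields 401 Unauthorized, while a valid token that lacks the required scope yields 403 Forbidden with a `WWW-Authenticate: Bearer error="insufficient_scope"` header, which is the behaviour RFC 6750 prescribes. Second, because the client ID is read from a claim inside the verified JWT, a client cannot change it without breaking the signature, which is why the decision must be made from token claims rather than from anything the client sends alongside the token.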
