Timothy Vogel

Reputation: 1597

OAuth2 token with non-standard prefix for scopes

The 3rd-party OAuth2 resource server that I am required to use returns the scopes in the JWT token with a prefix of scp, as in "scp": "read_notifications.v1". When Spring Security parses the JWT, it returns an empty set of scopes.

Does anyone know of a way to customize the parsing of the token to include scp as an alias for scope?

Upvotes: 0

Views: 657

Answers (1)

ch4mp

Reputation: 12564

Yes I know ways to customize the parsing of tokens.

With Spring Boot Starters of mine

Sample for a reactive OAuth2 client

<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webflux-jwt-client</artifactId>
    <version>6.1.11</version>
</dependency>
<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webflux-jwt-test</artifactId>
    <version>6.1.11</version>
    <scope>test</scope>
</dependency>

@Configuration
@EnableReactiveMethodSecurity
public class OAuth2SecurityConfig {
}

scheme: http
gateway-uri: ${scheme}://localhost:${server.port}
origins: ${scheme}://localhost:4200
issuer: https://oidc.c4-soft.com/auth/realms/spring-addons
client-id: spring-addons
client-secret: change-me

server:
  port: 8888
  ssl:
    enabled: false

spring:
  security:
    oauth2:
      client:
        provider:
          c4-soft:
            issuer-uri: ${issuer}
        registration:
          c4-soft-authorization-code:
            authorization-grant-type: authorization_code
            client-id: ${client-id}
            client-secret: ${client-secret}
            provider: c4-soft
            scope: openid,profile,email,offline_access,roles

com:
  c4-soft:
    springaddons:
      security:
        issuers:
        - location: ${issuer}
          authorities:
          - path: $.scp
        client:
          client-uri: ${gateway-uri}
          security-matchers: /**
          permit-all:
          - /login/**
          - /oauth2/**
          - /
          - /v3/api-docs/**
          - /actuator/health/readiness
          - /actuator/health/liveness
          - /.well-known/acme-challenge/**
          csrf: cookie-accessible-from-js
          back-channel-logout-enabled: true

---
scheme: https

server:
  ssl:
    enabled: true

spring:
  config:
    activate:
      on-profile: ssl

With the com.c4-soft.springaddons.security.issuers[].authorities[] properties, you can configure an auto-wired authorities converter. Here, I just set scp as the source for Spring authorities, but you can also define a prefix (something like ROLE_ or SCOPE_) and force upper or lower case.

Browse the samples and tutorials for different use cases (servlets, resource servers, ...)

With Spring Boot "official" starters

The manual answers your question for:

Upvotes: 1
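As an added example that is not part of the answer above or of the spring-addons project, the same mapping done with only the standard Spring Security 6 resource-server API on a servlet stack: the scp claim is read explicitly as the authorities source, each value gets the SCOPE_ prefix, and an endpoint is then gated on the exact scope from the question. The /notifications/** path is a hypothetical endpoint chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ScpResourceServerConfig {

    // Maps the "scp" claim to granted authorities. The converter accepts the claim
    // either as a space-delimited string ("a b") or as a JSON array, so a single
    // value such as "read_notifications.v1" becomes the authority
    // SCOPE_read_notifications.v1.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthoritiesClaimName("scp");   // instead of the default "scope" lookup
        scopes.setAuthorityPrefix("SCOPE_");     // keep Spring's usual SCOPE_ convention

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        return converter;
    }

    // Resource-server chain: every request needs a valid JWT, and the hypothetical
    // /notifications/** endpoint additionally requires the scope from the question.
    // Validation of issuer/signature still comes from
    // spring.security.oauth2.resourceserver.jwt.issuer-uri in application.yml.
    @Bean
    SecurityFilterChain resourceServerChain(HttpSecurity http,
                                            JwtAuthenticationConverter converter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/notifications/**").hasAuthority("SCOPE_read_notifications.v1")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

A token carrying "scp": "read_notifications.v1" is then accepted on /notifications/**, while a token whose scp claim lacks that value is rejected with 403 even though its signature is valid.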
