Reputation: 13
I have a problem assigning role-based access control in my Spring Boot application. I created a new API in Auth0, assigned permissions to the API, enabled RBAC on it, and authorized the API for the application. The application was set up for SSO.
I have created SecurityConfig.java as follows:
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // My own converter config class (not shown); it builds the JwtAuthenticationConverter
    private final JwtAuthConverterConfig jwtAuthConverterConfig;

    public SecurityConfig(JwtAuthConverterConfig jwtAuthConverterConfig) {
        this.jwtAuthConverterConfig = jwtAuthConverterConfig;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/", "/login", "/styles.css", "/templates/**", "/logout").permitAll() // allow public access
                .requestMatchers("/download-report").hasAuthority("SCOPE_download:report") // requires the download:report authority
                .anyRequest().authenticated() // other pages require authentication
            )
            .oauth2Login(oauth2Login -> oauth2Login
                .loginPage("/login") // custom login page
                .defaultSuccessUrl("/submit-form", true) // redirect after successful login
            )
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessUrl("/logout") // after logout, redirect to the /logout page (permitted above)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
            )
            .cors(withDefaults())
            .oauth2ResourceServer(oauth2 -> oauth2 // applies to requests carrying a Bearer JWT
                .jwt(jwt -> jwt
                    .jwtAuthenticationConverter(jwtAuthConverterConfig.customJwtAuthenticationConverter())
                )
            );
        return http.build();
    }
}
Although I have kept the settings in Auth0, it will not authorize the user to connect to the API. It gives a 403 error.
Do I need to define rules to implement Role Based Access Control with Auth0?
Please help me resolve this. Where is the error: in the code, or on the Auth0 dashboard?
Upvotes: 1
Views: 118
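The configuration above has two authentication paths that populate authorities differently. For a request carrying a Bearer access token, oauth2ResourceServer() runs the JWT converter; Spring's default JwtGrantedAuthoritiesConverter reads only the "scope"/"scp" claims and prefixes them with SCOPE_, while Auth0's RBAC puts API permissions in a separate "permissions" claim (when "Add Permissions in the Access Token" is enabled for the API). For a browser session established by oauth2Login(), the principal is an OidcUser whose authorities come from the ID token and the granted scopes, so the access token's permissions are never consulted and hasAuthority("SCOPE_download:report") fails with 403 on that path. The following is an added example, not the poster's code: it maps the "permissions" claim to PERMISSION_-prefixed authorities and applies that mapping on both paths. The package name, the PERMISSION_ prefix, and the bean names are assumptions; the matcher in the filter chain must use the same prefix, e.g. .hasAuthority("PERMISSION_download:report").

```java
package com.example.security; // hypothetical package

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Configuration
public class Auth0AuthoritiesConfig { // hypothetical class name

    /**
     * Builds authorities from an Auth0 access token:
     *  - "scope"/"scp" -> SCOPE_<value>        (Spring's default behaviour, kept)
     *  - "permissions" -> PERMISSION_<value>   (Auth0 RBAC claim; prefix is an assumption)
     */
    static Collection<GrantedAuthority> authoritiesFrom(Jwt accessToken) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.addAll(new JwtGrantedAuthoritiesConverter().convert(accessToken));
        List<String> permissions = accessToken.getClaimAsStringList("permissions");
        if (permissions != null) {
            for (String permission : permissions) {
                authorities.add(new SimpleGrantedAuthority("PERMISSION_" + permission));
            }
        }
        return authorities;
    }

    /** Path 1: Bearer-token requests handled by oauth2ResourceServer().jwt(). */
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(Auth0AuthoritiesConfig::authoritiesFrom);
        return converter;
    }

    /**
     * Path 2: browser sessions created by oauth2Login(). The delegate loads the OIDC user
     * as usual; the access token returned with it is then decoded with the resource-server
     * JwtDecoder (same issuer) so the session principal carries the same authorities.
     * Spring Security's oauth2Login() picks up a bean of this type automatically.
     */
    @Bean
    public OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(JwtDecoder jwtDecoder) {
        OidcUserService delegate = new OidcUserService();
        return userRequest -> {
            OidcUser oidcUser = delegate.loadUser(userRequest);
            Set<GrantedAuthority> mapped = new HashSet<>(oidcUser.getAuthorities());
            try {
                Jwt accessToken = jwtDecoder.decode(userRequest.getAccessToken().getTokenValue());
                mapped.addAll(authoritiesFrom(accessToken));
            } catch (JwtException e) {
                // Opaque access token (no API audience requested) or validation failure:
                // fall back to the ID-token authorities only, so the login still succeeds
                // but permission-gated routes stay forbidden.
            }
            return new DefaultOidcUser(mapped, oidcUser.getIdToken(), oidcUser.getUserInfo());
        };
    }
}
```

Two Auth0-side conditions make the second path work: the authorization request must carry an "audience" parameter naming the API (otherwise Auth0 issues an opaque access token rather than a JWT, and the decode above fails into the catch block), and the API must have RBAC and "Add Permissions in the Access Token" enabled so the "permissions" claim is present. Decoding the access token with the resource-server JwtDecoder also enforces issuer and expiry checks, so a token for a different issuer is rejected rather than silently mapped.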