spring-security, oauth-2.0, nimbus-jose-jwt

OAuth2 token with non-standard prefix for scopes


The third-party OAuth2 resource server that I am required to use returns the scopes in the JWT token with a prefix of scp, as in "scp": "read_notifications.v1". When Spring Security parses the JWT, it returns an empty set of scopes.

Does anyone know of a way to customize the parsing of the token to include scp as an alias for scope?


Solution

  • Yes, I know ways to customize the parsing of tokens.

    With Spring Boot Starters of mine

    Sample for a reactive OAuth2 client

    <dependency>
        <groupId>com.c4-soft.springaddons</groupId>
        <artifactId>spring-addons-webflux-jwt-client</artifactId>
        <version>6.1.11</version>
    </dependency>
    <dependency>
        <groupId>com.c4-soft.springaddons</groupId>
        <artifactId>spring-addons-webflux-jwt-test</artifactId>
        <version>6.1.11</version>
        <scope>test</scope>
    </dependency>
    
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
    
    // Nothing else is needed in Java: the spring-addons starter auto-configures the
    // security filter chain and the authorities converter from the properties below.
    @Configuration
    @EnableReactiveMethodSecurity
    public class OAuth2SecurityConfig {
    }
    
    scheme: http
    gateway-uri: ${scheme}://localhost:${server.port}
    origins: ${scheme}://localhost:4200
    issuer: https://oidc.c4-soft.com/auth/realms/spring-addons
    client-id: spring-addons
    client-secret: change-me
    
    server:
      port: 8888
      ssl:
        enabled: false
    
    spring:
      security:
        oauth2:
          client:
            provider:
              c4-soft:
                issuer-uri: ${issuer}
            registration:
              c4-soft-authorization-code:
                authorization-grant-type: authorization_code
                client-id: ${client-id}
                client-secret: ${client-secret}
                provider: c4-soft
                scope: openid,profile,email,offline_access,roles
    
    com:
      c4-soft:
        springaddons:
          security:
            issuers:
            - location: ${issuer}
              authorities:
              - path: $.scp   # JSON path of the claim to turn into Spring authorities (here "scp" instead of the default "scope")
            client:
              client-uri: ${gateway-uri}
              security-matchers: /**
              permit-all:
              - /login/**
              - /oauth2/**
              - /
              - /v3/api-docs/**
              - /actuator/health/readiness
              - /actuator/health/liveness
              - /.well-known/acme-challenge/**
              csrf: cookie-accessible-from-js
              back-channel-logout-enabled: true
    
    ---
    scheme: https
    
    server:
      ssl:
        enabled: true
    
    spring:
      config:
        activate:
          on-profile: ssl
    

    With the com.c4-soft.springaddons.security.issuers[].authorities[] properties, you can configure an auto-wired authorities converter. Here, I just set scp as the source for Spring authorities, but you can also define a prefix (something like ROLE_ or SCOPE_) and force upper or lower case.

    Browse the samples and tutorials for different use cases (servlets, resource servers, ...)

    With Spring Boot "official" starters

    The manual answers your question for:
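The same claim mapping done with the plain Spring Security resource-server API, as an added example that is not part of the answer above and not the spring-addons project's code. It assumes a servlet (non-reactive) resource server on Spring Security 6; the class name, bean names and the `/notifications/**` path are illustrative, and the two tokens built in `main` are constructed samples, not real JWTs. `JwtGrantedAuthoritiesConverter` accepts the claim either as a space-delimited string or as a JSON array, and since Spring Security 5.2 its default claim search already covers both `scope` and `scp`, so on a current version an empty authority set is worth tracing to something other than the claim name before overriding it; setting the name explicitly as below is still harmless and makes the intent visible.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not the answer's or spring-addons' code); assumes Spring Security 6, servlet stack.
@Configuration
public class ScpClaimSecurityConfig {

    // Reads authorities from the "scp" claim and keeps the conventional SCOPE_ prefix,
    // so hasAuthority("SCOPE_read_notifications.v1") works as it would for a "scope" claim.
    static JwtGrantedAuthoritiesConverter scpAuthoritiesConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("scp");
        authorities.setAuthorityPrefix("SCOPE_");
        return authorities;
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scpAuthoritiesConverter());
        return converter;
    }

    // Wires the converter into the resource server; "/notifications/**" is an illustrative path.
    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http, JwtAuthenticationConverter converter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/notifications/**").hasAuthority("SCOPE_read_notifications.v1")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }

    // Stand-alone check of the converter on constructed tokens (no signature, not real JWTs):
    // both the string form and the array form of "scp" yield SCOPE_-prefixed authorities.
    public static void main(String[] args) {
        JwtGrantedAuthoritiesConverter converter = scpAuthoritiesConverter();

        Jwt scpAsString = Jwt.withTokenValue("constructed-sample")
                .header("alg", "none")
                .claim("scp", "read_notifications.v1 write_notifications.v1")
                .build();
        Jwt scpAsArray = Jwt.withTokenValue("constructed-sample")
                .header("alg", "none")
                .claim("scp", List.of("read_notifications.v1"))
                .build();

        Collection<GrantedAuthority> fromString = converter.convert(scpAsString);
        Collection<GrantedAuthority> fromArray = converter.convert(scpAsArray);

        System.out.println("string claim -> " + fromString);
        System.out.println("array claim  -> " + fromArray);
    }
}
```

For the reactive stack shown in the answer, wrap the same `JwtAuthenticationConverter` in `ReactiveJwtAuthenticationConverterAdapter` and pass it to `ServerHttpSecurity.oauth2ResourceServer().jwt().jwtAuthenticationConverter(...)`; the claim-name and prefix settings are identical.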