
Permissions support #36

Closed
4 of 5 tasks
skjolber opened this issue Sep 16, 2019 · 2 comments · Fixed by #40

@skjolber

Support API permissions.

Description

We're getting tokens with permissions from Auth0.

Replace scopes with permissions, in AuthenticationJsonWebToken.java.

{
  "iss": "https://x.y.z.org/",
  "sub": "u.i",
  "aud": [
    "https://my.dev.env.org",
    "https://my-dev.x.auth0.com/userinfo"
  ],
  "iat": 1568211075,
  "exp": 1568114275,
  "azp": "o.p.q",
  "scope": "openid profile email",
  "permissions": [
    "stuff:configure",
    "sop:configure",
    "settings:configure",
    "turnover:view",
    "admin:configure"
  ]
}

We would like to use these in method-based security in Spring.

Prerequisites

Environment

Latest master version.

Reproduction

Authenticate user with single page application.

@jimmyjames
Contributor

Hi @skjolber,

I don't think we want to replace creating GrantedAuthority from scopes with permissions, as scopes still are valid. But I agree we do need to evaluate support for allowing APIs to be secured using the permissions claim.

Spring 5 does this by adding a prefix to the GrantedAuthority, e.g., SCOPE_read:messages, and allows for creating custom extractors to enable using different claims, etc. We could consider following a similar pattern (while not breaking existing implementations by requiring the SCOPE_ prefix). I'm not yet sure how feasible it will be to enable custom Authority extractors here, but it's also something to consider.
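
An added example (not code from this issue or from the project) of the Spring 5 pattern described above: a custom authorities converter that maps both the space-delimited "scope" claim and the Auth0 "permissions" array from the token payload shown in the issue into GrantedAuthority values, keeping Spring's SCOPE_ prefix for scopes and using a separate prefix for permissions so the two can never be confused in an access rule. The class name and the PERMISSION_ prefix are assumptions; the Spring Security 5.2+ resource-server API is used rather than AuthenticationJsonWebToken.java.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

/** Maps the "scope" claim (space-delimited string) and the Auth0 "permissions"
 *  claim (JSON array) to GrantedAuthority instances with distinct prefixes.
 *  Class name and PERMISSION_ prefix are assumptions for this example. */
public class ScopeAndPermissionAuthoritiesConverter
        implements Converter<Jwt, Collection<GrantedAuthority>> {
    static final String SCOPE_PREFIX = "SCOPE_";
    static final String PERMISSION_PREFIX = "PERMISSION_";

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        // "scope": "openid profile email" -> SCOPE_openid, SCOPE_profile, SCOPE_email
        String scope = jwt.getClaimAsString("scope");
        if (scope != null) {
            for (String s : scope.trim().split("\\s+")) {
                if (!s.isEmpty()) {
                    authorities.add(new SimpleGrantedAuthority(SCOPE_PREFIX + s));
                }
            }
        }
        // "permissions": ["turnover:view", ...] -> PERMISSION_turnover:view, ...
        List<String> permissions = jwt.getClaimAsStringList("permissions");
        if (permissions != null) {
            for (String p : permissions) {
                authorities.add(new SimpleGrantedAuthority(PERMISSION_PREFIX + p));
            }
        }
        return authorities;
    }

    /** Wires the converter into Spring Security's JWT authentication. */
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new ScopeAndPermissionAuthoritiesConverter());
        return converter;
    }
}
```

With this wired in, a method can be guarded with @PreAuthorize("hasAuthority('PERMISSION_turnover:view')") while existing rules on SCOPE_ authorities keep working unchanged.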

@stale

stale bot commented Dec 24, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

@stale stale bot added the closed:stale Issue or PR has not seen activity recently label Dec 24, 2019
@stale stale bot closed this as completed Dec 31, 2019
@jimmyjames jimmyjames reopened this Jan 23, 2020
@stale stale bot removed the closed:stale Issue or PR has not seen activity recently label Jan 23, 2020
@jimmyjames jimmyjames self-assigned this Jan 23, 2020