UchihaItachi1209
Hi Okta team,
I have been working with Okta as the authorization server in my application. I added a groups claim to the default auth server and am able to see the list of groups the user is part of in the access token under the added claim at the resource server (Spring Boot app, 2.3.4.RELEASE, Spring Security 5.3.4). However, I am unable to get the role validated with the approaches below:
1. Security config: modifying the SecurityWebFilterChain bean to include both scope- and role-based checks in ServerHttpSecurity. The security config already has scope-based authorization working. Tried with hasAuthority and hasRole:
http.authorizeExchange()
        // exact path first: "/api/ast/projects/**" also matches "/api/ast/projects", so the role rule has to come before it
        // hasRole prepends "ROLE_" itself, so the role is given without the prefix (the token claim value "ASTLead" becomes ROLE_ASTLead)
        .pathMatchers("/api/ast/projects").hasRole("ASTLead")
        .pathMatchers("/api/ast/projects/**").hasAuthority("SCOPE_project.read")
        .anyExchange().authenticated()
    .and()
    .oauth2ResourceServer()
        .jwt();
return http.build();
2. Enabling @EnableGlobalMethodSecurity(prePostEnabled = true) and using @PreAuthorize as given in this article, or directly on the method in the controller. Here I am required to add the "spring-security-oauth2-autoconfigure" dependency to be able to access the EnableGlobalMethodSecurity annotation. As per Spring Security 5, this is a bridge between the old OAuth support and the new OAuth 2.0 support, so I am not sure if this is really the right approach now.
I would appreciate some guidance on achieving role-based authorization with Spring Security 5. Sorry for being so verbose!
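An added example (not the poster's code and not an Okta answer) of the piece that is missing from the configuration above: out of the box the reactive resource server only turns the scp/scope claim into SCOPE_ authorities, so nothing in the token ever becomes a ROLE_ authority and hasRole / @PreAuthorize("hasRole(...)") can never match. The converter below keeps that default scope mapping and additionally maps every entry of the groups claim to ROLE_<group>. It assumes Spring Security 5.3 on WebFlux, a custom claim named "groups" on the Okta authorization server, and a group named "ASTLead"; those names are assumptions taken from the post. For the method-security part, @EnableReactiveMethodSecurity is the WebFlux counterpart of the servlet-stack @EnableGlobalMethodSecurity; both live in spring-security-config, which the resource-server starter already brings in, so no extra dependency is needed for it.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtGrantedAuthoritiesConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity // WebFlux equivalent of @EnableGlobalMethodSecurity; enables @PreAuthorize
public class ResourceServerConfig {

    // Assumption: the custom claim added to the Okta default auth server is named "groups".
    private static final String GROUPS_CLAIM = "groups";

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                // exact path first: "/api/ast/projects/**" also matches "/api/ast/projects"
                // hasRole adds the "ROLE_" prefix itself, so the group name is given bare
                .pathMatchers("/api/ast/projects").hasRole("ASTLead")
                .pathMatchers("/api/ast/projects/**").hasAuthority("SCOPE_project.read")
                .anyExchange().authenticated()
            .and()
            .oauth2ResourceServer()
                .jwt()
                    // replace the default (scope-only) converter with one that also maps groups
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());
        return http.build();
    }

    private Converter<Jwt, Mono<AbstractAuthenticationToken>> jwtAuthenticationConverter() {
        ReactiveJwtAuthenticationConverter converter = new ReactiveJwtAuthenticationConverter();
        // the adapter wraps a blocking Collection converter in the Flux-based one WebFlux expects
        converter.setJwtGrantedAuthoritiesConverter(
                new ReactiveJwtGrantedAuthoritiesConverterAdapter(new GroupsAndScopesConverter()));
        return converter;
    }

    /** Default SCOPE_ authorities plus one ROLE_ authority per entry of the groups claim. */
    static class GroupsAndScopesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

        // the stock converter: scp/scope claim -> SCOPE_<scope>, exactly what already works for the poster
        private final JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();

        @Override
        public Collection<GrantedAuthority> convert(Jwt jwt) {
            List<GrantedAuthority> authorities = new ArrayList<>(scopeConverter.convert(jwt));
            // getClaimAsStringList returns null when the claim is absent, so a token without
            // groups still authenticates but simply carries no roles
            List<String> groups = jwt.getClaimAsStringList(GROUPS_CLAIM);
            if (groups != null) {
                for (String group : groups) {
                    // "ASTLead" in the token becomes ROLE_ASTLead, which hasRole("ASTLead") checks for
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + group));
                }
            }
            return authorities;
        }
    }
}
```

With this in place, @PreAuthorize("hasRole('ASTLead')") on a controller method and .hasRole("ASTLead") in the filter chain both evaluate against the same ROLE_ASTLead authority derived from the token, and the scope checks keep working because the default scope mapping is retained rather than replaced. If the groups claim is named differently in your Okta authorization server, change GROUPS_CLAIM to match; the mapping is otherwise independent of the group names.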