Authorities for rest client service

Hi Guys,

I am creating service clients for our 3rd party user apps to authenticate via client credentials on our app (Okta client).
I want to secure our REST API interfaces in Spring Boot with groups/role based auth via preAuthorize.

Basically, I want to add the non-user client apps to a user group and ensure that they have the correct rights when calling specific REST APIs.

How can I achieve something of the sorts with Okta?
I was hoping that maybe the app can be added to a group and then have role based validation on it.
but some other app specific fields that can be checked via access_token would be fine as well.

regards

Hey @derikvlog I think I understand what you are asking, but if I’m missing something let me know!

For a client credentials example take a look at this post: https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot#comment-4058490606

From that point using preAuthorize is pretty easy, but instead of groups/roles you can use a custom OAuth scope (also shown in the above post). Similar to how this resource server example works:

I want to point out the two steps needed in order to enable the scope checks when using preAuthorize

Enable it: https://github.com/okta/samples-java-spring/blob/master/resource-server/src/main/java/com/okta/spring/example/ResourceServerExampleApplication.java#L36-L42

Use it: https://github.com/okta/samples-java-spring/blob/master/resource-server/src/main/java/com/okta/spring/example/ResourceServerExampleApplication.java#L61

IIRC, future versions of Spring Security are going to remove the need for the first step (and the second would be “hasAuthority” call), but for now, it is two steps.

Keep us posted!

Hi bdemers,

I think I am missing something here.

I did use your sample before I asked this question and it works nicely for the example (thanks and 2 thumbs up for the example)

But I'm not sure how it will work in a real world scenario.
The scope is set up in the auth server, not on the application, so how would I tighten up access in a real world setup by changing app rights?

For instance:
I have 2 REST calls - RestCallA() and RestCallB()
I have scope: 3rdPartyclientRestApp

Let's say app Y had access to both calls, but due to some inter-company business agreement change we now want to prevent client Y from accessing our RestCallA interface while still having access to RestCallB.
How would I now prevent client Y from accessing RestCallA?

Thanks

Hey @derikvlog!

There are a few things you could do; one of the easiest might be to add additional information into the token, such as group membership (you can see an example in this post).
Then you can use these groups as Spring authorities. In your case each of your restCallX() methods would be annotated with the appropriate group.
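As an added example (not code from the thread or from the Okta samples), here is how the group-claim approach from the answer above can be wired up in a Spring Security 5.2+ resource server: a `groups` claim in the access token is mapped to `GROUP_*` authorities, and each REST call is gated on its own group, so revoking a client's access to RestCallA is a group-membership change in Okta rather than a code change. The claim name `groups` and the group names `restcall-a-clients` / `restcall-b-clients` are assumptions for this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on methods
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(jwt -> jwt.jwtAuthenticationConverter(groupsConverter())));
    }

    private JwtAuthenticationConverter groupsConverter() {
        // Assumption: the Okta authorization server adds a "groups" claim (array of group
        // names) to the client-credentials access token. Each entry becomes a GROUP_ authority.
        // Note: this replaces the default SCOPE_ mapping; only the groups claim is consulted.
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("groups");
        authorities.setAuthorityPrefix("GROUP_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

@RestController
class RestCallController {
    // Removing client Y from "restcall-a-clients" in Okta denies RestCallA on the next
    // token it obtains, while membership in "restcall-b-clients" keeps RestCallB working.
    @GetMapping("/restCallA")
    @PreAuthorize("hasAuthority('GROUP_restcall-a-clients')")
    public String restCallA() { return "A"; }

    @GetMapping("/restCallB")
    @PreAuthorize("hasAuthority('GROUP_restcall-b-clients')")
    public String restCallB() { return "B"; }
}
```

A group change only takes effect once the client obtains a fresh access token, so keep the token lifetime on the authorization server short enough for the revocation window your business agreement requires.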