How to override OktaJwtAuthenticationConverter

I’m using the Okta Spring Boot starter, but the roles are not under the scp claim, and the structure is different too. Therefore I want to write a custom OktaJwtAuthenticationConverter to map the claims. Couldn’t find a way to override it, as it is a final class. Can anyone help with the approach?

Thanks for the question!

Do you have an example of what your token looks like? You could try extending JwtAuthenticationConverter instead and writing your own mapping there.

My token looks like the one below:

{
  "ver": 1,
  "jti": "xxxxxxxx",
  "iss": "https://dev-1111.okta.com/oauth2/default",
  "aud": "api://default",
  "iat": 1111,
  "exp": 11111,
  "cid": "aaaaaaaaaa",
  "uid": "aaaaaaaaaa",
  "scp": [
    "openid",
    "profile",
    "email"
  ],
  "sub": "test@test.com",
  "user-permissions": [
    "courseId:24,uniId:1,role:STUDENT",
    "courseId:12,uniId:3,role:INSTRUCTOR"
  ]
}

Please note that the “scp” values are of no use. I need to extract roles from the “user-permissions” claim.
The “user-permissions” custom claim is added via a Token Hook.

I tried to extend JwtAuthenticationConverter via WebSecurityConfig:

// WebSecurityConfig.java
import com.google.common.collect.ImmutableList;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
        ...
        .oauth2ResourceServer().jwt().jwtAuthenticationConverter(convert());
    }

    private Converter<Jwt, ? extends AbstractAuthenticationToken> convert() {
        JwtAuthenticationConverter converter = new CustomAuthenticationConverter();
        // For testing purposes: every token gets one fixed authority
        converter.setJwtGrantedAuthoritiesConverter(jwt -> ImmutableList.of(new SimpleGrantedAuthority("TEMPTEMPTMEP")));
        return converter;
    }
}

// CustomAuthenticationConverter.java
import java.util.Collection;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.util.Assert;

public class CustomAuthenticationConverter extends JwtAuthenticationConverter {

    public CustomAuthenticationConverter() {
        // The parent's (final) convert() only reads the converter registered through the parent's
        // setter, so the default mapper is passed to super instead of being kept in a field here
        // that the parent would never see.
        super.setJwtGrantedAuthoritiesConverter(new CustomJwtGrantedAuthorityConverter());
    }

    @Override
    public void setJwtGrantedAuthoritiesConverter(Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter) {
        Assert.notNull(jwtGrantedAuthoritiesConverter, "jwtGrantedAuthoritiesConverter cannot be null");
        super.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
    }
}

Even though I have this implementation, my guess is that, since I’m using the Okta Spring Boot starter, OktaJwtAuthenticationConverter is engaged, not my custom implementation.

To extract “user-permissions” you could simply use the stock OktaJwtAuthenticationConverter like below (without requiring a custom converter):

def authorities = new OktaJwtAuthenticationConverter("user-permissions").extractAuthorities(jwt)

and the authorities will contain the below items you need:

assertThat authorities, hasItems(
        new SimpleGrantedAuthority("courseId:24,uniId:1,role:STUDENT"),
        new SimpleGrantedAuthority("courseId:12,uniId:3,role:INSTRUCTOR"))

I’ve noticed that as well.
This comes from the fact that OktaOAuth2Configurer overwrites it no matter what has been configured:

While @akrishnakumar has a workaround for @sajhak’s problem,
it does not work for me.
I need to actually convert authority names (stripping a prefix).
Is there any way to get this done?

Thanks,
Marco
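An added example (not code from the thread, the Okta starter, or Spring Security) that covers both @akrishnakumar’s mapping of the “user-permissions” claim and Marco’s need to rename authorities by stripping a prefix. It is a plain Spring Security `Converter<Jwt, Collection<GrantedAuthority>>` that parses entries of the form `courseId:24,uniId:1,role:STUDENT`, ignores malformed entries, never falls back to `scp`, and optionally removes a prefix from the raw role value before applying the usual `ROLE_` prefix. The class name, the `stripPrefix`/`rolePrefix` parameters and the `COURSE_<id>_UNI_<id>_<ROLE>` authority format are assumptions for illustration; the token in `main` is constructed to mirror the one in the question.

```java
// UserPermissionsAuthoritiesConverter.java (added example; class and parameter names are hypothetical)
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

public class UserPermissionsAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    private static final String CLAIM = "user-permissions";

    private final String stripPrefix; // prefix removed from the raw role value in the token (may be "")
    private final String rolePrefix;  // prefix added to the result, e.g. "ROLE_" so hasRole("STUDENT") matches

    public UserPermissionsAuthoritiesConverter(String stripPrefix, String rolePrefix) {
        this.stripPrefix = stripPrefix == null ? "" : stripPrefix;
        this.rolePrefix = rolePrefix == null ? "" : rolePrefix;
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        // Only the custom claim is consulted; "scp" is deliberately ignored, as the question requires.
        List<String> entries = jwt.getClaimAsStringList(CLAIM);
        if (entries == null) {
            return authorities; // claim missing: grant nothing rather than falling back to another claim
        }
        for (String entry : entries) {
            String courseId = null, uniId = null, role = null;
            for (String pair : entry.split(",")) {
                String[] kv = pair.split(":", 2);
                if (kv.length != 2) {
                    continue; // not a "key:value" pair, skip it
                }
                String key = kv[0].trim();
                String value = kv[1].trim();
                if (key.equals("courseId")) courseId = value;
                else if (key.equals("uniId")) uniId = value;
                else if (key.equals("role")) role = value;
                // unknown keys are ignored
            }
            if (role == null || role.isEmpty()) {
                continue; // an entry without a role grants nothing
            }
            // Marco's case: drop a prefix the token carries before normalising the name.
            String name = role.startsWith(stripPrefix) ? role.substring(stripPrefix.length()) : role;
            name = name.toUpperCase(Locale.ROOT);
            authorities.add(new SimpleGrantedAuthority(rolePrefix + name));
            if (courseId != null && uniId != null) {
                // Scoped authority, so a check can be limited to one course of one university.
                authorities.add(new SimpleGrantedAuthority("COURSE_" + courseId + "_UNI_" + uniId + "_" + name));
            }
        }
        return authorities;
    }

    /** Wraps the mapper in the stock Spring Security JwtAuthenticationConverter. */
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new UserPermissionsAuthoritiesConverter("", "ROLE_"));
        return converter;
    }

    public static void main(String[] args) {
        // Constructed Jwt mirroring the token in the question. In a running resource server the
        // JwtDecoder produces this object only after verifying the signature against the issuer's keys,
        // so the claim is as trustworthy as the issuer that minted it.
        Jwt jwt = Jwt.withTokenValue("constructed-token")
                .header("alg", "RS256")
                .subject("test@test.com")
                .claim("scp", List.of("openid", "profile", "email"))
                .claim(CLAIM, List.of(
                        "courseId:24,uniId:1,role:STUDENT",
                        "courseId:12,uniId:3,role:INSTRUCTOR",
                        "courseId:7,uniId:2")) // constructed malformed entry: no role, must be ignored
                .build();
        Collection<GrantedAuthority> authorities =
                new UserPermissionsAuthoritiesConverter("", "ROLE_").convert(jwt);
        authorities.forEach(a -> System.out.println(a.getAuthority()));
    }
}
```

Registering it is the plain Spring Security call, `http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(UserPermissionsAuthoritiesConverter.jwtAuthenticationConverter())))`. This shows the claim mapping itself; it does not resolve the point raised above that the Okta starter’s configurer may replace whatever converter is registered this way.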

Anyone? :slightly_frowning_face:

Here’s a Haiku to overcome the minimum message requirement.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.