How to override OktaJwtAuthenticationConverter

I’m using okta spring boot starter, but the roles are not under the scp, also the structure is different too. Therefore I want to write a custom OktaJwtAuthenticationConverter, to map the claims. Couln’t fina a way to override as it is a final class. If anyone can help with the approach?

Thanks for the question!

Do you have an example of how your token looks like? You can possibly try to extend JwtAuthenticationConverter instead and write your own mapping there.

My token looks like below

  "ver": 1,
  "jti": "xxxxxxxx",
  "iss": "",
  "aud": "api://default",
  "iat": 1111,
  "exp": 11111,
  "cid": "aaaaaaaaaa",
  "uid": "aaaaaaaaaa",
  "scp": [
  "sub": "",
  "user-permissions": [

Please note that “scp” values are of no use. Need to extract roles from “user-permissions” claim
“user-permissions” custom claim is added via Token Hook

I tried to extend JwtAuthenticationConverter via WebSecurityConfig,

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

protected void configure(HttpSecurity http) throws Exception {

private Converter<Jwt, ? extends AbstractAuthenticationToken> convert() {
    JwtAuthenticationConverter converter = new CustomAuthenticationConverter();
    converter.setJwtGrantedAuthoritiesConverter(jwt -> ImmutableList.of(new 
                     SimpleGrantedAuthority("TEMPTEMPTMEP")));  // For testing purposes
    return converter;


public class CustomAuthenticationConverter extends JwtAuthenticationConverter {
    private Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter = new CustomJwtGrantedAuthorityConverter();

public void setJwtGrantedAuthoritiesConverter(Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter) {
        Assert.notNull(jwtGrantedAuthoritiesConverter, "jwtGrantedAuthoritiesConverter cannot be null");
        this.jwtGrantedAuthoritiesConverter = jwtGrantedAuthoritiesConverter;

Even though I have this implementation, what I guess is since I’m using okta spring boot starter, OktaJwtAuthenticationConverter is engaged, not my custom implementation

To extract “user-permissions” you could simply use the stock OktaJwtAuthenticationConverter like below (without requiring a custom converter):

def authorities = new OktaJwtAuthenticationConverter("user-permissions").extractAuthorities(jwt)

and the authorities will contain the below items you need:

assertThat authorities, hasItems(
            new SimpleGrantedAuthority("courseId:24,uniId:1,role:STUDENT"),
            new SimpleGrantedAuthority("courseId:12,uniId:3,role:INSTRUCTOR"))