Spring Security Authorization to a URL based on Claim Value

spring
java

#1

Hi,
I am a newbie to Spring Security. I am developing my web app based on OIDC using Spring Boot.
I am trying to authorize a URL based on the claim value returned from Okta. Here is my case.

I have an admin URL, /admin, and a custom claim along with the default claims set up in Okta. I am getting authenticated, and after that from the userInfo URL I get the claim values, which contain the list of Groups (like prov1, prov2, ProvAdmin).
From the above claim, Groups, I have to authorize the user for my /admin URL if that list contains the ProvAdmin group. So basically, only if the user has the group ProvAdmin will the user be authorized for the /admin URL.

Below is my Spring Security config:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // mvcMatchers("/admin") needs an access rule before the chain continues; "ProvAdmin" must be mapped from the groups claim to a GrantedAuthority for it to match
                .mvcMatchers("/admin").hasAuthority("ProvAdmin")
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .loginPage("/customOAuth2Login_Okta").permitAll()
            .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/performLogOut")).permitAll();
    }
}

any help is appreciated

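The mapping the question asks for, as an added example that is not code from the original post: a Spring Security 5 oauth2Login configuration with a GrantedAuthoritiesMapper that turns every entry of the groups claim (read from the ID token and, when Spring fetched it, from UserInfo) into a GrantedAuthority with no prefix, so that hasAuthority("ProvAdmin") on /admin matches exactly the users whose group list contains ProvAdmin. Assumptions: Spring Security 5.2 or later with the lambda DSL and the WebSecurityConfigurerAdapter (removed in 6.x); the claim is named "groups", Okta's default (the question spells it "Groups"); the class, field and method names are mine.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class GroupsClaimSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed claim name: Okta's default groups claim is "groups"; adjust if you named it differently.
    static final String GROUPS_CLAIM = "groups";
    // The group that gates /admin, taken from the question.
    static final String ADMIN_GROUP = "ProvAdmin";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // Only principals holding the ProvAdmin authority may reach /admin and anything below it
                .mvcMatchers("/admin", "/admin/**").hasAuthority(ADMIN_GROUP)
                .anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                .loginPage("/customOAuth2Login_Okta").permitAll()
                // Runs after the ID token (and UserInfo, if fetched) is available for the login
                .userInfoEndpoint(userInfo -> userInfo.userAuthoritiesMapper(groupsAuthoritiesMapper())))
            .logout(logout -> logout
                .logoutRequestMatcher(new AntPathRequestMatcher("/performLogOut")).permitAll());
    }

    /**
     * Keeps the default authorities Spring assigns (ROLE_USER, SCOPE_*, OIDC_USER) and adds one
     * authority per group name, unprefixed, so hasAuthority("ProvAdmin") matches the group directly.
     */
    @Bean
    GrantedAuthoritiesMapper groupsAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    // groups may be in the ID token (Okta claim configured on the ID token) ...
                    mapped.addAll(groupAuthorities(oidc.getIdToken().getClaimAsStringList(GROUPS_CLAIM)));
                    // ... or only in the UserInfo response, which is null when Spring did not call it
                    if (oidc.getUserInfo() != null) {
                        mapped.addAll(groupAuthorities(oidc.getUserInfo().getClaimAsStringList(GROUPS_CLAIM)));
                    }
                }
            }
            return mapped;
        };
    }

    /** Converts group names to authorities; a missing claim yields no authorities rather than an error. */
    static Set<GrantedAuthority> groupAuthorities(List<String> groups) {
        Set<GrantedAuthority> result = new HashSet<>();
        if (groups == null) {
            return result;
        }
        for (String group : groups) {
            if (group != null && !group.isEmpty()) {
                result.add(new SimpleGrantedAuthority(group));
            }
        }
        return result;
    }
}
```

Spring only calls the UserInfo endpoint when the client registration has a user-info-uri and the access token carries one of the profile, email, address or phone scopes; if your groups claim is delivered only through UserInfo, make sure those conditions hold, or configure Okta to put the claim into the ID token as well. Authority names are compared case-sensitively, so "ProvAdmin" in Okta must match hasAuthority("ProvAdmin") exactly.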

#2

Hi Marc,
I have a similar implementation. On the front end we have a React app, and we use the Okta SignInWidget for the login and store the (JWT) token.

  1. On the Okta side we generate the token with the groups claim in it.

  2. Under our SPA Okta application sign-on setup, I've set up a group claim filter under OpenID Connect ID Token.

  3. That claim is named authorities (instead of groups). By default Spring Security OAuth expects that name, but you can customize it.

  4. On the Spring Boot side, here's an example configuration from my project:

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Primary;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

    @Configuration
    @EnableResourceServer
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig extends ResourceServerConfigurerAdapter {

        /**
         * Okta client id to validate the JWT token against (compared with the token's aud claim)
         */
        @Value("[The client id that your SPA application setup shows in Okta]")
        String resourceId;

        /**
         * JSON Web Keys endpoint that our resource server will look up keys from to validate the signature
         */
        @Value("${your okta base-url}/oauth2/v1/keys") // this would correspond to your default authorization server I believe
        String jwksUrl;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .httpBasic().disable()
                .authorizeRequests()
                    // PROTECTED ENDPOINTS: only tokens whose authorities claim contains "Admin" get through
                    .antMatchers("your url path").hasAuthority("Admin")
                .and()
                .csrf().disable() // not needed with oauth2 bearer tokens
                ;
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
            // resourceId makes the token's aud claim part of the validation
            resources.tokenServices(tokenServices()).resourceId(resourceId);
        }

        @Bean
        @Primary
        public DefaultTokenServices tokenServices() throws Exception {
            DefaultTokenServices tokenServices = new DefaultTokenServices();
            tokenServices.setTokenStore(tokenStore());
            return tokenServices;
        }

        @Bean
        public TokenStore tokenStore() throws Exception {
            // Verifies the JWT signature against the keys published at jwksUrl
            return new JwkTokenStore(jwksUrl);
        }
    }

Hope this helps!
-Amit
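
The same resource-server setup written against Spring Security 5's built-in oauth2ResourceServer support, as an added example that is not code from the answer above: a JWT sent by the SPA is verified against the JWKS endpoint, its issuer is checked, and its aud claim must contain the client id (the counterpart of resourceId(...) in the legacy adapter; Spring Security 5 does not check aud unless you add a validator), and the groups claim, rather than a claim renamed to authorities, is turned into unprefixed authorities for hasAuthority checks. Assumptions: Spring Security 5.3 or later with spring-boot-starter-oauth2-resource-server and the WebSecurityConfigurerAdapter (removed in 6.x); the property names okta.issuer, okta.jwk-set-uri and okta.client-id and the claim name "groups" are mine.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class JwtResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Assumed property names. issuer: the Okta authorization server that mints the token
    // (e.g. https://your-org.okta.com/oauth2/default); jwkSetUri: its /v1/keys endpoint;
    // clientId: the SPA application's client id, which Okta places in the aud claim.
    @Value("${okta.issuer}")
    String issuer;

    @Value("${okta.jwk-set-uri}")
    String jwkSetUri;

    @Value("${okta.client-id}")
    String clientId;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable()) // bearer-token API: no cookie session for CSRF to ride on
            .authorizeRequests(authz -> authz
                .mvcMatchers("/admin/**").hasAuthority("ProvAdmin")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs
                .jwt(jwt -> jwt
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(jwtAuthenticationConverter())));
    }

    /**
     * Signature check against the JWKS, the default timestamp check, an issuer check, and an
     * explicit audience check. Without the last one any token from the same issuer would be accepted.
     */
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, new AudienceValidator(clientId)));
        return decoder;
    }

    /** Reads the "groups" claim and uses each group name, unprefixed, as a GrantedAuthority. */
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter groups = new JwtGrantedAuthoritiesConverter();
        groups.setAuthoritiesClaimName("groups"); // assumed claim name, as configured in Okta
        groups.setAuthorityPrefix("");            // the default prefix would produce SCOPE_ProvAdmin
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(groups);
        return converter;
    }

    /** Rejects tokens whose aud claim does not contain the expected client id. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "token audience does not include " + audience, null));
        }
    }
}
```

With prePostEnabled, the same authority also works at the method level, e.g. @PreAuthorize("hasAuthority('ProvAdmin')") on a service method, which catches callers that bypass the /admin URL mapping.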