
I am using App ID as an Identity Provider and Authorization Server to protect some back-end spring-boot applications. I have managed to set up the whole OAuth 2.0 Authorization Code flow to work but cannot manage to include custom scopes into the access token. The only scopes that appear in the access token are the App ID default ones: "openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated"

I have configured an appropriate role with the desired custom scopes and associated this role to the user profile. Furthermore, I have associated these custom scopes to the client application. Everything seems fine in the App ID dashboard. However, when I call the token endpoint either programmatically or via curl I always get the same default scopes in the access token.

Reading the Swagger, I should be able to specify the scopes for the password flow and bearer token, but I am in an OAuth 2.0 Authorization Code flow. Furthermore, even with the password credentials flow, I do not manage to get these custom scopes although I specify them in the request.

Has anyone encountered these problems? Any help would be much appreciated.

Many Thanks, Chris

data_henrik
chcortes

3 Answers


In order to see the application configured scopes in the token, you need to authenticate with the application that you configured scopes to and with the user you assigned the role to.

Meaning you should use username: client ID and password: secret of the application in the request authorization header, and authenticate with the user you assigned the matching role (which contains the scopes wanted).

The steps to add access control to your application:

  1. Go to Applications and define the application that you want to protect by adding scopes.
  2. Create your roles by going to Roles and profiles > Roles > Create role.
  3. Assign the roles to specific users by going to Roles and profiles > User profiles. Then, choose the user that you want to assign the role to and click the More options menu > Assign role.

For more information see AppID Access control docs: https://cloud.ibm.com/docs/services/appid?topic=appid-access-control


I have an App ID instance in us-south, and scopes are working fine for me with default Cloud Directory.

  1. create a new application (define your scopes)
  2. create a role and associate your application scope
  3. assign the role to a user
  4. call /token endpoint
Jeff Sloyer
Robin Sun

It happened to me before; I found that one way to solve it would be to inject the roles into the token claim and then instruct Spring Security to extract them. I wrote about it here in detail. The documentation explains the first part, but the gist is this cURL snippet:

curl -X PUT "https://$REGION.appid.cloud.ibm.com/management/v4/$TENANT_ID/config/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer $IAM_TOKEN" -d '{
   "access": {
         "expires_in": 3600
   },
   "refresh": {
         "enabled": true,
         "expires_in": 2592001
   },
   "anonymousAccess": {
         "enabled": false
   },
   "accessTokenClaims": [
         {
         "source": "roles"
         }
   ],
   "idTokenClaims": [
         {
         "source": "saml",
         "sourceClaim": "attributes.uid"
         }
   ]
}'

You can also do it in the Swagger UI. Note however that this is a PUT request, so it's going to overwrite any configuration you had beforehand. Ideally, run a GET request to get the current configuration, then add the claims into it to avoid issues.

Then, in the SecurityConfiguration, add this JWT converter:

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        //...
        .oauth2ResourceServer()
        .jwt()
        .jwtAuthenticationConverter(jwtAuthenticationConverter());
}

Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter() {
    JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
    // name of the token claim holding the roles; must match what App ID writes into the access token
    converter.setAuthoritiesClaimName("authorities");
    converter.setAuthorityPrefix(""); // so that the role has the same name as the one that comes from App ID
    JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(converter);
    return jwtAuthenticationConverter;
}

Now that Spring Security recognizes the roles, you can protect endpoints with annotations or with an antMatcher configuration:

// hasRole("ADMIN") checks for the authority "ROLE_ADMIN"; with the empty prefix above the
// App ID role must therefore be named ROLE_ADMIN, or use hasAuthority("ADMIN") instead
.antMatchers("/api/admin").hasRole("ADMIN")
Hassan
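The answer above warns that `/config/tokens` is a PUT that replaces the whole token configuration, so the claim should be merged into the current configuration rather than sent on its own. The following is an added example (not code from the answer, the linked post, or IBM) of that GET-merge-PUT sequence. It assumes the management URL shown in the answer, an IAM bearer token, that GET returns the same JSON document PUT accepts, and that the injected claim is `{"source": "roles"}` as in the answer; the sample configuration in `__main__` is constructed from the answer's JSON.

```python
"""Added example (not from the original answer): merge a roles claim into an
App ID token configuration without clobbering what is already there, since the
management /config/tokens endpoint is a PUT that replaces the whole document.

Assumptions (mine): the management URL from the answer, an IAM bearer token, and
that the GET response is the document PUT expects back. Network calls use only
urllib; merge_claims() itself is pure and is what the offline run exercises.
"""
import json
import urllib.request

# The claim the answer adds to accessTokenClaims.
ROLES_CLAIM = {"source": "roles"}


def merge_claims(current, token_type, new_claim):
    """Return a copy of `current` with `new_claim` appended to <token_type>Claims.

    Existing claims and all other settings are kept; an exact duplicate of
    `new_claim` is not appended a second time, so the call is idempotent.
    """
    if token_type not in ("accessToken", "idToken"):
        raise ValueError("token_type must be 'accessToken' or 'idToken'")
    key = f"{token_type}Claims"
    merged = json.loads(json.dumps(current))  # deep copy; never mutate the caller's object
    claims = merged.setdefault(key, [])
    if new_claim not in claims:
        claims.append(dict(new_claim))
    return merged


def token_config_url(region, tenant_id):
    return f"https://{region}.appid.cloud.ibm.com/management/v4/{tenant_id}/config/tokens"


def _call(method, url, iam_token, payload=None):
    """Minimal JSON request against the management API (network; not run offline)."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {iam_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def add_roles_claim(region, tenant_id, iam_token):
    """GET the live configuration, merge the roles claim, PUT only if something changed."""
    url = token_config_url(region, tenant_id)
    current = _call("GET", url, iam_token)
    updated = merge_claims(current, "accessToken", ROLES_CLAIM)
    if updated == current:
        return current  # already configured; nothing to overwrite
    return _call("PUT", url, iam_token, updated)


if __name__ == "__main__":
    # Constructed sample of an existing configuration (the answer's JSON without
    # the accessTokenClaims entry we are about to add).
    existing = {
        "access": {"expires_in": 3600},
        "refresh": {"enabled": True, "expires_in": 2592001},
        "anonymousAccess": {"enabled": False},
        "idTokenClaims": [{"source": "saml", "sourceClaim": "attributes.uid"}],
    }
    print(json.dumps(merge_claims(existing, "accessToken", ROLES_CLAIM), indent=2))
```

Running `add_roles_claim()` twice is safe: the second call sees the claim already present and skips the PUT, which also makes it a reasonable step in an idempotent deployment script.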