
I'm trying to implement security using an OAuth2 resource server with Google as the authentication provider, and to add custom roles from a database by taking the email from the JWT token and looking it up in the database.

This is my configuration:

    @Bean
    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/csrf").permitAll()
                .anyRequest().authenticated()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .oauth2ResourceServer().jwt().decoder(jwtDecoder()).jwtAuthenticationConverter(jwtAuthenticationConverter())
                .and()
                .and()
                .cors().and()
                .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        return http.build();
    }

JWT decoder and authentication converter:

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuerUri);

        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);

        MappedJwtClaimSetConverter converter = MappedJwtClaimSetConverter.withDefaults(Collections.singletonMap("roles", customClaim -> getUserRolesFromDatabase()));
        jwtDecoder.setClaimSetConverter(converter);

        jwtDecoder.setJwtValidator(withIssuer);

        return jwtDecoder;
    }
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        grantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
        grantedAuthoritiesConverter.setAuthoritiesClaimName("roles");
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
        return jwtAuthenticationConverter;
    }

    public List<String> getUserRolesFromDatabase() {
        return Collections.singletonList("USER");
    }

How do I get the email claim from the bearer token so that I can use it in getUserRolesFromDatabase() and search for the roles in the database?

  • `withDefaults(Collections.singletonMap("roles"` here you are saying: get the custom claim `roles` from the JWT and then call some function... Shouldn't this be `email`, and then pass it to your function to search the database? – Toerktumlare Jul 09 '22 at 21:12
  • @Toerktumlare Sorry for not making this example clearer. `withDefaults(Collections.singletonMap("roles"` creates a new claim in the JWT token. There should be an email parameter passed to `getUserRolesFromDatabase()`, which then searches for the list of roles assigned to this email. My problem is accessing the claim "email" of the unchanged token. – Salav Jul 09 '22 at 22:17
  • According to the documentation that is not true. A `MappedJwtClaimSetConverter` converts a claim to a Java object. It does not `create new claim in Token`; it takes a claim and converts it. So you should do something like `MappedJwtClaimSetConverter.withDefaults(Collections.singletonMap("email", email -> getUserRolesFromDatabase(email)))`. Docs for reference: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-claimsetmapping – Toerktumlare Jul 09 '22 at 22:24
  • @Toerktumlare thank you for answering. Thanks to your comments I looked at it from a different point of view, and with the documentation I was able to resolve this issue by writing an adapter similar to the one included in the docs. – Salav Jul 09 '22 at 23:23
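The adapter the comments point to, written out as an added example (not the asker's or Spring Security's code): a claim-set converter that runs the default `MappedJwtClaimSetConverter` conversions, then reads the token's `email` claim and attaches a `roles` claim from a caller-supplied lookup. The lookup function is a hypothetical stand-in for the database query the question describes; the `email_verified` check is an added guard against tokens whose address Google has not verified.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;

// Adapter in the style of the claim-set-mapping section of the Spring Security docs:
// delegate the standard claim conversions, then derive "roles" from "email".
public class EmailRolesClaimSetConverter
        implements Converter<Map<String, Object>, Map<String, Object>> {

    // Default conversions for the standard claims (iss, aud, exp, ...); no custom ones.
    private final MappedJwtClaimSetConverter delegate =
            MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());

    // Hypothetical lookup, e.g. a repository method that returns the roles for an email.
    private final Function<String, List<String>> rolesByEmail;

    public EmailRolesClaimSetConverter(Function<String, List<String>> rolesByEmail) {
        this.rolesByEmail = rolesByEmail;
    }

    @Override
    public Map<String, Object> convert(Map<String, Object> claims) {
        // Copy: the delegate's result should not be mutated in place.
        Map<String, Object> converted = new HashMap<>(this.delegate.convert(claims));
        Object email = converted.get("email");
        // Only trust the address when the provider marked it verified (Google ID tokens
        // carry an "email_verified" boolean); otherwise grant no roles at all.
        boolean verified = Boolean.TRUE.equals(converted.get("email_verified"));
        List<String> roles = (email instanceof String && verified)
                ? this.rolesByEmail.apply((String) email)
                : Collections.emptyList();
        // JwtGrantedAuthoritiesConverter (claim name "roles", prefix "ROLE_") picks this up.
        converted.put("roles", roles);
        return converted;
    }

    // Wiring inside the question's jwtDecoder() bean, replacing the original
    // setClaimSetConverter call; userRoleRepository is a hypothetical bean.
    //   jwtDecoder.setClaimSetConverter(
    //           new EmailRolesClaimSetConverter(userRoleRepository::findRolesByEmail));
}
```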
