
Custom JWT authentication converter is ignored

Open Draudastic26 opened this issue 2 years ago • 5 comments

I'm submitting a

  • [X] bug report
  • [ ] feature request

Background info

With okta-spring-boot-starter it is not possible to use a custom JwtAuthenticationConverter like described in this tutorial: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

Expected behavior

A custom converter is used (Converter<Jwt, AbstractAuthenticationToken>).

What went wrong?

Configuration is ignored.

Steps to reproduce

See chapter 8 here: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

SDK Version

Spring Boot: 2.7.5
okta-spring-boot-starter: 2.1.6

Draudastic26 avatar Dec 22 '22 05:12 Draudastic26

When I use spring-boot-starter-oauth2-resource-server and remove the okta-spring-boot-starter dependency, it works as expected. Of course, you have to move the issuer URI from okta.oauth2.issuer to spring.security.oauth2.resourceserver.jwt.issuer-uri.

Draudastic26 avatar Dec 22 '22 05:12 Draudastic26

@Draudastic26 Thanks for posting!

I'd like to understand a bit more about your use case and the need for a custom JWT Authentication Converter. The Okta Spring Boot starter provides a converter that automatically takes care of converting claims in tokens to authorities.

Are you sure you are adding your custom JwtAuthenticationConverter bean to the SecurityChain in your oauth2ResourceServer config?

arvindkrishnakumar-okta avatar Dec 22 '22 11:12 arvindkrishnakumar-okta

Our customer has their own Okta instance, and the required info for our backend is just available in the id_token via the Okta userinfo endpoint. Also, the authorities (RACF and AD groups) are just available in the id_token via custom claims. This setup is fixed and can't be configured. My idea was to convert the JWT into an extended version of the JwtAuthenticationToken with the required fields from the userinfo endpoint. With that, I could also use the handy @PreAuthorize annotation. Everything works as expected, but only with the spring-boot-starter-oauth2-resource-server dependency and not with this Okta lib.

The security chain looks like this:

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.web.servlet.invoke // Kotlin DSL for Spring Security 5.7 (Boot 2.7)
import org.springframework.security.web.SecurityFilterChain

// Declared inside a @Configuration class.
@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
        oauth2ResourceServer {
            jwt {
                // CustomJwtConverter is my Converter<Jwt, AbstractAuthenticationToken>
                jwtAuthenticationConverter = CustomJwtConverter()
            }
        }
    }
    return http.build()
}
```

EDIT: I use Kotlin

Draudastic26 avatar Dec 22 '22 12:12 Draudastic26
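The converter the thread is about, as an added example that is not the issue author's code or part of okta-spring-boot: a Converter<Jwt, AbstractAuthenticationToken> that maps a custom groups claim to ROLE_ authorities and returns an extended JwtAuthenticationToken carrying an extra claim value, wired into the same Kotlin filter chain. The claim names "groups" and "employee_id", the "/admin/**" path and the ADMINS group are assumptions; as reported above, this configuration takes effect with spring-boot-starter-oauth2-resource-server, and the thread reports that the Okta starter overrides it.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.convert.converter.Converter
import org.springframework.security.authentication.AbstractAuthenticationToken
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.web.servlet.invoke // Spring Security 5.7 Kotlin DSL
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.jwt.Jwt
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
import org.springframework.security.web.SecurityFilterChain

/**
 * Extended authentication: the validated Jwt plus a convenience field taken from a claim.
 * The JwtDecoder has already checked signature, issuer and expiry before convert() runs,
 * so these values are only as trustworthy as the configured issuer.
 */
class EmployeeJwtAuthenticationToken(
    jwt: Jwt,
    authorities: Collection<GrantedAuthority>,
    val employeeId: String?,
) : JwtAuthenticationToken(jwt, authorities)

class CustomJwtConverter : Converter<Jwt, AbstractAuthenticationToken> {
    companion object {
        const val GROUPS_CLAIM = "groups"           // assumed custom claim with group names
        const val EMPLOYEE_ID_CLAIM = "employee_id" // assumed custom claim
        // Only well-formed group names become authorities; anything else is dropped.
        private val ALLOWED_GROUP = Regex("^[A-Za-z0-9_.-]{1,64}$")
    }

    override fun convert(jwt: Jwt): AbstractAuthenticationToken {
        // getClaimAsStringList returns null when the claim is absent -> no authorities.
        val groups = jwt.getClaimAsStringList(GROUPS_CLAIM).orEmpty()
        val authorities = groups
            .filter { ALLOWED_GROUP.matches(it) }
            .map { SimpleGrantedAuthority("ROLE_${it.uppercase()}") }
        return EmployeeJwtAuthenticationToken(
            jwt,
            authorities,
            jwt.getClaimAsString(EMPLOYEE_ID_CLAIM),
        )
    }
}

@Configuration
class ResourceServerConfig {
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeRequests {
                // Authorities produced by CustomJwtConverter drive URL authorization ...
                authorize("/admin/**", hasRole("ADMINS"))
                authorize(anyRequest, authenticated)
            }
            oauth2ResourceServer {
                jwt {
                    jwtAuthenticationConverter = CustomJwtConverter()
                }
            }
        }
        return http.build()
    }
}
```

With method security enabled, the same authorities back annotations such as @PreAuthorize("hasRole('ADMINS')"), and a controller can cast the Authentication to EmployeeJwtAuthenticationToken to read employeeId. Keeping the allow-list filter on group names means an unexpected or malformed claim value silently yields no authority rather than an odd ROLE_ string, which is the safer failure mode.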

@Draudastic26 Can you please check if this is still an issue with 3.0.3?

arvindkrishnakumar-okta avatar Apr 05 '23 16:04 arvindkrishnakumar-okta

Hi @arvindkrishnakumar-okta, I'm facing the same use case with the latest version, and it still happens. In fact, while debugging I saw it set Okta's converter twice. Ideally I'd like to be able to extend Okta's so I can create my custom principal for convenience methods.

egulias avatar May 29 '24 15:05 egulias