Custom JWT authentication converter is ignored #508

Open
1 of 2 tasks
Draudastic26 opened this issue Dec 22, 2022 · 6 comments
@Draudastic26

I'm submitting a

  • bug report
  • feature request

Background info

With okta-spring-boot-starter it is not possible to use a custom JwtAuthenticationConverter like described in this tutorial: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

Expected behavior

A custom converter is used (Converter<Jwt, AbstractAuthenticationToken>).

What went wrong?

Configuration is ignored.

Steps to reproduce

See chapter 8 here: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

SDK Version

Spring Boot: 2.7.5
okta-spring-boot-starter: 2.1.6

@Draudastic26
Author

When I use spring-boot-starter-oauth2-resource-server and remove the okta-spring-boot-starter dependency, it works as expected.
Of course, you have to move the issuer URI from okta.oauth2.issuer to spring.security.oauth2.resourceserver.jwt.issuer-uri.

@arvindkrishnakumar-okta
Contributor

@Draudastic26 Thanks for posting!

I'd like to understand a bit more about your use case and the need for a custom JWT Authentication Converter. The Okta Spring Boot starter provides a converter that automatically takes care of converting claims in tokens to authorities.

Are you sure you are adding your custom JwtAuthenticationConverter bean to the SecurityChain in your oauth2ResourceServer config?

@Draudastic26
Author

Draudastic26 commented Dec 22, 2022

Our customer has their own Okta instance, and the required info for our backend is only available in the id_token via the Okta userinfo endpoint. Also, the authorities (RACF and AD groups) are only available in the id_token via custom claims. This setup is fixed and can't be configured. My idea was to convert the JWT into an extended version of the JwtAuthenticationToken with the required fields from the userinfo endpoint. With that, I could also use the handy @PreAuthorize annotation. Everything works as expected, but only with the spring-boot-starter-oauth2-resource-server dependency and not with this Okta lib.

The security chain looks like this:

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.web.SecurityFilterChain

@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
        oauth2ResourceServer {
            jwt {
                // custom Converter<Jwt, AbstractAuthenticationToken>
                jwtAuthenticationConverter = CustomJwtConverter()
            }
        }
    }
    return http.build()
}
```

EDIT: I use Kotlin
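As an added example (not code from the issue author or from the okta-spring-boot project), here is the pattern the comment above describes, written in Java against the plain Spring Security resource-server API: a custom Converter<Jwt, AbstractAuthenticationToken> that maps a custom claim to authorities, wraps the result in an extended JwtAuthenticationToken carrying an extra principal field, and is registered in the filter chain. The claim name `groups`, the `employeeId` field and the `userInfoLookup` hook are assumptions; the example shows the converter itself and says nothing about why the Okta starter ignores it.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

/** JwtAuthenticationToken extended with a field the application needs beyond the JWT itself. */
class ExtendedJwtAuthenticationToken extends JwtAuthenticationToken {
    // Hypothetical field; in this example it is taken from the userinfo lookup.
    private final String employeeId;

    ExtendedJwtAuthenticationToken(Jwt jwt, Collection<? extends GrantedAuthority> authorities, String employeeId) {
        super(jwt, authorities);
        this.employeeId = employeeId;
    }

    String getEmployeeId() {
        return employeeId;
    }
}

/** Maps an assumed custom "groups" claim to ROLE_* authorities and builds the extended token. */
class GroupsClaimJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {
    private static final String GROUPS_CLAIM = "groups"; // assumed claim name, not from the page

    // Hook for the userinfo call; the caller supplies how to fetch it (real HTTP call or cache).
    private final Function<Jwt, Map<String, Object>> userInfoLookup;

    GroupsClaimJwtConverter(Function<Jwt, Map<String, Object>> userInfoLookup) {
        this.userInfoLookup = userInfoLookup;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // A missing or non-list claim yields no authorities rather than an exception.
        List<String> groups = jwt.getClaimAsStringList(GROUPS_CLAIM);
        List<GrantedAuthority> authorities = new ArrayList<>();
        if (groups != null) {
            for (String group : groups) {
                // ROLE_ prefix so that @PreAuthorize("hasRole('...')") matches the group name.
                authorities.add(new SimpleGrantedAuthority("ROLE_" + group));
            }
        }

        Map<String, Object> userInfo = userInfoLookup.apply(jwt);
        Object employeeId = userInfo == null ? null : userInfo.get("employeeId");
        return new ExtendedJwtAuthenticationToken(jwt, authorities,
                employeeId == null ? null : employeeId.toString());
    }
}

@Configuration
class ResourceServerConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Stand-in lookup for the example: replace with a call to the issuer's userinfo endpoint.
        GroupsClaimJwtConverter converter = new GroupsClaimJwtConverter(jwt -> Map.of());

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

Because the converter returns an AbstractAuthenticationToken, the extra field is reachable from a controller via `SecurityContextHolder.getContext().getAuthentication()` cast to ExtendedJwtAuthenticationToken, and the ROLE_ authorities work with `@PreAuthorize("hasRole('...')")` unchanged. The issuer still has to be set through `spring.security.oauth2.resourceserver.jwt.issuer-uri` for the JwtDecoder to be auto-configured.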

@arvindkrishnakumar-okta
Contributor

@Draudastic26 Can you please check if this is still an issue with 3.0.3?

@egulias

egulias commented May 29, 2024

Hi @arvindkrishnakumar-okta, I'm facing the same use case with the latest version, and it still happens.
In fact, while debugging I saw it set Okta's converter twice.
Ideally I'd like to be able to extend Okta's, to create my custom principal for convenience methods.

@PudgeXD

PudgeXD commented Nov 22, 2024

Encountered the same problem; for a custom converter, I stepped back to adopting plain Spring Security.

4 participants