auth0-samples/auth0-spring-security-api-sample

Authentication not attempted

gaston-snap opened this issue · 5 comments

gaston-snap commented

Following the instructions, setting a M2M API with 1 permission and applying all the changes I see no authentication nor error when I hit the endpoint /private-scoped.

Steps to reproduce

  1. Create an API with 2 permission (read:messages and write:messages)

  2. Assign only read:messages to a M2M Application

  3. Create a controller and setup the SecurityConfig with 4 endpoints

    1. /public (GET) with permitAll
    2. /private (GET) with authenticated
    3. /private-scoped (GET) with hasAuthority(read:messages)
    4. /private-scoped (POST) with hasAuthority(write:messages)

  4. Get the token, which includes: scope:[read:messages]

  5. Call /private-scoped (POST)

  6. Getting successful response back (this should not happen)

Version

  • SpringBoot 2.1.3
  • Auth0 artifacts
    • com.auth0.auth0-spring-security-api:1.2.4

Snippets

@Override
  protected void configure(HttpSecurity http) throws Exception {
    http.cors();
    JwtWebSecurityConfigurer
            .forRS256(apiAudience, issuer)
            .configure(http)
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/public").permitAll()
            .antMatchers(HttpMethod.GET, "/api/private").authenticated()
            .antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("read:messages")
            .antMatchers(HttpMethod.POST, "/api/private-scoped").hasAuthority("write:messages");
  }
  
  @Bean
  CorsConfigurationSource corsConfigurationSource() {
      CorsConfiguration configuration = new CorsConfiguration();
      configuration.setAllowedOrigins(Arrays.asList("http://localhost:8443"));
      configuration.setAllowedMethods(Arrays.asList("GET","POST"));
      configuration.setAllowCredentials(true);
      configuration.addAllowedHeader("Authorization");
      UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
      source.registerCorsConfiguration("/**", configuration);
      return source;
  }
lbalmaceda commented

@ggamietea-snap hi! I see you mention in the repro steps that you create permissions with the values read:permission and write:permission. But then in the code, you show that the hasAuthority call uses read:messages and write:messages instead. Are you sure you are setting the scope you have created there?

gaston-snap commented

Sorry, typo... it's read:messages and write:messages, I'll change the post... either way it should fail right?

jimmyjames commented

Hi @ggamietea-snap 👋!

I tried to reproduce using Spring Boot 2.1.3, and the following security configuration as you used:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors();
        JwtWebSecurityConfigurer
                .forRS256(apiAudience, issuer)
                .configure(http)
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/public").permitAll()
                .antMatchers(HttpMethod.GET, "/api/private").authenticated()
                .antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("read:messages")
                .antMatchers(HttpMethod.POST, "/api/private-scoded").hasAuthority("write:messages");
    }

Your instructions state in Step 5 to make a POST request to /api/private-scoped using a token with only the read:messages scope, but your antMatchers specify the POST route for the /api/private-scoped endpoint. Perhaps a typo?

Either way, if I issue a POST to /api/private-scoded using a token with only the read:messages scope, I receive a 403 as I'd expect:

{
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/api/private-scoded",
    "status": 403,
    "timestamp": "2019-07-19T17:10:14.961+0000"
}

I get the same result if changing the antMatcher handle POST requests to /api/private-scoped:

.antMatchers(HttpMethod.POST, "/api/private-scoped").hasAuthority("write:messages")

Just to be sure the token has your expected scopes, try pasting it into https://jwt.io and verify that the token only has the read:messages scope. If it does and you're still seeing this issue, perhaps something else is going on we can try and figure out.

gaston-snap commented

Hi @jimmyjames ,
Not sure why, but after I've recreated the Postman collection it looks like it's working as you are describing.
Sorry for this...
Thanks to @lbalmaceda as well... I'll close this...

lbalmaceda commented

Ah!! Using Postman I used to run into a certificate error when hitting https URLs from my computer (e.g. https://localhost:8080) and I had to turn off an SSL verification setting. Now I always test with curl 💁‍♂ (or https://httpie.org/).