Authentication not attempted
gaston-snap opened this issue · 5 comments
Following the instructions, setting a M2M API with 1 permission and applying all the changes I see no authentication nor error when I hit the endpoint /private-scoped.
Steps to reproduce
-
Create an API with 2 permission (
read:messages
andwrite:messages
) -
Assign only
read:messages
to a M2M Application -
Create a controller and setup the SecurityConfig with 4 endpoints
- /public (GET) with permitAll
- /private (GET) with authenticated
- /private-scoped (GET) with hasAuthority(
read:messages
) - /private-scoped (POST) with hasAuthority(
write:messages
)
-
Get the token, which includes:
scope:[read:messages]
-
Call /private-scoped (POST)
-
Getting successful response back (this should not happen)
Version
- SpringBoot 2.1.3
- Auth0 artifacts
- com.auth0.auth0-spring-security-api:1.2.4
Snippets
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors();
JwtWebSecurityConfigurer
.forRS256(apiAudience, issuer)
.configure(http)
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/public").permitAll()
.antMatchers(HttpMethod.GET, "/api/private").authenticated()
.antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("read:messages")
.antMatchers(HttpMethod.POST, "/api/private-scoped").hasAuthority("write:messages");
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://localhost:8443"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
configuration.setAllowCredentials(true);
configuration.addAllowedHeader("Authorization");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@ggamietea-snap hi! I see you mention in the repro steps that you create permissions with the values read:permission
and write:permission
. But then in the code, you show that the hasAuthority
call uses read:messages
and write:messages
instead. Are you sure you are setting the scope you have created there?
Sorry, typo... it's read:messages
and write:messages
, I'll change the post... either way it should fail right?
Hi @ggamietea-snap
I tried to reproduce using Spring Boot 2.1.3, and the following security configuration as you used:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors();
JwtWebSecurityConfigurer
.forRS256(apiAudience, issuer)
.configure(http)
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/api/public").permitAll()
.antMatchers(HttpMethod.GET, "/api/private").authenticated()
.antMatchers(HttpMethod.GET, "/api/private-scoped").hasAuthority("read:messages")
.antMatchers(HttpMethod.POST, "/api/private-scoded").hasAuthority("write:messages");
}
Your instructions state in Step 5 to make a POST
request to /api/private-scoped
using a token with only the read:messages
scope, but your antMatchers
specify the POST
route for the /api/private-scoped
endpoint. Perhaps a typo?
Either way, if I issue a POST
to /api/private-scoded
using a token with only the read:messages
scope, I receive a 403
as I'd expect:
{
"error": "Forbidden",
"message": "Forbidden",
"path": "/api/private-scoded",
"status": 403,
"timestamp": "2019-07-19T17:10:14.961+0000"
}
I get the same result if changing the antMatcher
handle POST requests to /api/private-scoped
:
.antMatchers(HttpMethod.POST, "/api/private-scoped").hasAuthority("write:messages")
Just to be sure the token has your expected scopes, try pasting it into https://jwt.io and verify that the token only has the read:messages
scope. If it does and you're still seeing this issue, perhaps something else is going on we can try and figure out.
Hi @jimmyjames ,
Not sure why, but after I've recreated the Postman collection it looks like it's working as you are describing.
Sorry for this...
Thanks to @lbalmaceda as well... I'll close this...
Ah!! Using Postman I used to run into a certificate error when hitting https
URLs from my computer (e.g. https://localhost:8080) and I had to turn off an SSL verification setting. Now I always test with curl