okta / okta-spring-boot

Okta Spring Boot Starter

Custom JWT authentication converter is ignored #508

Open Draudastic26 opened 1 year ago

Draudastic26 commented 1 year ago

I'm submitting a

Background info

With okta-spring-boot-starter it is not possible to use a custom JwtAuthenticationConverter like described in this tutorial: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

Expected behavior

A custom converter is used (Converter<Jwt, AbstractAuthenticationToken>).

What went wrong?

Configuration is ignored.

Steps to reproduce

See chapter 8 here: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

SDK Version

Spring Boot: 2.7.5 okta-spring-boot-starter: 2.1.6

Draudastic26 commented 1 year ago

When I use spring-boot-starter-oauth2-resource-server and remove okta-spring-boot-starter dependency, it works as expected. Of course you have to move issuer uri from okta.oauth2.issuer to spring.security.oauth2.resourceserver.jwt.issuer-uri

arvindkrishnakumar-okta commented 1 year ago

@Draudastic26 Thanks for posting!

I'd like to understand a bit more about your use case and the need for a custom JWT Authentication Converter. The Okta Springboot starter provides a converter that automatically takes care of converting claims in tokens to authorities.

Are you sure you are adding your custom JwtAuthenticationConverter bean to the SecurityChain in your oauth2ResourceServer config?

Draudastic26 commented 1 year ago

Our customer has their own Okta instance and the required info for our backend is just available in the id_token via the Okta userinfo endpoint. Also the authorities (RACF and AD groups) are just available in the id_token via custom claims. This setup is fixed and can't be configured. My idea was to convert the JWT into an extended version of the JwtAuthenticationToken with the required fields from the userinfo endpoint. With that, I could also use the handy @PreAuthorize annotation. Everything works as expected, but only with the spring-boot-starter-oauth2-resource-server dependency and not with this Okta lib.

The security chain looks like this:

@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        authorizeRequests {
            authorize(anyRequest, authenticated)
        }
        oauth2ResourceServer {
            jwt {
                jwtAuthenticationConverter = CustomJwtConverter()
            }
        }
    }
    return http.build()
}

EDIT: I use Kotlin

arvindkrishnakumar-okta commented 1 year ago

@Draudastic26 Can you please check if this is still an issue with 3.0.3?

egulias commented 3 months ago

Hi @arvindkrishnakumar-okta, I'm facing the same use case with the latest version and it still happens. In fact, while debugging I saw it set Okta's converter twice. Ideally I'd like to be able to extend Okta's to create my custom principal for convenience methods.
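The following is an added example, not code from the okta-spring-boot project or from any commenter in this thread. It shows the pattern both the original report and the last comment describe: a custom Converter<Jwt, AbstractAuthenticationToken> that maps a custom group claim to authorities and wraps the result in an extended JwtAuthenticationToken carrying an extra typed field, together with the explicit oauth2ResourceServer wiring in Java. The claim names ("groups", "department"), the ROLE_ prefix, the CustomJwtAuthenticationToken type and the package name are assumptions for illustration; the sample token in main() is constructed inline and is not a real Okta token.

```java
package example; // hypothetical package, not part of the project

import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Converts a validated Jwt into an authentication whose authorities come from a
 * custom group claim. Signature/issuer validation has already happened by the
 * time this runs, so the converter only decides what the token is allowed to do.
 */
public class CustomJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    static final String GROUPS_CLAIM = "groups";         // assumed claim name
    static final String DEPARTMENT_CLAIM = "department"; // assumed claim name
    static final String AUTHORITY_PREFIX = "ROLE_";      // lets hasRole("...") work in @PreAuthorize

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        List<String> groups = jwt.getClaimAsStringList(GROUPS_CLAIM);
        // A token without the claim must yield NO authorities, never an exception:
        // failing closed here is what keeps an unexpected token from being over-privileged.
        Collection<GrantedAuthority> authorities = groups == null
                ? Collections.emptyList()
                : groups.stream()
                        .filter(g -> g != null && !g.isBlank())
                        .map(g -> new SimpleGrantedAuthority(AUTHORITY_PREFIX + g))
                        .collect(Collectors.toCollection(LinkedHashSet::new)); // de-duplicated, order kept
        String department = jwt.getClaimAsString(DEPARTMENT_CLAIM); // may be null
        return new CustomJwtAuthenticationToken(jwt, authorities, jwt.getSubject(), department);
    }

    // Stand-alone demonstration with a constructed (not real) token.
    public static void main(String[] args) {
        Jwt sample = Jwt.withTokenValue("constructed-sample-token")
                .header("alg", "none")
                .subject("alice@example.com")
                .claim(GROUPS_CLAIM, List.of("RACF-Readers", "AD-Ops", "AD-Ops"))
                .claim(DEPARTMENT_CLAIM, "platform")
                .build();
        AbstractAuthenticationToken auth = new CustomJwtConverter().convert(sample);
        System.out.println(auth.getName() + " -> " + auth.getAuthorities());
        System.out.println("department=" + ((CustomJwtAuthenticationToken) auth).getDepartment());
    }
}

/** Extended token that carries an application-specific field taken from the JWT. */
class CustomJwtAuthenticationToken extends JwtAuthenticationToken {
    private final String department;

    CustomJwtAuthenticationToken(Jwt jwt, Collection<? extends GrantedAuthority> authorities,
                                 String name, String department) {
        super(jwt, authorities, name);
        this.department = department;
    }

    String getDepartment() {
        return department;
    }
}

/** Explicit wiring: the converter must be set inside the oauth2ResourceServer jwt() block. */
@Configuration
class ResourceServerConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(new CustomJwtConverter())));
        return http.build();
    }
}
```

A quick way to confirm which converter is actually in effect, independent of the starter in use, is to call the converter directly on a constructed Jwt as in main() and, separately, hit a protected endpoint with a token that lacks the group claim: if the request is still granted a role, the custom converter is not the one the filter chain installed.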