The Authentication object initialized from the idToken doesn't contain any granted authority by default because it looks for https://access.control/roles claims which is non-standard, I guess (at least, my vanilla Auth0 doesn't show roles in this claim).

Start the provided sample app and set a breakpoint at: https://github.com/auth0-samples/auth0-spring-security-mvc-sample/blob/master/01-Login/src/main/java/com/auth0/example/mvc/CallbackController.java#L49

Roles can be retrieved via another call to the management API that unfortunately adds latency:

AuthAPI authAPI = new AuthAPI(domain, clientId, clientSecret);
AuthRequest authRequest = authAPI.requestToken("https://" + domain + "/api/v2/");
TokenHolder holder = authRequest.execute();
ManagementAPI mgmt = new ManagementAPI(domain, holder.getAccessToken());
List<Role> roles = mgmt.roles()
		.list(new RolesFilter())
		.execute()
		.getItems();

but this in turn requires that the default Auth0 Management API is authorized and granted all relevant grants (for example via Dashboard > Machine to machine Applications).

Another option is adding the roles to the claim via a custom rule, but that should be documented somewhere because developing rules for Auth0 is very cumbersome and definitely not a beginner task (while on the other hand getting roles is a fundamental necessity for Auth0 users).

Quickstart not working with JDK 11 (Oracle).

There are a few things missing in this quick start (but actually in all Java quick starts), so that it's not as illustrative as for example the SPA quick starts (Vue.js, etc.):

• No example how payload from ID token is retrieved.
• No example how to verify a token.
• No example how to pass scopes to the authorization request.

Something like this should be added to the CallbackController / handle method I suppose (not sure if it's best practice and all methods used optimal):

    String authorizeUrl = controller.buildAuthorizeUrl(req, redirectUri)
        //.withAudience(String.format("https://%s/userinfo", appConfig.getDomain()))  // I don't think is actually needed here
        .withScope("openid profile email email_verified")  // but this should be used to show "real" user profile info like email, username, etc.
        .build();

and

    DecodedJWT jwt = JWT.decode(tokens.getIdToken());
    // do something with jwt.getPayload();
    // ....

    try {
        JwkProvider provider = new UrlJwkProvider("https://<tenant>.eu.auth0.com/.well-known/jwks.json");
        Jwk jwk = provider.get(jwt.getKeyId());
        Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(),null);
        algorithm.verify(jwt);

        // or ...? 

        Verification verifier = JWT.require(algorithm);
        verifier.build().verify(jwt);

    } catch (JWTVerificationException exception){
        exception.printStackTrace();
        //Invalid signature/claims
    } catch (JwkException e) {
        e.printStackTrace();
    }

Samples using lock v10.0 when up-to-date version is 10.10. (AUTH-3751)

Greetings,

The error controller redirects to /login for all kinds of errors (like 404...)
Why is this? Shouldn't it redirect to /login for 403 only....and for the other types of errors just show a custom error page etc.

am I missing something ?

If 09-MFA don't need code changes, then probably better if there will be unchanged code.

spring-boot-starter-redis is deprecated as of 1.4 in favor of spring-boot-starter-data-redis.

https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-redis

Hi, I get the following error message when I run mvn spring-boot:run
Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project auth0-spring-security-mvc-sample: Fatal error compiling: invalid target release: 1.8 -> [Help 1]

Maven version is 3.3.9. Could you please advise accordingly? Thanks.

(AUTH-3595)
As discussed here #5, first samples don't need to use authentication through roles. Possible fix: #9

The README.md files contained in the project do not contain any instructions.

Quickstart instructions are missing the 'Allowed Logout URL: http://localhost:3000/login' in the instructions (when downloading the zip within the dashboard > Application(s) > Quick Start), though it's needed.
(Also seems to be the case in the other Java (regular webapps) quick starts.)

After login, the message shown to welcome the user is not formatted properly and it is not clear if this is an error or is intended.

Custom login sample is using auth0-7.2.1.js while page tutorial is showing auth0-6.8.js

View of the tutorial page:

View of the file loginCustom.jsp

After i've logged in using 01-Login sample, i've got this:

01-Login, 02-Custom-Login have no readme at all