Auth0 Integration Samples for Java Spring Security MVC
Home Page: https://auth0.com/docs/quickstart/webapp/java-spring-security-mvc
License: MIT License
After i've logged in using 01-Login sample, i've got this:
The Authentication object initialized from the idToken doesn't contain any granted authority by default because it looks for https://access.control/roles claims which is non-standard, I guess (at least, my vanilla Auth0 doesn't show roles in this claim).
Start the provided sample app and set a breakpoint at: https://github.com/auth0-samples/auth0-spring-security-mvc-sample/blob/master/01-Login/src/main/java/com/auth0/example/mvc/CallbackController.java#L49
Roles can be retrieved via another call to the management API that unfortunately adds latency:
AuthAPI authAPI = new AuthAPI(domain, clientId, clientSecret);
AuthRequest authRequest = authAPI.requestToken("https://" + domain + "/api/v2/");
TokenHolder holder = authRequest.execute();
ManagementAPI mgmt = new ManagementAPI(domain, holder.getAccessToken());
List<Role> roles = mgmt.roles()
.list(new RolesFilter())
.execute()
.getItems();but this in turn requires that the default Auth0 Management API is authorized and granted all relevant grants (for example via Dashboard > Machine to machine Applications).
Another option is adding the roles to the claim via a custom rule, but that should be documented somewhere because developing rules for Auth0 is very cumbersome and definitely not a beginner task (while on the other hand getting roles is a fundamental necessity for Auth0 users).
Quickstart instructions are missing the 'Allowed Logout URL: http://localhost:3000/login' in the instructions (when downloading the zip within the dashboard > Application(s) > Quick Start), though it's needed.
(Also seems to be the case in the other Java (regular webapps) quick starts.)
Custom login sample is using auth0-7.2.1.js while page tutorial is showing auth0-6.8.js
View of the tutorial page:
View of the file loginCustom.jsp
If 09-MFA don't need code changes, then probably better if there will be unchanged code.
01-Login, 02-Custom-Login have no readme at all
After login, the message shown to welcome the user is not formatted properly and it is not clear if this is an error or is intended.
Greetings,
The error controller redirects to /login for all kinds of errors (like 404...)
Why is this? Shouldn't it redirect to /login for 403 only....and for the other types of errors just show a custom error page etc.
am I missing something ?
There are a few things missing in this quick start (but actually in all Java quick starts), so that it's not as illustrative as for example the SPA quick starts (Vue.js, etc.):
Something like this should be added to the CallbackController / handle method I suppose (not sure if it's best practice and all methods used optimal):
String authorizeUrl = controller.buildAuthorizeUrl(req, redirectUri)
//.withAudience(String.format("https://%s/userinfo", appConfig.getDomain())) // I don't think is actually needed here
.withScope("openid profile email email_verified") // but this should be used to show "real" user profile info like email, username, etc.
.build();
and
DecodedJWT jwt = JWT.decode(tokens.getIdToken());
// do something with jwt.getPayload();
// ....
try {
JwkProvider provider = new UrlJwkProvider("https://<tenant>.eu.auth0.com/.well-known/jwks.json");
Jwk jwk = provider.get(jwt.getKeyId());
Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(),null);
algorithm.verify(jwt);
// or ...?
Verification verifier = JWT.require(algorithm);
verifier.build().verify(jwt);
} catch (JWTVerificationException exception){
exception.printStackTrace();
//Invalid signature/claims
} catch (JwkException e) {
e.printStackTrace();
}
Hi, I get the following error message when I run mvn spring-boot:run
Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project auth0-spring-security-mvc-sample: Fatal error compiling: invalid target release: 1.8 -> [Help 1]
Maven version is 3.3.9. Could you please advise accordingly? Thanks.
spring-boot-starter-redis is deprecated as of 1.4 in favor of spring-boot-starter-data-redis.
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-redis
The README.md files contained in the project do not contain any instructions.
Quickstart not working with JDK 11 (Oracle).
(AUTH-3595)
As discussed here #5, first samples don't need to use authentication through roles. Possible fix: #9
Samples using lock v10.0 when up-to-date version is 10.10. (AUTH-3751)
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.