Description
I'm submitting a
- bug report
- feature request
Background info
If I use this starter in a Spring Boot 3.1.3 app against Auth0, I don't get a JWT as the access token. I believe this is because the starter doesn't send the audience parameter to the /authorize endpoint. With Okta, I do get a JWT access token. Here's how I'm testing it:
package com.example.apigateway;
import java.security.Principal;
import java.util.Arrays;
import java.util.Locale;
import java.util.Objects;
import java.util.stream.StreamSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.core.env.AbstractEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.Environment;
import org.springframework.core.env.MutablePropertySources;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
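@SpringBootApplication
public class ApiGatewayApplication {

    private static final Logger LOGGER = LoggerFactory.getLogger(ApiGatewayApplication.class);

    /**
     * Lower-cased fragments of property names whose values must never be written to the log.
     * The previous filter matched only "credentials" and "password" (case-sensitively), so a
     * property such as {@code okta.oauth2.client-secret} was printed in clear at INFO level.
     * Matching is case-insensitive and deliberately over-broad ("key" also hides keystore
     * paths, for instance); hiding too much is the safe direction for a config dump.
     */
    private static final String[] SENSITIVE_MARKERS = {
        "credentials", "password", "secret", "token", "key"
    };

    public static void main(String[] args) {
        SpringApplication.run(ApiGatewayApplication.class, args);
    }

    /**
     * Logs the active profiles and every enumerable property once the context is refreshed,
     * as a debugging aid for the starter's configuration.
     *
     * @param event the refresh event carrying the application context whose environment is dumped
     */
    @EventListener
    public void handleContextRefresh(ContextRefreshedEvent event) {
        final Environment env = event.getApplicationContext().getEnvironment();
        LOGGER.info("Active profiles: {}", Arrays.toString(env.getActiveProfiles()));
        final MutablePropertySources sources = ((AbstractEnvironment) env).getPropertySources();
        StreamSupport.stream(sources.spliterator(), false)
            .filter(ps -> ps instanceof EnumerablePropertySource)
            .map(ps -> ((EnumerablePropertySource<?>) ps).getPropertyNames())
            .flatMap(Arrays::stream)
            .distinct()
            .filter(prop -> !isSensitive(prop))
            .forEach(prop -> LOGGER.info("{}: {}", prop, env.getProperty(prop)));
    }

    /** Returns true when the property name contains any entry of SENSITIVE_MARKERS, ignoring case. */
    private static boolean isSensitive(String propertyName) {
        final String lower = propertyName.toLowerCase(Locale.ROOT);
        return Arrays.stream(SENSITIVE_MARKERS).anyMatch(lower::contains);
    }
}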
@RestController
class HomeController {
private final OAuth2AuthorizedClientService clientService;
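/**
 * Creates the controller.
 *
 * @param clientService registry of authorized clients, used to look up the access token
 *     issued to the current user; must not be null
 * @throws NullPointerException if {@code clientService} is null, so a mis-wired bean fails
 *     at startup instead of on the first request
 */
public HomeController(OAuth2AuthorizedClientService clientService) {
    this.clientService = Objects.requireNonNull(clientService, "clientService");
}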
/**
 * Greets the signed-in OIDC user by full name.
 *
 * @param user the authenticated principal, injected from the security context
 * @return a greeting that embeds the user's full name
 */
@GetMapping("/")
public String howdy(@AuthenticationPrincipal OidcUser user) {
    final String fullName = user.getFullName();
    final StringBuilder greeting = new StringBuilder("Hello, ");
    greeting.append(fullName);
    return greeting.toString();
}
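/**
 * Writes the current user's access token to stdout so it can be inspected.
 *
 * <p>Debug aid for this reproduction only: the value written here is a live bearer
 * credential, and stdout is normally captured by whatever ships the application's logs.
 *
 * @param principal the authenticated user, resolved by Spring Security; may be null if the
 *     endpoint is reachable without authentication
 * @return a short status message; the token itself is never placed in the HTTP response
 */
@GetMapping("/print-token")
public String printAccessToken(Principal principal) {
    if (principal == null) {
        return "No authenticated principal";
    }
    // "okta" is the registration id the Okta starter configures. loadAuthorizedClient returns
    // null (it does not throw) when nothing is stored for this user, which previously surfaced
    // as a NullPointerException on getAccessToken().
    OAuth2AuthorizedClient authorizedClient =
        this.clientService.loadAuthorizedClient("okta", principal.getName());
    if (authorizedClient == null) {
        return "No authorized client found for registration 'okta'";
    }
    OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
    System.out.println("Access Token Value: " + accessToken.getTokenValue());
    System.out.println("Token Type: " + accessToken.getTokenType().getValue());
    System.out.println("Expires At: " + accessToken.getExpiresAt());
    return "Access token printed";
}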
}
If you start an app with this configuration, log in, then go to http://localhost:8080/print-token, you'll see the access token in your console. Copy and paste it into jwt.io: it decodes the Okta token, but the Auth0 token is not a JWT and does not decode.
Expected behavior
I expected that defining OKTA_OAUTH2_AUDIENCE as an environment variable would make the starter use it both for token validation and as the audience parameter when requesting JWTs.
Steps to reproduce
See above.
SDK Version
3.0.5
EM-Creations