This repository has been deprecated and is no longer maintained.
See the Spring Boot 2 Login Samples to see how to add authentication to your Spring Boot 2 application.
Auth0 Integration Samples for Java Spring Security MVC
Home Page: https://auth0.com/docs/quickstart/webapp/java-spring-security-mvc
License: MIT License
01-Login, 02-Custom-Login have no readme at all
After I've logged in using 01-Login sample, I've got this:
Samples using lock v10.0 when up-to-date version is 10.10. (AUTH-3751)
spring-boot-starter-redis is deprecated as of 1.4 in favor of spring-boot-starter-data-redis.
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-redis
(AUTH-3595)
As discussed here #5, first samples don't need to use authentication through roles. Possible fix: #9
If 09-MFA doesn't need code changes, then probably better if there will be unchanged code.
Greetings,
The error controller redirects to /login for all kinds of errors (like 404...)
Why is this? Shouldn't it redirect to /login for 403 only....and for the other types of errors just show a custom error page etc.
Am I missing something?
Hi, I get the following error message when I run mvn spring-boot:run
Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project auth0-spring-security-mvc-sample: Fatal error compiling: invalid target release: 1.8 -> [Help 1]
Maven version is 3.3.9. Could you please advise accordingly? Thanks.
The Authentication object initialized from the idToken doesn't contain any granted authority by default because it looks for https://access.control/roles claims which is non-standard, I guess (at least, my vanilla Auth0 doesn't show roles in this claim).
Start the provided sample app and set a breakpoint at: https://github.com/auth0-samples/auth0-spring-security-mvc-sample/blob/master/01-Login/src/main/java/com/auth0/example/mvc/CallbackController.java#L49
Roles can be retrieved via another call to the management API that unfortunately adds latency:
    AuthAPI authAPI = new AuthAPI(domain, clientId, clientSecret);
    AuthRequest authRequest = authAPI.requestToken("https://" + domain + "/api/v2/");
    TokenHolder holder = authRequest.execute();
    ManagementAPI mgmt = new ManagementAPI(domain, holder.getAccessToken());
    List<Role> roles = mgmt.roles()
            .list(new RolesFilter())
            .execute()
            .getItems();
but this in turn requires that the default Auth0 Management API is authorized and granted all relevant grants (for example via Dashboard > Machine to machine Applications).
Another option is adding the roles to the claim via a custom rule, but that should be documented somewhere because developing rules for Auth0 is very cumbersome and definitely not a beginner task (while on the other hand getting roles is a fundamental necessity for Auth0 users).
Quickstart not working with JDK 11 (Oracle).
There are a few things missing in this quick start (but actually in all Java quick starts), so that it's not as illustrative as for example the SPA quick starts (Vue.js, etc.):
Something like this should be added to the CallbackController / handle method I suppose (not sure if it's best practice and all methods used optimal):
    String authorizeUrl = controller.buildAuthorizeUrl(req, redirectUri)
            //.withAudience(String.format("https://%s/userinfo", appConfig.getDomain())) // I don't think is actually needed here
            .withScope("openid profile email email_verified") // but this should be used to show "real" user profile info like email, username, etc.
            .build();
and
    DecodedJWT jwt = JWT.decode(tokens.getIdToken());
    // do something with jwt.getPayload();
    // ....
    try {
        JwkProvider provider = new UrlJwkProvider("https://<tenant>.eu.auth0.com/.well-known/jwks.json");
        Jwk jwk = provider.get(jwt.getKeyId());
        Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
        algorithm.verify(jwt);
        // or ...?
        Verification verifier = JWT.require(algorithm);
        verifier.build().verify(jwt);
    } catch (JWTVerificationException exception) {
        exception.printStackTrace();
        // Invalid signature/claims
    } catch (JwkException e) {
        e.printStackTrace();
    }
Quickstart instructions are missing the 'Allowed Logout URL: http://localhost:3000/login' in the instructions (when downloading the zip within the dashboard > Application(s) > Quick Start), though it's needed.
(Also seems to be the case in the other Java (regular webapps) quick starts.)
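The two issues above touch the same step: checking the ID token before trusting its claims, then mapping the https://access.control/roles claim to authorities. The following is an added example, not code from the issue authors or from the sample project. It assumes com.auth0:java-jwt on the classpath; the issuer, client ID and locally generated key pair are constructed values standing in for the tenant's settings and its JWKS key.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.*;
import java.security.interfaces.*;
import java.util.*;

public class IdTokenRolesExample {
    // Constructed sample values; a real application reads these from its Auth0 settings.
    static final String ISSUER = "https://tenant.example/";
    static final String CLIENT_ID = "sample-client-id";
    static final String ROLES_CLAIM = "https://access.control/roles"; // claim name from the page
    /** Verifies signature, issuer, audience and expiry BEFORE reading any claim. */
    static List<String> verifiedRoles(String idToken, RSAPublicKey key) {
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(key, null))
                .withIssuer(ISSUER)
                .withAudience(CLIENT_ID)
                .build();
        DecodedJWT jwt = verifier.verify(idToken); // throws JWTVerificationException on failure
        List<String> roles = jwt.getClaim(ROLES_CLAIM).asList(String.class);
        return roles == null ? Collections.emptyList() : roles; // absent claim: no authorities
    }

    // Test helper that mints a constructed token; in production the tenant signs the token.
    static String sign(RSAPrivateKey key, String audience, String[] roles) {
        JWTCreator.Builder b = JWT.create().withIssuer(ISSUER).withAudience(audience)
                .withExpiresAt(new Date(System.currentTimeMillis() + 60_000));
        if (roles != null) b = b.withArrayClaim(ROLES_CLAIM, roles);
        return b.sign(Algorithm.RSA256(null, key));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();
        System.out.println(verifiedRoles(sign(priv, CLIENT_ID, new String[]{"admin"}), pub));
        System.out.println(verifiedRoles(sign(priv, CLIENT_ID, null), pub)); // no roles claim
        try { // a token issued for a different client must be rejected, not merely logged
            verifiedRoles(sign(priv, "another-client", new String[]{"admin"}), pub);
        } catch (JWTVerificationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```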