Permissions support

[skjolber]

Support API permissions.

Description

We're getting tokens with permissions from Auth0.

Replace scopes with permissions, in AuthenticationJsonWebToken.java.

{
  "iss": "https://x.y.z.org/",
  "sub": "u.i",
  "aud": [
    "https://my.dev.env.org",
    "https://my-dev.x.auth0.com/userinfo"
  ],
  "iat": 1568211075,
  "exp": 1568114275,
  "azp": "o.p.q",
  "scope": "openid profile email",
  "permissions": [
    "stuff:configure",
    "sop:configure",
    "settings:configure",
    "turnover:view",
    "admin:configure"
  ]
}

We would like to use these in method-based security in Spring.

Prerequisites

• I have checked the Auth0 Community for related posts.
• I have checked for related or duplicate Issues and PRs.
• I have read the Auth0 general contribution guidelines.
• I have read the Auth0 Code of Conduct.
• I am reporting this to the correct repository [Add links to other related].

Environment

Latest master version.

Reproduction

Authenticate user with single page application.

[jimmyjames]

Hi @skjolber,

I don't think we want to replace creating GrantedAuthority from scopes with permissions, as scopes still are valid. But I agree we do need to evaluate support for allowing APIs to be secured using the permissions claim.

Spring 5 does this by adding a prefix to the the GrantedAuthority, e.g., SCOPE_read:messages, and allows for creating custom extractors to enable using different claims, etc. We could consider following a similar pattern (while not breaking existing implementations by requiring the SCOPE_ prefix). I'm not yet sure how feasible it will be to enable custom Authority extractors here, but it's also something to consider.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️