
I have a Micronaut REST endpoint which is secured by @Secured(SecurityRule.IS_AUTHENTICATED)

import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.rules.SecurityRule;
import io.reactivex.Single;

// @Secured is not a repeatable annotation, so the class can carry only one of them;
// the IS_AUTHENTICATED rule was the original and is replaced by the role-based one.
// @Secured(SecurityRule.IS_AUTHENTICATED)
@Controller("/product")
@Secured({"Admin"})
public record ProductController(IProducer iProducer) {
    @Get(uri = "/{text}")
    public Single<String> get(String text) {
        return iProducer.sendText(text);
    }
}

I am using the Validation with remote JWKS https://micronaut-projects.github.io/micronaut-security/latest/guide/#jwks

Application.yml

micronaut:
  security:
    enabled: true
    token:
      jwt:
        enabled: true
        signatures:
          jwks:
            okta:
              url: 'https://xxx-xxxxxx.okta.com/oauth2/default/v1/keys'

Decoded JWT

{
  "jti": "AT.Y4r-Hu9ss5FXJRomosJlJRSGSsv4vscLeGI5seM2BJA",
  "iss": "https://dev-6271510.okta.com/oauth2/default",
  "aud": "api://default",
  "iat": 1608187083,
  "exp": 1608190683,
  "cid": "0oa2lezagQ4wrRUnW5d6",
  "uid": "00u2kavl6tQtJ7NNj5d6",
  "scp": [
    "openid"
  ],
  "sub": "anandjaisy@gmail.com",
  "Admin": "anandjaisy@gmail.com"
}

Questions

  1. Since I am using Validation with remote JWKS, is this the only way to validate the OKTA JWT token? How can I validate the OKTA JWT without remote JWKS?
  2. In the token I have a claim ADMIN; how can I secure my controller route with the ADMIN claim? I tried @Secured({"Admin"}) but it gives me 403 Forbidden.
  3. Is there a way to create a security requirement and a handler for the requirement?
San Jaisy
  • I think part of what you are trying to do requires you to use the JWT as a bearer token. For that to work your application will need to know the secret with which the JWT was signed. This tutorial (https://guides.micronaut.io/micronaut-oauth2-okta/guide/index.html) might help some. In the example the JWT is generated by the user logging in to Okta; this could be in a frontend service that passes the JWT to a backend service to do some work. – Gavin Dec 17 '20 at 07:54
  • @Gavin - I can't have a login in the same application; the Angular front-end does the login to the OKTA and requests the end-point with the Bearer token. The JWT validation is working fine, but I have two routes inside the controller, both routes should work based on the Claim. Is there a way to create a security requirement and handler for each route? – San Jaisy Dec 17 '20 at 08:00
  • Sorry, I might not have been clear, you do not need the creation of the JWT to be in the same application. To be able to "decode" the JWT without calling to Okta you will need to set up the encoding secret in the Micronaut properties, as demonstrated in the above linked article. While the tutorial has the login flow in the same application this need not be the case, it is simply a convenience to demonstrate one method of integrating with Okta. – Gavin Dec 17 '20 at 08:09
  • @Gavin - Yeah, makes sense to me, the JWT validation is working fine now. Is there a way to create a security requirement and handler for each controller route based on the claim? – San Jaisy Dec 17 '20 at 08:13
  • There should be, I have never done this with Micronaut. I would look into the `Security` annotation, see what is available on there, and perhaps have a look to see if Micronaut has any security filters in the same vein that Spring does. My experience with Micronaut suggests that in general it requires less "effort" than Spring, so I wouldn't be surprised if they haven't found a nice way to say "This endpoint requires claim x with value y" – Gavin Dec 17 '20 at 08:37
  • As I was curious I did a little googling, this https://ruuben.medium.com/managing-jwt-auth-with-micronaut-v2-part-2-53ed984c48e seems to secure endpoints with claims (ADMIN, ADMIN and? or? VIEW). I am not sure how the claims are being extracted from the JWT, looking at the previous part of the tutorial I think it only needs the jwt to have a `roles` claim. Perhaps when you have solved your problem, you can provide an answer here? Good luck. – Gavin Dec 17 '20 at 08:57
  • @Gavin thanks for that, any idea on this issue https://stackoverflow.com/questions/65338291/custom-security-rules-not-working-micronaut-2-2-1 – San Jaisy Dec 17 '20 at 09:52
  • @Gavin I found the blog https://blog.wick.technology/micronaut-security-rule/ to implement custom security rule, but due to some reason it is not working, don't know why https://stackoverflow.com/questions/65338291/custom-security-rules-not-working-micronaut-2-2-1 – San Jaisy Dec 17 '20 at 12:28
  • Sorry, that is way outside of my experience. What I would say is, do you need a custom claim? Can you not just add a role to the role claim of the JWT? – Gavin Dec 17 '20 at 12:56
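The 403 in question 2 and the `roles` claim mentioned in the last comments come from the same place: Micronaut Security 2.x's DefaultRolesFinder reads only the claim named by micronaut.security.token.roles-name (default "roles"), and the decoded token above has no such claim, only a custom "Admin" claim whose value is an e-mail address, so @Secured({"Admin"}) is compared against an empty role list. The class below is an added example, not code from the question or from Micronaut, showing one way to bridge that gap with a replacement RolesFinder; it assumes the Micronaut Security 2.x API (RolesFinder.findInClaims, TokenConfiguration.getRolesName) and the hypothetical package and class names are mine.

```java
package com.example.security; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import javax.inject.Singleton;

import io.micronaut.context.annotation.Replaces;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.security.token.Claims;
import io.micronaut.security.token.DefaultRolesFinder;
import io.micronaut.security.token.RolesFinder;
import io.micronaut.security.token.config.TokenConfiguration;

/**
 * Replaces DefaultRolesFinder so that, besides the standard "roles" claim,
 * the presence of an allow-listed claim name (here "Admin") grants a role of
 * the same name. The roles returned here are what @Secured({...}) is checked against.
 */
@Singleton
@Replaces(DefaultRolesFinder.class)
public class ClaimNameRolesFinder implements RolesFinder {

    // Allow-list of claim names that count as roles. Keep this explicit: granting a role
    // for every claim present would turn "sub", "iss", "scp", etc. into roles.
    private static final Set<String> ROLE_CLAIM_NAMES = Set.of("Admin");

    private final TokenConfiguration tokenConfiguration;

    public ClaimNameRolesFinder(TokenConfiguration tokenConfiguration) {
        this.tokenConfiguration = tokenConfiguration;
    }

    @Override
    @NonNull
    public List<String> findInClaims(@NonNull Claims claims) {
        List<String> roles = new ArrayList<>();
        // 1. Preserve the default behaviour: a "roles" claim that is a list or a single value.
        Object standard = claims.get(tokenConfiguration.getRolesName());
        if (standard instanceof Iterable) {
            for (Object role : (Iterable<?>) standard) {
                roles.add(String.valueOf(role));
            }
        } else if (standard != null) {
            roles.add(standard.toString());
        }
        // 2. Map allow-listed claim names to roles (the "Admin" claim in the token above).
        for (String name : ROLE_CLAIM_NAMES) {
            if (claims.get(name) != null) {
                roles.add(name);
            }
        }
        return roles;
    }
}
```

If the token can instead be shaped so that a list-valued claim (for example an Okta groups claim) carries the roles, setting micronaut.security.token.roles-name to that claim's name needs no custom code at all; the signature check against the JWKS still runs before any role is consulted, so this only affects authorization, not authentication.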
