Skip to content

Non-Standard Scope Claim Name in servlet/spring-boot/java/jwt/login/src/main/java/example/web/TokenController.java #408

Description

@gvisoc

Unless I am understanding the code and the intent wrong, I believe there is a bug in one of the examples.

In the class servlet/spring-boot/java/jwt/login/src/main/java/example/web/TokenController.java the name of the "scope" claim is not the standard scp, but scope -- see line 50:

		JwtClaimsSet claims = JwtClaimsSet.builder()
				.issuer("self")
				.issuedAt(now)
				.expiresAt(now.plusSeconds(expiry))
				.subject(authentication.getName())
				.claim("scope", scope)
				.build();

This would create a token such as:

{
  "iss": "self",
  "sub": "etrovador",
  "scope": "LIST_CUSTOMERS READ_CUSTOMER WRITE_CUSTOMER FACTOR_PASSWORD",
  "exp": 1783060519,
  "iat": 1783060099
}

This claim name makes the Spring Security annotation like @PreAuthorize("hasAuthority('SCOPE_LIST_CUSTOMERS')") fail, as it works by splitting the scp content (missing) and then attaching to all of the substrings the prefix SCOPE_.

By changing the scope name to scp, an annotation like the above would work as it will receive the following token:

{
  "iss": "self",
  "sub": "etrovador",
  "scp": "LIST_CUSTOMERS READ_CUSTOMER WRITE_CUSTOMER FACTOR_PASSWORD",
  "exp": 1783060519,
  "iat": 1783060099
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions