While yesterday I was very happy to share the good developer experience I recently had with Auth0, today I am feeling frustrated by something I expected to be easy and which in the end isn't.
I am sharing my experience here in the hope it can help someone else avoid the same headache...
The context is very simple:
A Spring Boot application (latest 2.4.x) needs to connect to a REST service protected with a JWT token issued by Auth0.
I was expecting to implement it in five minutes... It was more like 5 hours. :-/
While I like the large ecosystem offered by Spring and the reference documentation, which is (in general) of good quality, it is often very hard to figure out the correct way to implement a given use case, because of the variety of resources and the lack of up-to-date tutorials.
Googling about it is a big challenge because the terms are generic and the Spring stack has evolved, especially with Spring Security 5 and its "native" support for OAuth.
In general the "how to" articles, which are very useful, are found more on the @baeldung website than in the Spring docs. :-/
Maybe I missed a better solution, but what I found is that to add the audience parameter to the token request I have to create a Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>>.
But I cannot reuse OAuth2ClientCredentialsGrantRequestEntityConverter, which is not extensible.
Thus I ended up with 100 lines of copy/paste (yuck) just to add one useful line: formParameters.add("audience", this.audience);
And a big method to configure the WebClient correctly.
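The following is an added example, not the gists from this post, showing one way to do both steps on Spring Boot 2.4.x / Spring Security 5.4 without copying the whole converter: wrap the stock OAuth2ClientCredentialsGrantRequestEntityConverter in a small decorator that appends the audience form parameter to the request it produced, then plug that into a DefaultClientCredentialsTokenResponseClient and a WebClient. The registration id "auth0", the audience URL and the property values in the comment are assumptions made for the example.

```java
// Assumed application.yml for this example (values are placeholders):
//
// spring:
//   security:
//     oauth2:
//       client:
//         registration:
//           auth0:
//             client-id: ${AUTH0_CLIENT_ID}
//             client-secret: ${AUTH0_CLIENT_SECRET}
//             authorization-grant-type: client_credentials
//         provider:
//           auth0:
//             token-uri: https://YOUR_TENANT.auth0.com/oauth/token

import java.util.Objects;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.reactive.function.client.WebClient;

/**
 * Decorates Spring's converter instead of copying it: the stock converter builds
 * the grant_type / scope / client credential form body, and we only append the
 * non-standard "audience" parameter Auth0 expects for client-credentials tokens.
 */
final class AudienceAddingRequestEntityConverter
        implements Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> {

    private final OAuth2ClientCredentialsGrantRequestEntityConverter delegate =
            new OAuth2ClientCredentialsGrantRequestEntityConverter();
    private final String audience;

    AudienceAddingRequestEntityConverter(String audience) {
        this.audience = Objects.requireNonNull(audience, "audience");
    }

    @Override
    @SuppressWarnings("unchecked")
    public RequestEntity<?> convert(OAuth2ClientCredentialsGrantRequest request) {
        RequestEntity<?> original = delegate.convert(request);
        // Copy the form body rather than mutating the one the delegate created.
        MultiValueMap<String, String> form =
                new LinkedMultiValueMap<>((MultiValueMap<String, String>) original.getBody());
        form.add("audience", audience);
        // Same headers, method and token URI; only the body gained one parameter.
        return new RequestEntity<>(form, original.getHeaders(), original.getMethod(), original.getUrl());
    }
}

@Configuration
class Auth0WebClientConfig {

    /** Assumed for this example: the API identifier registered in Auth0 for the target REST service. */
    private static final String AUDIENCE = "https://api.example.com/";

    @Bean
    WebClient auth0WebClient(ClientRegistrationRepository registrations,
                             OAuth2AuthorizedClientService authorizedClients) {
        DefaultClientCredentialsTokenResponseClient tokenClient =
                new DefaultClientCredentialsTokenResponseClient();
        tokenClient.setRequestEntityConverter(new AudienceAddingRequestEntityConverter(AUDIENCE));

        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(cc -> cc.accessTokenResponseClient(tokenClient))
                .build();

        // Service-to-service call with no user or HttpServletRequest involved, so the
        // service-backed manager is used instead of the default request-scoped one.
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);

        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // "auth0" is the registration id assumed in the application.yml above.
        oauth2.setDefaultClientRegistrationId("auth0");

        // Every request through this client gets "Authorization: Bearer <token>",
        // and the token is fetched (and refreshed when expired) through tokenClient.
        return WebClient.builder()
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}
```

With this in place the token request body becomes grant_type=client_credentials&audience=https://api.example.com/ plus the client credentials, and the access token Auth0 returns carries that audience in its aud claim. Two things worth checking on the other side: the REST service should verify that aud matches its own identifier, otherwise a token minted for a different API would be accepted, and the decorator keeps whichever client authentication method (client_secret_basic or client_secret_post) the registration is configured with, since it only touches the body. Later Spring Security releases (5.5 onward) added addParametersConverter on the converter itself for exactly this kind of customization, which removes the need for the wrapper.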
I probably missed a lot of things and it could be done differently, but it works. It's just very frustrating not to have concrete tutorials for something which is supposed to be "basic". I could probably blame Auth0 for needing this extra audience field, but so much code to add one line... I am very sad.