Add roles to logged-in user from external service using Spring Security and JWT authentication

Our application uses a third-party system to authenticate users. Having a JWT token, the UI calls the API server. The problem is that the JWT does not contain user roles. To fix that, our
Java backend needs to call another external system and organise authorisation – very slow, buggy and verbose.

Is there a way with Java Spring Security to handle this situation?

  1. We can’t rewrite JWT, so this is not an option.
  2. Can we add roles in Security context and use it as cache? Not optimal but progress.
  3. Is it acceptable to organise a “second” login to the backend system and send the UI
    another JWT with roles? The problem with the different times of expiration exists …
  4. Are there any customisers, filters that could be used?
  5. Is the JwtAuthenticationConverter suitable?

Any kind of help is welcome: ideas, suggestions, links, articles or books.
Thank you in advance

  • I think 5 is appropriate


The answer here is quite simple: use the JWT correctly and make sure that the scopes/roles are included in the signed JWT.

If this can’t be done, then the entire JWT “solution” should be removed as it doesn’t fit the security model.

I will ignore the fact that the question asker is laying out ground rules of what can or cannot be done, because the question basically asks us “how can I store items in a sequential collection, but it cannot be a list”. The question makes no sense, and the solution is crystal clear.
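Added example (the editor's, not code from the question or the answer above): a replacement for Spring Security's default `JwtAuthenticationConverter` that covers both positions in this thread. It first maps roles carried in the signed token (the answer's advice, under an assumed `roles` claim) via `JwtGrantedAuthoritiesConverter`; only if the token carries none does it fall back to the external lookup from the question's options 2 and 5, caching the result per subject for no longer than the token's own `exp`, so the cached roles never outlive the credential they were attached to. `RoleService` and its `rolesFor` method are assumed stand-ins for the external authorisation system, and the configuration assumes the Spring Security 6 lambda DSL with a `JwtDecoder` already configured (for example through `spring.security.oauth2.resourceserver.jwt.issuer-uri`).

```java
// Added example, not from the original post or any project. RoleService, its
// rolesFor() method and the "roles" claim name are assumptions.
import java.time.Instant;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

/** Assumed client for the external authorisation system. */
interface RoleService {
    /** Returns role names for a subject, e.g. ["ADMIN", "AUDITOR"]. */
    List<String> rolesFor(String subject);
}

public class ExternalRoleJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    // Preferred path: roles carried inside the signed token (assumed "roles" claim).
    private final JwtGrantedAuthoritiesConverter fromToken = new JwtGrantedAuthoritiesConverter();
    private final RoleService roleService;
    // Fallback cache keyed by subject; an entry expires when the token that filled it expires.
    private final Map<String, CachedRoles> cache = new ConcurrentHashMap<>();

    public ExternalRoleJwtConverter(RoleService roleService) {
        this.roleService = roleService;
        fromToken.setAuthoritiesClaimName("roles");
        fromToken.setAuthorityPrefix("ROLE_");
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // The decoder has already verified signature and expiry before this runs,
        // so only authenticated subjects ever reach the external lookup.
        Collection<GrantedAuthority> authorities = fromToken.convert(jwt);
        if (authorities == null || authorities.isEmpty()) {
            authorities = externalAuthorities(jwt);
        }
        return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
    }

    private Collection<GrantedAuthority> externalAuthorities(Jwt jwt) {
        Instant tokenExpiry = jwt.getExpiresAt() != null ? jwt.getExpiresAt() : Instant.now();
        CachedRoles cached = cache.compute(jwt.getSubject(), (subject, old) -> {
            if (old != null && old.expiresAt.isAfter(Instant.now())) {
                return old; // still within the lifetime of the token that fetched it
            }
            // One call to the external system per subject per token lifetime.
            return new CachedRoles(roleService.rolesFor(subject), tokenExpiry);
        });
        return cached.roles.stream()
                .map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());
    }

    private static final class CachedRoles {
        final List<String> roles;
        final Instant expiresAt;

        CachedRoles(List<String> roles, Instant expiresAt) {
            this.roles = roles;
            this.expiresAt = expiresAt;
        }
    }
}

@Configuration
class ResourceServerConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, RoleService roleService) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt ->
                jwt.jwtAuthenticationConverter(new ExternalRoleJwtConverter(roleService))));
        return http.build();
    }
}
```

Because the converter is invoked by the resource-server filter only after the `JwtDecoder` has validated the token, the external lookup and its cache see nothing but verified subjects. Tying each cache entry to the token's `exp` is what keeps the expiry mismatch raised in option 3 from appearing here: when the token is no longer accepted, the roles fetched for it are no longer served either.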
