While yesterday I was very happy to share the good developper experience I got recently with Auth0, today I am feeling frustrated by something I was expecting to be easy and which finally isn’t.
I am sharing my experience here, with the hope it can help someone else to have the same headache….
The context is very simple:
A Spring Boot application (latest 2.4.x) needs to connect to a REST service protected with a JWT Token using Auth0
I was expecting to implement in five minutes… It was more 5 hours.. :-/
While I like the large ecosystem which is proposed by Spring and the reference documentations which are (in general) of good quality it’s often very hard to figure out for a given use case what is the correct way to implement it due to variety of resources and the lack of up-to-date tutorial.
Googling about it is a big challenge because the terms are generic and the Spring stack evolved especially with Spring Security 5 and it’s “native” support for Oauth.
In general “How to” articles which are very useful are more on @baeldung website than on Spring docs :-/
But then, to come back to my need, I discovered that @auth0 requirement to pass an “audience” to get the JWT token isn’t considered as very standard ( https://github.com/spring-projects/spring-security/issues/7379 ).
Hopefully we can find some resources like https://github.com/spring-projects/spring-security/issues/6569 to explain how to customise the behaviour but it’s based on an old version of Spring Security and a part of this is deprecated. (I also discovered on SO that the well known RestTemplate is deprecated and I should move to the WebClient – https://stackoverflow.com/questions/58982286/spring-security-5-replacement-for-oauth2resttemplate )
Maybe I missed a better solution to do it but what I found is that to add this audience in the request I have to create a
But I cannot reuse
which is not extensible.
Thus I ended with 100 lines of copy/paste (BEURK) to just add one useful line:
And a big method to configure correctly the WebClient
I probably missed a lost of things and it could be done differently but it works. It’s just very frustrating to not have to concrete tutorials to handle something which is supposed to be “basic”. I could probably blame Auth0 to need this extra audience field but sooo much code for 1 line to add, I am very sad..