using Okta principal groups and metadata in Spring Boot with Okta Spring Boot - Stack Overflow

Date: 2025-01-06 admin Industry

I have an OIDC app in Okta that I am using to authenticate and authorize my webapp where I am using:

  • spring-boot-starter-parent 3.3.3
  • okta-spring-boot-starter 3.0.7
  • thymeleaf-extras-springsecurity6 3.1.2.RELEASE

This comment led me to believe that adding a groups claim to my Authorization Server in Okta would result in groups being turned into roles automatically when using okta-spring-boot-starter. That is not what I am experiencing.

I was under the impression that requesting the authorities from the principal would result in a list of groups prefixed with ROLE_.

My user belongs to a single group in Okta called App-User. If I ask for:

<div sec:authentication="principal.authorities">Roles</div>

what I get back is:

[App-User, Everyone, OIDC_USER, SCOPE_email, SCOPE_openid, SCOPE_profile]

This does not work:

<div sec:authorize="hasRole('App-User')">You have the role</div>

but this does:

<div sec:authorize="hasAuthority('App-User')">You have the authority</div>

I also find it strange that this works:

<div sec:authentication="principal.email"></div>

but doing this:

<div sec:authentication="principal.name"></div>

returns what appears to be the client ID of the app in Okta instead of the user's name:

00umarbvfdDvDofPu5d7

Trying to get principal.firstName throws an error claiming it doesn't exist.

asked by Steve Maring, edited by dur

1 Answer


I found that this will give me a list of all the attributes available on the principal:

<div sec:authentication="principal.attributes">Attributes</div>

From that, I found that I could do all of these:

<div th:text="${#authentication.getPrincipal().getAttribute('name')}"></div>
<div th:text="${#authentication.getPrincipal().getAttribute('given_name')}"></div>
<div th:text="${#authentication.getPrincipal().getAttribute('family_name')}"></div>
<div th:text="${#authentication.getPrincipal().getAttribute('email')}"></div>
<div th:text="${#authentication.getPrincipal().getAttribute('groups')}"></div>

That serves my purpose, and I can live with using hasAuthority() instead of hasRole() for display purposes.
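The gap the question and answer describe is that the starter exposes each Okta group as a plain authority (App-User) while Spring Security's hasRole('App-User') looks for the authority ROLE_App-User. If you would rather keep hasRole() in templates and method security, the standard Spring Security way to close that gap is a GrantedAuthoritiesMapper bean that mirrors each group name as a ROLE_-prefixed authority. The following is an added example, not code from the question or from the Okta starter; the package and class names are hypothetical, the claim name "groups" is assumed to match the custom claim added to the Okta authorization server, and it assumes OAuth2/OIDC login is configured through Spring Security so that a GrantedAuthoritiesMapper bean in the application context is picked up.

```java
// Added example: map Okta group names to ROLE_-prefixed authorities at login.
package com.example.security; // hypothetical package name

import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

@Configuration
public class OktaGroupsToRolesConfig {

    // Assumed to match the name of the custom claim configured on the Okta authorization server.
    static final String GROUPS_CLAIM = "groups";

    @Bean
    GrantedAuthoritiesMapper oktaGroupsToRoles() {
        return authorities -> {
            // Keep every authority that was already produced (group names, SCOPE_*, OIDC_USER)
            // so existing hasAuthority() checks keep working.
            Set<GrantedAuthority> mapped = new LinkedHashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                for (String group : groupsFrom(authority)) {
                    // hasRole('App-User') matches the authority "ROLE_App-User".
                    mapped.add(new SimpleGrantedAuthority("ROLE_" + group));
                }
            }
            return mapped;
        };
    }

    /** Reads the groups claim from the ID token, then the UserInfo response, then plain OAuth2 attributes. */
    static List<String> groupsFrom(GrantedAuthority authority) {
        Object claim = null;
        if (authority instanceof OidcUserAuthority oidc) {
            claim = oidc.getIdToken().getClaim(GROUPS_CLAIM);
            if (claim == null && oidc.getUserInfo() != null) {
                claim = oidc.getUserInfo().getClaim(GROUPS_CLAIM);
            }
        } else if (authority instanceof OAuth2UserAuthority oauth2) {
            claim = oauth2.getAttributes().get(GROUPS_CLAIM);
        }
        return toStrings(claim);
    }

    /** Accepts a JSON array of names or a single string; any other shape yields no groups. */
    static List<String> toStrings(Object claim) {
        List<String> groups = new ArrayList<>();
        if (claim instanceof Collection<?> values) {
            for (Object value : values) {
                if (value != null && !value.toString().isBlank()) {
                    groups.add(value.toString());
                }
            }
        } else if (claim instanceof String single && !single.isBlank()) {
            groups.add(single);
        }
        return groups;
    }
}
```

With this bean in place, `<div sec:authorize="hasRole('App-User')">` matches for the user in the question, and `hasAuthority('App-User')` keeps working because the original authorities are retained. Two caveats worth knowing: the mapper runs once at login and the result is stored in the session, so a group change in Okta only takes effect at the next login; and every group in the claim becomes a role, so `ROLE_Everyone` will exist too, which is fine as long as no check relies on its absence. On the other observations in the question: the `principal.name` value is the `sub` claim, which Spring Security's default OIDC user uses as its name attribute, and `OidcUser` exposes the standard claims through getters such as `getGivenName()` and `getFullName()`, so `principal.givenName` resolves in Thymeleaf while `principal.firstName` does not exist as a property.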