Spring Tutorial-4/Auth-II - Group PreAuthorization mysteriously fails with valid Group ID claims in ID Token.

[ehogeweg]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

4. Spring Framework Web App Tutorial/3-Authorization-II -

1. Run application and log in.
2. Observe ID Token Details and confirm that groups claim contains the AdminGroupId and the UserGroupId.
3. Confirm that PreAuthorization annotations have the 'correct' Group IDs
4. Click Admins Only.

Any log messages given by the failure

None observed

Expected/desired behavior

Expected: "Excellent! ..."
Observed: "Sorry! ..."

OS and Version?

macOS Big Sur

Versions

Java version 11

Mention any other details that might be useful

@GetMapping(path = "/admin_only")
@PreAuthorize("hasAuthority('48ca69cc-8f4f-4bd2-b12f-xxxxxxxxxxxx')")

Does not work.

Changing the PreAuthorization to hasRole() and Prefixing the group id with "ROLE_" as documented here appears to be working:

The roles example works as expected.

---

Thanks! We'll be in touch soon.

[FahdKhaja]

Thank you! I was stuck on this problem for far longer than what i would like to admit but you solved it. Thanksss

[exaptations]

Fixed this issue using the following - turning on debugging in the application.yaml

logging:
level:
root: DEBUG
org.springframework.web: DEBUG

Then seeing [[ROLE_2bd128d1-1981-44d7-852a-70f7a40e in the debug logs:

Change the controller code to have ROLE_ prefix

@PreAuthorize("hasAnyAuthority('ROLE_

[exaptations]

Starting with Spring Security 4, the ‘ROLE_‘ prefix is automatically added (if it’s not already there) by any role-related method.

use the following to see which version you are referencing:

mvn dependency:tree