You can use this sample project to learn how to secure a simple Spring Boot API server using Auth0.

The starter branch offers a working API server that exposes three public endpoints. Each endpoint returns a different type of message: public, protected, and admin.

The goal is to use Auth0 so that only requests carrying a valid access token in their Authorization header can reach the protected and admin data. Additionally, only access tokens that contain a read:admin-messages permission should be able to access the admin data; this is referred to as Role-Based Access Control (RBAC).

Check out the add-authorization branch to see authorization in action using Auth0.

Check out the add-rbac branch to see authorization and Role-Based Access Control (RBAC) in action using Auth0.
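The following configuration is an added example of how the two protections described above (token validation for the protected endpoint, plus a required read:admin-messages permission for the admin endpoint) can be expressed with Spring Security's OAuth2 resource-server support. It is not code from this project's branches. It assumes Spring Boot 2.7 / Spring Security 5.7 with spring-boot-starter-oauth2-resource-server on the classpath, a hypothetical package name com.example.security, two properties in application.properties (the standard spring.security.oauth2.resourceserver.jwt.issuer-uri and an application-defined auth0.audience, both with placeholder values), and that the Auth0 API has "Add Permissions in the Access Token" enabled so that permissions appear in the token's permissions claim.

```java
// Added example (not the project's own code). Assumes Spring Boot 2.7 / Spring Security 5.7,
// spring-boot-starter-oauth2-resource-server, and these properties (placeholder values):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://YOUR_TENANT.auth0.com/
//   auth0.audience=https://YOUR_API_IDENTIFIER
package com.example.security;

import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Value("${auth0.audience}")
    private String audience;
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: never create an HTTP session for a caller.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/api/messages/public").permitAll()
                // Any correctly signed, unexpired token issued for this API.
                .antMatchers("/api/messages/protected").authenticated()
                // RBAC: the token must additionally carry the read:admin-messages permission.
                .antMatchers("/api/messages/admin").hasAuthority("read:admin-messages")
                // Default deny for anything not listed above.
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(permissionsConverter())));
        return http.build();
    }

    // Checks signature and expiry against the issuer's JWKS, then the iss and aud claims.
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromOidcIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new AudienceValidator(audience);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }

    // Auth0 places RBAC permissions in the "permissions" claim; map them 1:1 to Spring
    // authorities (no "SCOPE_" prefix) so hasAuthority("read:admin-messages") matches.
    private JwtAuthenticationConverter permissionsConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("permissions");
        authorities.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    // Rejects tokens minted for a different API in the same tenant: a valid signature and
    // issuer alone are not enough, the aud claim must name this API.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;
        AudienceValidator(String audience) { this.audience = audience; }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();  // null when the claim is absent
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "The required audience is missing", null));
        }
    }
}
```

With this in place, a request to the protected or admin endpoint without a usable bearer token is answered by the resource-server filter with a 401 and a WWW-Authenticate header before any controller runs; a token that validates but lacks the read:admin-messages permission gets a 403 on the admin endpoint. The audience check is the part most often left out: without it, any token the tenant issues for some other API would be accepted here.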
The only dependency is having java installed. You can install it like this on OS X:

    brew install openjdk@11

There's a go script that you can use to execute the different tasks.

To run the API server, use:

    ./go run

To run the tests, use:

    ./go test

There are two additional targets, ./go build and ./go containerize, in case you want to package the app in a Docker container.
The API server defines the following endpoints:

Get public message (no access token required):

    GET /api/messages/public

Response:

    Status: 200 OK
    {
      "message": "The API doesn't require an access token to share this message."
    }

Get protected message. You need to protect this endpoint using Auth0.

    GET /api/messages/protected

Response:

    Status: 200 OK
    {
      "message": "The API successfully validated your access token."
    }

Get admin message. You need to protect this endpoint using Auth0 and Role-Based Access Control (RBAC).

    GET /api/messages/admin

Response:

    Status: 200 OK
    {
      "message": "The API successfully recognized you as an admin."
    }

Error handling:

4xx errors:

    Status: Corresponding 400 status code
    {
      "message": "Message that describes the error that took place."
    }

5xx errors:

    Status: 500 Internal Server Error
    {
      "message": "Message that describes the error that took place."
    }
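The handler below is an added example (not part of this project) of producing the error bodies documented above, a JSON object with a single message field, from one place. It assumes Spring Boot 2.7 and a hypothetical package name com.example.errors. Client errors raised as ResponseStatusException keep their status and reason; anything unexpected becomes a 500 whose body carries a fixed message while the real exception is logged server-side, so stack traces and internal messages never reach the caller.

```java
// Added example (not the project's own code). Assumes Spring Boot 2.7.
package com.example.errors;

import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.server.ResponseStatusException;

@RestControllerAdvice
public class ApiErrorHandler {

    private static final Logger log = LoggerFactory.getLogger(ApiErrorHandler.class);

    // 4xx: the status and reason chosen at the throw site are passed through as
    // {"message": "..."}; the reason is written by us, not taken from user input.
    @ExceptionHandler(ResponseStatusException.class)
    public ResponseEntity<Map<String, String>> handleClientError(ResponseStatusException e) {
        String reason = e.getReason() != null ? e.getReason() : e.getStatus().getReasonPhrase();
        return ResponseEntity.status(e.getStatus()).body(Map.of("message", reason));
    }

    // 5xx: log the full exception for operators, return only a generic message.
    // Echoing e.getMessage() here could leak SQL, file paths or library internals.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> handleServerError(Exception e) {
        log.error("Unhandled exception while serving request", e);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
            .body(Map.of("message", "An unexpected error occurred while processing the request."));
    }
}
```

Note that 401 and 403 responses for missing, invalid or under-privileged tokens are produced by Spring Security's filters, which run before the controller layer, so they are not routed through this advice.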