You can use this sample project to learn how to secure a simple SpringBoot API server using Auth0.
The starter branch offers a working API server that exposes three public endpoints. Each endpoint returns a different type of message: public, protected, and admin.
The goal is to use Auth0 to only allow requests that contain a valid access token in their authorization header to access the protected and admin data. Additionally, only access tokens that contain a read:admin-messages permission should access the admin data, which is referred to as Role-Based Access Control (RBAC).
Check out the add-authorization branch to see authorization in action using Auth0.
Check out the add-rbac branch to see authorization and Role-Based Access Control (RBAC) in action using Auth0.
The only dependency is having java installed. You can install like this on OS X:
brew install openjdk@11There's a go script that you can use to execute the different tasks.
Use:
./go runUse:
./go testThere are two additional targets, ./go build and ./go containerize, in case you want to package the app in a Docker container.
The API server defines the following endpoints:
GET /api/messages/publicStatus: 200 OK{
"message": "The API doesn't require an access token to share this message."
}You need to protect this endpoint using Auth0.
GET /api/messages/protectedStatus: 200 OK{
"message": "The API successfully validated your access token."
}You need to protect this endpoint using Auth0 and Role-Based Access Control (RBAC).
GET /api/messages/adminStatus: 200 OK{
"message": "The API successfully recognized you as an admin."
}Status: Corresponding 400 status code{
"message": "Message that describes the error that took place."
}Status: 500 Internal Server Error{
"message": "Message that describes the error that took place."
}