← 返回 Skills 市场
auth0

Auth0 Springboot Api

作者 Auth0 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
35
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install auth0-springboot-api
功能描述
Use when securing Spring Boot API endpoints with JWT Bearer token validation, scope-based authorization, or DPoP proof-of-possession - integrates com.auth0:a...
使用说明 (SKILL.md)

Auth0 Spring Boot API Integration

Protect Spring Boot API endpoints with JWT access token validation using com.auth0:auth0-springboot-api. Features auto-configuration, scope-based authorization, and built-in DPoP (RFC 9449) support.

Agent instruction: Before providing SDK setup instructions, fetch the latest release version by running:

gh api repos/auth0/auth0-auth-java/releases/latest --jq '.tag_name'

Use the returned version in all dependency lines instead of any hardcoded version below. If the API call fails (e.g., no releases yet), use 1.0.0-beta.1.

Prerequisites

  • Java 17+ and Spring Boot 3.2+
  • Maven 3.6+ or Gradle 7+
  • Auth0 API configured (not Application — must be API resource)
  • If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

Use Case Recommended Skill
Server-rendered web applications (Spring MVC with sessions) Use auth0-java for Spring Boot web apps with login UI
Single Page Applications Use auth0-react, auth0-vue, or auth0-angular for client-side auth
Mobile applications Use auth0-android or auth0-swift for native mobile
Non-Spring Java APIs Use auth0-spring-security-api for plain Spring Security

Quick Start Workflow

Agent instruction: If the user's prompt already provides Auth0 credentials (domain, audience), use them directly — skip the bootstrap script and credential questions. Only offer setup options when credentials are missing.

1. Install SDK

Gradle (build.gradle):

implementation 'com.auth0:auth0-springboot-api:1.0.0-beta.1'

Maven (pom.xml):

\x3Cdependency>
    \x3CgroupId>com.auth0\x3C/groupId>
    \x3CartifactId>auth0-springboot-api\x3C/artifactId>
    \x3Cversion>1.0.0-beta.1\x3C/version>
\x3C/dependency>

2. Create Auth0 API

You need an API (not Application) in Auth0.

STOP — ask the user before proceeding.

Ask exactly this question and wait for their answer before doing anything else:

"How would you like to create the Auth0 API resource?

  1. Automated — I'll run Auth0 CLI scripts that create the resource and write the values to your application.yml automatically.
  2. Manual — You create the API yourself in the Auth0 Dashboard (or via auth0 apis create) and provide me the Domain and Audience.

Which do you prefer? (1 = Automated / 2 = Manual)"

Do NOT proceed to any setup steps until the user has answered. Do NOT default to manual.

If the user chose Automated, follow the Setup Guide for complete CLI scripts. The automated path writes application.yml for you — skip Step 3 below and proceed directly to Step 4.

If the user chose Manual, follow the Setup Guide (Manual Setup section). Then continue with Step 3.

Quick reference for manual API creation:

# Using Auth0 CLI
auth0 apis create \
  --name "My Spring Boot API" \
  --identifier https://my-springboot-api

Or create manually in Auth0 Dashboard → Applications → APIs

3. Configure application.yml

auth0:
  domain: "your-tenant.auth0.com"
  audience: "https://my-springboot-api"

Important: Domain must NOT include https://. The library constructs the issuer URL automatically.

Or use application.properties:

auth0.domain=your-tenant.auth0.com
auth0.audience=https://my-springboot-api

4. Configure Spring Security

@Configuration
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain apiSecurity(
            HttpSecurity http,
            Auth0AuthenticationFilter authFilter
    ) throws Exception {
        return http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public").permitAll()
                .requestMatchers("/api/protected").authenticated()
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated())
            .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
            .build();
    }
}

5. Protect Endpoints

@RestController
@RequestMapping("/api")
public class ApiController {

    @GetMapping("/public")
    public ResponseEntity\x3CMap\x3CString, Object>> publicEndpoint() {
        return ResponseEntity.ok(Map.of("message", "Public endpoint - no token required"));
    }

    @GetMapping("/protected")
    public ResponseEntity\x3CMap\x3CString, Object>> protectedEndpoint(Authentication authentication) {
        Auth0AuthenticationToken token = (Auth0AuthenticationToken) authentication;
        return ResponseEntity.ok(Map.of(
            "user", authentication.getName(),
            "email", token.getClaim("email"),
            "scopes", token.getScopes()
        ));
    }
}

6. Test API

Agent instruction: After writing all code, verify the build succeeds:

./gradlew bootRun

or ./mvnw spring-boot:run. If build fails, diagnose and fix. After 5-6 failed attempts, use AskUserQuestion to get help.

Test public endpoint:

curl http://localhost:8080/api/public

Test protected endpoint (requires access token):

curl http://localhost:8080/api/protected \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Get a test token via Client Credentials flow or Auth0 Dashboard → APIs → Test tab.

Common Mistakes

Mistake Fix
Domain includes https:// Use your-tenant.auth0.com format only — no scheme prefix
Audience doesn't match API Identifier Must exactly match the API Identifier set in Auth0 Dashboard
Created Application instead of API in Auth0 Must create API resource in Auth0 Dashboard → Applications → APIs
Missing addFilterBefore in SecurityConfig Auth0AuthenticationFilter must be added before UsernamePasswordAuthenticationFilter
Using ID token instead of access token Must use access token for API auth, not ID token
Checking scope claim in wrong format Scopes map to SCOPE_ prefixed authorities: use hasAuthority("SCOPE_read:data")
Spring Boot env var binding Use AUTH0_DOMAIN not AUTH0_DOMAIN with underscores inside property names; Spring removes dashes and is case-insensitive

Scope-Based Authorization

See Integration Guide for defining and enforcing scope-based access control via filter chain, @PreAuthorize, or programmatic checks.

DPoP Support

Built-in proof-of-possession token binding per RFC 9449. See Integration Guide for configuration modes (DISABLED, ALLOWED, REQUIRED).

Related Skills

  • auth0-quickstart — Basic Auth0 setup and account creation
  • auth0-java — Spring Boot web apps with login UI (Regular Web Application)

Quick Reference

Configuration Properties (application.yml):

  • auth0.domain — Auth0 tenant domain, no https:// prefix (required)
  • auth0.audience — API Identifier from Auth0 API settings (required)
  • auth0.dpop-mode — DPoP mode: DISABLED, ALLOWED (default), REQUIRED
  • auth0.dpop-iat-offset-seconds — DPoP proof time window (default: 300)
  • auth0.dpop-iat-leeway-seconds — DPoP proof time leeway (default: 30)

User Claims (via Auth0AuthenticationToken):

  • authentication.getName() — User ID (subject / sub claim)
  • token.getClaim("email") — Any specific claim by name
  • token.getClaims() — All JWT claims as Map\x3CString, Object>
  • token.getScopes() — Scopes as Set\x3CString>

Common Use Cases:

  • Protect routes → requestMatchers("/path").authenticated() (see Step 4)
  • Scope enforcement → hasAuthority("SCOPE_read:data") or @PreAuthorize (see Integration Guide)
  • DPoP token binding → Integration Guide
  • Complete API reference → API Reference

Detailed Documentation

  • Setup Guide — Auth0 CLI automation, environment configuration, secret management
  • Integration Guide — Scope policies, DPoP, controller patterns, error handling
  • API Reference — Complete configuration options, claims reference, testing checklist

References

安全使用建议
This skill appears purpose-aligned for adding Auth0 JWT protection to a Spring Boot API. Before using the automated setup, verify your active Auth0 CLI tenant and review any project files the agent will change. Treat token and client-secret snippets as placeholders, and pin reviewed dependency versions for production.
功能分析
Type: OpenClaw Skill Name: auth0-springboot-api Version: 1.0.1 The skill bundle provides legitimate instructions and documentation for integrating Auth0 authentication into a Spring Boot API. It includes agent-specific instructions to fetch the latest SDK version via the GitHub CLI and automate resource creation using the Auth0 CLI, which are consistent with the stated purpose. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found across the files (SKILL.md, setup.md, api.md, integration.md).
能力标签
requires-oauth-tokenrequires-sensitive-credentials
能力评估
Purpose & Capability
The artifacts consistently describe securing Spring Boot API endpoints with Auth0 JWT validation, scope checks, and DPoP support.
Instruction Scope
The skill instructs the agent to run read-only GitHub CLI checks, Auth0 CLI setup commands, and project build commands. These are disclosed and related to the stated setup workflow.
Install Mechanism
There is no install spec or code package, but the documentation includes user/setup commands such as installing Auth0 CLI and adding Maven/Gradle dependencies. This is expected for an instruction-only integration skill.
Credentials
The automated path may use the user's existing Auth0 CLI login to list tenants and create an API resource, and may write application configuration. This is purpose-aligned but should be reviewed for the correct Auth0 tenant and project path.
Persistence & Privilege
The skill can guide persistent local project changes such as dependency additions and application.yml updates, but it does not show hidden background persistence or self-running code.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install auth0-springboot-api
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /auth0-springboot-api 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Initial publish
元数据
Slug auth0-springboot-api
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Auth0 Springboot Api 是什么?

Use when securing Spring Boot API endpoints with JWT Bearer token validation, scope-based authorization, or DPoP proof-of-possession - integrates com.auth0:a... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 35 次。

如何安装 Auth0 Springboot Api?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install auth0-springboot-api」即可一键安装,无需额外配置。

Auth0 Springboot Api 是免费的吗?

是的,Auth0 Springboot Api 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Auth0 Springboot Api 支持哪些平台?

Auth0 Springboot Api 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Auth0 Springboot Api?

由 Auth0(@auth0)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论