CODEWITHSUNDEEP
spring-bootoauth-2.0okta
heisenberg
heisenberg

Reputation: 1954

Okta-Spring Boot keeps throwing 400 response using company provided okta registration information

Our company provided me with new okta registration information. Specifically, the following :

okta.oauth2.issuer=https://purpleid-test.oktapreview.com/oauth2/aaabbbbccc

okta.oauth2.audience=ABC12345

okta.oauth2.client-id=0oaSomeClientId

In my spring boot application, I have the following :

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.7</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    ....
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-client</artifactId>
            <version>3.1.4</version>
        </dependency>
        <dependency>
            <groupId>com.okta.spring</groupId>
            <artifactId>okta-spring-boot-starter</artifactId>
            <version>2.1.6</version>
        </dependency>
    </dependencies>
    ....
</project>

Main class

....
import java.security.Principal;

@SpringBootApplication
public class MessageConsumerApplication {

    public static void main(String[] args) {
        SpringApplication.run(MessageConsumerApplication.class, args);
    }

    @RestController
    @CrossOrigin
    static class RootEndpointRestController {
        @GetMapping("/test")
        String test(Principal principal){
            return "test";
        }
    }
}

application.properties

management.endpoints.web.exposure.include=env,health,info,beans,refresh,bus-refresh
management.endpoint.health.show-details=ALWAYS
management.endpoint.refresh.enabled=true

server.port=8080

okta.oauth2.issuer=https://ourcompanyid-test.oktapreview.com/oauth2/aaabbbbccc
okta.oauth2.audience=ABC12345
okta.oauth2.client-id=0oaSomeClientId

SecurityConfiguration class

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;


@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.setProperty("https.proxyHost", "internet.proxy.ourcompany.com");
        System.setProperty("https.proxyPort", "5555");
        http.cors().and()
                .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
                .oauth2ResourceServer().jwt();
    }
}

Problem : Whenever I try to access url like localhost:8080/test or localhost:8080/actuator in the browser (Chrome/Edge), it always returns 400 Bad Request

In the browser URL, this is what shows up

https://ourcompanyid-test.oktapreview.com/oauth2/aaabbbbccc
v1/authorize?
response_type=code&
client_id=0oaSomeClientId&
scope=profile%20email%20openid&
state=I2VByus9KqEt_Zt0ivvG9j_IKtLBldoQrZg-a1SRsYM%3D&
redirect_uri=http://localhost:8080/login/oauth2/code/okta&
code_challenge_method=S256&
nonce=AISpoMaYWFKjp2ZdF_xncSd8LFw7FKTMK9D6G1xbP3o&
code_challenge=hi1EmraZOfOYsdn5rolIaRZO4-pbA8yHtMpIVxjcDP0

However, when I use my personal Okta Developer account registration, it succeeds and redirects me to okta login page when I try to access localhost:8080/test or localhost:8080/actuator in the browser (Chrome/Edge)

enter image description here

My personal Okta Developer account registration looks something like this :

okta.oauth2.issuer=https://dev-123456.okta.com/oauth2/default
okta.oauth2.client-id=0oaMyClientId
okta.oauth2.client-secret=MyClientSecret

I don't have any idea why it would work using my personal Okta registration info and why it would NOT work when I use the Okta registration provided by our company.

Basically, when I use my personal Okta, it redirects to Okta login page just fine. But when I use office provided Okta registration, it returns 400 Bad Request

Is this something to do with my SecurityConfiguration class? Is my configuration class good? Or, is this something that can be fixed by changing Okta configuration in Okta website?

NOTE: I was informed by the person who created the company okta registration that they created a Single-Page type of Okta registration.

I'd appreciate any comment, explanation or suggestion to fix this.

Thank you.

Upvotes: 0

Views: 384

Answers (2)

Sharat Sahoo
Sharat Sahoo

Reputation: 1

If you are using spring boot 3.0 or heigher version then add a defult "access policies" then it will work fine enter image description here

Upvotes: 0

ch4mp
ch4mp

Reputation: 12564

@RestControllers are OAuth2 resource-servers. Configure it as so. This can be as simple as:

<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
    <version>6.0.4</version
</dependency>

@EnableMethodSecurity
public static class WebSecurityConfig { }

com.c4-soft.springaddons.security.issuers[0].location=https://ourcompanyid-test.oktapreview.com/oauth2/aaabbbbccc
com.c4-soft.springaddons.security.issuers[0].authorities.claims=groups

com.c4-soft.springaddons.security.cors[0].path=/test

Follow link above for samples with more options (servlet VS reactive apps or JWT decoder VS access-token introspection, and last Spring default Authentictaion implementation VS custom ones), and also tips for testing (unit & integration) with mocked OAuth2 identities. Tutorials are providing with instructions for configuring resource-servers with just spring-boot-starter-oauth2-resource-server or spring-addons boot starters building on top of it (and much simplified Java configuration).

Upvotes: 0

Related Questions