Munish Bhatia
@venkatnagasai In the application.yml file for the SpringBootOAuthClient rename the property “redirect-uri-template” to “redirect-uri” and it should work.
Venkat naga Sai
Thanks Matt, it is working now for the default login page. For the custom login page, I am getting the below error for the following code:
http.headers().frameOptions().deny()
    .and()
    .authorizeRequests()
        .antMatchers("/login", "/oauth/authorize").permitAll()
        .antMatchers("/resources/").permitAll()
        .anyRequest().authenticated()
    .and()
    .exceptionHandling()
        .accessDeniedPage("/login?authorization_error=true")
    .and()
    .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
        .disable()
    .formLogin()
        .loginProcessingUrl("/login")
        .failureUrl("/login?authentication_error=true")
        .loginPage("/login")
    .and()
    .logout().logoutSuccessUrl("/login?logout")
    .and()
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
2019-11-26 19:08:00.581 WARN 15452 --- [nio-8082-exec-4] o.s.b.a.s.o.r.UserInfoTokenServices : Could not fetch user details: class org.springframework.web.client.RestClientException, Could not extract response: no suitable HttpMessageConverter found for response type [interface java.util.Map] and content type [text/html;charset=UTF-8]
But it is working fine with the below code:
http.requestMatchers()
        .antMatchers("/login", "/oauth/authorize")
        .antMatchers("/resources/")
    .and()
    .authorizeRequests()
        .antMatchers("/resources/**").permitAll()
        .anyRequest().authenticated()
    .and()
    .exceptionHandling()
        .accessDeniedPage("/login?authorization_error=true")
    .and()
    .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
    .formLogin()
        .loginProcessingUrl("/login")
        .failureUrl("/login?authentication_error=true")
        .loginPage("/login").permitAll()
    .and()
    /* .csrf().disable() */
    .logout().logoutSuccessUrl("/login?logout")
    .and()
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
Does it happen because of not including the requestMatchers() method?
Matt Raible
This is why you should just use Okta for your OAuth server. Friends don’t let friends write authorization servers.
praveen kumar r
Hi Andrew, thanks a ton for your contributions. The blogs are clear and easy to follow. I have gone through a couple of your blogs. I am just getting started with security; could you throw some light on where exactly your other post (https://developer.okta.com/… fits in the current blogs' flow?
Matt Raible
The other post you’re referring to is about Multi-Factor Authentication (aka, MFA). MFA is a feature that many OAuth providers offer, but it’s not a requirement of OAuth. MFA typically happens after a user has entered their credentials.
praveen kumar r
Thank you Matt.
M.I.
A few questions about this line that says “Rename the src/main/resources/application.properties to application.yml”.
- What is yml? Do we need to learn yml?
- Why cannot we use application.properties?
Thanks,
M. Chisty
Matt Raible
The yml extension is for YAML, which stands for Yet Another Markup Language. Spring Boot supports both properties and YAML files, so you can use whichever one you prefer.
bhavini dave
APPLICATION FAILED TO START
Description:
Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' that could not be found.
The following candidates were found but could not be injected:
- Bean method 'clientRegistrationRepository' in 'OAuth2ClientRegistrationRepositoryConfiguration' not loaded because OAuth2 Clients Configured Condition registered clients is not available
Action:
Consider revisiting the entries above or defining a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' in your configuration.
I am getting the above error while starting the Spring Boot server.
Matt Raible
My guess is you're missing Okta settings in your src/main/resources/application.yml file.
okta:
  oauth2:
    issuer: https://{yourOktaDomain}/oauth2/default
    client-id: {yourClientId}
    client-secret: {yourClientSecret}
Karthik Ramesh
How can I cache the details on a distributed server, like Redis?
Matt Raible
You should be able to use Spring Session to distribute session information via Redis.
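As an added illustration of the Spring Session suggestion above (example code, not from the post or from Okta's starter), a Spring Boot configuration that stores the HTTP session in Redis and, going one step further, tunes the session cookie, because an OAuth 2.0 login's SecurityContext and authorized client live in that session. The build coordinates, property keys and class name in the comments are assumptions about a Spring Boot 2.x / Spring Session 2.x project.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/*
 * Assumed build additions (Maven): spring-session-data-redis and
 * spring-boot-starter-data-redis. Assumed application.yml keys:
 *   spring.session.store-type: redis
 *   spring.redis.host / spring.redis.port pointing at the shared Redis.
 * Every node of the OAuth client then reads the same session, so the
 * SecurityContext and OAuth2AuthorizedClient created on the node that
 * handled the redirect back from the issuer are visible on all others.
 */
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // 30 min idle timeout
public class DistributedSessionConfig {

    // Hypothetical bean; overrides Spring Session's default cookie settings.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        // Keep the session id out of reach of page scripts.
        serializer.setUseHttpOnlyCookie(true);
        // Send the cookie only over TLS; assumes the app is served over HTTPS.
        serializer.setUseSecureCookie(true);
        // Lax rather than Strict: the browser must still attach the cookie on
        // the top-level redirect back from the authorization server, otherwise
        // the stored state cannot be matched and the login loops.
        serializer.setSameSite("Lax");
        return serializer;
    }
}
```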
Karthik Ramesh
@mattraible Thanks
Carlos Fernando Palma Roldan
Same here
Carlos Fernando Palma Roldan
Shouldn't okta be under
spring:
  security:
?
Carlos Fernando Palma Roldan
I had to add
<dependency>
  <groupId>com.okta.spring</groupId>
  <artifactId>okta-spring-boot-starter</artifactId>
  <version>1.4.0</version>
</dependency>
to my Maven project. I also had to change the issuer: there was an admin part that I had to delete from the string. After that my project was able to start.
Matt Raible
No, Okta has its own keys. You don't need spring.security.* keys when you're using the Okta Spring Boot starter.
Matt Raible
The steps in the tutorial include this dependency when you create your app with Okta as a dependency on start.spring.io.
Carlos Fernando Palma Roldan
Sorry, my bad!