A Quick Guide to OAuth 2.0 with Spring Security

Munish Bhatia

@venkatnagasai In the application.yml file for the SpringBootOAuthClient rename the property “redirect-uri-template” to “redirect-uri” and it should work.

Venkat naga Sai

Thanks Matt, it is working now for the default login page. For the custom login page, I am getting the error below with the following code:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers().frameOptions().deny()
        .and()
        .authorizeRequests()
            .antMatchers("/login", "/oauth/authorize").permitAll()
            .antMatchers("/resources/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .exceptionHandling()
            .accessDeniedPage("/login?authorization_error=true")
        .and()
        // .disable() switches CSRF off for the whole chain; the matcher before it has no effect
        .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
            .disable()
        .formLogin()
            .loginProcessingUrl("/login")
            .failureUrl("/login?authentication_error=true")
            .loginPage("/login")
        .and()
        .logout().logoutSuccessUrl("/login?logout")
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
}

2019-11-26 19:08:00.581 WARN 15452 --- [nio-8082-exec-4] o.s.b.a.s.o.r.UserInfoTokenServices : Could not fetch user details: class org.springframework.web.client.RestClientException, Could not extract response: no suitable HttpMessageConverter found for response type [interface java.util.Map] and content type [text/html;charset=UTF-8]

But it is working fine with the code below:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.requestMatchers()   // limits this filter chain to the listed URLs
            .antMatchers("/login", "/oauth/authorize")
            .antMatchers("/resources/**")
        .and()
        .authorizeRequests()
            .antMatchers("/resources/**").permitAll()
            .anyRequest().authenticated()
        .and()
        .exceptionHandling()
            .accessDeniedPage("/login?authorization_error=true")
        .and()
        .csrf().requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
        .formLogin()
            .loginProcessingUrl("/login")
            .failureUrl("/login?authentication_error=true")
            .loginPage("/login").permitAll()
        .and()
        /* .csrf().disable() */
        .logout().logoutSuccessUrl("/login?logout")
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
}

Does it happen because the requestMatchers() method is not included?
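Editor's note, with an added example that is not code from this thread or from the tutorial: `http.requestMatchers()` is what scopes a filter chain to a set of URLs. Without it, a `WebSecurityConfigurerAdapter` chain claims every request, including the bearer-token call the client makes to the user-info endpoint; an unauthenticated form-login chain answers that with a redirect to the HTML login page, which is consistent with the `text/html` content type in the warning above. The two classes below write that scoping out explicitly, with the login pages in one chain and the bearer-token endpoint in the resource-server chain, and leave CSRF at its default instead of calling `.disable()` (which removes the CSRF filter entirely and silently discards the matcher before it). The user-info path `/user/me`, the `@Order(1)` value (the adapter defaults to 100, the `@EnableResourceServer` chain to 3) and the template requirement of a `_csrf` field are assumptions for this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Chain 1: the authorization server's own browser-facing pages.
 * requestMatchers() is the important part: only these URLs are handled here,
 * so a bearer-token request to the user-info endpoint is never redirected to /login.
 */
@Configuration
@EnableWebSecurity
@Order(1) // assumption: run before the @EnableResourceServer chain (default order 3)
public class LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/login", "/oauth/authorize", "/resources/**")
                .and()
            .headers().frameOptions().deny()
                .and()
            .authorizeRequests()
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                .accessDeniedPage("/login?authorization_error=true")
                .and()
            // CSRF is left at its default: the POST to /login and the consent POST to
            // /oauth/authorize both require the token, so the login and consent templates
            // must include the _csrf hidden field. /oauth/token is not in this chain, so
            // the default does not affect the client's token request.
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .failureUrl("/login?authentication_error=true")
                .permitAll()
                .and()
            .logout().logoutSuccessUrl("/login?logout")
                .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
    }
}

/**
 * Chain 2: what the client calls with the access token. The resource-server
 * filter chain authenticates the Bearer header and has CSRF off already, because
 * no browser session is involved. Only requests chain 1 declined reach it.
 */
@Configuration
@EnableResourceServer
class UserInfoResourceConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/user/me") // assumed user-info path
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A quick check that the scoping is right: `curl -i http://localhost:<auth-server-port>/user/me` without a token should return 401 with a `WWW-Authenticate: Bearer` header, not a 302 to `/login`; with a valid token it should return the JSON the client's `UserInfoTokenServices` expects.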

Matt Raible

This is why you should just use Okta for your OAuth server. Friends don’t let friends write authorization servers. :wink:

praveen kumar r

Hi Andrew, thanks a ton for your contributions. The blogs are clear and easy to follow. I have gone through a couple of your blogs. I am just getting started with security; could you throw some light on where exactly your other post (https://developer.okta.com/… ) fits in the current blogs' flow?

Matt Raible

The other post you’re referring to is about Multi-Factor Authentication (aka, MFA). MFA is a feature that many OAuth providers offer, but it’s not a requirement of OAuth. MFA typically happens after a user has entered their credentials.

praveen kumar r

Thank you Matt.

M.I.

A few questions about this line that says “Rename the src/main/resources/application.properties to application.yml”.

- What is yml? Do we need to learn yml?
- Why cannot we use application.properties?

Thanks,
M. Chisty

Matt Raible

The yml extension is for YAML, which stands for Yet Another Markup Language. Spring Boot supports both properties and YAML files, so you can use whichever one you prefer.

bhavini dave

APPLICATION FAILED TO START

Description:

Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' that could not be found.

The following candidates were found but could not be injected:
- Bean method 'clientRegistrationRepository' in 'OAuth2ClientRegistrationRepositoryConfiguration' not loaded because OAuth2 Clients Configured Condition registered clients is not available

Action:

Consider revisiting the entries above or defining a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' in your configuration.

I am getting above error while starting Spring boot server

Matt Raible

My guess is you’re missing Okta settings in your src/main/resources/application.yml file.

okta:
  oauth2:
    issuer: https://{yourOktaDomain}/oauth2/default
    client-id: {yourClientId}
    client-secret: {yourClientSecret}

Karthik Ramesh

How can I cache the details on a distributed server ? Like redis ?

Matt Raible

You should be able to use Spring Session to distribute session information via Redis.
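Editor's note, with an added example (not code from this thread or from the tutorial) of what "use Spring Session to distribute session information via Redis" looks like. The session is where Spring Security keeps the SecurityContext and, for an OAuth 2.0 client, the authorized client with its access token, so the Redis hop should be authenticated and encrypted rather than a plain TCP connection on the LAN. The host name, port and the REDIS_PASSWORD environment variable are assumptions; spring-session-data-redis and spring-boot-starter-data-redis are assumed to be on the classpath.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisPassword;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.lettuce.LettuceClientConfiguration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

/**
 * Replaces the container's in-memory HttpSession with one stored in Redis, so any
 * instance behind the load balancer can serve a user who logged in on another one.
 * The idle timeout is enforced by Redis key expiry, not by each JVM.
 */
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // 30-minute idle timeout
public class RedisSessionConfig {

    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        // Host, port and the REDIS_PASSWORD variable are assumptions for this example.
        RedisStandaloneConfiguration server =
                new RedisStandaloneConfiguration("redis.internal", 6379);
        server.setPassword(RedisPassword.of(System.getenv("REDIS_PASSWORD")));

        // Serialized sessions carry tokens and authentication state,
        // so require TLS on the client connection as well as a password.
        LettuceClientConfiguration client = LettuceClientConfiguration.builder()
                .useSsl()
                .build();
        return new LettuceConnectionFactory(server, client);
    }
}
```

With Spring Boot auto-configuration the same result can be had from properties alone (`spring.session.store-type=redis`, `spring.redis.host`, `spring.redis.password`, `spring.redis.ssl=true`); the explicit bean is shown so the password and TLS settings are visible in one place. Either way, confirm with `redis-cli --scan --pattern 'spring:session:*'` that sessions appear, and that a request to the second instance with the first instance's `SESSION` cookie is treated as logged in.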

Karthik Ramesh

@mattraible Thanks

Carlos Fernando Palma Roldan

Same here

Carlos Fernando Palma Roldan

shouldn’t okta be under
spring:
security:
?

Carlos Fernando Palma Roldan

I had to add

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>1.4.0</version>
</dependency>

to my Maven project. I also had to change the issuer: there was an admin part that I had to delete from the string. After that my project was able to start.

Matt Raible

No, Okta has its own keys. You don’t need spring.security.* keys when you’re using the Okta Spring Boot starter.

Matt Raible

The steps in the tutorial include this dependency when you create your app with Okta as a dependency on start.spring.io.

Carlos Fernando Palma Roldan

Sorry, my bad!