Add Authentication to Play Framework with OIDC and Okta

Play Framework is a key component of Lightbend’s Lagom microservices framework. This article shows you how to integrate play-pac4j and use its OIDC support to authenticate with Okta.

James Higgins

This does not seem to be working for me. I get the following error when I go to localhost:9000

Execution exception
[CompletionException: org.pac4j.core.exception.TechnicalException: com.nimbusds.jose.RemoteKeySourceException: Couldn’t parse remote JWK set: Invalid JSON: Unexpected duplicate key:kty at position 88.]

Matt Raible

Hello James,

Make sure you have “/oauth2/default” in your discoveryUri. Otherwise, you’re using your Okta org’s authorization server, which is meant for internal use only. Here’s mine:

oidc.discoveryUri = "https://dev-737523.oktapreview.com/oauth2/default/.well-known/openid-configuration"

Another common problem is having “-admin” in your URL. Make sure to take that part out.

Leah

Hello,
are there ways to add register feature to this?

Matt Raible

Yes. I wrote about how to enable self-service registration in Okta in another post.

Gabriel Patricio

Hi,
I’m having the compilation error “cannot access org.pac4j.core.util.InitializableWebObject”. This class is the parent of “org.pac4j.oidc.config.OidcConfiguration”, which I’m using for OidcConfiguration…

I’m trying to integrate your example with Keycloak, btw :)

Matt Raible

Make sure you’re using the same version of dependencies that I’m using. https://github.com/oktadeve…

Gabriel Patricio

Thanks a lot, it was just the version of play-pac4j that was different.

Unfortunately now I’m having another error:
[CompletionException: org.pac4j.core.exception.TechnicalException: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: No matching key(s) found]

Can you help me out?

Matt Raible

What is your discovery URL set to?

Gabriel Patricio

oidc.discoverUri="http://localhost:8080/auth/realms/{realm}/.well-known/openid-configuration"

where {realm} is set to my realm name in Keycloak.
I manage to log in on the Keycloak login page; I just get this error after login.

Matt Raible

You might try asking this question on Stack Overflow and tagging it with “pac4j” and “keycloak”. I haven’t tried to get this tutorial to work with Keycloak, so I’m not sure what the problem is.

Gabriel Patricio

Hi,
Thanks a lot for your reply!
And good news, I figured out what was missing.

OidcConfiguration.setPreferredJwsAlgorithm();
I had to discover which algorithm Keycloak is using for JWS and set it.
Everything is working smoothly, thanks!
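Pulling together the fixes from this thread (a discovery URI that points at an authorization server such as /oauth2/default, no "-admin" host, and an explicitly configured JWS algorithm), here is an added example of how the pac4j Config can be built for play-pac4j. It is not code from the tutorial or from the pac4j project; the class name, the checkDiscoveryUri helper and the pac4j 3.x generics are assumptions.

```java
import com.nimbusds.jose.JWSAlgorithm;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.profile.OidcProfile;

/** Hypothetical helper that builds the pac4j Config consumed by play-pac4j's SecurityModule. */
public class OidcSecurityConfig {

    /** Fails fast on the discovery URI mistakes discussed in the thread, before pac4j fetches the JWK set. */
    static String checkDiscoveryUri(String uri) {
        if (uri.contains("-admin.")) {
            throw new IllegalArgumentException("Use the org URL, not the -admin URL: " + uri);
        }
        if (uri.contains("okta") && !uri.contains("/oauth2/")) {
            throw new IllegalArgumentException(
                "Okta discoveryUri should target an authorization server, e.g. /oauth2/default: " + uri);
        }
        if (!uri.endsWith("/.well-known/openid-configuration")) {
            throw new IllegalArgumentException("discoveryUri must end with /.well-known/openid-configuration: " + uri);
        }
        return uri;
    }

    public static Config buildConfig(String clientId, String clientSecret, String discoveryUri,
                                     String callbackUrl, JWSAlgorithm idTokenAlgorithm) {
        OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId(clientId);
        oidcConfiguration.setSecret(clientSecret);
        oidcConfiguration.setDiscoveryUri(checkDiscoveryUri(discoveryUri));
        // ID token signatures are checked against the provider's JWKS. The algorithm must match what the
        // provider signs with, otherwise you get "Signed JWT rejected: No matching key(s) found".
        // Okta uses RS256; for Keycloak, check the realm's token signature setting.
        oidcConfiguration.setPreferredJwsAlgorithm(idTokenAlgorithm);
        // Bind the ID token to this login attempt so a replayed token is rejected.
        oidcConfiguration.setUseNonce(true);

        OidcClient<OidcProfile, OidcConfiguration> oidcClient = new OidcClient<>(oidcConfiguration);
        Clients clients = new Clients(callbackUrl, oidcClient);
        return new Config(clients);
    }
}
```

Call buildConfig from your Guice module with the values from application.conf and bind the returned Config; the @Secure annotation then protects actions with the resulting OidcClient.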

Leah

Hello! How does Play Framework work when we are using the Okta widget in JavaScript to log in users? For instance, what security settings are needed to authenticate users so that they can access all the protected pages? It looks like the @Secure annotation wouldn’t do the job.

Matt Raible

I’m not sure as I haven’t tried it myself. The best way would likely be to configure your Play app as a resource server (so it just validates the access token), and then have your JavaScript UI send the access token to the backend. You might be able to use our JWT Verifier for Java, but that probably won’t provide integration with the @Secure annotation.

If you’re using the Sign-In Widget because it allows customization, you can do that to the Okta hosted widget as well.

Dan

Any pointers as to how to get an additional attribute in the OIDC profile returned by pac4j when my company has some non-standard attribute in the userInfo, like employee id? I tried getAttribute(“empid”), but that gets me null; it looks like pac4j ignores all other attributes when they are not part of the standard datasets when it is building the OidcProfile object.

Matt Raible

I’m not sure. I’d suggest asking this question by posting an issue to the pac4j GitHub project.