Add Role-Based Access Control to Your App with Spring Security and Thymeleaf

Kathy Lieu

Hi Micah,
I know this is rather an old blog, but I’m hoping you or someone can point out why I would be getting a 403 for users who are assigned to the group which should be authorized.
I saw a few people also ran into the same issue, but I don’t see any solutions posted. I emailed you at micah.silverman@okta.com, providing some details on my OAuth Server and the OIDC app. In brief, I have a Web App and am using an Authorization Code Flow. I’d appreciate it if you could get back to me if you need more info. Thank you very much!

Kathy Lieu

Hi @disqus_KrDIXSJcwC

Did anyone get back to you on your 403? I’m building and running the sample GitHub project and ran into the exact same issue. Got 403 unauthorized on all links. User still couldn’t get access to “users only” and admin couldn’t get to “admins only” either.

I have debug turned on and I see that the access token returned with a Granted Authorities list that doesn’t contain either admins or users. So I wonder how it could ever have worked. Perhaps some missing config on the Okta OAuth server or the OIDC App.
https://uploads.disquscdn.c…

Looks like this blog is not active anymore, hence no one monitors the conversation/comments.

Matt Raible

Hello Kathy,

This blog is very active and we monitor the conversations and comments. However, it’s only a small team that monitors it and we occasionally miss comment notifications. If you want a wider reach with your questions, you have three options: 1) post it to our Okta developer forums, 2) post it to Stack Overflow with the “okta” tag, or 3) send an email to developers@okta.com (this automatically creates a support ticket).

If you’re getting a 403 error, my guess is you might’ve configured the “groups” claim incorrectly. Here’s the screenshot from the post that shows how to create it.

https://d33wubrfki0l68.clou…

I also noticed that you have ROLE_USER in your output, which makes me think you might be using JHipster. For JHipster, we expect the “groups” claim to be added to the ID Token.

Kathy Lieu

Hi Matt @mattraible,
Thank you very much for getting back to me promptly and sharing ways to get answers. Glad to hear this blog is still active. I posted a comment 5 days ago and also sent Micah an email but got no response. Good thing I tried reaching out again.
Thanks for spotting the error. That’s exactly the issue. I’m not using JHipster though. I just loaded the project into my IntelliJ and ran it with the logging level set to TRACE for org.springframework.security.

What I did differently is that I didn’t use the default OAuth server. Instead I created a customized OAuth Server and created the groups claim and Access Policies, where I assigned my application to it.

The screenshot showing how to create the groups claim has “Access Token” as the token type, hence I followed it. Can you explain a little more on why, for JHipster, the groups claim needs to be in the ID Token? I’m not using JHipster, but it does solve my problem.

Also, I saw in one of Micah’s responses to a 403 comment that he mentioned he has switched from the implicit flow to the authorization code flow. Are there other implementation changes done in response to this switch?

Thank you again!

Matt Raible

Micah is on a multiple week vacation, that’s why you haven’t heard from him. I believe Spring Security (and our Okta Spring Boot Starter) expects you to have roles in the ID token. This post is quite old in internet time. You might try taking a look at Spring Method Security with PreAuthorize, which is from 2019.

Kishwar R. Naushahi

Hello Micah!

I tried following the aforementioned steps. When I executed the app with the “mvn spring-boot:run” command, it showed the processing as below (attached) and made no further progress. However, when I open the browser and enter the URL localhost:8080, the Okta login screen appears; when I click on the login button it returns a 401 error message.

https://uploads.disquscdn.c…

Any idea what the reason would be and how it could be fixed? Thank you.

Regards,
Kishwar

Kishwar R. Naushahi

Hi Micah,

I tried following the above instructions. However, when I executed the application using the mvn spring-boot:run command, the process got stuck (screenshot attached) and did not proceed further. Any idea how I could fix it? Thanks.

When I opened localhost:8080 (it was not automatically launched), the Okta login screen appeared; clicking on login gave a 401 error.

https://uploads.disquscdn.c…

Regards,

Pradeep Kumar

I ran into the same issue. All users are getting 403 errors.
I am getting the authorities as [SCOPE_openid, ROLE_USER, SCOPE_email, SCOPE_profile] for all users. Where am I going wrong?

Pradeep Kumar

Hello @Kathy
I am facing the exact same issue. I created a custom auth server, I used the Auth Code grant flow and I have not used JHipster. Also, I created the groups claim and configured it with the Access Token type. Were you able to get the output? Please let me know if this is still an open issue.

Matt Raible

You need to add the groups claim to the ID token, not the access token. Can you try that and let me know if it works?
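As an added illustration (not code from the post or from the Okta starter), here is a plain Spring Security 5 configuration that reads the groups claim itself and turns each group into a GrantedAuthority. It makes explicit why the claim has to be in the ID token for a web app using oauth2Login: the OidcUserAuthority that Spring builds after login carries the ID token and userinfo, never the access token, so a groups claim that only exists in the access token is never seen by the application. The path patterns, the group names admins and users, and the class name are assumptions made for this example.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

// Example configuration, not part of the original post: maps the Okta "groups"
// claim from the ID token to Spring Security authorities for use with hasAuthority().
@Configuration
public class GroupsClaimSecurityConfig extends WebSecurityConfigurerAdapter {

    // Claim name assumed to match the "groups" claim created in the Okta admin console.
    private static final String GROUPS_CLAIM = "groups";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Path patterns and group names are assumptions for this example.
                // hasAuthority() is case-sensitive: "admins" != "Admins".
                .antMatchers("/admins-only/**").hasAuthority("admins")
                .antMatchers("/users-only/**").hasAuthority("users")
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .userAuthoritiesMapper(groupsClaimAuthoritiesMapper());
    }

    @Bean
    public GrantedAuthoritiesMapper groupsClaimAuthoritiesMapper() {
        return authorities -> {
            // Keep the defaults Spring already granted (e.g. SCOPE_openid, ROLE_USER)
            // and add one authority per group found in the ID token.
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    // Only the ID token (and userinfo) is available here. The access
                    // token is never parsed by the client, so a "groups" claim that is
                    // configured only on the access token never reaches this code and
                    // every hasAuthority() check above ends in a 403.
                    OidcIdToken idToken = ((OidcUserAuthority) authority).getIdToken();
                    List<String> groups = idToken.getClaimAsStringList(GROUPS_CLAIM);
                    mapped.addAll(groupsToAuthorities(groups));
                }
            }
            return mapped;
        };
    }

    // Converts the list of group names into authorities; a missing claim yields none.
    static Set<GrantedAuthority> groupsToAuthorities(List<String> groups) {
        Set<GrantedAuthority> result = new HashSet<>();
        if (groups == null) {
            return result;
        }
        for (String group : groups) {
            result.add(new SimpleGrantedAuthority(group));
        }
        return result;
    }
}
```

With this in place, a user whose ID token carries `"groups": ["admins"]` reaches `/admins-only/**` and everyone else gets the 403 this thread is about; running org.springframework.security at TRACE, as described earlier in the thread, prints the authorities the mapper produced so you can see whether the group names arrived at all. The Okta Spring Boot Starter performs an equivalent mapping on your behalf (the 1.3.0 bug mentioned below aside), which is why with the starter the only change needed is to put the claim on the ID token.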

Kathy Lieu

Hi @disqus_9CJfH0peKk
So, my issue running the demo GitHub project posted here was solved using @Matt Raible’s response above. I ran into the same issue trying to implement the groups claim in production code. After many debug sessions with an Okta support engineer, we nailed the problem, which was a bug in version 1.3.0 of the okta-spring-boot-starter package I pulled into my dependencies. Apparently, 1.3.0 contained a bug that caused the groups not to be returned in the granted authorities list. https://github.com/okta/okt…
The fix for me was to use okta-spring-boot-starter version 1.4.0.
So, check the dependencies in your pom.xml to see if this might also be the cause of your issue.
Good luck!

Pradeep Kumar

Thanks for the quick reply. I added the groups claim to the ID token, upgraded the jar to 1.4.0, and still facing the same issue. I have pushed my code to my gitlab account. repo link.

Matt Raible

It looks like you’re using a custom authorization server and not the default one we create for you. Can you try using the default one? Also, I’d remove the redirect URI and try to get things working before you customize it.

Pradeep Kumar

Hi. I have deleted the default authorization server. I do not have the default authorization server. Is there a way to set it to default settings?

Matt Raible

No, but you can create a new developer account. You can even use the same email address.

Pradeep Kumar

Hi Matt, I tried with a new developer account - dev-7858070.okta.com. I tried the same exact steps but I am not getting the roles yet. I am not sure where I am going wrong. I tried with a brand new Okta tenant, worked with the default authorization server, and verified by adding the claims with both the Access Token and ID Token type. Still there is no luck. Can you please help me in resolving this issue?

Matt Raible

Are you sure your groups claim matches the one used in this post?

https://d33wubrfki0l68.clou…

If so, it’s probably best to send an email to developers@okta.com to open a support ticket.

Bhavesh Mandalkar

Hi, I am also facing the same issue. If you have resolved this issue then can you please share the solution.

Pradeep Kumar

I was unable to solve the issue. I have raised a support ticket for the same. Will update this thread once I get any update.

Matt Raible

I was recently reminded of an issue with Spring Boot 2.4. Spring Security no longer defaults the scopes to “openid, email, profile”, so you have to specify these. We fixed this in recent releases of our Spring Boot starter and recommend you upgrade to v2. https://github.com/okta/okt…