Add Single Sign-On to Your Spring Boot Web App in 15 Minutes

This tutorial will walk you through building a Spring Boot application and show you how to harden your APIs with a variety of OAuth flows.

junior walter ramos diaz

Good tutorial. A question: can it only be used with an internet connection?

Matt Raible

Yes, you’ll need an internet connection to work with a cloud identity provider like Okta.

sb

It looks like the blog is written with a future release in mind, and hence the screenshots etc. are not consistent with the Okta user interface.
For example: I can't find the client ID and secret under the Application General tab. Do you know where to look for them?

Matt Raible

This post uses the Okta Developer Console, which was released in September 2017. You should be able to switch from our Classic UI to it with a toggle in the top left corner.

dekay23

This is all out of date: you don't "Add", you "Create New". And the Client ID and Client Secret are no longer there, but some sort of URL. There is also no way to switch from the Classic UI?

Eric Braun

I am getting a null pointer exception while trying to grab the user info at my endpoint from a Principal after logging in through Okta. I am using Spring Boot 1.5.6.RELEASE with:
<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>0.2.0</version>
</dependency>

<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.2.0.RELEASE</version>
</dependency>

Matt Raible

I believe everything is up to date. You should be able to switch from the Classic UI to the Developer Console in the top left corner. If you don’t see that option, please send an email to developers@okta.com to get it fixed.

annbee

Thanks for a great tutorial. Is it possible to link my app with other SSO providers by using these dependencies?

Matt Raible

Can you explain more about the use case you’re looking for? For example, are you looking to add social login to your Okta sign-in page?

annbee

Hi Matt. Thanks for your reply! Let me try to explain my use case better than I did.
I have developed a web app in Spring Boot and would like to integrate it with SSO. Instead of using Okta, I was wondering if it is possible to add SSO integration with other identity providers like PingFederate or any other options available on the market.

Matt Raible

Yes, you can use Spring Security OAuth to talk to any OAuth 2.0 provider. I demonstrate how to do this in Build a Basic CRUD App with Angular 5.0 and Spring Boot 2.0 (updated today :tada:).

I’ve successfully used this same configuration with Keycloak as part of the JHipster project.

sb

Thanks Matt. I assume having the Developer Console is a mandatory requirement to use this feature? If not, what is the issuer URL configuration?

Matt Raible

A developer account is mandatory, but you could configure everything through our Classic UI. It’s just a bit more painful. We have two main products, our IT product (SSO for your employees), and our Developer APIs (SSO for your customers). Maybe you signed up for the wrong one?

The IT product’s signup page is at https://www.okta.com/free-t…. The Developer API’s signup page is https://developer.okta.com/….

Oleksandr Hubachov

This example does not work. A few issues in this example:
1. The @EnableOAuth2Sso annotation is not present in the provided dependencies. This can be solved by adding:
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-autoconfigure</artifactId>
2. Even after that, after login you will see: There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain user details from token

Any ideas how to fix this?

Matt Raible

What version of Spring Boot are you using? Make sure you've added the following dependency:

<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <version>2.2.0.RELEASE</version>
</dependency>

This is what contains the @EnableOAuth2Sso annotation.

Paolo Romani

Same problem.
Thanks for any info

Matt Raible

I’m guessing you’re using Spring Boot 2.0. The Okta Spring Boot Starter (v0.4.0) only works with Spring Boot 1.5.x. If you want to use Spring Boot 2.0 + Okta, you can do it with the following steps:

1. Add the following dependencies.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.0.0.RELEASE</version>
</dependency>

2. Add the @EnableResourceServer annotation to your main Application class.

import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@EnableResourceServer

3. Create src/main/resources/application.yml and copy your Okta domain (without -admin!) and client ID into it.

security:
  oauth2:
    client:
      access-token-uri: https://{yourOktaDomain}.com/oauth2/default/v1/token
      user-authorization-uri: https://{yourOktaDomain}.com/oauth2/default/v1/authorize
      client-id: {clientId}
      scope: openid profile email
    resource:
      user-info-uri: https://{yourOktaDomain}.com/oauth2/default/v1/userinfo
      token-info-uri: https://{yourOktaDomain}.com/oauth2/default/v1/introspect
      prefer-token-info: false
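The login that the security.oauth2.* properties in the comment above configure, as an added Python model of the exchange (this is not code from the post, the tutorial, or Spring Security OAuth). The Okta side is simulated in-process by a constructed stand-in class so it runs offline; the org domain, client ID, redirect URI and user names are placeholders. It shows what the properties map to in the authorization-code flow: the redirect to user-authorization-uri with a per-session state, the state check on the callback (the login-CSRF defence), the single-use code exchanged at access-token-uri, and the prefer-token-info switch that decides whether the Principal is built from user-info-uri or token-info-uri. check_config catches the -admin host mistake the comment warns about before any request is made.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# security.oauth2.* properties from the comment; domain and client ID are constructed placeholders.
CONFIG = {
    "user-authorization-uri": "https://dev-123456.oktapreview.com/oauth2/default/v1/authorize",
    "access-token-uri": "https://dev-123456.oktapreview.com/oauth2/default/v1/token",
    "user-info-uri": "https://dev-123456.oktapreview.com/oauth2/default/v1/userinfo",
    "token-info-uri": "https://dev-123456.oktapreview.com/oauth2/default/v1/introspect",
    "client-id": "0oaexampleclientid",
    "scope": "openid profile email",
    "prefer-token-info": False,
}

def check_config(cfg):
    """Flag any -admin host: that is the admin console, not the authorization server."""
    return [f"{k}: drop '-admin' from the host" for k in cfg
            if k.endswith("-uri") and "-admin" in urlparse(cfg[k]).netloc]

class FakeOkta:
    """In-process stand-in for the Okta org (constructed for this example, not Okta code)."""
    def __init__(self, client_id):
        self.client_id, self.codes, self.tokens = client_id, {}, {}

    def authorize(self, query, user):
        q = parse_qs(query)
        assert q["response_type"] == ["code"] and q["client_id"] == [self.client_id]
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["redirect_uri"][0], user)
        # The browser is redirected back with the code and the state Okta received.
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        redirect_uri, user = self.codes.pop(form["code"], (None, None))  # codes are single use
        if redirect_uri != form["redirect_uri"]:
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = user
        return {"access_token": tok, "token_type": "Bearer"}

    def userinfo(self, bearer):
        user = self.tokens.get(bearer)
        return (200, {"sub": user, "email": user}) if user else (401, {})

    def introspect(self, token):
        user = self.tokens.get(token)
        return {"active": True, "sub": user} if user else {"active": False}

class SsoClient:
    """The relying party: the requests the @EnableOAuth2Sso filter chain makes with CONFIG."""
    def __init__(self, cfg, okta, redirect_uri="https://app.example.com/login"):
        self.cfg, self.okta, self.redirect_uri, self.session = cfg, okta, redirect_uri, {}

    def start_login(self):
        # state is random per session; the callback must echo it back unchanged.
        self.session["state"] = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.cfg["client-id"],
                  "redirect_uri": self.redirect_uri, "scope": self.cfg["scope"],
                  "state": self.session["state"]}
        return self.cfg["user-authorization-uri"] + "?" + urlencode(params)

    def finish_login(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        expected = self.session.pop("state", None)
        if expected is None or not hmac.compare_digest(q.get("state", [""])[0], expected):
            raise PermissionError("state mismatch: possible login CSRF")
        tok = self.okta.token({"grant_type": "authorization_code", "code": q["code"][0],
                               "redirect_uri": self.redirect_uri, "client_id": self.cfg["client-id"]})
        if "access_token" not in tok:
            raise PermissionError("token exchange failed: " + tok["error"])
        # prefer-token-info=false: the Principal is built from user-info-uri, not token-info-uri.
        if self.cfg["prefer-token-info"]:
            info = self.okta.introspect(tok["access_token"])
            ok = info["active"]
        else:
            status, info = self.okta.userinfo(tok["access_token"])
            ok = status == 200
        if not ok:  # this is the 401 "Could not obtain user details from token" from the thread
            raise PermissionError("Could not obtain user details from token")
        return info["sub"]

def run_login(cfg=CONFIG, user="alice@example.com"):
    okta = FakeOkta(cfg["client-id"])
    client = SsoClient(cfg, okta)
    callback = okta.authorize(urlparse(client.start_login()).query, user)
    return client.finish_login(callback)

def forged_callback_rejected(cfg=CONFIG):
    """A callback the user never started (attacker code, guessed state); True if no token was issued."""
    okta = FakeOkta(cfg["client-id"])
    client = SsoClient(cfg, okta)
    client.start_login()
    forged = client.redirect_uri + "?" + urlencode({"code": "attacker-code", "state": "guessed"})
    try:
        client.finish_login(forged)
    except PermissionError:
        return not okta.tokens
    return False
```

run_login() returns the principal name for a normal login; flipping prefer-token-info to True routes the same token through the introspection endpoint instead. forged_callback_rejected() shows why the state value matters: without the comparison, an attacker could make a victim's browser complete a login with a code from the attacker's own session.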

sb

Thanks for tutorial, very useful.
Wondering if it is possible to configure a transparent proxy through which all calls to Okta URIs pass. We are in an environment where outbound connections are allowed only via a transparent proxy, so we need to configure the Okta client to use it when setting up HTTP clients. Let me know if Okta supports this.
I see there is config I can do under okta.client.clientProxyInfo, but is it used in the OAuth2 SSO flow?

Brian Demers

The Okta starter only works with Spring Boot 1.5.x (v2 will be added soon!)