Angular 9(frontend) + spring Rest API backend

I have my client application created in OKTA(auth code+ PKCE )
OKTA SSO from angular is working perfectly well
Using this token when try to call API service it throws an error

Request header
GET /backend/contacts HTTP/1.1
Host: localhost:8080
Connection: keep-alive
sec-ch-ua: " Not;A Brand";v=“99”, “Google Chrome”;v=“97”, “Chromium”;v=“97”
Accept: application/json, text/plain, /
Authorization: Bearer eyJraWQiOiJYWmtrSzZweUpVd01NMGs5NmhSSnpBbnhQdWVDSVpzSVA3YUIyaTktM0owIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmxwVkJiZ1RHbUk5cUltZExCWFRGODdmU2FBRWhCWlNZOFpPN0poZWowanciLCJpc3MiOiJodHRwczovL2Rldi04ODI4OTU5Ni5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2NDMxNTU2NTMsImV4cCI6MTY0MzE1OTI1MywiY2lkIjoiMG9hM29ranpwY3NvVzd6Z001ZDciLCJ1aWQiOiIwMHUzb2o1amc5SnQyZmZINzVkNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoicHJhc3VuYS5iYW5nbGFAZ21haWwuY29tIn0.gLE2amAiSkgXteCImrrnDVgEqrR46tUuIeVJFbLkq-W4qVNKGwtAH0qFuradmd9l-ObPRCz3CUO1n3QJjlYrdLTcyobi-blwlWG_MtbRbGkyEghtIkb2ucMxh0v_jEH3-keZxqdyoZZ8pZXt0zvcYOYlDd8SSsTylYzyUcEFxJL2tG3fjhLHN0QXwlZYSqsBT3iM97-yTRv0A1mu29pwWLHXBQZABXg8w2t-jVqakWHd3MeLukQQHeboRKmgu3ZtCz3o8Ld_IDtF7pDqYbnqurGdM4nurbYO2iPQTDBU6qenvT469Dz8wDlk9IRGZ42__vCOodHr2K_HlVn4BnVWMg
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
sec-ch-ua-platform: “Windows”
Origin: localhost:4200
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: localhost:4200
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response header

1. HTTP/1.1 401 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Access-Control-Allow-Origin: localhost:4200 Access-Control-Allow-Credentials: true Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers WWW-Authenticate: Bearer error=“invalid_token”, error_description=“An error occurred while attempting to decode the Jwt: Invalid token”, error_uri=“RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage” X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Length: 0 Date: Wed, 26 Jan 2022 00:07:33 GMT Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS

2. Request HeadersView parsed

3. GET /backend/contacts HTTP/1.1 Host: localhost:8080 Connection: keep-alive sec-ch-ua: " Not;A Brand";v=“99”, “Google Chrome”;v=“97”, “Chromium”;v=“97” Accept: application/json, text/plain, / Authorization: Bearer eyJraWQiOiJYWmtrSzZweUpVd01NMGs5NmhSSnpBbnhQdWVDSVpzSVA3YUIyaTktM0owIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmxwVkJiZ1RHbUk5cUltZExCWFRGODdmU2FBRWhCWlNZOFpPN0poZWowanciLCJpc3MiOiJodHRwczovL2Rldi04ODI4OTU5Ni5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2NDMxNTU2NTMsImV4cCI6MTY0MzE1OTI1MywiY2lkIjoiMG9hM29ranpwY3NvVzd6Z001ZDciLCJ1aWQiOiIwMHUzb2o1amc5SnQyZmZINzVkNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoicHJhc3VuYS5iYW5nbGFAZ21haWwuY29tIn0.gLE2amAiSkgXteCImrrnDVgEqrR46tUuIeVJFbLkq-W4qVNKGwtAH0qFuradmd9l-ObPRCz3CUO1n3QJjlYrdLTcyobi-blwlWG_MtbRbGkyEghtIkb2ucMxh0v_jEH3-keZxqdyoZZ8pZXt0zvcYOYlDd8SSsTylYzyUcEFxJL2tG3fjhLHN0QXwlZYSqsBT3iM97-yTRv0A1mu29pwWLHXBQZABXg8w2t-jVqakWHd3MeLukQQHeboRKmgu3ZtCz3o8Ld_IDtF7pDqYbnqurGdM4nurbYO2iPQTDBU6qenvT469Dz8wDlk9IRGZ42__vCOodHr2K_HlVn4BnVWMg sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 sec-ch-ua-platform: “Windows” Origin: http://localhost:4200 Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:4200/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

const oktaConfig = {

issuer: ‘https://dev-123.okta.com/oauth2/default’,

redirectUri: window.location.origin + ‘/implicit/callback’,

clientId: ‘xyz’,

pkce: true

};

okta.oauth2.client-id=xyz
okta.oauth2.issuer=https://dev-123.okta.com/oauth2/default
okta.oauth2.groups-claim=groups
okta.oauth2.audience=https://dev-123.okta.com/oauth2/default/v1/token

read localhost:4200 as http://localhost:4200

If you remove the audience property on the Spring Boot side (or change it to the default of api://default), does it work?

Tried by placing default auth server in audience , but it throws the same

some log from spring boot
org.springframework.security.oauth2.core.OAuth2AuthenticationException: An error occurred while attempting to decode the Jwt: Invalid token
at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:92) ~[spring-security-oauth2-resource-server-5.2.1.RELEASE.jar:5.2.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]

Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn’t retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://dev-88289596.okta.com/oauth2/default/v1/keys”: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Followed Securing Angular + Spring Boot Application with Okta | by Raghavendra Bhat | Medium ( code from git hub, it throws above error)

followed this Build a CRUD App with Angular 9 and Spring Boot 2.2 | Okta Developer it was giving invalid token ( i used spring boot maven instead of gradle Kotlin)

It looks like your Spring Boot app is behind a proxy and can’t connect to Okta. You might need to configure proxy settings for your app.

IT was perfectly correct since I could achieve this on personal PC but after setting VM args I still get Access issue.

This is how i configured my pom.xml with VM arguments
< configuration >
< jvmArguments >
-Dokta.oauth2.proxy.host=dev-123.okta.com
-Dokta.oauth2.proxy.port=443
<! – -Dokta.oauth2.proxy.username=your-username
-Dokta.oauth2.proxy.password=your-secret-password – >
</ jvmArguments >
</ configuration >

Very quick response Happy to approach!!!
PS: added spaces in angular braces to make it visible

If it works on your personal machine without a proxy, then all your code is correct. For the proxy settings, can you try configuring them in your application.yml and see if that works?

okta:
  oauth2:
    proxy:
      host: "proxy.example.com"
      port: 7000
      username: "your-username"             # optional
      password: "your-secret-password"      # optional

I did installcret for the URL (https://dev-123.okta.com/) since then its getting redirected to https with port 8443, configured the same in okta and in application(front+rest)
still looking into it,nothing is yet concrete yet

below is error i se in spring console
[nio-8443-exec-4] o.apache.coyote.http11.Http11Processor : Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens

noendpoint.
browser side:
https://localhost:8443/contacts net::ERR_SSL_PROTOCOL_ERROR

Hi there ,

Any possibility to implement spring with SAML (OKTA) since I have proxy issues for my spring boot app??

Hi there,

Issue got resolved, after installing few certification from zscaler.
for eg:
keytool.exe -keystore "C:\Program Files\Java\jre1.8.0_301\lib\security\cacerts” -storepass changeit -import -v -file C:\tmp\ZscalerRootCertificate-2048-SHA256.crt

just for reference adding the solution that worked for me.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.