Angular7 + Springboot 1.X + Okta

We have an application that is currently using Angular7 + Springboot 1.X microservices.

On the backend, spring-security-oauth is used to vend bearer tokens to the front-end.

We have several microservices that receive tokens and act as resource servers (and have the @EnableResourceServer annotation). These microservices verify tokens through a separate auth service having @EnableAuthorizationServer. Aside from vending the tokens, the Auth service also has a custom token enhancer to include several application-specific, user-level attributes to the token response.

We are now looking to introduce Okta into the equation and plan to use the Okta Signin Widget within the Angular application to retrieve the token from Okta – that token would be then provided to the API tier on all subsequent calls.

I had a few questions to ensure we’re approaching this in a sane way:

  1. Is there any real need to have a separate auth service at this point since Okta would be acting as the Authorization Server? It seems as if each microservice could be responsible for doing their own validation of the Okta-provided JWT token.
  2. The latest code within the samples repo has an example resource server that doesn’t exist within the 0.6.1 tagged code – is there a good sample to use for the 1.X vintage of Springboot?
  3. Any other suggestions or gotchas to consider?

1.) No, sounds like in your case Okta would be used to handle this.

2.) Depending on how big your application is, the switch to Boot 2.x might not be much work (the OAuth/OIDC support is better, and is adding features all the time, the next minor release will have support for RP-initiated logout, PKCE support, just to name a couple) That said, take a look at the examples on the 0.6.1 tag:

3.) Take a look at using PKCE with the widget: (this isn’t covered in the widget example in that tag)