Build a CRUD Application with Kotlin and React

This tutorial shows how to build a CRUD application with Kotlin and React.

Jonathan Pirog

I’m getting a 400 Bad Request when trying to log in in the final step (instead of being directed to the Okta login page). Any ideas?

Matt Raible

Does it say that you have an invalid redirect URI? If so, look at what it has for the “redirect_uri” parameter in the address bar, then make sure your app has this value whitelisted as a Login Redirect URI on Okta.

Katie Levy

Great tutorial! Only thing missing is adding in the spring security dependencies here: https://developer.okta.com/…

implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.security:spring-security-test'

Matt Raible

Hello Katie,

The Okta Spring Boot starter will bring in the correct Spring Security dependencies, so you don’t need the first dependency you mention. The spring-security-test library is nice for testing, but there are no tests in this tutorial. If you do use it, you should use testImplementation instead of implementation.

Katie Levy

Ah, thanks! Must’ve been an IntelliJ syncing dependencies issue. Also, very minor, but I found a small bug in the UI code; here’s a PR: https://github.com/oktadeve…

Matt Raible

Thank you! I’ll get this post updated and credit you with the fix. :heart:

Craig Tognarina

Thanks for the post. In case anyone else hit the same issue I did, the proxy property setting in package.json was not working properly for me. This was causing the api request to the server to fail until I made the changes mentioned here: https://stackoverflow.com/q….

Matt Raible

I just tried the instructions in this tutorial (via my handy demo script) and everything worked fine with "proxy": "http://localhost:8080". I suspect you’re trying to do something a bit more complicated. Thanks for the tip!

Christopher Dalziel

As soon as I open inside IntelliJ for the first time the build fails immediately, the only display I get is "starting gradle daemon…"

Any suggestions?

Matt Raible

I haven’t seen this error before. Are you creating your app following this tutorial, or cloning the example repo? You might try cloning the repo, configuring it to use your Okta settings, and running ./gradlew bootRun from the command line.

kenyee

Would be nice to add CSRF support to this sample instead of having to refer to a separate one.

Matt Raible

You are right. In my experience, you don’t need CSRF unless you’re on the same domain. Also SameSite cookies might make it so CSRF isn’t necessary.

I recommend checking out JHipster. It allows you to create apps like the one here, but with much less code.

fauzan

I’m getting an error after clicking the login button: it says user not assigned. Any idea why I’m getting this?

Matt Raible

If you used the Okta CLI to create your OIDC app, everything should work as expected. This is because it assigns your app to the Everyone group by default. If you use the Okta Admin Console to create your app, it currently doesn’t assign any groups by default. This should be fixed soon so the console has the same behavior as our CLI.

Mitch

Can you update to function components and hooks?

Matt Raible

No, but we’ll keep it in mind for a future post. In the meantime, you can check out other React posts.

Mitch

I’m working on a conversion. I can submit a PR if you want?

Matt Raible

That’d be great!

Ezequiel Cabrera

Hi Matt, first of all, I love your guides and tutorials, they’ve been incredibly useful to me.

These last few months I’ve been trying to understand OAuth 2.0 with PKCE for optimally securing a React SPA that needs to communicate with a microservice ecosystem (just a couple of services for now), together with Okta for all auth purposes. Up until now, I was almost certain that I needed to implement a BFF pattern with: my SPA, a BFF with Spring Boot where I could securely store the access token, and maintain a secure session cookie between my FE and BFF (so that my SPA could make use of the stored token); then, my microservices would validate the token via introspection to Okta on each call.

Now, I’m afraid I might’ve overcomplicated things, and frustrated that I can’t seem to find what’s appropriate for my application with proper justification. Reading this article, I get that I might also be able to just have my SPA talk directly to the microservices, without the need for the BFF pattern. Is that correct? Would that be secure enough? If not, was I on the right track before? Once I get the access token, how would you recommend I store it?