Build a Secure API with Spring Boot and GraphQL

This post shows you how to build a GraphQL API with Spring Boot, then lock it down with Spring Security, OAuth 2.0, and Okta.

JA

Good sample on the authentication use case. Are there any examples to demo how authorization (role-based access) can be achieved with GraphQL? What support does Okta provide for authorization?

Matt Raible

You can create a “groups” claim and the user’s groups will be added as Spring Security authorities. Then you should be able to use @PreAuthorize (and other annotations) to secure your methods. Instructions on how to do this:

Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” and include it in the ID Token. Set the value type to “Groups” and set the filter to be a Regex of .*.

Hope this helps!
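As an added illustration of the approach described in this reply (not code from the article or from the Okta starter): a Spring Security 5 resource-server configuration that maps each entry of the "groups" claim to a Spring Security authority, and a GraphQL resolver method guarded with @PreAuthorize. It assumes the Spring Security 5 JWT resource-server support rather than the RemoteTokenServices setup discussed later in this thread; the group name "Admin", the resolver class and the graphql-java-tools package name are assumptions.

```java
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize
public class GroupsSecurityConfig extends WebSecurityConfigurerAdapter {
    static final String GROUPS_CLAIM = "groups"; // claim name from the Okta setup above

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2ResourceServer().jwt()
            .jwtAuthenticationConverter(new GroupsToAuthoritiesConverter());
    }

    // Maps every entry of the "groups" claim to a GrantedAuthority of the same
    // name, so hasAuthority('Admin') matches an Okta group called "Admin".
    static class GroupsToAuthoritiesConverter implements Converter<Jwt, AbstractAuthenticationToken> {
        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            List<String> groups = jwt.getClaimAsStringList(GROUPS_CLAIM);
            List<GrantedAuthority> authorities = groups == null
                ? Collections.<GrantedAuthority>emptyList() // claim missing: authenticated, no group authorities
                : groups.stream().<GrantedAuthority>map(SimpleGrantedAuthority::new).collect(Collectors.toList());
            return new JwtAuthenticationToken(jwt, authorities);
        }
    }
}

// GraphQL resolver (graphql-java-tools interface; package name assumed). Method security
// throws AccessDeniedException unless the caller's groups include "Admin".
@Component
class AdminQueryResolver implements com.coxautodev.graphql.tools.GraphQLQueryResolver {
    @PreAuthorize("hasAuthority('Admin')")
    public List<String> auditLog() {
        return Collections.singletonList("constructed sample entry");
    }
}
```

The API validates the access token, not the ID token, so the claim must be included in the access token as well for the converter to see it.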

Mauro Monti

Hi Andrew, thanks for this article! I have a question. I tried the examples and I would like to know what has changed from com.okta.spring.okta-spring-boot-starter (v0.6.1) to com.okta.spring.okta-spring-boot-starter (v1.2.0).
Seems that when I use the latest version (v1.2.0) the client-id and checkTokenEndpointUrl in RemoteTokenServices are initialized as null which causes a NPE on the loadAuthentication() call.
Anyways using 0.6.1 works fine, just wondering if there is anything else that I need to configure to use the latest version.
Thanks!
M.-

Brian Demers

Hey @mauromonti !

The biggest change was dropping support for Spring Boot 1.5 (in order to support Spring Security 5.x).
What version of Spring Boot are you using?

Mauro Monti

I am using the following versions:

org.springframework.boot:spring-boot-starter-parent:2.1.6.RELEASE
org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.4.RELEASE
com.okta.spring:okta-spring-boot-starter:1.2.1

Mauro Monti

Not sure why but I tried to reply to this question several times and Disqus keeps marking my answers as “pending” and never publishes them. https://uploads.disquscdn.c…

Matt Raible

You don’t need the spring-security-oauth2-autoconfigure dependency if you’re using the 1.x version of our starter and Spring Boot 2.1.x. Can you try removing it and see if that helps?

Mauro Monti

Thanks @mattraible. That was the issue!