Build a Secure API with Spring Boot and GraphQL

oktadev-blog · August 16, 2018, 8:19pm

This post shows you how to build an GraphQL API with Spring Boot, then lock it down with Spring Security, OAuth 2.0, and Okta.

oktadev-blog · November 20, 2018, 1:14am

JA

Good sample on the authentication use case. Are there any examples to demo how authorization (role based access) can be achieved with GraphQL ?. What support does Okta provide for authorization?

oktadev-blog · November 20, 2018, 1:32am

Matt Raible

You can create a “groups” claim and the user’s groups will be added as Spring Security authorities. Then you should be able to use @PreAuthorize (and other annotations) to secure your methods. Instructions on how to do this:

Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” and include it in the ID Token. Set the value type to “Groups” and set the filter to be a Regex of .*.

Hope this helps!

oktadev-blog · June 30, 2019, 6:40pm

Mauro Monti

Hi Andrew, thanks for this article! I have a question. I tried the examples and I would like to know what has changed from com.okta.spring.okta-spring-boot-starter (v0.6.1) to com.okta.spring.okta-spring-boot-starter (v1.2.0).
Seems that when I use the latest version (v1.2.0) the client-id and checkTokenEndpointUrl in RemoteTokenServices are initialized as null which causes a NPE on the loadAuthentication() call.
Anyways using 0.6.1 works fine, just wondering if there is anything else that i need to configure to use the latest version.
Thanks!
M.-

oktadev-blog · July 1, 2019, 2:29pm

Brian Demers

Hey @mauromonti !

The biggest change was dropping support for Spring Boot 1.5 (In order to support Spring Security 5.x)
What version of Spring Boot are you using?

oktadev-blog · July 1, 2019, 6:52pm

Mauro Monti

I am using the following versions:
org.springframework.boot:spring-boot-starter-parent:2.1.6.RELEASE org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.4.RELEASE com.okta.spring:okta-spring-boot-starter:1.2.1

oktadev-blog · July 30, 2019, 4:12am

Mauro Monti

Not sure why but I tried to reply to this question several times and Disqus keeps marking my answers as “pending” and never publish it. https://uploads.disquscdn.c…

oktadev-blog · July 30, 2019, 4:42am

Matt Raible

You don’t need the spring-security-oauth2-autoconfigure dependency if you’re using the 1.x version of our starter and Spring Boot 2.1.x. Can you try removing it and see if that helps?

oktadev-blog · July 30, 2019, 2:51pm

Mauro Monti

Thanks @mattraible. That was the issue!