Build Server Side Authentication in Grails with OAuth 2.0 and Okta
This is a quick tutorial demonstrating how to add authentication to a Grails application with Okta.
rupak dutta
Hi Andrew, after performing part 1, when I try to log in with this link, http://localhost:8080/home/index, it's always giving this error: "Sorry, we were not able to find a user with that username and password." I am seeing an error in the terminal: "grails.plugin.springsecurity.oauth2.exception.OAuth2Exception: No provider 'okta'"
Anybody else got this error?
Matt Raible
What configuration settings do you have in your application.yml? They should resemble the following (with CLIENT_ID and CLIENT_SECRET populated from your app and dev-737523 replaced with your Okta org):
grails:
    ### other grails config settings ###
    plugin:
        springsecurity:
            oauth2:
                active: true
                registration:
                    roleNames: ['ROLE_USER']
                providers:
                    okta:
                        api_key: 'CLIENT_ID'
                        api_secret: 'CLIENT_SECRET'
                        userInfoUrl: 'https://dev-737523.oktapreview.com/oauth2/default/v1/userinfo'
                        authorizeUrl: 'https://dev-737523.oktapreview.com/oauth2/default/v1/authorize'
                        tokenUrl: 'https://dev-737523.oktapreview.com/oauth2/default/v1/token'
                        scopes: 'email profile openid'
rupak dutta
Hi Matt,
Thanks for your reply. I am sharing configurations of application.yml.
rupak dutta
I have modified application.yml by removing the "-admin" string from userInfoUrl, authorizeUrl and tokenUrl, but I am still getting the same error, "no provider. okta".
My configurations:
plugin:
    springsecurity:
        oauth2:
            active: true
            registration:
                roleNames: ['ROLE_USER']
            providers:
                okta:
                    api_key: '0oaht93r35EmQ5bN20h7'
                    api_secret: 'cyKrCFmK-_pVZBhYq2HHLx1FERkdGcAAfN_pBhxO'
                    userInfoUrl: 'https://dev-764990.oktaprev…
                    authorizeUrl: 'https://dev-764990.oktaprev…
                    tokenUrl: 'https://dev-764990.oktaprev…
                    scopes: 'email profile openid'
Matt Raible
It looks like you have the plugin defined under the "gorm" key when it should be defined under the "grails" key. Outdent the plugin block 8 spaces and it should solve your issue.
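An added example, not part of the thread or of the plugin's code: a small Python check for the misplacement diagnosed above. It walks the indentation of application.yml, reports the key path where the okta provider block actually sits, and flags an api_secret written as a literal. The samples are constructed, and OKTA_CLIENT_SECRET is a hypothetical environment variable name.

```python
import re
# Key path the provider block sits under in the config shown in this thread.
EXPECTED = ("grails", "plugin", "springsecurity", "oauth2", "providers")
# Constructed samples: misplaced block with a literal secret, then the fixed layout.
BAD_SAMPLE = """\
grails:
    gorm:
        plugin:
            springsecurity:
                oauth2:
                    providers:
                        okta:
                            api_secret: 'constructed-secret-value'
"""
GOOD_SAMPLE = """\
grails:
    plugin:
        springsecurity:
            oauth2:
                providers:
                    okta:
                        api_secret: '${OKTA_CLIENT_SECRET}'
"""

def key_paths(yaml_text):
    """Yield (path, value) per 'key: value' line by indentation (not a full YAML parser)."""
    stack = []  # (indent, key) of each open parent mapping
    for raw in yaml_text.splitlines():
        m = re.match(r"^( *)([A-Za-z_][\w.-]*):\s*(.*)$", raw.rstrip())
        if not m:
            continue  # blank lines, comments, list items
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper indentation
        stack.append((indent, m.group(2)))
        yield tuple(k for _, k in stack), m.group(3).strip("'\"")

def check(yaml_text, provider="okta"):
    """Return findings; an empty list means the provider block looks sane."""
    findings, found = [], False
    for path, value in key_paths(yaml_text):
        if path[-2:] == ("providers", provider):
            found = True
            if path[:-1] != EXPECTED:
                findings.append("provider block misplaced at " + ".".join(path))
        if path[-1] == "api_secret" and value and not value.startswith("${"):
            findings.append("api_secret is a literal; load it from the environment")
    return findings if found else findings + ["no providers.%s block found" % provider]
```

Running `check(open("grails-app/conf/application.yml").read())` before starting the app shows the misplaced path directly instead of the runtime "No provider" exception.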
rupak dutta
Hi, thanks for the previous reply, those were really helpful. I have another issue.
1. Whenever I integrate my application with Okta, the default /ask page comes up for first-time login and I need to create a user in order to proceed. But my business logic states that after login the control should invoke my controller, bypassing the /ask form page. How to bypass the /ask page?
2. Even if I create a new user from the /ask page, I could not find the user in my Okta account. Why?
Matt Raible
Where does your /ask page come from? There's nothing in this tutorial that references a URL like that, so I'm not sure how your question is related to this blog post.
Flarespots
Hi!
Is there a way of using multiple Okta providers inside the Grails configuration? Or even better … is there a way of adding multiple providers "dynamically"?
Matt Raible
Can you explain your use case a bit and why you have a need for this?
Flarespots
Hi Matt!
Thanks for your quick response.
Sure! This is the scenario:
We are selling a service through a Grails app for a client that uses Okta. However, there is a possibility to sell that service to other potential clients that also use it…
We don't want to create a different instance of that app for each client, instead, we'd like to keep a single instance with multiple users or licenses.
Can you please point me in the right direction on how to do this?
Thanks and regards!
--
Ricardo V.
Flarespots
Matt Raible
Since Grails is built on Spring Boot, you can use Spring Boot's externalized configuration feature to set Okta properties outside your app. We recommend using environment variables, Spring Cloud Config (if you're using microservices), or one of Spring Boot's other mechanisms. You should be able to switch Okta tenants using this feature, without modifying the artifact.
Flarespots
Great!
I'm going to check on that.
Thank you very much for your advice!
--
Ricardo V.
Flarespots
Ricardo
Hi Andrew! This is a great article, thanks for sharing it!
Is it possible to enable OKTA in a Grails project without losing the capacity to log in through a Spring Security Core form or through REST?
Thank you!
Matt Raible
Spring Security 5.1+ has support for multiple authentication mechanisms, so it depends on what version of Grails you're using.
tr tr
I also had to add to app settings in Okta
https://uploads.disquscdn.c…
In the guide,
From your Okta admin panel, click on Applications in the top menu and then click "Add Application"
of
Create Your Okta Application
Al
Is there any reason for the restrictions in grails version for the plugin except you wrote it on that version? I tried to adapt this for an existing application, running on grails 3.0.8 by modifying your plugin so this would be allowed. It seems I am first redirected to success then spring wiring fails or something like that and I am redirected to the ask login page. Which will always redirect me again to itself in the end if I try to login. Any tips how this could be troubleshooted? I am not exactly a spring expert. Somehow userdata, which I can see in trace, seems not to be used at all, it seems to me there is never a user object created with the data I get from okta.
Matt Raible
You said you modified the Grails plugin used in this post. Is it possible for you to share your modifications? Ideally, they would be in the form of a pull request, but we'll take anything you're willing to share.
We'd like to help make the latest version of Grails work with Okta!
John Ruggentaler
I cloned the repository for this project and updated the configuration and updated the project to Grails 3.3.11 but when I browse to a secured controller I get the following error.
400 Bad Request
Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://<domainname>.oktapreview.com/admin/app/oidc_client/instance/<api_key>#tab-general
Any idea what might be wrong?
Matt Raible
You can see the parameter you're passing in by inspecting the URL in your browser when you see this error. Add it to your Okta app and you should be in business.