Build Server Side Authentication in Grails with OAuth 2.0 and Okta

This is a quick tutorial demonstrating how to add authentication to a Grails application with Okta.

rupak dutta

Hi Andrew, after performing part 1, when I try to log in with this link http://localhost:8080/home/index, it's always giving this error: “Sorry, we were not able to find a user with that username and password.” I am seeing an error in the terminal: "grails.plugin.springsecurity.oauth2.exception.OAuth2Exception: No provider ‘okta’"
Anybody else got this error?

Matt Raible

What configuration settings do you have in your application.yml? They should resemble the following (with CLIENT_ID and CLIENT_SECRET populated from your app and dev-737523 replaced with your Okta org):


grails:
    ### other grails config settings ###
    plugin:
        springsecurity:
            oauth2:
                active: true
                registration:
                    roleNames: ['ROLE_USER']
                providers:
                    okta:
                        api_key: 'CLIENT_ID'
                        api_secret: 'CLIENT_SECRET'
                        userInfoUrl: 'https://dev-737523.oktapreview.com/oauth2/default/v1/userinfo'
                        authorizeUrl: 'https://dev-737523.oktapreview.com/oauth2/default/v1/authorize'
                        tokenUrl: 'https://dev-737523.oktapreview.com/oauth2/default/v1/token'
                        scopes: 'email profile openid'

rupak dutta

Hi Matt,
Thanks for your reply. I am sharing the configurations of application.yml.

https://uploads.disquscdn.c…

rupak dutta

I have modified application.yml by removing the ‘-admin’ string from userInfoUrl, authorizeUrl, tokenUrl, but I am still getting the same error “no provider. okta”.
My configurations:

plugin:
    springsecurity:
        oauth2:
            active: true
            registration:
                roleNames: ['ROLE_USER']
            providers:
                okta:
                    api_key: '0oaht93r35EmQ5bN20h7'
                    api_secret: 'cyKrCFmK-_pVZBhYq2HHLx1FERkdGcAAfN_pBhxO'
                    userInfoUrl: 'https://dev-764990.oktaprev…
                    authorizeUrl: 'https://dev-764990.oktaprev…
                    tokenUrl: 'https://dev-764990.oktaprev…
                    scopes: 'email profile openid'

Matt Raible

It looks like you have the plugin defined under the “gorm” key when it should be defined under the “grails” key. Outdent the plugin block 8 spaces and it should solve your issue.
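A way to catch this kind of mis-nesting before starting the app, as an added example that is not part of the original thread or of the plugin: it derives each key's dotted path from indentation and reports where the `okta` provider block actually sits. The sample file, the function names and the assumption of space-indented block-style YAML are all constructed for illustration.

```python
import re

# Constructed sample (not the commenter's file): the plugin block sits one
# level too deep, under grails.gorm instead of directly under grails.
SAMPLE_YML = """\
grails:
    profile: web
    gorm:
        reactor:
            events: false
        plugin:
            springsecurity:
                oauth2:
                    active: true
                    providers:
                        okta:
                            api_key: 'CLIENT_ID'
"""

def key_paths(text):
    """Return the dotted path of every mapping key, derived from indentation."""
    stack, paths = [], []  # stack holds (indent, key) for each open parent
    for line in text.splitlines():
        m = re.match(r"( *)([A-Za-z_][\w-]*):", line)
        if not m:  # blank line, comment or list item
            continue
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sibling and deeper blocks
        stack.append((indent, key))
        paths.append(".".join(k for _, k in stack))
    return paths

def find_provider(text, provider="okta"):
    """Return (ok, found): ok is True only if the provider block is at the
    path used in the configuration shown above; found lists where it is."""
    expected = "grails.plugin.springsecurity.oauth2.providers." + provider
    suffix = "oauth2.providers." + provider
    found = [p for p in key_paths(text) if p.endswith(suffix)]
    return expected in found, found

if __name__ == "__main__":
    ok, found = find_provider(SAMPLE_YML)
    print("provider reachable:", ok)
    for path in found:
        print("okta block found at:", path)
```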

rupak dutta

Hi, thanks for the previous reply, those were really helpful. I have another issue.
1. Whenever I integrate my application with Okta, the default /ask page comes up for first-time login and I need to create a user in order to proceed. But my business logic states that after login the control should invoke my controller, bypassing the /ask form page. How do I bypass the /ask page?

2. Even if I create a new user from the /ask page, I could not find the user in my Okta account. Why?

Matt Raible

Where does your /ask page come from? There’s nothing in this tutorial that references a URL like that, so I’m not sure how your question is related to this blog post.

Flarespots

Hi!
Is there a way of using multiple Okta providers inside the Grails configuration? Or even better … is there a way of adding multiple providers “dynamically”?

Matt Raible

Can you explain your use case a bit and why you have a need for this?

Flarespots

Hi Matt!
Thanks for your quick response.

Sure! This is the scenario:

We are selling a service through a Grails app for a client that uses Okta. However, there is a possibility to sell that service to other potential clients that also use it…

We don’t want to create a different instance of that app for each client, instead, we’d like to keep a single instance with multiple users or licenses.

Can you please point me in the right direction on how to do this?

Thanks and regards!

–
Ricardo V.
Flarespots

Matt Raible

Since Grails is built on Spring Boot, you can use Spring Boot’s externalized configuration feature to set Okta properties outside your app. We recommend using environment variables, Spring Cloud Config (if you’re using microservices), or one of Spring Boot’s other mechanisms. You should be able to switch Okta tenants using this feature, without modifying the artifact.

Flarespots

Great!
I’m going to check on that.
Thank you very much for your advice!

–
Ricardo V.
Flarespots

Ricardo

Hi Andrew! This is a great article, thanks for sharing it!
Is it possible to enable OKTA in a Grails project without losing the capacity to log in through a Spring Security Core form or through REST?

Thank you!

Matt Raible

Spring Security 5.1+ has support for multiple authentication mechanisms, so it depends on what version of Grails you’re using.

tr tr

I also had to add to app settings in Okta
https://uploads.disquscdn.c…

In the guide,
From your Okta admin panel, click on Applications in the top menu and then click “Add Application”
of
Create Your Okta Application

Al

Is there any reason for the restrictions in Grails version for the plugin, except that you wrote it on that version? I tried to adapt this for an existing application running on Grails 3.0.8 by modifying your plugin so this would be allowed. It seems I am first redirected to success, then Spring wiring fails or something like that, and I am redirected to the ask login page, which will always redirect me again to itself in the end if I try to log in. Any tips on how this could be troubleshot? I am not exactly a Spring expert. Somehow the user data, which I can see in the trace, seems not to be used at all; it seems to me there is never a user object created with the data I get from Okta.

Matt Raible

You said you modified the Grails plugin used in this post. Is it possible for you to share your modifications? Ideally, they would be in the form of a pull request, but we’ll take anything you’re willing to share.

We’d like to help make the latest version of Grails work with Okta!

John Ruggentaler

I cloned the repository for this project and updated the configuration and updated the project to Grails 3.3.11 but when I browse to a secured controller I get the following error.
400
Bad Request

Your request resulted in an error. The ‘redirect_uri’ parameter must be a Login redirect URI in the client app settings: https://<domainname>.oktapreview.com/admin/app/oidc_client/instance/<api_key>#tab-general

Any idea what might be wrong?

Matt Raible

You can see the parameter you’re passing in by inspecting the URL in your browser when you see this error. Add it to your Okta app and you should be in business.
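The check described in this reply, as an added example that is not part of the original thread: it pulls `redirect_uri` out of the authorize URL seen in the browser and shows which URL component differs from each Login redirect URI saved in the Okta app. The org name, callback paths and registered list are constructed sample values, and exact string matching is an assumption made here.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the authorize URL copied from the address bar on the
# 400 page, and the Login redirect URIs currently saved in the Okta app.
AUTHORIZE_URL = (
    "https://dev-000000.oktapreview.com/oauth2/default/v1/authorize"
    "?response_type=code&client_id=CLIENT_ID&scope=email%20profile%20openid"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth2%2Fokta%2Fcallback"
)
REGISTERED = ["http://localhost:8080/login/callback"]

def sent_redirect_uri(authorize_url):
    """Return the percent-decoded redirect_uri parameter, or None if absent."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    return values[0] if values else None

def diagnose(authorize_url, registered):
    """Compare the sent redirect_uri with each registered URI.

    Matching is an exact string comparison (assumption). For a mismatch,
    'diffs' maps each registered URI to the components that differ."""
    sent = sent_redirect_uri(authorize_url)
    if sent is None or sent in registered:
        return {"sent": sent, "match": sent is not None, "diffs": {}}
    s = urlsplit(sent)
    diffs = {}
    for uri in registered:
        r = urlsplit(uri)
        diffs[uri] = [part for part in ("scheme", "hostname", "port", "path")
                      if getattr(s, part) != getattr(r, part)]
    return {"sent": sent, "match": False, "diffs": diffs}

if __name__ == "__main__":
    result = diagnose(AUTHORIZE_URL, REGISTERED)
    print("sent:", result["sent"], "| registered:", result["match"])
    for uri, parts in result["diffs"].items():
        print(" ", uri, "differs in", ", ".join(parts))
```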