Build Single Sign-on in Java

Build Single Sign-on in Java

This tutorial builds and connects multiple applications to a single OAuth 2.0 Resource Server.

Jefferson Sousa

I was not able to pass on from the part of running the first application. It does not run on spring tool suite or maven. I’m a Junior developer, so it can be that too. I changed the file.Description:

Binding to target Failed to bind properties under ‘okta.oauth2’ to com.okta.spring.boot.oauth.config.OktaOAuth2Properties failed:

Property: okta.oauth2.issuer
Value: {}
Origin: class path resource []:1:20
Reason: null


Update your application’s configuration

Okta Developers

Remove the brackets {…} and just keep the … part. That should solve your problem.

Jefferson Sousa

I did! Thank you. Content great!


I can get “Amanda Tester” and “Tanya Tester” to login to the “client1” and “client2” apps, but the client1/client2 fail when they try to access:

this.resourceServerUrl + "/welecomeMessage"

I’m not sure why the “OIDC Resource Server” is not allowing access. What am I missing here?

Brian Demers

Double check that the Authorization Server you created has the correct Audience. If you just signed up for an Okta Developer account, one is automatically created for you, but that Audience would be set to api://default. So make sure you created one as described above.

If that doesn’t work, my go-to is turning up the logging for Spring Security (or just the root logger in a pinch). Spring Security doesn’t log authentication errors at the default levels (for good reason, as this could be log spam).

Keep us posted!


That’s what it was! I had api://oidcauthsevrer instead of api://oidcauthserver.
Thanks @disqus_u7ZhPHjjDC !

Brian Demers



I am always getting bad request on hitting url http://localhost:8080… Working after assigning the apps explicitly to users… ?

vamshi r

How to do same SSO by Java servlet as application

Adrian Campanaro

On step Create a Service Application for Your Resource Server
I am trying to create OAuth Service but it does not allow me to do so.


I took this example and added “groups” to the scopes in both apps. For both apps in Okta I added claims for “groups” and I enabled “groups” in scope and claims in the authorization server. When logging into the frontend app, I can see the groups in the authorities in the debugger. However, on the back end app, only a subset of the authorities make it through… the groups are missing. Is there something on the ServletOAuth2AuthorizedClientExchangeFilterFunction that I would need to add to forward this information onto the backend app?

When you add a groups claim to your authorization server, you’ll be prompted to add it to a type of token. It should show up just fine if you add it to both the ID token and access token.

Ah, thank you! I did try adding groups to both id and access, but when I was typing such back, I realized that I did the id one wrong. (Forgot to change “Starts With” to “Regex”). Once I fixed that mistake it indeed behaves just as you said it would.

When trying to run app1 and app2 with the mvnw command I received the build failure below. Anyone have any ideas?

Unknown lifecycle phase “.run.profiles=client1”. You must specify a valid lifecycle phase or a goal in the format : or :[:]:…

Are you using the same commands:

./mvnw spring-boot:run

And versions used in the post? Or rather, did you clone the repo as the tutorial suggests?

I previously used the command above, but it is now working after cloning the package. Thank you for the assistance.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.