Create a Secure Spring REST API
This article explains how to build a Spring REST API, a resource server, and how to connect it into your security environment.
Ian Berryman
Great article!
I ran into an issue using the 1.1.0 version of the okta-spring-boot-starter artifact. Finally, changed it to the 0.6.1 used in this article and was able to authenticate properly. Any chance you could indicate the configuration differences between the two versions (or include a link)?
Matt Raible
Hello Ian,
We’re working on a blog post now that highlights the differences. The main thing is that with 0.6.1, you can use @EnableResourceServer to set up a Resource Server. With 1.1.0, you need to add a bit of Java config to configure a resource server. The Okta Spring Boot starter’s README has an example:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Nested in the @SpringBootApplication class, as in the starter's README.
    @Configuration
    static class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // every request must carry a valid bearer token
                .authorizeRequests().anyRequest().authenticated()
                .and()
                // validate the token as a JWT against the configured issuer's keys
                .oauth2ResourceServer().jwt();
        }
    }
Also, you might need to change the @PreAuthorize annotation’s code a bit:
    @PreAuthorize("hasAuthority('SCOPE_profile')")
You can see it all in action in Build Spring Microservices and Dockerize Them for Production.
Ian Berryman
Thanks Matt!
Nurlan
Very good article. If I need the same REST API but without “okta-spring-boot-starter”, how would SecurityConfig.java and application.properties look? And of course, which dependencies need to be added (I think about two more: spring-security-oauth2-client and spring-security-oauth2-jose)? I will be very grateful. And thank you for the other articles.
Brian Demers
Take a look at the Spring Security doc:
https://docs.spring.io/spri…
There is an Okta example in there too.
Which dependencies should be listed in there too, but we use these ones:
https://github.com/okta/okt…
Nurlan
Brian, thank you for really quick response. I’ll check it and hope can find the answer.
David Gecawich
Matt or Brian,
I am using @EnableResourceServer to validate Okta OAuth Bearer tokens for a “Web” authorization code flow with a specific clientId and clientSecret. The requests originate from a web client. We needed to add an Okta Native app with Authorization Flow with PKCE for mobile clients, which use Client Credentials with PKCE. This resulted in another clientId. I need one resource server to now validate the Bearer <accesstoken> for two flow clientIds. How can this be achieved using the Okta boot dependency or another alternative. Right now, we are using com.okta.spring:okta-spring-boot-starter:0.6.1. Your help would be appreciated.
Thank you.
David
Brian Demers
If you update to the latest version (which also means updating to Boot 2.1+), this will work out of the box.
Also note, the next version of Spring Boot 2.2 (and the underlying version of Spring Security) supports PKCE as well.
Vydhi V
I followed these instructions and got to the point where I was able to add the okta config to the boot app and setup the OIDC Debugger site as another okta app as described in this article. The config on the spring boot app seems fine, I am also able to use the debugger site to obtain an access token. However I am stuck in the initial step to verify the token using curl to pass the bearer token as part of the request header. I keep getting invalid_token in the response and haven’t been able to get past that step. Would appreciate any help. Thanks.
Matt Raible
I’ve seen this happen before when your computer’s clock does not match an internet clock like Okta uses. Can you check your computer’s clock and make sure it’s synced to an internet clock?
Vydhi Vasudevan
I had tried this from a couple of different computers at the time of posting. Both of them had their clocks synced to the internet clock. The only difference was I had tried to add these dependencies into an existing boot project and am using gradle. I tried to get the exact project in this blog and tried the same thing and running into the same issues still.
Are there any considerations for the updated okta UI etc? I am pretty sure I created the apps on okta same as in this article.
I also noticed that the recent version of the okta-spring-boot-starter (1.2.1) that I am using has updated properties names as opposed to the ones listed in the linked git sample.
okta.oauth2.rolesClaim seems to no longer be supported, and I see groups-claim instead.
I had to use this version of the starter to get around some other initial issues (an error about missing issuer URL). Please point me in the right direction.
Brian Demers
Sounds like it could be a dependency mismatch issue when using the 1.0+ version of our starter with this post? Try this example resource server project:
https://github.com/okta/sam…
Keep us posted!
Vydhi Vasudevan
It ended up being something in gradle. I restarted with the pom.xml included along with this article and converted it to gradle again to make sure it was a clean conversion. It worked as expected. Thanks for the help.
Lucas Cruz
I tried several times but without success …
The request return is:
    "error": "invalid_token",
    "error_description": "Invalid JWT. Malformed JOSE Header."
It makes no sense to create a service and then create another application, where is the link between the two?
Matt Raible
Does your issuer value have “/oauth2/default” on the end of it? The reason I ask is because if you use your org’s issuer (without “/oauth2/default”), it’ll work, but you won’t be able to validate tokens.
Phyo Thu Aung
I’m using okta-spring-boot-starter 1.4.0 and trying to follow this guide. It was giving me an “Invalid JOSE Header kid” error. So, I got an access token using the samples-js-react app. Not sure why OIDC debugger wasn’t working for me. The kid is different from the token generated by that app.
Matt Raible
Are you using your Org’s default issuer? It should end in /oauth2/default. If not, create a new free developer account and it should work. There’s no limit to the number of accounts you can have.
Alex Muir
I was getting this error as well until I wrote a bash script with the following two lines:
    TOKEN="MQGHuZWN3w"
    curl http://localhost:8080/protected/ -H "Authorization: Bearer $TOKEN"
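A diagnostic for the invalid_token replies discussed in the comments above (clock sync, an issuer without /oauth2/default, a missing or unexpected kid): an added Python example, not code from the article or the Okta starter. It decodes the token's header and claims without verifying the signature and lists what the resource server would object to; the issuer domain is a placeholder, the function names are mine, and the sample token is constructed.

```python
import base64
import json
import time

# Placeholder issuer; the real value is your Okta org's authorization server URL,
# which must end in /oauth2/default for the resource server to validate tokens.
EXPECTED_ISSUER = "https://dev-000000.okta.com/oauth2/default"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_token(token: str, expected_issuer: str = EXPECTED_ISSUER, now=None) -> dict:
    """Decode header and claims WITHOUT verifying the signature and list the reasons a
    resource server would answer invalid_token. Signature checks stay with the server."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "problems": ["malformed JWT: expected header.payload.signature"]}
    try:
        header, claims = [json.loads(_b64url_decode(p)) for p in parts[:2]]
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return {"ok": False, "problems": ["malformed JOSE header or payload (not base64url JSON)"]}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"ok": False, "problems": ["header and payload must be JSON objects"]}
    problems = []
    if "kid" not in header:
        problems.append("no kid in header: the resource server cannot select a JWKS key")
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {expected_issuer!r}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None:
        problems.append("no exp claim")
    elif exp < now:
        problems.append(f"expired {int(now - exp)}s ago (or the local clock is ahead)")
    if iat is not None and iat > now + 60:
        problems.append(f"iat is {int(iat - now)}s in the future (local clock is behind)")
    return {"ok": not problems, "problems": problems, "kid": header.get("kid"),
            "iss": claims.get("iss"), "aud": claims.get("aud"), "cid": claims.get("cid")}

def make_unsigned_token(header: dict, claims: dict) -> str:
    # Constructed sample only: an unsigned JWT (empty signature segment) for the demo.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."

if __name__ == "__main__":
    org_only = make_unsigned_token({"alg": "RS256", "kid": "k1"},
                                   {"iss": "https://dev-000000.okta.com", "exp": 2_000_000_000})
    print(inspect_token(org_only)["problems"])  # reports the org issuer lacking /oauth2/default
```

The cid claim (the client id an Okta access token was issued to) is reported when present, which is what to compare when one resource server receives tokens from several clients.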