We have developed a web application that uses Spring Security. Recently, we extended the options to include OAuth2. We chose an implementation approach that is vendor agnostic and does not include the vendor boot starter projects. Internally we tested against Auth0 Developer Edition and Entra ID and it worked as expected.
However, when we rolled out to a client with a production version of Okta (version unknown), the authentication failed in the request for tokens. I see the following request when I call the Auth0 Developer Edition:
HTTP POST https://XXXXX/oauth/token
Accept=[application/json, application/*+json]
Writing [{grant_type=[authorization_code], code=[XXXXXXXXXXXXXX], redirect_uri=[http://xxxxxx/login/oauth2/code/okta/]}] as "application/x-www-form-urlencoded;charset=UTF-8"
Response 200 OK
The same code at the client site is generating the following request:
HTTP POST https://XXXX/oauth2/XXXX/v1/token
Accept=[application/json, application/*+json]
Writing [{grant_type=[authorization_code], code=[xxxx], redirect_uri=[https://xxxx/login/oauth2/code/okta/]}] as "application/x-www-form-urlencoded;charset=UTF-8"
Response 401 UNAUTHORIZED
I understand that the Spring classes are using the standard OAuth2 URIs to get the endpoints to invoke. I am just wondering what is causing the differences and how to resolve the issue.
Adding properties:
spring.security.oauth2.client.registration.okta.provider=okta
spring.security.oauth2.client.registration.okta.client-name={client.name}
spring.security.oauth2.client.registration.okta.client-id={client.id}
spring.security.oauth2.client.registration.okta.client-secret={client.secret}
spring.security.oauth2.client.registration.okta.scope.0=openid
spring.security.oauth2.client.registration.okta.scope.1=profile
spring.security.oauth2.client.registration.okta.scope.2=email
spring.security.oauth2.client.registration.okta.redirect-uri={baseUrl}/login/oauth2/code/okta/
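One way to compare the failing token request against what the provider advertises in its discovery document, as an added example that is not part of the question: it parses the "Writing [...]" debug line shown above, infers the client authentication method from what is absent from the form body, and lists mismatches. The DISCOVERY dictionary is a constructed placeholder, not the client's real Okta metadata; fetch the real one from {issuer}/.well-known/openid-configuration.

```python
import re
from urllib.parse import urlparse

# The token-request log line from the question (values already masked there).
OKTA_LOG = ('Writing [{grant_type=[authorization_code], code=[xxxx], '
            'redirect_uri=[https://xxxx/login/oauth2/code/okta/]}] '
            'as "application/x-www-form-urlencoded;charset=UTF-8"')

# Constructed stand-in for the provider's openid-configuration response.
# Illustrative only; the client's Okta org may advertise something else.
DISCOVERY = {
    "token_endpoint": "https://xxxx/oauth2/XXXX/v1/token",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
}

def parse_form_log(line):
    """Turn Spring's 'Writing [{k=[v], ...}]' debug line into a dict of form fields."""
    body = re.search(r"\[\{(.*)\}\]", line).group(1)
    return dict(re.findall(r"(\w+)=\[([^\]]*)\]", body))

def client_auth_method(form):
    """Infer the client authentication method from the form body alone.
    No client_secret or client_assertion in the body means the credentials
    went in the HTTP Basic Authorization header (client_secret_basic)."""
    if "client_assertion" in form:
        return "private_key_jwt/client_secret_jwt"
    if "client_secret" in form:
        return "client_secret_post"
    return "client_secret_basic"

def check_token_request(line, discovery):
    """Return findings that compare the captured request with provider metadata."""
    form = parse_form_log(line)
    findings = []
    method = client_auth_method(form)
    # OIDC Discovery: if the list is omitted, the default is client_secret_basic.
    supported = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if method not in supported:
        findings.append(f"client auth method {method} not in provider list {supported}")
    for field in ("grant_type", "code", "redirect_uri"):
        if field not in form:
            findings.append(f"missing required field {field}")
    uri = form.get("redirect_uri", "")
    if urlparse(uri).scheme != "https":
        findings.append("redirect_uri is not https")
    if uri.endswith("/"):
        # Registered redirect URIs are compared as exact strings, slash included.
        findings.append("redirect_uri has a trailing slash; confirm the registered value matches exactly")
    return findings
```

If the reported method is not in the provider's list, the registration's client-authentication-method property is the setting to align with what the provider actually accepts.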