Get Started with Spring Security 5.0 and OIDC

Learn how to use Spring Security 5.0 and its OAuth 2.0 Login and OIDC support. Spring Security makes authentication with OAuth 2.0 pretty darn easy. It also provides the ability to fetch a user’s information via OIDC. Follow this tutorial to learn more!

Shivani

Everything in this blog works but I don't get groups for that user

Hans Desmet

Dear Matt,
Interesting article.
How do you assign roles (ADMIN, SECRETARY, …) to the user?

Magnus Nordin

Hi Matt,

I have an issue when my app requests the token.
org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: Couldn’t retrieve remote JWK set: Connection timed out: connect
Do you have any idea about what could be wrong?

//Magnus

Matt Raible

My guess is you’re using something like https://dev-158606.oktapreview.com for your issuer rather than https://dev-158606.oktapreview.com/oauth2/default/. Make sure you use the issuer URI from one of your authorization servers.

Matt Raible

On Okta, you can create groups (Users > Groups > Add Group) and add users to them. Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” or “roles”, and include it in the ID Token (or access token). Set the value type to “Groups” and set the filter to be a Regex of .*. Then you can implement a custom authorities extractor to get this information in your app. This Stack Overflow Q & A has more information.
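
As an added example (not code from the original post or from Okta), here is how the custom authorities extraction described above can be done with Spring Security 5's own `GrantedAuthoritiesMapper`, which the `oauth2Login()` configurer picks up as a bean. It assumes the custom claim is named `groups` and is included in the ID token, exactly as the comment describes; the claim name constant and the `ROLE_` prefix convention are this example's choices. The point for an application is that authorization decisions (`hasRole("ADMIN")`) are driven by a claim that arrived in an ID token the login flow has already validated, rather than by anything the user supplies.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

@Configuration
public class GroupsAuthoritiesConfig {

    // Name of the custom claim added on the Okta authorization server (assumption:
    // the claim was named "groups" and included in the ID token, as the comment describes)
    private static final String GROUPS_CLAIM = "groups";

    /**
     * Maps each group in the ID token's "groups" claim to a ROLE_<GROUP> authority.
     * Spring Security 5's OAuth2LoginConfigurer looks this bean up automatically.
     */
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            // Keep the authorities Spring Security already granted (e.g. ROLE_USER)
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);

            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OidcUserAuthority)) {
                    continue; // not an OIDC login, nothing to extract
                }
                OidcUserAuthority oidcAuthority = (OidcUserAuthority) authority;

                // The claim value is a JSON array, exposed as a Collection; anything else is ignored
                Object groups = oidcAuthority.getIdToken().getClaims().get(GROUPS_CLAIM);
                if (!(groups instanceof Collection)) {
                    continue;
                }
                for (Object group : (Collection<?>) groups) {
                    // ROLE_ prefix so that hasRole("ADMIN") matches an Okta group named "ADMIN"
                    String role = "ROLE_" + String.valueOf(group).trim().toUpperCase();
                    mapped.add(new SimpleGrantedAuthority(role));
                }
            }
            return mapped;
        };
    }
}
```

If you prefer explicit wiring over bean detection, the same mapper can be registered with `http.oauth2Login().userInfoEndpoint().userAuthoritiesMapper(userAuthoritiesMapper())`. Because the mapper only adds authorities, a user with no `groups` claim keeps the default `ROLE_USER` and simply fails any `hasRole("ADMIN")` check.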

Magnus Nordin

Thanks for a quick reply,

And you were right, it was the uri for jwk-set-uri where I had a copy/paste error with double “.com”.

//Magnus

Ife

Minor correction: userinfo.html should go here-> src/main/resources/templates/userinfo.html

Matt Raible

Thanks for letting me know! This has been fixed.

Bhanu Suresh

Getting a 404 error, not redirecting to the Okta login page

Bhanu Suresh

Can anyone help me?

Matt Raible

What URL path is the 404? You might try comparing your app with the example app on GitHub. The most important thing is to make sure your Okta settings are similar.

SB1208

thank you, I have resolved the issue

SB1208

I’m getting the below error after login through Okta, please advise.

Your login attempt was not successful, try again.

Reason: An error occurred while sending the Access Token Request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Matt Raible

What version of Java are you using? I haven’t seen this issue before, but I found a similar question on Stack Overflow.

SB1208

I’m using Java 8

mohanrao

Hi. Also, what are the steps to be followed in the Okta application to support login initiated by Okta?

Matt Raible

Are you asking about OIDC? OIDC doesn’t have the ability to do “IdP-initiated” login. It is always an SP-initiated login. What OIDC does support is the ability for you to specify your application’s initiate-login URI, which will kick off the OIDC flow (in an SP-initiated way).

mohanrao

Thanks for the clarification. That’s what I thought as well. Then how will the login flow options with Okta (Simplified and OIDC Compliant) work?

mohanrao

Also, when sending the ID token directly to the app, in the case of Spring Boot it was validating whether or not a previous request (the auth code request) had been sent in the session.