Get Started with Spring Security 5.0 and OIDC

Matt Raible

If you create an OIDC app in Okta, you’ll specify a login redirect URI as part of that process. Then, you can use an OIDC library (we have them for many languages and frameworks) in your app. If you’re using Spring Boot, you can use Spring Security and its OIDC support (shown in this post), or you can use our Okta Spring Boot Starter.

mohanrao

Yep, I am using Spring Boot, so the initiate login URL will be http://localhost:8080/oauth2/authorization/okta. Am I correct?

Matt Raible

No, according to the example, the login redirect URI should be http://localhost:8080/login/oauth2/code/okta. The Base URI is not used AFAIK.

mohanrao

https://uploads.disquscdn.c…

See the attached one. I am talking about the one marked in red, not the blue one.

Matt Raible

I don’t think the red one matters. I’ve never used it in any of the apps I’ve built.

saket kashyap

Were you able to resolve this issue?

Matt Raible

Are you running the example locally on http or https? If http, make sure https://{yourOktaDomain} is something like https://dev-737523.oktaprev…, without “admin” in it. Also, make sure you have /oauth2/default in your Okta URLs.

Mauricio F.

I get the error:

Your login attempt was not successful, try again.

Reason: [invalid_id_token]

Can you please help?

Mauricio F.

I fixed it by adding the issuer-uri to the application.yml file

Matt Raible

I’m glad to hear you figured it out! :slight_smile:

ed

This works really well, thanks. Is there any way to add another OIDC provider? I realise Okta might not want that, but it is pretty common to have e.g. FB and Google.

A B

I created a project from spring.io (the current default version shows 2.1.2) and the initial set-up worked. But when I added the dependencies from the example for Spring Security 5’s OAuth configuration to initialize correctly and ran the app again, I do not get the password generated. Is this correct?

Matt Raible

It makes sense that the password for basic auth is no longer printed once you add OAuth support. Since you’re using Spring Boot 2.1, I recommend reading Spring Boot 2.1: Outstanding OIDC, OAuth 2.0, and Reactive API Support for more up-to-date information.

A B

Thanks. Do you also have any blog / example for retrieving a user’s groups and using them to grant / deny permission to functionality inside the application?

It looks like the link that you added may have that example. I have not used Groovy before, but I presume from how the code looks that I can use the code in Java almost as is. I presume I will have to add the Maven dependencies for spring-boot-starter-oauth2-client and com.okta.spring:okta-spring-boot-starter:1.0.0. Is this correct?

Matt Raible

The “Limiting Access Based on Group” section in the previously mentioned post shows you how to add groups to a claim and protect methods by group name.

A B

Thanks for the quick reply. I added the question below to my earlier question after you had replied, so you may not have seen this part.

It looks like the link that you added may have that example. I have not used Groovy before, but I presume from how the code looks that I can use the code in Java almost as is. I presume I will have to add the Maven dependencies for spring-boot-starter-oauth2-client and com.okta.spring:okta-spring-boot-starter:1.0.0. Is this correct?

A B

I added the following to pom.xml:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>

    <dependency>
        <groupId>com.okta.spring</groupId>
        <artifactId>okta-spring-boot-starter</artifactId>
        <version>1.0.0</version>
    </dependency>

But when I try to run the app, I get the error below. How can I resolve it?

2019-01-18 17:49:14.024 ERROR 37092 — [ main] o.s.boot.SpringApplication : Application run failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘jwtDecoder’ defined in class path resource [com/okta/spring/boot/oauth/OktaOAuth2ResourceServerAutoConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception; nested exception is java.lang.IllegalArgumentException: issuer cannot be null
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:627) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:607) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1288) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1127) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:538) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:498) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:846) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:863) ~[spring-context-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546) ~[spring-context-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:142) ~[spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:775) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:316) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248) [spring-boot-2.1.2.RELEASE.jar:2.1.2.RELEASE]
at com.mckesson.okta.mastersrx.mckessonoktaoidc.MckessonOktaOidcApplication.main(MckessonOktaOidcApplication.java:10) [classes/:na]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method ‘jwtDecoder’ threw exception; nested exception is java.lang.IllegalArgumentException: issuer cannot be null
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:622) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
… 19 common frames omitted
Caused by: java.lang.IllegalArgumentException: issuer cannot be null
at org.springframework.util.Assert.notNull(Assert.java:198) ~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.security.oauth2.jwt.JwtIssuerValidator.<init>(JwtIssuerValidator.java:45) ~[spring-security-oauth2-jose-5.1.3.RELEASE.jar:5.1.3.RELEASE]
at com.okta.spring.boot.oauth.OktaOAuth2ResourceServerAutoConfig.jwtDecoder(OktaOAuth2ResourceServerAutoConfig.java:69) ~[okta-spring-security-oauth2-1.0.0.jar:1.0.0]
at com.okta.spring.boot.oauth.OktaOAuth2ResourceServerAutoConfig$$EnhancerBySpringCGLIB$$2dba054e.CGLIB$jwtDecoder$0(<generated>) ~[okta-spring-security-oauth2-1.0.0.jar:1.0.0]
at com.okta.spring.boot.oauth.OktaOAuth2ResourceServerAutoConfig$$EnhancerBySpringCGLIB$$2dba054e$$FastClassBySpringCGLIB$$6343f510.invoke(<generated>) ~[okta-spring-security-oauth2-1.0.0.jar:1.0.0]
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363) ~[spring-context-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at com.okta.spring.boot.oauth.OktaOAuth2ResourceServerAutoConfig$$EnhancerBySpringCGLIB$$2dba054e.jwtDecoder(<generated>) ~[okta-spring-security-oauth2-1.0.0.jar:1.0.0]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_191]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_191]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_191]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_191]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
… 20 common frames omitted

Matt Raible

You only need the okta-spring-boot-starter dependency:


<dependency>
<groupId>com.okta.spring</groupId>
<artifactId>okta-spring-boot-starter</artifactId>
</dependency>

It pulls in all the necessary Spring Security dependencies. Note that if you’re trying to secure methods in WebFlux, there’s currently an open issue.
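The two configurations discussed in this thread, written out as an added example (this is not code from the original post or from Okta's own project): alternative A is the plain Spring Security 5 OIDC client that Mauricio F. fixed by adding issuer-uri, alternative B is the okta-spring-boot-starter setup whose jwtDecoder bean fails with "issuer cannot be null" when the issuer property is absent. The registration id "okta" is what produces the /login/oauth2/code/okta redirect URI mentioned earlier. {yourOktaDomain}, {clientId} and {clientSecret} are placeholders to fill in from the Okta admin console; use one alternative or the other, not both.

```yaml
# Added example, not from the original post. Two alternative application.yml
# files separated by "---"; keep one of them. {yourOktaDomain}, {clientId}
# and {clientSecret} are placeholders.

# --- Alternative A: plain Spring Security 5 OIDC client ---
# (dependency: spring-boot-starter-oauth2-client)
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: "{clientId}"
            client-secret: "{clientSecret}"
            scope: openid,profile,email
            # The registration id "okta" yields the default login redirect URI
            # http://localhost:8080/login/oauth2/code/okta, which is the value
            # to register in Okta. /oauth2/authorization/okta is the URL that
            # starts the login, not the redirect.
        provider:
          okta:
            # Without this the ID token cannot be checked against the expected
            # issuer; in this thread adding it resolved "[invalid_id_token]".
            # Keep /oauth2/default on the end and use the org URL, not the
            # "-admin" URL.
            issuer-uri: "https://{yourOktaDomain}/oauth2/default"

---
# --- Alternative B: okta-spring-boot-starter 1.0.0 ---
# (dependency: com.okta.spring:okta-spring-boot-starter; it pulls in the
# Spring Security dependencies itself)
okta:
  oauth2:
    # Required. When it is missing, the starter's jwtDecoder bean fails at
    # startup with "IllegalArgumentException: issuer cannot be null".
    issuer: "https://{yourOktaDomain}/oauth2/default"
    client-id: "{clientId}"
    client-secret: "{clientSecret}"
```

Whichever alternative is used, the client secret should come from an environment variable or a secrets store rather than being committed with the file; Spring Boot resolves `${OKTA_CLIENT_SECRET}`-style placeholders in either location.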

A B

Thanks,

So, the way I can use the sample OIDC app is to 1) create a Spring zip download from spring.io, then 2) add the above dependency to the pom.xml, and then 3) continue using the test code in this article and the Spring Boot 2.1: Outstanding OIDC, OAuth 2.0, and Reactive API Support article to get started with OIDC and Okta, right?

A B

@mattraible I tried to add the above dependency to the project I had created using spring.io, but when I add the controller from https://github.com/okta/okt…, the spring-boot application does not start. I am getting errors about the bearer token when starting the app. I think I may be missing some dependencies or may have some extra ones, but I am unable to find a resolution.

Would it help if I add the pom.xml?

Thanks

org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘springSecurityFilterChain’ defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method ‘springSecurityFilterChain’ threw exception; nested exception is java.lang.NoClassDefFoundError: org/springframework/security/oauth2/server/resource/web/BearerTokenResolver
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:627) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:456) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method ‘springSecurityFilterChain’ threw exception; nested exception is java.lang.NoClassDefFoundError: org/springframework/security/oauth2/server/resource/web/BearerTokenResolver
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy…:185) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:622) ~[spring-beans-5.1.4.RELEASE.jar:5.1.4.RELEASE]
… 21 common frames omitted
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/oauth2/server/resource/web/BearerTokenResolver
at org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2ResourceServer(HttpSecurity.java:1018) ~[spring-security-config-5.1.3.RELEASE.jar:5.1.3.RELEASE]
at com.mckesson.okta.mastersrx.mckessonoktaoidc.ExampleApplication$OktaOAuth2WebSecurityConfigurerAdapter.configure(ExampleApplication.java:34) ~[classes/:na]

Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.server.resource.web.BearerTokenResolver
at java.net.URLClassLoader.findClass(URLClassLoader.java:382) ~[na:1.8.0_191]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[na:1.8.0_191]