Get Started with Spring Security 5.0 and OIDC

A B

@mattraible - Need some help with getting this to work with Spring 2.1 using the controller in https://github.com/okta/okt…

I tried to put in the error in the post, but it seems it gets removed.

Matt Raible

If you wrap your error with pre + code tags, it should work.


<pre><code>
your code here
</code></pre>

You could also post your question to our Developer Forums.

A B

@mattraible - Question posted with details at https://devforum.okta.com/t…

I have, for the sake of brevity, reduced the stack trace. Please let me know if getting the full stack trace will help and I will add it there.

A B

@mattraible - I have created a GitHub example at https://github.com/adbdkb/o…

Can you please take a look at it and let me know what I am doing wrong?

vijit2222

Can anyone suggest how to add custom attributes in the Okta user profile and extract them in OidcUser in the Okta Spring Boot starter? And what is the way to use a custom UserDetailsService to add some authorization based on a database into the token (by creating a custom user in authentication)?

Matt Raible

I wrote another blog post that shows how to use our Java SDK to store/retrieve custom attributes from an Okta profile. We don’t have any posts (yet) that show how to create a custom UserDetailsService or integrate with OIDCUser.

Brian Demers

@vijit2222 Anything specific you are trying to add? Authorities/Roles/etc., or just something specific to your application/domain?

vijit2222

Thanks, I figured out how to use a custom OidcUserService with oauth2Login().userInfoEndpoint().oidcUserService(customOidcUserService). It is working with the OAuth2 client, but earlier I was trying with the Okta Spring Boot starter, which does not allow a custom OidcUserService, as it overrides it with its own OidcUserService and does not accept your custom service.
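As an added example (not code from the original post, from Spring Security or from the Okta starter), here is the approach vijit2222 describes: a custom OidcUserService registered through oauth2Login().userInfoEndpoint().oidcUserService(), delegating to Spring's default service and then mapping a custom claim into authorities. The claim name "groups", the class name SecurityConfig and the ROLE_ prefix are assumptions, and the claim only appears if it is also configured on the Okta authorization server.

```java
// Added example (not from the original post or the Okta starter): a custom
// OidcUserService that reads a custom claim ("groups", an assumption) from the
// Okta ID token / userinfo response and maps it to Spring Security authorities.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .oidcUserService(customOidcUserService());
    }

    @Bean
    public OAuth2UserService<OidcUserRequest, OidcUser> customOidcUserService() {
        OidcUserService delegate = new OidcUserService();
        return request -> {
            // Let the default service validate the ID token and fetch userinfo first.
            OidcUser user = delegate.loadUser(request);
            Collection<GrantedAuthority> mapped = new ArrayList<>(user.getAuthorities());
            Object groups = user.getClaims().get("groups"); // custom claim; assumption
            if (groups instanceof List) {
                for (Object g : (List<?>) groups) {
                    mapped.add(new SimpleGrantedAuthority("ROLE_" + g));
                }
            }
            // A database lookup (the "custom UserDetailsService" idea) would go here.
            return new DefaultOidcUser(mapped, user.getIdToken(), user.getUserInfo());
        };
    }
}
```

Anything put into the returned authorities drives hasRole()/hasAuthority() checks for the rest of the session, so keep the claim-to-role mapping explicit and narrow.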

Brian Demers

Hey @vijit2222,

We had to work around a few things in order to provide an implementation that just worked. How the OidcUserService gets created is one of them.

An option to get around this would be to create a "CustomUser" and inject that (you could even wrap the OidcUser by doing something like this):


import java.security.Principal;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.context.WebApplicationContext;

// Request-scoped bean: rebuilt for every request from the current SecurityContext.
@Bean
@Scope(value = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
CustomUser customUser() {
    SecurityContext sc = SecurityContextHolder.getContext();
    // Blind cast: assumes the request was authenticated through OIDC login.
    return new CustomUser((OidcUser) sc.getAuthentication().getPrincipal());
}

public static class CustomUser implements Principal {

    private final OidcUser oidcUser;
    private final String myData = "myData"; // some data, likely set from the above customUser method.

    public CustomUser(OidcUser oidcUser) {
        this.oidcUser = oidcUser;
    }

    public OidcUser getOidcUser() {
        return oidcUser;
    }

    public String getMyData() {
        return myData;
    }

    @Override
    public String getName() {
        return oidcUser.getName();
    }
}

And in your controller:


@Autowired
private CustomUser customUser;

@GetMapping("/customUser")
public Welcome withCustomUser() {
    return new Welcome("Less boring with a custom user - " + customUser.getMyData(), customUser.getName());
}

Shortcuts were taken to try to keep this example brief (field injection, blind cast, etc.).

If this doesn’t work for you please create an issue in https://github.com/okta/okt… and we can keep the conversation going.

Tapas Mondal

Hi Matt,
Thanks for your excellent post. I am using AngularJS and Spring, and my Okta application type is Web. Now I am trying to authenticate from the backend (Spring). I exposed two methods in Spring: one is a normal method returning hello world, and the other is for Okta auth. Both exposed methods are accessible from the browser, and it asks for the Okta username/password when I try to access the authentication method.

But when I try to connect to these methods from my AngularJS app, the hello world method works well, but when I try to connect to the Okta auth method I get a CORS exception, though I have added the URL in the trusted region. Can you please help me with this? It would be better if you could send me a sample application with Spring, Angular and Okta.
Thanks in advance

Access to XMLHttpRequest at 'https://dev-598911.okta.com… (redirected from ‘http://localhost:8191/auth/token’) from origin ‘null’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Access to XMLHttpRequest at 'https://dev-598911.okta.com… (redirected from ‘http://localhost:8191/auth/userinfo’) from origin ‘null’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Matt Raible

Can you please try going to API > Trusted Origins in your Okta dashboard and adding http://localhost:8191 as an origin? If that doesn’t work, let us know!

Matt Raible

Remove “-admin” from your URLs and it should work. The URL for your Okta org is in the top right of your dashboard. We know it’s confusing. Sorry about that.

Melar Dev

Yes, that’s right, it fixed the issue, this was described in the blog post, I missed that, sorry.

laki

Hi dear Matt,
As per your instructions I created an Okta OAuth application for my Spring Cloud Data Flow. As far as I can tell I followed everything correctly as you mention in this blog, but the problem I am facing is that after I provide my user credentials on the Okta login page it redirects again to my localhost login page (the localhost:9393 login page with the Okta redirect URL --> after I select the Okta link it redirects to enter the Okta username and password --> after I enter the username and password it should redirect inside to the Data Flow server, but it is redirecting again to the localhost:9393 login page). Could you please help me solve this problem?

Backend error: - java.lang.IllegalArgumentException: No role mapping found for clientId okta

My yml:

spring:
  thymeleaf:
    cache: false
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: {my_id}
            client-secret: {mysecret}

        provider:
          okta:
            authorization-uri: https://dev-4121440.okta.co…
            token-uri: https://dev-4121440.okta.co…
            user-info-uri: https://dev-4121440.okta.co…
            jwk-set-uri: https://dev-4121440.okta.co…

Matt Raible

Hello Iaki,

Do you have a GitHub repository you can share? Also, you should only need to specify the issuer URI, not the individual URIs (for the latest version of Spring Security).

dharm

Hey Matt,

By any chance, do you have a reference configuration for this setup for Spring Security (5.x) using XML, not Spring Boot?

Matt Raible

No, I do not. I haven’t used XML with Spring since 2014.