How to set proxy for issuer with okta/gateway/eureka

ferlaymat · August 18, 2023, 2:05pm

Hi all, I spent a day to look for a way to set a proxy to query the issuer from backend side.
I use okta-springboot starter and spring security.
I have a configuration class:

@Bean
SecurityWebFilterChain securityFilterChain( ServerHttpSecurity http )
throws Exception
{

    http.authorizeExchange( ( exchange ) ->
    {
        exchange.pathMatchers( "/actuator/**", "/ping" ).permitAll()
            .anyExchange().authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt();
    } ).csrf().disable();
    Okta.configureResourceServer401ResponseBody( http );

    return http.build();
}

and I have tried almost all config properties okta or http in the application.yml but nothing works.
When I set jvm args like that:

-Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}

it works but I got this kind of errors: Caused by: java.net.UnknownHostException: Failed to resolve ‘hostname’ [A(1)] after 2 queries

Error has been observed at the following site(s):
*__checkpoint â‡¢ Request to GET https:://${hostname}/oauth2/oktadomain/v1/keys [DefaultWebClient]
Original Stack Trace:
at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:136)
at reactor.core.publisher.MonoErrorSupplied.subscribe(MonoErrorSupplied.java:55)
at reactor.core.publisher.Mono.subscribe(Mono.java:4485)

Do you have any idea?
best
Mathieu

ferlaymat · August 21, 2023, 1:49pm

Hi, I have spent one more day to look for. I can certify now that the proxy is not taking account. Could you tell me how to use it?
regards,
Mathieu

erik · August 21, 2023, 11:37pm

Hello,

There are a number of different ways to set this,

If you are unsure if setting this via an environment variable or config is taking you can always set the env direclty in code,

System.setProperty("okta.oauth2.proxy.host", "proxy.example.com");
System.setProperty("okta.oauth2.proxy.port", "7000");
System.setProperty("okta.oauth2.proxy.username", "your-username");
System.setProperty("okta.oauth2.proxy.password", "your-secret-password");

I do question this
Request to GET https:://${hostname}/oauth2/oktadomain/v1/keys

What is the exact value you are setting.
The oktadomain should be your Org and in between oauth2 and v1 should be your Authorization server id.
something like:

https://{domain}.okta.com/oauth2/default/v1/keys

ferlaymat · August 22, 2023, 5:52am

Hi Erik,
Yes, I have done a mistake when I have obfuscated the address. The right pattern is as you mentionned:
https://domain/oauth2/authorizationServerId/v1/keys.

For the other part of your answer. I have tested but still have the same result. I have found this linkv and try to implement the workaround.

regards

ferlaymat · August 22, 2023, 10:50am

Well, I finally manage to do it like that:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig
{
@Bean
SecurityWebFilterChain securityFilterChain( ServerHttpSecurity http )
    throws Exception
{
    http
        .csrf().disable();

    http.authorizeExchange( ( exchange ) ->
    {
        exchange.pathMatchers( "/actuator/**" ).permitAll()
            .anyExchange().authenticated()
            .and()
            .oauth2ResourceServer();
    } );


    return http.build();
}


@Bean
public WebClient webClient(ReactorClientHttpConnector reactorClientHttpConnector) {
    return WebClient.builder().clientConnector(reactorClientHttpConnector).build();
}

@Bean
public HttpClient httpClient() {
    return HttpClient.create()
        .tcpConfiguration(tcpClient ->
            tcpClient.proxy(
                proxy -> proxy.type( ProxyProvider.Proxy.HTTP).host("proxhost")
                    .port(8080)));
}

@Bean
ReactorClientHttpConnector reactorClientHttpConnector(HttpClient httpClient) {
    return new ReactorClientHttpConnector(httpClient);
}

@Bean
public NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder(WebClient webClient) {
    return NimbusReactiveJwtDecoder
        .withJwkSetUri("https://{domain}.okta.com/oauth2/default/v1/keys")
        .webClient(webClient).build();
}
}

thanks,
regards

system · August 23, 2023, 10:50am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.