How to set proxy for issuer with okta/gateway/eureka

Hi all, I spent a day looking for a way to set a proxy to query the issuer from the backend side.
I use the okta-springboot starter and Spring Security.
I have a configuration class:

@Bean
SecurityWebFilterChain securityFilterChain( ServerHttpSecurity http )
    throws Exception
{
    http.authorizeExchange( ( exchange ) ->
    {
        exchange.pathMatchers( "/actuator/**", "/ping" ).permitAll()
            .anyExchange().authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt();
    } ).csrf().disable();
    Okta.configureResourceServer401ResponseBody( http );

    return http.build();
}

and I have tried almost all of the okta and http config properties in application.yml, but nothing works.
When I set JVM args like this:

-Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}

it works, but I got this kind of error: Caused by: java.net.UnknownHostException: Failed to resolve ‘hostname’ [A(1)] after 2 queries

Error has been observed at the following site(s):
*__checkpoint ⇢ Request to GET https:://${hostname}/oauth2/oktadomain/v1/keys [DefaultWebClient]
Original Stack Trace:
at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:136)
at reactor.core.publisher.MonoErrorSupplied.subscribe(MonoErrorSupplied.java:55)
at reactor.core.publisher.Mono.subscribe(Mono.java:4485)

Do you have any idea?
best
Mathieu

Hi, I have spent one more day looking. I can now certify that the proxy is not taken into account. Could you tell me how to use it?
regards,
Mathieu

Hello,

There are a number of different ways to set this.

If you are unsure whether setting this via an environment variable or config is taking effect, you can always set the properties directly in code:

System.setProperty("okta.oauth2.proxy.host", "proxy.example.com");
System.setProperty("okta.oauth2.proxy.port", "7000");
System.setProperty("okta.oauth2.proxy.username", "your-username");
System.setProperty("okta.oauth2.proxy.password", "your-secret-password");

I do question this:
Request to GET https:://${hostname}/oauth2/oktadomain/v1/keys

What is the exact value you are setting?
The oktadomain should be your org, and between oauth2 and v1 should be your authorization server ID.
Something like:

https://{domain}.okta.com/oauth2/default/v1/keys

Hi Erik,
Yes, I made a mistake when I obfuscated the address. The right pattern is as you mentioned:
https://domain/oauth2/authorizationServerId/v1/keys.

For the other part of your answer, I have tested it but still have the same result. I have found this link and will try to implement the workaround.

regards

Well, I finally managed to do it like this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig
{

    @Bean
    SecurityWebFilterChain securityFilterChain( ServerHttpSecurity http )
        throws Exception
    {
        http
            .csrf().disable();

        http.authorizeExchange( ( exchange ) ->
        {
            exchange.pathMatchers( "/actuator/**" ).permitAll()
                .anyExchange().authenticated()
                .and()
                .oauth2ResourceServer()
                // JWT bearer tokens; the ReactiveJwtDecoder bean declared below is picked up automatically
                .jwt();
        } );

        return http.build();
    }

    // WebClient used by the JWT decoder to fetch the JWK set; it goes through the proxied connector below
    @Bean
    public WebClient webClient(ReactorClientHttpConnector reactorClientHttpConnector) {
        return WebClient.builder().clientConnector(reactorClientHttpConnector).build();
    }

    // Reactor Netty client with an explicit HTTP proxy (the JVM -Dhttp(s).proxy* properties play no part here)
    @Bean
    public HttpClient httpClient() {
        return HttpClient.create()
            .tcpConfiguration(tcpClient ->
                tcpClient.proxy(
                    proxy -> proxy.type( ProxyProvider.Proxy.HTTP).host("proxhost")
                        .port(8080)));
    }

    @Bean
    ReactorClientHttpConnector reactorClientHttpConnector(HttpClient httpClient) {
        return new ReactorClientHttpConnector(httpClient);
    }

    // Decoder for the Okta authorization server's JWK set, fetched through the proxied WebClient
    @Bean
    public NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder(WebClient webClient) {
        return NimbusReactiveJwtDecoder
            .withJwkSetUri("https://{domain}.okta.com/oauth2/default/v1/keys")
            .webClient(webClient).build();
    }

}

thanks,
regards
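Putting the pieces of the thread together, here is an added example (not code from the thread or from okta-spring-boot) of a single proxied ReactiveJwtDecoder bean that also restores the issuer and audience checks a decoder built from withJwkSetUri does not apply by default (it only checks exp/nbf), checks that are otherwise lost when the starter's auto-configured decoder is replaced. It assumes Spring Boot 2.4+ with reactor-netty 1.x (so the proxy is set directly on HttpClient instead of through tcpConfiguration) and reads the proxy from the okta.oauth2.proxy.* properties named in the reply above; okta.oauth2.issuer and okta.oauth2.audience are the starter's standard property names, used here as assumptions. The JWKS URI is built from the issuer rather than discovered, because ReactiveJwtDecoders.fromIssuerLocation performs discovery with its own WebClient and would bypass the proxy.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
public class ProxiedJwtDecoderConfig {

    // Assumed property names: okta.oauth2.issuer / okta.oauth2.audience (starter defaults),
    // okta.oauth2.proxy.* (from the reply in this thread). Username/password are optional.
    @Bean
    ReactiveJwtDecoder jwtDecoder(
            @Value("${okta.oauth2.issuer}") String issuer,
            @Value("${okta.oauth2.audience:api://default}") String audience,
            @Value("${okta.oauth2.proxy.host}") String proxyHost,
            @Value("${okta.oauth2.proxy.port}") int proxyPort,
            @Value("${okta.oauth2.proxy.username:}") String proxyUser,
            @Value("${okta.oauth2.proxy.password:}") String proxyPassword) {

        // Explicit proxy on the Reactor Netty client; reactor-netty 1.x API (no tcpConfiguration).
        HttpClient httpClient = HttpClient.create()
                .proxy(spec -> {
                    ProxyProvider.Builder builder = spec.type(ProxyProvider.Proxy.HTTP)
                            .host(proxyHost)
                            .port(proxyPort);
                    if (!proxyUser.isEmpty()) {
                        builder.username(proxyUser).password(user -> proxyPassword);
                    }
                });

        // Kept local to the decoder: only the JWKS fetch is routed through the proxy.
        WebClient webClient = WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();

        // Okta authorization servers publish their JWK set at {issuer}/v1/keys, as established above.
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder
                .withJwkSetUri(issuer + "/v1/keys")
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .webClient(webClient)
                .build();

        // Re-add the checks a withJwkSetUri decoder skips by default: iss must match, aud must contain ours.
        OAuth2TokenValidator<Jwt> audienceValidator = jwt ->
                jwt.getAudience() != null && jwt.getAudience().contains(audience)
                        ? OAuth2TokenValidatorResult.success()
                        : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token",
                                "The required audience " + audience + " is missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audienceValidator));
        return decoder;
    }
}
```

Declaring the bean as ReactiveJwtDecoder is what oauth2ResourceServer().jwt() looks up when no decoder is set explicitly, so the SecurityWebFilterChain from the last post needs no change. The proxy has to be configured on the HttpClient itself because Reactor Netty does not read the JVM http.proxyHost/https.proxyHost system properties by default, which is why the -D flags in the first post never reached the request to /v1/keys.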
