Hi all, I spent a day looking for a way to set a proxy to query the issuer from the backend side.
I use the okta-spring-boot starter and Spring Security.
I have a configuration class:
```java
import com.okta.spring.boot.oauth.Okta;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Bean
SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) throws Exception {
    http.authorizeExchange(exchange -> {
        // health endpoints are open, everything else needs a valid JWT bearer token
        exchange.pathMatchers("/actuator/**", "/ping").permitAll()
                .anyExchange().authenticated()
                .and()
                .oauth2ResourceServer()
                .jwt();
    }).csrf().disable();
    Okta.configureResourceServer401ResponseBody(http);
    return http.build();
}
```
and I have tried almost all the okta and http config properties in application.yml, but nothing works.
When I set JVM args like this:
-Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}
it works, but I get this kind of error:
```
Caused by: java.net.UnknownHostException: Failed to resolve 'hostname' [A(1)] after 2 queries
Error has been observed at the following site(s):
*__checkpoint ⇢ Request to GET https:://${hostname}/oauth2/oktadomain/v1/keys [DefaultWebClient]
Original Stack Trace:
at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:136)
at reactor.core.publisher.MonoErrorSupplied.subscribe(MonoErrorSupplied.java:55)
at reactor.core.publisher.Mono.subscribe(Mono.java:4485)
```
Do you have any idea?
best
Mathieu
Hi, I have spent one more day looking. I can certify now that the proxy is not taken into account. Could you tell me how to use it?
regards,
Mathieu
erik, August 21, 2023, 11:37pm
Hello,
There are a number of different ways to set this. If you are unsure whether setting this via an environment variable or config is taking effect, you can always set the properties directly in code:
```java
System.setProperty("okta.oauth2.proxy.host", "proxy.example.com");
System.setProperty("okta.oauth2.proxy.port", "7000");
System.setProperty("okta.oauth2.proxy.username", "your-username");
System.setProperty("okta.oauth2.proxy.password", "your-secret-password");
```
I do question this:
Request to GET https:://${hostname}/oauth2/oktadomain/v1/keys
What is the exact value you are setting? The oktadomain should be your org, and in between oauth2 and v1 should be your authorization server id, something like:
https://{domain}.okta.com/oauth2/default/v1/keys
Hi Erik,
Yes, I made a mistake when I obfuscated the address. The right pattern is as you mentioned:
https://domain/oauth2/authorizationServerId/v1/keys
For the other part of your answer, I have tested it but still have the same result. I found this link and tried to implement the workaround.
regards
Well, I finally managed to do it like this:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {

    @Bean
    SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeExchange(exchange -> {
            exchange.pathMatchers("/actuator/**").permitAll()
                    .anyExchange().authenticated()
                    .and()
                    .oauth2ResourceServer()
                    .jwt(); // JWT bearer tokens; the NimbusReactiveJwtDecoder bean below is picked up
        });
        return http.build();
    }

    // WebClient the JWT decoder uses to fetch the JWK set, built on the proxied connector
    @Bean
    public WebClient webClient(ReactorClientHttpConnector reactorClientHttpConnector) {
        return WebClient.builder().clientConnector(reactorClientHttpConnector).build();
    }

    // Reactor Netty client with the outbound HTTP proxy set on the client itself
    // (the -Dhttp.proxyHost JVM flags did not take effect here).
    // proxy() replaces the deprecated tcpConfiguration(); replace "proxhost"/8080 with your proxy.
    @Bean
    public HttpClient httpClient() {
        return HttpClient.create()
                .proxy(proxy -> proxy.type(ProxyProvider.Proxy.HTTP)
                                     .host("proxhost")
                                     .port(8080));
    }

    @Bean
    ReactorClientHttpConnector reactorClientHttpConnector(HttpClient httpClient) {
        return new ReactorClientHttpConnector(httpClient);
    }

    // Decoder that fetches the signing keys through the proxied WebClient
    @Bean
    public NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder(WebClient webClient) {
        return NimbusReactiveJwtDecoder
                .withJwkSetUri("https://{domain}.okta.com/oauth2/default/v1/keys")
                .webClient(webClient)
                .build();
    }
}
```
thanks,
regards
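Mathieu's final configuration above hard-codes the proxy and, by supplying its own NimbusReactiveJwtDecoder bean, replaces the decoder the Okta starter would otherwise auto-configure, so the issuer and audience checks that decoder applies are no longer in place. Added example (not code from the thread): the same proxied decoder with those checks restored; okta.oauth2.issuer and okta.oauth2.audience are the starter's standard properties, while the app.proxy.* names are assumptions for this example.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
public class ProxiedJwtDecoderConfig {

    // okta.oauth2.* are the starter's own keys; app.proxy.* are assumed names for this example
    @Value("${okta.oauth2.issuer}") private String issuer;   // e.g. https://{domain}.okta.com/oauth2/default
    @Value("${okta.oauth2.audience:api://default}") private String audience;
    @Value("${app.proxy.host}") private String proxyHost;
    @Value("${app.proxy.port}") private int proxyPort;

    // Dedicated client for the JWKS fetch: the proxy is set on the Reactor Netty
    // HttpClient itself, which the -Dhttp.proxyHost/-Dhttps.proxyHost JVM flags did not reach.
    @Bean
    WebClient jwksWebClient() {
        HttpClient client = HttpClient.create()
                .proxy(p -> p.type(ProxyProvider.Proxy.HTTP).host(proxyHost).port(proxyPort));
        return WebClient.builder().clientConnector(new ReactorClientHttpConnector(client)).build();
    }

    @Bean
    NimbusReactiveJwtDecoder jwtDecoder(WebClient jwksWebClient) {
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder
                .withJwkSetUri(issuer + "/v1/keys")
                .webClient(jwksWebClient)
                .build();
        // withJwkSetUri() alone validates only signature and exp/nbf; restore the issuer check and
        // add an audience check so a token minted for another service or server is rejected.
        OAuth2TokenValidator<Jwt> issuerCheck = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerCheck, audienceCheck));
        return decoder;
    }
}
```

Only the JWKS request goes through this client; application WebClients are not affected, so the proxy stays scoped to the key fetch.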
system, Closed, August 23, 2023, 10:50am
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.