Implicit flow Okta 403 error API oauth2ResourceServer().jwt()

Hello everyone,
I implemented the Okta implicit flow in my Angular and Spring Boot project.
I get a 403 when I call the REST API on my backend server.
This is how I did the configuration.
backend:

.antMatchers(HttpMethod.GET, "/user/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
.antMatchers(HttpMethod.POST, "/authentication/authenticate").permitAll()
.antMatchers(HttpMethod.GET, "/application/version").permitAll()

in front:

import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { OktaAuthService } from '@okta/okta-angular';
import { Observable, from } from 'rxjs';

@Injectable()
export class JwtInterceptor implements HttpInterceptor {
  constructor(private oktaAuth: OktaAuthService) {}

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    // getAccessToken() is asynchronous, so wrap the promise-based handler in an Observable
    return from(this.handleAccess(request, next));
  }

  private async handleAccess(request: HttpRequest<any>, next: HttpHandler): Promise<HttpEvent<any>> {
    // the Okta access token (not the ID token) is what the resource server validates
    const accessToken = await this.oktaAuth.getAccessToken();
    request = request.clone({
      setHeaders: {
        Authorization: 'Bearer ' + accessToken
      }
    });
    return next.handle(request).toPromise();
  }
}


in Okta:

This blog post shows how to integrate Angular and Spring Boot:

You could also check out the example code on GitHub:

Thank you very much Matt for this example, but in my project I have spring-boot.version = 2.1.0.RELEASE with spring-boot-starter-oauth2-resource-server. My problem is a 403 from the authorization server; I think the token is not good. I have roles in the claims.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>${spring-boot.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    <version>${spring-boot.version}</version>
</dependency>

Can you try using the Okta Spring Boot starter instead? It includes spring-boot-starter-oauth2-resource-server.

Thank you for your suggestion; when I integrated it I found an incompatibility.

In my backend project I just added the following.
Do I need to add anything else, knowing that I implemented the [Implicit flow] in the front end?

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    private static final String CSP_HEADERS = "default-src 'self'; frame-src 'self' data:; script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:";

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // no CSRF protection needed: the API is stateless and authenticated by a bearer token, not a session cookie
            .csrf().disable()
            // unauthenticated requests are answered by the custom entry point
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
            .and()
            // don't create a session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/publication/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
            .antMatchers(HttpMethod.GET, "/user/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
            // allow anonymous resource requests
            .antMatchers(HttpMethod.GET, "/application/version").permitAll()
            .anyRequest().authenticated()
            // validate the Okta access token from the Authorization header; if this stays commented out
            // the request remains anonymous and every hasAnyAuthority() rule answers 403
            .and().oauth2ResourceServer().jwt();

        // enable page caching
        httpSecurity.headers().cacheControl().disable();
        // add CSP headers to the response
        httpSecurity.headers().contentSecurityPolicy(CSP_HEADERS);
    }
}


Hi Matt, I found the source of the 403.

The way roles or groups are extracted from the Okta access token is not correct.
Do you have any idea about this problem? In the authorities I get SCOPE_profile, SCOPE_openid and
SCOPE_roles, but in my project I have roles like ROLE_LIRIS_PRODUCTION_PILOTE.

If you add a “groups” claim to the ID token, Spring Security should convert groups to authorities for you. Can you please try that and let us know if it works?
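One way to do that mapping on the Spring Security side, as an added example that is not code from this thread, from the Okta Spring Boot starter, or from the blog post linked above. Two checks a practitioner would make first: the backend validates the access token that the Angular interceptor sends, so the groups claim has to be present on the access token (configured on the Okta authorization server, not only on the ID token); and, with the default resource-server handlers, a token that validates but carries none of the authorities the antMatchers ask for gives exactly the 403 seen here, whereas a missing or invalid token gives a 401. The converter below turns each entry of an assumed "groups" claim into a ROLE_-prefixed authority and keeps Okta's "scp" scopes in the SCOPE_ form the default converter produces; the main method feeds it a constructed token so it runs offline, and the claim values and token string are made up for the demonstration. Only APIs present in Spring Security 5.1 (Spring Boot 2.1.0, as used in the thread) are called.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/**
 * Maps a validated Okta access token to Spring Security authorities:
 *  - every entry of the "groups" claim becomes ROLE_<group>, so hasRole("X") / hasAnyAuthority("ROLE_X") work
 *  - every entry of the "scp" claim (where Okta puts scopes) stays SCOPE_<scope>, as the default converter does
 */
public class OktaGroupsAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    static final String GROUPS_CLAIM = "groups"; // assumed claim name, must match the claim configured in Okta
    static final String SCOPE_CLAIM = "scp";     // Okta access tokens carry granted scopes under "scp"

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        return new JwtAuthenticationToken(jwt, extractAuthorities(jwt));
    }

    static Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String group : claimAsList(jwt, GROUPS_CLAIM)) {
            // Okta group "LIRIS_PRODUCTION_PILOTE" -> authority "ROLE_LIRIS_PRODUCTION_PILOTE";
            // groups that already carry the prefix are left untouched
            String role = group.startsWith("ROLE_") ? group : "ROLE_" + group;
            authorities.add(new SimpleGrantedAuthority(role));
        }
        for (String scope : claimAsList(jwt, SCOPE_CLAIM)) {
            authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
        }
        return authorities;
    }

    private static List<String> claimAsList(Jwt jwt, String name) {
        // a token without the claim must yield no authorities, not a 500 from a NullPointerException
        List<String> values = jwt.getClaimAsStringList(name);
        return values == null ? Collections.emptyList() : values;
    }

    // Offline demonstration with a constructed token; no Okta call is made and all claim values are made up.
    public static void main(String[] args) {
        Map<String, Object> headers = Collections.singletonMap("alg", "RS256");
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "user@example.com");
        claims.put("scp", Arrays.asList("openid", "profile"));
        claims.put("groups", Arrays.asList("LIRIS_PRODUCTION_PILOTE", "Everyone"));
        Instant now = Instant.now();
        // the five-argument constructor is available in Spring Security 5.1; signature validation is not
        // exercised here because the converter only runs after JwtDecoder has already verified the token
        Jwt jwt = new Jwt("constructed-token-for-demo", now, now.plusSeconds(3600), headers, claims);

        AbstractAuthenticationToken auth = new OktaGroupsAuthenticationConverter().convert(jwt);
        System.out.println(auth.getName() + " -> " + auth.getAuthorities());
    }
}
```

Register it in the existing configure() with `httpSecurity.oauth2ResourceServer().jwt().jwtAuthenticationConverter(new OktaGroupsAuthenticationConverter());`. After that, the existing `.hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())` rule matches a user whose access token lists the Okta group LIRIS_PRODUCTION_PILOTE; the quickest way to confirm the claim is actually there is to base64-decode the payload segment of the token the interceptor sends and look for "groups".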