Implicite flow okta 403 error API oauth2ResourceServer().jwt()

Questions OAuth/OIDC
1

Hello everyone ,
I implemented implicite flow okta in my project angular and spring boot,
I have the problem 403 when i call rest API in my server backend.
this is how I did the configuration
backend :
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-750054.okta.com/oauth2/default
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://dev-750054.okta.com/oauth2/default/v1/keys

.antMatchers(HttpMethod.GET, “/user/**”).hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString()
.antMatchers(HttpMethod.POST, “/authentication/authenticate”).permitAll()
.antMatchers(HttpMethod.GET, “/application/version”).permitAll()
.anyRequest().authenticated()
.and().oauth2ResourceServer().jwt();

in front :

@Injectable()
export class JwtInterceptor implements HttpInterceptor {
constructor(private oktaAuth: OktaAuthService) {
}

intercept(request: HttpRequest, next: HttpHandler): Observable<HttpEvent> {
return from(this.handleAccess(request, next));
}

private async handleAccess(request: HttpRequest, next: HttpHandler): Promise<HttpEvent> {
const accessToken = await this.oktaAuth.getAccessToken();
request = request.clone({
setHeaders: {
Authorization: 'Bearer ’ + accessToken
}
});

return next.handle(request).toPromise();

}
}

in okta

image
image1109×296 18.2 KB

image
image1088×453 12.9 KB

image
image702×115 13.1 KB

image
image1353×181 16.8 KB

image
image1353×181 16.8 KB

image
image1231×492 89.8 KB

2

This blog post shows how to integrate Angular and Spring Boot:

You could also check out the example code on GitHub:

3

thank you very much matt for this example , but in my project i have spring-boot.version = 2.1.0.RELEASE with spring-boot-starter-oauth2-resource-server , my probleme is 403 in autorisation server , i think the token is not good , i have a roles in claims

org.springframework.boot spring-boot-starter-security ${spring-boot.version} org.springframework.boot spring-boot-starter-oauth2-resource-server ${spring-boot.version}
4

Can you try using the Okta Spring Boot starter instead? It includes spring-boot-starter-oauth2-resource-server.

5

thank you for your proposition ,when I integrated I found an incompatibility.

in my project backend I just add spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-750054.okta.com/oauth2/default
do i need to add anything else ? knowing that I implemented the [Implicite flow ] in front.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;

private static final String CSP_HEADERS = "default-src 'self'; frame-src 'self' data:; script-src 'self' https://cdn.jsdelivr.net/npm/hacktimer@1.1.3/HackTimer.min.js; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:";

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            // we don't need CSRF because our token is invulnerable
            .csrf().disable()

            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()

            // don't create session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

            .and()

            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/publication/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
            
            .antMatchers(HttpMethod.GET,  UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
            // allow anonymous resource requests 
            .anyRequest().authenticated()
           // .and().oauth2ResourceServer().jwt()
            .and().oauth2ResourceServer().jwt();
    ;


    // enable page caching
    httpSecurity
            .headers()
            .cacheControl()
            .and()
            // add CSP headers to the response
            .contentSecurityPolicy(CSP_HEADERS)
            .and()
            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
            .frameOptions()
            .deny();

}

}

6

Hi matt , I found the source of 403

the way to extract roles or groups from the access token okta is not correct,
do you have any idea about this problem ? . in authorities SCOPE_profil n SCOPE_opeid,
SCOPE_roles , but in my project i have roles like example ROLE_LIRIS_PRODUCTION_PILOTE

image
image1042×557 114 KB

7

If you add a “groups” claim to the ID token, Spring Security should convert groups to authorities for you. Can you please try that and let us know if it works?

1 Like