Hello everyone,
I implemented the Okta implicit flow in my Angular and Spring Boot project,
and I get a 403 when I call the REST API on my backend server.
This is how I did the configuration.
backend :
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-750054.okta.com/oauth2/default
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://dev-750054.okta.com/oauth2/default/v1/keys
.antMatchers(HttpMethod.GET, "/user/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
.antMatchers(HttpMethod.POST, "/authentication/authenticate").permitAll()
.antMatchers(HttpMethod.GET, "/application/version").permitAll()
.anyRequest().authenticated()
.and().oauth2ResourceServer().jwt();
in front:
import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable, from } from 'rxjs';
import { OktaAuthService } from '@okta/okta-angular';

@Injectable()
export class JwtInterceptor implements HttpInterceptor {
  constructor(private oktaAuth: OktaAuthService) {
  }

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    return from(this.handleAccess(request, next));
  }

  private async handleAccess(request: HttpRequest<any>, next: HttpHandler): Promise<HttpEvent<any>> {
    // Access token obtained by the implicit flow; this is the token the resource server validates
    const accessToken = await this.oktaAuth.getAccessToken();
    request = request.clone({
      setHeaders: {
        Authorization: 'Bearer ' + accessToken
      }
    });
    return next.handle(request).toPromise();
  }
}
in okta
This blog post shows how to integrate Angular and Spring Boot:
You could also check out the example code on GitHub:
Thank you very much Matt for this example, but in my project I have spring-boot.version = 2.1.0.RELEASE with spring-boot-starter-oauth2-resource-server. My problem is a 403 from the authorization server; I think the token is not good. I have roles in the claims.
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>${spring-boot.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    <version>${spring-boot.version}</version>
</dependency>
Can you try using the Okta Spring Boot starter instead? It includes spring-boot-starter-oauth2-resource-server.
Thank you for your proposal; when I integrated it I found an incompatibility.
In my backend project I just added spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-750054.okta.com/oauth2/default
Do I need to add anything else, knowing that I implemented the [Implicit flow] in the front end?
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Project class: answers 401 for requests that carry no valid bearer token
    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    private static final String CSP_HEADERS = "default-src 'self'; frame-src 'self' data:; script-src 'self' https://cdn.jsdelivr.net/npm/hacktimer@1.1.3/HackTimer.min.js; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:";

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // No cookie-based session is used, so CSRF protection is not needed for bearer-token requests
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            // Never create an HTTP session; every request carries its own token
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/publication/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
            // same rule as in the first snippet of this thread
            .antMatchers(HttpMethod.GET, "/user/**").hasAnyAuthority(UserRoleEnum.ROLE_LIRIS_PRODUCTION_PILOTE.toString())
            // everything else requires an authenticated caller (a valid JWT)
            .anyRequest().authenticated()
            .and()
            // validate incoming bearer tokens as JWTs against the configured issuer
            .oauth2ResourceServer().jwt();

        httpSecurity
            .headers()
            // Cache-Control / Pragma / Expires headers that disable caching of responses
            .cacheControl()
            .and()
            // add CSP headers to the response
            .contentSecurityPolicy(CSP_HEADERS)
            .and()
            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
            .frameOptions()
            .deny();
    }
}
Hi Matt, I found the source of the 403:
the way roles or groups are extracted from the Okta access token is not correct.
Do you have any idea about this problem? In the authorities I have SCOPE_profile, SCOPE_openid and
SCOPE_roles, but in my project I have roles like ROLE_LIRIS_PRODUCTION_PILOTE.
If you add a “groups” claim to the ID token, Spring Security should convert groups to authorities for you. Can you please try that and let us know if it works?
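One way to do the mapping Matt describes, as an added example that is not code from this thread or from the Okta starter: a converter that keeps the default SCOPE_ authorities from the scp claim and also turns each value of a groups claim (claim name assumed) into a ROLE_ authority, so hasAnyAuthority("ROLE_LIRIS_PRODUCTION_PILOTE") matches a user in an Okta group named LIRIS_PRODUCTION_PILOTE. The claim has to be present in the token the backend actually receives, which is the access token the interceptor forwards.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

// Builds the Authentication for a validated Okta JWT: SCOPE_* authorities from the
// "scp" claim (what the default converter does) plus ROLE_* authorities from "groups".
public class GroupsClaimAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    private static final String GROUPS_CLAIM = "groups";   // claim name assumed for this example

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        for (String scope : claimAsList(jwt, "scp")) {
            authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
        }
        for (String group : claimAsList(jwt, GROUPS_CLAIM)) {
            // hasAnyAuthority("ROLE_X") and hasRole("X") both match this authority
            String name = group.startsWith("ROLE_") ? group : "ROLE_" + group;
            authorities.add(new SimpleGrantedAuthority(name));
        }
        return new JwtAuthenticationToken(jwt, authorities);
    }

    // A missing or non-list claim yields no authorities instead of a NullPointerException
    private static List<String> claimAsList(Jwt jwt, String claim) {
        List<String> values = jwt.getClaimAsStringList(claim);
        return values == null ? new ArrayList<>() : values;
    }
}

// Wiring in WebSecurityConfig.configure(HttpSecurity), replacing the plain .jwt() call:
//
//     .and().oauth2ResourceServer().jwt()
//         .jwtAuthenticationConverter(new GroupsClaimAuthenticationConverter());
```

If the resource server still answers 403, decode the access token's payload and confirm the groups claim is actually there; a claim configured only on the ID token never reaches the backend.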