Integrating okta-spring-boot redirects me to a 404

I am trying to integrate okta-spring-boot into my existing Spring Boot application (using version 1.4.0) using my corporate Okta instance and OpenID.

I can get the server to run, and when I visit localhost:8080, I get redirected to my corporate Okta, but it’s a 404 page.

The URL of the 404 page is:

https://somecorp.okta.com/v1/authorize?response_type=code&client_id=xxxx&scope=openid%20email%20profile%20address%20phone%20offline_access%20groups&state=SRLJzHljddodY_tMOnFmosJqm8CqMfdKzCVQZbuJArw%3D&redirect_uri=http://localhost:8080/authorization-code/callback&nonce=RBXElsdb29w24r5iwyt9ibHpNZwU7MYDJELcDg8NMQE

[Screenshot: 404 error page]

My application.properties looks like this:

okta.oauth2.issuer=https://someCorp.okta.com
okta.oauth2.client-id=xxxx
okta.oauth2.client-secret=xxxx
okta.oauth2.redirect-uri=/authorization-code/callback

It seems like the issuer should be https://someCorp.okta.com/oauth2/default, but the engineer I am working with on the corporate Okta side says https://someCorp.okta.com should work no problem.

Here is a look at my SpringSecurityConfig:

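import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Listed endpoints and static resources are public; every other request needs a login.
        http.authorizeRequests().antMatchers("/v1/info", "/v1/healthcheck", "/docs/**", "/metrics")
                .permitAll().requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                .anyRequest().authenticated()
                // Authorization-code login against the provider set in application.properties.
                .and().oauth2Client()
                .and().oauth2Login();
        http.cors();
        // CSRF protection is switched off for the whole application.
        http.csrf().disable();
    }
}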

The https://someCorp.okta.com/.well-known/openid-configuration lists the issuer as {"issuer": "https://someCorp.okta.com"}

Is there something I am doing wrong here? Thanks so much.

Can you try using the latest version of our Spring Boot Starter (>= v2.0.0)?

I can’t easily upgrade my application to be able to use Spring Boot Starter (>= v2.0.0), so I ended up using this sample application: GitHub - okta-samples/okta-spring-boot-sample: Spring Boot + Okta

I am guessing maybe you think it could be an issue with anything < 2.0 version not supporting org auth?

The only thing I changed in the sample application was setting this in the application.properties:

okta.oauth2.issuer=https://someCorp.okta.com
okta.oauth2.client-id=xx
okta.oauth2.client-secret=xx
okta.oauth2.redirect-uri=/authorization-code/callback

When I run the sample application with those properties, I get this error when starting the server:

Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'oauth2SecurityFilterChain' defined in class path resource [com/okta/spring/boot/oauth/OktaOAuth2AutoConfig$OAuth2SecurityFilterChainConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'oauth2SecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: Spring Security only supports JWTs or Opaque Tokens, not both at the same time.

If I change the issuer to this:

okta.oauth2.issuer=https://someCorp.okta.com/oauth2/default

I can start the server and visit localhost:8080, which then redirects me to my corporate Okta. I can log in, and I get redirected to localhost:8080 with this error being displayed:

[access_denied] Policy evaluation failed for this request, please check the policy configurations.

Talking to my contact in my corp auth, it sounds like within their Okta settings of

API → Authorization Servers

There are no entries.

Does there need to be something here for the whole flow to work for Spring Boot?

Thank you.
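
Added example, not part of the thread and not Okta's code: a check that compares the authorize URL the application redirected to against the authorization_endpoint published in the issuer's discovery document, for both issuer values tried above. The discovery fields are a constructed sample following Okta's documented org authorization server layout, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the two discovery fields that matter here, laid out the way
# Okta documents its org authorization server. For a real org, fetch the document
# from <issuer>/.well-known/openid-configuration instead.
DISCOVERY = {
    "issuer": "https://someCorp.okta.com",
    "authorization_endpoint": "https://someCorp.okta.com/oauth2/v1/authorize",
}

# Authorize URL from the first post, query string abbreviated.
REDIRECTED_TO = ("https://somecorp.okta.com/v1/authorize"
                 "?response_type=code&client_id=xxxx&scope=openid")


def endpoint_key(url):
    """Reduce a URL to the parts that identify an endpoint (query ignored)."""
    p = urlsplit(url)
    # Scheme and host compare case-insensitively; the path is case-sensitive.
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path.rstrip("/"))


def check_login_redirect(configured_issuer, redirected_to, discovery):
    """Return a list of findings; an empty list means the client and the
    discovery document agree on issuer and authorization endpoint."""
    findings = []
    if endpoint_key(configured_issuer) != endpoint_key(discovery["issuer"]):
        findings.append("issuer-mismatch")
    mismatch = endpoint_key(redirected_to) != endpoint_key(discovery["authorization_endpoint"])
    if mismatch:
        findings.append("authorize-endpoint-mismatch")
    # Flag the case where the URL equals issuer + "/v1/authorize", i.e. it was
    # derived from the issuer rather than read from authorization_endpoint.
    derived = configured_issuer.rstrip("/") + "/v1/authorize"
    if mismatch and endpoint_key(redirected_to) == endpoint_key(derived):
        findings.append("endpoint-derived-from-issuer")
    return findings


if __name__ == "__main__":
    for issuer in ("https://someCorp.okta.com",
                   "https://someCorp.okta.com/oauth2/default"):
        print(issuer, check_login_redirect(issuer, REDIRECTED_TO, DISCOVERY))
```
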