I have been using okta-spring-boot-starter for the OIDC auth code flow successfully. Now I need to provide support for multiple auth providers in my application, so I am switching to the vanilla spring-boot-starter-security starter. I am able to get most things working except for fetching groups from Okta.
I have tried the following:
- Passing the groups scope in the configuration:
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: *****
            client-secret: ***
            scope: openid,profile,email,groups
        provider:
          okta:
            authorization-uri: https://mytenant.okta.com/oauth2/v1/authorize
            token-uri: https://mytenant.okta.com/oauth2/v1/token
            user-info-uri: https://mytenant.okta.com/oauth2/v1/userinfo
            jwk-set-uri: https://mytenant.okta.com/oauth2/v1/keys
- Overriding the userAuthoritiesMapper in the Spring Security Java config class:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.csrf(csrf -> csrf.ignoringRequestMatchers(antMatcher(webappPath + "/api/**")))
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers(antMatcher("/swaggerui/**"))
            .permitAll()
            .requestMatchers(antMatcher(webappPath + "/**"))
            .authenticated()
            .anyRequest()
            .permitAll())
        .oauth2Login(oauth2 -> oauth2
            .userInfoEndpoint(userInfo -> userInfo
                .userAuthoritiesMapper(this.userAuthoritiesMapper())));
    if (singleLogout) {
        http
            .logout((logout) -> logout
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
            );
    }
    return http.build();
}

private GrantedAuthoritiesMapper userAuthoritiesMapper() {
    return (authorities) -> {
        Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
        authorities.forEach(authority -> {
            if (authority instanceof OidcUserAuthority) {
                OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
                OidcIdToken idToken = oidcUserAuthority.getIdToken();
                OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
                Object groupName = oidcUserAuthority.getAttributes().get("groups");
                // Map the claims found in idToken and/or userInfo
                // to one or more GrantedAuthority's and add it to mappedAuthorities
                //More logic here .....
            }
        });
        return mappedAuthorities;
    };
}
I have also run this in debug mode and I do not see the "groups" attribute in the ID token or userInfo.
When I use the Okta-provided starter I see lots of attributes such as ADuserName, groups, PDCSClaim.
What magic does the Okta Spring Boot starter do so that Okta adds these attributes to ID tokens?
Help appreciated.
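A complete groups-claim mapper of the kind the question sketches, added here as an example; it is neither the question's code nor the Okta starter's implementation. It reads the claim from the signature-verified ID token first, falls back to userinfo, also handles the plain OAuth2 (non-OIDC) case, and keeps the original authorities; the claim name "groups" and the ROLE_ prefix are assumptions, and if the provider never emits the claim the mapper simply adds nothing, which is exactly the symptom described above.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

/** Maps a "groups" claim to ROLE_* authorities. Example code, not the Okta starter's implementation. */
public class GroupsClaimAuthoritiesMapper implements GrantedAuthoritiesMapper {
    // Claim name is an assumption ("groups"); the provider decides whether it is emitted at all.
    private final String groupsClaim;

    public GroupsClaimAuthoritiesMapper(String groupsClaim) {
        this.groupsClaim = groupsClaim;
    }

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(
            Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> mapped = new HashSet<>(authorities); // keep OIDC_USER / SCOPE_* as-is
        for (GrantedAuthority authority : authorities) {
            List<String> groups = null;
            if (authority instanceof OidcUserAuthority oidc) {
                // Prefer the ID token: its signature was verified against jwk-set-uri.
                groups = oidc.getIdToken().getClaimAsStringList(groupsClaim);
                OidcUserInfo userInfo = oidc.getUserInfo();
                if (groups == null && userInfo != null) {
                    groups = userInfo.getClaimAsStringList(groupsClaim); // userinfo fallback
                }
            } else if (authority instanceof OAuth2UserAuthority oauth2) {
                Object raw = oauth2.getAttributes().get(groupsClaim);
                if (raw instanceof Collection<?> values) {
                    groups = values.stream().map(String::valueOf).toList();
                }
            }
            if (groups == null) {
                continue; // claim absent: the provider did not emit it for this token/userinfo
            }
            for (String group : groups) {
                mapped.add(new SimpleGrantedAuthority("ROLE_" + group.trim().toUpperCase().replace(' ', '_')));
            }
        }
        return mapped;
    }
}
```

Wire it in with `.userAuthoritiesMapper(new GroupsClaimAuthoritiesMapper("groups"))`; a quick breakpoint on the `continue` line shows whether the claim is missing from both the ID token and userinfo, which points at provider-side claim configuration rather than the mapper.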