Java Microservices with Spring Boot and Spring Cloud

Rahul

Hi Matt,
I downloaded the code and it worked fine. Then I added an Authorization Server in my dev Okta account, which was different from the default server present, and then the code breaks. I get a 401 error code with the description "Bearer error=invalid_token, error_description='An error occurred while attempting to decode the Jwt: This aud claim is not equal to the configured audience', error_uri='https://tools.ietf.org/html…'". How can I get around this?
Thanks
Rahul

Rahul

Found out the issue: you have to define the property okta.oauth2.audience=api://xyz. If you don't define this, it picks the default value, which is "api://default".

Matt Raible

That is correct. I’m glad you figured it out! Please let us know where we should update our documentation to make this easier.
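For readers who want to see the check behind that error message, here is an added example (not code from the tutorial or the Okta starter) of a Spring Security resource-server configuration that validates the JWT "aud" claim explicitly, on top of the default issuer and expiry checks. The issuer URL and the "api://xyz" audience are placeholders; with the Okta starter the equivalent values come from okta.oauth2.issuer and okta.oauth2.audience.

```java
// Added example, not from the tutorial: explicit audience validation for a
// Spring Security OAuth 2.0 resource server. A token whose "aud" claim does not
// contain the configured audience is rejected with "invalid_token", which is
// the 401 described above.
package com.example.demo;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtAudienceConfig {

    // Placeholders (assumptions): your Okta org, custom authorization server and audience.
    private static final String ISSUER = "https://dev-123456.okta.com/oauth2/xyz";
    private static final String AUDIENCE = "api://xyz";

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the issuer's discovery document, fetches the JWKS and verifies signatures.
        // The cast to NimbusJwtDecoder lets us attach additional validators.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);

        // Default validators: exp/nbf timestamps plus the "iss" claim.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Run the audience check in addition to the defaults; all must pass.
        decoder.setJwtValidator(
                new DelegatingOAuth2TokenValidator<>(defaults, new AudienceValidator(AUDIENCE)));
        return decoder;
    }

    /** Rejects tokens whose "aud" claim does not contain the expected audience. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedAudience;

        AudienceValidator(String expectedAudience) {
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            // "aud" may be a string or an array in the token; Spring normalises it to a list.
            List<String> audiences = jwt.getAudience();
            if (audiences != null && audiences.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error("invalid_token",
                    "The aud claim " + audiences + " does not contain " + expectedAudience, null);
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}
```

The security point is that a token minted by one authorization server (audience "api://default") must not be accepted by a service that expects tokens for another (audience "api://xyz"), so the fix is to make the configured audience match the server that issued the token, not to disable the check.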

dimitrimax

Where is the getName() method located in the ApiGatewayApplication class?

Matt Raible

I believe you meant to type car.getName(). This is generated by Lombok. If you use Maven like this tutorial shows, everything should work. If you want to run it from an IDE, you’ll need to configure the Lombok plugin for your IDE.

Best SEO

I am not able to test this with Postman. I managed to get the token from "oauth2/default/v1/token" and when I use this for login I get the following message. In Postman, on the Authorization tab, I tried using OAuth2 from the "Type" dropdown and both the options from the "Add authorization data to" dropdown. I pasted the received token into the "Access Token" text box. I also tried using the "Bearer Token" type but got the same error.

{
    "timestamp": "2020-03-30T11:10:34.848+0000",
    "status": 500,
    "error": "Internal Server Error",
    "message": "pre:AuthorizationHeaderFilter"
}

On the service side, I saw the following message on the console.

Caused by: java.lang.ClassCastException: org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken cannot be cast to org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken

Matt Raible

The reason you’re seeing the ClassCastException is because Spring Security creates an OAuth2AuthenticationToken as the principal when you use oauth2Login(). When you use it as a resource server, the principal is a JwtAuthenticationToken. You can see the code in HomeController to see how to get the user’s claims from a JwtAuthenticationToken.
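As an added illustration of that distinction (this is not the tutorial's HomeController or its Zuul filter), the helper below reads the user's claims and the access token from whichever Authentication type Spring Security created, instead of casting to one of them and hitting the ClassCastException quoted above. The class and package names are placeholders.

```java
// Added example, not code from the tutorial: handle both principal types.
//  - oauth2Login()        -> OAuth2AuthenticationToken, access token kept in the
//                            OAuth2AuthorizedClientService
//  - oauth2ResourceServer -> JwtAuthenticationToken, the bearer JWT itself
package com.example.demo;

import java.util.Collections;
import java.util.Map;
import java.util.Optional;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

public final class PrincipalClaims {

    private PrincipalClaims() {
    }

    /** Claims about the user, regardless of how the request was authenticated. */
    public static Map<String, Object> claims(Authentication auth) {
        if (auth instanceof JwtAuthenticationToken) {
            // Bearer token: the claims are the decoded JWT payload.
            return ((JwtAuthenticationToken) auth).getToken().getClaims();
        }
        if (auth instanceof OAuth2AuthenticationToken) {
            // Browser login: the principal is an OAuth2User (an OidcUser with OIDC),
            // whose attributes are the ID-token / userinfo claims.
            return ((OAuth2AuthenticationToken) auth).getPrincipal().getAttributes();
        }
        return Collections.emptyMap();
    }

    /** Access-token value to forward to a downstream service, if one is available. */
    public static Optional<String> accessToken(Authentication auth,
                                               OAuth2AuthorizedClientService clients) {
        if (auth instanceof JwtAuthenticationToken) {
            return Optional.of(((JwtAuthenticationToken) auth).getToken().getTokenValue());
        }
        if (auth instanceof OAuth2AuthenticationToken) {
            OAuth2AuthenticationToken login = (OAuth2AuthenticationToken) auth;
            // The access token is not on the Authentication; look it up by
            // client registration and principal name.
            OAuth2AuthorizedClient client = clients.loadAuthorizedClient(
                    login.getAuthorizedClientRegistrationId(), login.getName());
            return Optional.ofNullable(client).map(c -> c.getAccessToken().getTokenValue());
        }
        return Optional.empty();
    }
}

@RestController
class WhoAmIController {
    // Spring injects the current Authentication; no cast needed in the controller.
    @GetMapping("/whoami")
    public Map<String, Object> whoAmI(Authentication authentication) {
        return PrincipalClaims.claims(authentication);
    }
}
```

If a service should accept both browser sessions and API bearer tokens, configure both oauth2Login() and oauth2ResourceServer() and route on the Authentication type as above; a filter that assumes one of the two will fail exactly as the stack trace shows when the other arrives.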

socrates hlapolosa

@mattraible Great Article, great series.
However, I got an empty list (not just the first time, always) when calling /cool-cars and after a little debugging I discovered a null pointer being thrown inside UserFeignClientInterceptor, because SecurityContextHolder.getContext().getAuthentication() returns null. Any idea why? Secondly, when I comment out that piece it works, but I am not sure what I'm losing by doing so; could you please explain?

Matt Raible

The last time I tried this tutorial (March 10, 2020), it worked just fine for me. The only thing I can think of is you're missing the following properties in api-gateway/src/main/resources/application.properties:

feign.hystrix.enabled=true
hystrix.shareSecurityContext=true

If you already have that, you might try comparing your code to the example on GitHub.
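To show what those two properties are for, here is an added example (not the tutorial's UserFeignClientInterceptor) of a Feign RequestInterceptor that relays the caller's bearer token to the downstream service. With feign.hystrix.enabled=true the Feign call runs inside a Hystrix command, typically on a different thread; hystrix.shareSecurityContext=true makes Spring Cloud copy the SecurityContext onto that thread. Without it, getAuthentication() is null there, which is the NullPointerException described above. This version tolerates the null instead of crashing, so the failure shows up as a 401 from the downstream service rather than an exception in the gateway. Class and package names are placeholders.

```java
// Added example, not from the tutorial: relay the incoming JWT as a Bearer
// token on outgoing Feign calls, with a guard for a missing SecurityContext.
package com.example.demo;

import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

@Configuration
public class FeignTokenRelayConfig {

    private static final String AUTHORIZATION = "Authorization";

    // Spring Cloud OpenFeign applies every RequestInterceptor bean to each client.
    @Bean
    public RequestInterceptor bearerTokenRelay() {
        return new BearerTokenRelayInterceptor();
    }

    static final class BearerTokenRelayInterceptor implements RequestInterceptor {
        @Override
        public void apply(RequestTemplate template) {
            // getContext() never returns null; getAuthentication() does when the
            // context was not propagated to the thread Hystrix runs this on.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (!(auth instanceof JwtAuthenticationToken)) {
                // Nothing to relay: send the request without credentials. A protected
                // downstream service will answer 401, which is visible in its logs and
                // easier to diagnose than a NullPointerException inside the interceptor.
                return;
            }
            String token = ((JwtAuthenticationToken) auth).getToken().getTokenValue();
            template.header(AUTHORIZATION, "Bearer " + token);
        }
    }
}
```

What you lose by commenting the interceptor out is the Authorization header on the gateway-to-service call: the downstream service then sees an anonymous request, so any endpoint it protects will reject it. The interceptor is what carries the user's identity across the service boundary.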

socrates hlapolosa

This is most odd. I wonder if it's related to me running on Windows, although I would be surprised at that. But I'll try running my code in its current form on a different host.

Anna Ai

@mattraible Thanks for sharing this nice tutorial in both text and video. I am new to Spring Boot / microservices, with some knowledge of the Struts/Spring frameworks only, and saw "I created all of these applications using start.spring.io's REST API and HTTPie." Just wondering if you have the text or video for how to do that. And also, what is the prerequisite that causes the download when typing "eureka-service" in Git as shown in your video?

Matt Raible

A screencast for this video is at the top of the post and the text for the HTTPie commands is in the post too. I’m guessing you aren’t asking for those? For “eureka-service” and other commands that are similar, I created aliases in my ~/.zshrc file. They’re the same as the HTTPie commands.

alias eureka-service="http https://start.spring.io/starter.zip javaVersion==11 artifactId==discovery-service name==eureka-service dependencies==cloud-eureka-server baseDir==discovery-service | tar -xzvf -"

alias car-service="http https://start.spring.io/starter.zip artifactId==car-service name==car-service baseDir==car-service dependencies==actuator,cloud-eureka,data-jpa,h2,data-rest,web,devtools,lombok | tar -xzvf -"

alias api-gateway="http https://start.spring.io/starter.zip artifactId==api-gateway name==api-gateway baseDir==api-gateway dependencies==cloud-eureka,cloud-feign,data-rest,web,cloud-hystrix,lombok | tar -xzvf -"

Anna Ai

Thank you for the reply. I did create a similar alias for eureka-service in Git Bash but get "bash: http: command not found" when typing "eureka-service" because HTTPie is not installed, so I am trying to download get-pip.py to see if it works. Thanks.

Barou Dioni

@mattraible I followed your tutorial to implement my own authentication but I get a 400 Bad Request before the login page.

Subramanian Chenniappan

thanks bro. I came here from youtube

Abdelrahman Mahmoud

Hi Matt,
Thanks for the great example.
I'm trying to practice using your example, especially the one using the Spring Cloud API gateway, and I was trying to implement user authorization based on groups created in Okta.
The question is: what is the best practice, to apply the authorization in the API gateway security or at the endpoint level?
The thing is, I'm able to apply it in the API gateway security class, but not able to apply it on the endpoint itself using @PreAuthorize("hasRole('')") or @PreAuthorize("hasAuthority('')").

Thanks and regards

Matt Raible

Hello! See Spring Method Security with PreAuthorize for how to use @PreAuthorize with Okta.
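As an added example of the plain Spring Security way to get there (this is not code from the tutorial or from the linked post, and the Okta starter ships its own claim-to-authority mapping), the configuration below turns the "groups" claim of the access token into ROLE_-prefixed authorities so that @PreAuthorize("hasRole('...')") works on individual endpoints. It assumes the authorization server has been configured to include a "groups" claim in the access token; group names are used as-is and are case-sensitive. Package and class names are placeholders.

```java
// Added example, not from the tutorial: map the JWT "groups" claim to
// ROLE_<group> authorities and enable method-level security.
package com.example.demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // required for @PreAuthorize to be enforced
public class MethodSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(groupsToRoles())));
    }

    /** Builds authorities from the "groups" claim instead of the default "scope"/"scp" claim. */
    static JwtAuthenticationConverter groupsToRoles() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("groups"); // assumption: claim name used by your auth server
        authorities.setAuthorityPrefix("ROLE_");       // hasRole('Admin') checks for ROLE_Admin
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

@RestController
class AdminCarsController {

    // Enforced per endpoint: the token's "groups" claim must contain "Admin".
    @GetMapping("/admin/cars")
    @PreAuthorize("hasRole('Admin')")
    public String adminOnly() {
        return "admin view";
    }

    // hasAuthority() needs the full authority name, prefix included.
    @GetMapping("/admin/audit")
    @PreAuthorize("hasAuthority('ROLE_Admin')")
    public String auditOnly() {
        return "audit view";
    }
}
```

Two caveats: replacing the default authorities converter means SCOPE_ authorities are no longer created, so any hasAuthority('SCOPE_...') checks need their own converter; and the mapping only sees what the access token carries, so group membership must be added to that token by the authorization server before endpoint-level checks can use it.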

Matt Raible

This usually happens when you’ve misconfigured a redirect URI or client ID. Make sure those values match what this tutorial recommends.

rajiv kumar

Hi Matt,
Thanks for sharing such a nice article
I'm trying to add the Okta security to my existing demo microservices application but I'm getting a 400 Bad Request response all the time.
Here is my application https://github.com/RajeevKu…
I’m trying to add it for api-gateway and library-service.

Iori Yagami

Hello, does this configuration work in GCP environment? I’m trying to deploy a similar architecture in GCP, the services being app engines. But I have a problem with Zuul not being able to route to the right service. I tried different combinations of path&url or serviceId using eureka but never worked. Any hints please?