Java Microservices with Spring Boot and Spring Cloud

rajiv kumar

Hi Matt,

Yes, I misconfigured the redirect URI. Suppose I have 3 microservices and I access the controller endpoints of any one of the microservices, and assume it is a first request; then I would like to redirect the request for login. If that is my requirement, then what are all the changes I should make?

Currently I’m getting a 400 HTTP status code if I’m trying to access the microservice without the api-gateway (Zuul).

Matt Raible

Hello Iori,

I’m not sure as I haven’t tried to get a Eureka server working on GCP + App Engine. I have done it with Kubernetes and Knative without issues. I’d try asking your question on Stack Overflow with steps to reproduce your issue.

Matt Raible

When you get the 400 error, does it say that you have an invalid redirect URI? If so, you need to make sure your app on Okta has the redirect URI that’s specified in this tutorial: http://localhost:8080/login/oauth2/code/okta. If that’s not the issue, check your client ID and secret. I’ve seen this error before when those values are incorrect.

Matt Raible

I recommend you configure all requests to go through your API gateway. If you’re trying to hit your other microservices directly, you’re not taking advantage of your gateway. It’s expected that you’ll receive an error from your other services if you try to access them directly. If you look closely at the error, it likely says you have an invalid redirect URI. You can see what this value is by looking at the parameter in the URL that’s being requested. If you add this value to your Okta app, it should work.

rajiv kumar

Hi Matt,
I verified this and now my app is working, but I have a few questions.
1) Why are we adding Zuul routes in the application properties inside the edge server?
2) In my library-service, there are two Feign clients (for the book & user services). I have added the resource server configuration (like you did in the example for OktaOAuth2WebSecurityConfigurerAdapter) in all of my services (book, user and library service),
and then I have added the UserFeignClientInterceptor in the library-service because my library service will call both the book & user services through the respective Feign clients.
Now the problem is that when I use the book & user services through the edge-server, I’m able to get the Okta login screen and then I’m getting the REST responses, but if I make a call using library-service (to either the book or user service), then I’m getting a 400 error.

rajiv kumar

Yes, I understand, but can’t we do it like this: if I directly access a service, not through the edge-service, and it is a first request, then it should redirect for login? Will it be possible?

Matt Raible

I only added Zuul routes in application.properties to show it’s possible. The UserFeignClientInterceptor will only work in the api-gateway because that’s where the oauth2Login() is configured. For the server-to-server communication, you might have to use client credentials. I’m not certain, though. For server-to-server communication, see Secure Server-to-Server Communication with Spring Boot and OAuth 2.0 and our Implement the Client Credentials Flow documentation.
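
One way to give library-service its own token for the server-to-server calls discussed above, as an added example that is not code from the post or its author: a Feign RequestInterceptor that obtains a client-credentials access token through Spring Security’s OAuth2AuthorizedClientManager and puts it in the Authorization header of every outbound Feign call. The registration name book-service, the principal label library-service, the package name and all property values are assumptions; the Okta client behind them must be a service (machine-to-machine) application, and the token-uri, client-id, client-secret and scope come from your own org.

```java
// Added example (not from the original post): a Feign interceptor that attaches a
// client-credentials access token, so library-service can call book-service and
// user-service without a logged-in browser user. All names below are assumptions.
//
// Assumed application.properties entries (values are placeholders):
//   spring.security.oauth2.client.registration.book-service.client-id=<m2m-client-id>
//   spring.security.oauth2.client.registration.book-service.client-secret=<m2m-client-secret>
//   spring.security.oauth2.client.registration.book-service.authorization-grant-type=client_credentials
//   spring.security.oauth2.client.registration.book-service.scope=<custom scope granted to the M2M app>
//   spring.security.oauth2.client.registration.book-service.provider=okta
//   spring.security.oauth2.client.provider.okta.token-uri=https://{yourOktaDomain}/oauth2/default/v1/token
package com.example.library.config;

import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class ClientCredentialsFeignConfig {

    // Registration name is an assumption; it must match the properties above.
    private static final String REGISTRATION_ID = "book-service";

    // The service-backed manager works outside an HTTP request thread (the default
    // request-scoped manager does not), so it also suits scheduled background jobs.
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService authorizedClients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()   // only this grant: no end user is involved
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // Spring Cloud OpenFeign applies every RequestInterceptor bean to each outbound call.
    @Bean
    public RequestInterceptor clientCredentialsInterceptor(OAuth2AuthorizedClientManager manager) {
        return (RequestTemplate template) -> {
            // "library-service" labels the calling service, not a user; the manager
            // caches the token under that name and fetches a new one when it expires.
            OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                    .withClientRegistrationId(REGISTRATION_ID)
                    .principal("library-service")
                    .build();
            OAuth2AuthorizedClient client = manager.authorize(request);
            if (client == null) {
                // Fail closed: never let the downstream call go out unauthenticated.
                throw new IllegalStateException("No access token obtained for " + REGISTRATION_ID);
            }
            template.header("Authorization", "Bearer " + client.getAccessToken().getTokenValue());
        };
    }
}
```

Use this in place of, not alongside, the UserFeignClientInterceptor in library-service, otherwise two interceptors would each set an Authorization header. The token identifies the service rather than the end user, so book-service and user-service will see the M2M client as the principal; any per-user authorization decision has to be made before the call or passed along separately, and the downstream resource servers must trust the issuer (and expect the audience) of the authorization server that minted the token.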

Matt Raible

If you configure oauth2Login() for those services, and add a redirect URI to your Okta app, yes, you could do that.

Malleswara Rao

Hi Matt

I am getting the below error, please let me know how to fix it.

[invalid_id_token] An error occurred while attempting to decode the Jwt: Jwt expired at 2020-09-19T15:39:13Z

Matt Raible

Make sure your computer’s clock is in sync with an internet time service.
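
For context on the message above, here is an added example (not code from the post or its author) showing the validator behind the "Jwt expired at ..." error: Spring Security’s JwtTimestampValidator compares the token’s exp claim with the local clock and already tolerates a small skew, 60 seconds by default. The example builds the resource server’s JwtDecoder with that tolerance and an issuer check made explicit; the issuer, JWK set URI and package name are placeholders for your own Okta org.

```java
// Added example (not from the original post): the resource server's JwtDecoder with
// the default 60-second clock-skew tolerance and an issuer check spelled out.
// ISSUER and JWK_SET_URI are placeholders; fill them from your own Okta org.
package com.example.carservice.config;

import java.time.Duration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    private static final String ISSUER = "https://{yourOktaDomain}/oauth2/default";   // placeholder
    private static final String JWK_SET_URI = ISSUER + "/v1/keys";                   // placeholder
    // Spring's default tolerance. A token whose exp is more than this far in the past,
    // as seen by THIS machine's clock, is rejected with "Jwt expired at <exp>".
    private static final Duration CLOCK_SKEW = Duration.ofSeconds(60);

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(CLOCK_SKEW),   // exp / nbf against the local clock
                new JwtIssuerValidator(ISSUER));         // reject tokens from any other issuer
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

The decoder Spring Boot auto-configures from okta.oauth2.issuer already applies this 60-second window, so the error in the comment above means the machine’s clock is off by more than a minute (or the token really is stale). Widening CLOCK_SKEW would only hide the drift while weakening expiry enforcement for every token, which is why syncing the clock is the right fix.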

Shankar Jat

Hi Matt,
Thanks for sharing this great example. I just wanted to ask you one thing: whatever response we get from car-service via readCars(), if I would like to show this JSON response on the JSP side, then how can I use this JSON response in a JSP?

Matt Raible

Hello Shankar,

It would likely be very similar to how you’d do it in a regular Spring MVC controller. Grab the response, convert it to a String, then add it to a Model object to display in your JSP.

Harpreet Arora

First of all, thanks a lot for such a nice and explanatory article. I have one query: why is a CorsFilter added in addition to the @CrossOrigin annotations at the method level?

Matt Raible

Because once you add Spring Security, @CrossOrigin no longer works. You have to add a filter to return the CORS headers before Spring Security kicks in. At least, that’s my experience. I’d love to find a better way to do it!
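
What the filter approach described above looks like in practice, as an added example that is not the tutorial’s own code: a CorsFilter registered at the highest precedence so that browser preflight (OPTIONS) requests receive CORS headers before Spring Security can reject them as unauthenticated. The package name and the allowed origin http://localhost:4200 are assumptions standing in for your SPA’s real origin.

```java
// Added example (not the tutorial's code): register a CorsFilter that runs ahead of
// Spring Security's filter chain, so preflight requests get CORS headers instead of
// a 401/403. The package and the allowed origin are assumptions.
package com.example.carservice.config;

import java.util.Arrays;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsBeforeSecurityConfig {

    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Name the origins explicitly. "*" together with allowCredentials(true) is
        // rejected by Spring, and an open origin list would leak credentialed responses.
        config.setAllowedOrigins(Arrays.asList("http://localhost:4200"));   // assumed SPA origin
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L);   // browsers may cache the preflight result for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean<CorsFilter> bean =
                new FilterRegistrationBean<>(new CorsFilter(source));
        // Highest precedence places this filter before springSecurityFilterChain.
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }
}
```

With this in place the method-level @CrossOrigin annotations become redundant for the covered paths. Spring Security also offers an integrated route: expose the same CorsConfiguration as a CorsConfigurationSource bean and call http.cors() in the security configuration, and Spring Security inserts its own CorsFilter before the authentication filters without a separate registration.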

Stefan Glatt

Hi Matt, thanks a lot for this awesome example/tutorial. I’m just wondering what it would take to write my own authorization service instead of using Okta, to solve the refresh token issue. I’m thinking of providing an API endpoint that could be called once the token has expired and, instead of the user having to manually log in again like with Okta, automatically refresh the token and provide it to the application via some callback URL.

Matt Raible

I believe the refresh token issue has been fixed in recent versions of Spring Cloud and Spring Security. I know it was just recently added to Spring Cloud Gateway in October.

AleGallagher

Hi @mattraible! Thanks a lot for this tutorial. I have a doubt. You use the redirect URL and a browser to log in. Isn’t it possible to log in via Postman, for example? Calling an endpoint with the user and password in the request body instead of using a browser?

Thanks in advance!

Matt Raible

In this particular example, both the gateway and the car service are configured to act as resource servers. That’s what this code from Spring Security does:

.oauth2ResourceServer().jwt();

If you generate an access token, yes, you can send it in an “Authorization” header in Postman (with a “Bearer ” prefix) and it’ll work to give your request access. In this example, I generated the access token by leveraging .oauth2Login() in the gateway. Another way you could do it is to create a new SPA app on Okta with the implicit flow, add https://oidcdebugger.com/debug as a redirect URI, and then generate your access token using https://oidcdebugger.com. Here’s a screenshot of the settings you’ll want to use.

https://uploads.disquscdn.c…

AleGallagher

Thanks for the answer! How should the flow of calls to log in via Postman look?

Matt Raible

I haven’t used Postman much with our APIs, so I’m probably the wrong person to ask. We do have Postman Collections you might find useful. There’s also a listing on Postman’s site. If that doesn’t help, please post a question to our developer forums.