JHipster Okta integration issue

Can someone help with this problem? I'm getting the error below when I try to integrate JHipster with Okta.

2019-06-06 01:06:59.261  INFO 722 --- [ XNIO-2 task-12] c.o.f.config.SecurityConfiguration : --------------START---------------
2019-06-06 01:06:59.261  INFO 722 --- [ XNIO-2 task-12] c.o.f.config.SecurityConfiguration : Authority--ROLE_USER
2019-06-06 01:06:59.265 ERROR 722 --- [ XNIO-2 task-12] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/oidc

java.lang.ClassCastException: org.springframework.security.oauth2.core.user.OAuth2UserAuthority cannot be cast to org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
    at com.octo.frontendauth.config.SecurityConfiguration.lambda$null$1(SecurityConfiguration.java:108)
    at java.lang.Iterable.forEach(Iterable.java:75)
    at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
    at com.octo.frontendauth.config.SecurityConfiguration.lambda$userAuthoritiesMapper$2(SecurityConfiguration.java:106)
    at org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider.authenticate(OAuth2LoginAuthenticationProvider.java:120)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175)
    at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:186)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160)

Are you developing a monolith or a microservices architecture? If it’s just a monolith, can you show us your .yo-rc.json file and provide steps to reproduce?

Hi @mraible, I'm developing a monolith app. Here is my .yo-rc.json file. The steps I took so far: installed JHipster, modified application.yml as below, configured the Okta tenant and started the app.

oauth2:
  client:
    provider:
      oidc:
        issuer-uri: https://dev-534394.oktapreview.com/oauth2/default
    registration:
      oidc:
        client-id: <>
        client-secret: <>
        scope: openid profile email
        access-token-uri: https://dev-534394.oktapreview.com/oauth2/default/v1/token
        user-authorization-uri: https://dev-534394.oktapreview.com/oauth2/default/v1/authorize

Here is the .yo-rc.json content:

{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.octo.frontendauth"
    },
    "jhipsterVersion": "6.0.1",
    "applicationType": "monolith",
    "baseName": "frontendauthserver",
    "packageName": "com.octo.frontendauth",
    "packageFolder": "com/octo/frontendauth",
    "serverPort": "8080",
    "authenticationType": "oauth2",
    "cacheProvider": "ehcache",
    "enableHibernateCache": false,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Memory",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSwaggerCodegen": false,
    "clientFramework": "angularX",
    "clientTheme": "solar",
    "clientThemeVariant": "primary",
    "useSass": true,
    "clientPackageManager": "npm",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "entitySuffix": "",
    "dtoSuffix": "DTO",
    "otherModules": [],
    "enableTranslation": false
  }
}

You don't need the "access-token-uri" and "user-authorization-uri" values. Can you try removing them? You might also check out my recent blog post on using JHipster 6 with Okta. It includes a screencast if you prefer video.

Hi @mraible, I tried removing them and it still has no effect; I'm still getting the same error.
Here is the code snippet from SecurityConfiguration.java:

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

@Configuration
public class SecurityConfiguration {

    private final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);

    @Bean
    @SuppressWarnings("unchecked")
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return (authorities) -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
            log.info("--------------START---------------");
            authorities.forEach(authority -> {
                log.info("Authority--" + authority);
                // Assumes every authority comes from an OIDC login; this is the cast
                // that fails in the stack trace when an OAuth2UserAuthority arrives instead.
                OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
                log.info("oidc Authority--" + oidcUserAuthority);
                OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
                // Roles come from the "groups" claim, falling back to "roles"
                Collection<String> groups = (Collection<String>) userInfo.getClaims().get("groups");
                if (groups == null) {
                    groups = (Collection<String>) userInfo.getClaims().get("roles");
                }
                mappedAuthorities.addAll(groups.stream()
                    .filter(group -> group.startsWith("ROLE_"))
                    .map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
            });

            return mappedAuthorities;
        };
    }
}

Here is the log where it throws the ClassCastException:

2019-06-06 10:44:27.223  INFO 3143 --- [ XNIO-1 task-18] c.o.f.config.SecurityConfiguration : --------------START---------------
2019-06-06 10:44:27.223  INFO 3143 --- [ XNIO-1 task-18] c.o.f.config.SecurityConfiguration : Authority--ROLE_USER
2019-06-06 10:44:27.233 ERROR 3143 --- [ XNIO-1 task-18] io.undertow.request                      : UT005023: Exception handling request to /login/oauth2/code/oidc

java.lang.ClassCastException: org.springframework.security.oauth2.core.user.OAuth2UserAuthority cannot be cast to org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
    at com.octo.frontendauth.config.SecurityConfiguration.lambda$null$1(SecurityConfiguration.java:108)
    at java.lang.Iterable.forEach(Iterable.java:75)
    at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
    at com.octo.frontendauth.config.SecurityConfiguration.lambda$userAuthoritiesMapper$2(SecurityConfiguration.java:106)
    at org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider.authenticate(OAuth2LoginAuthenticationProvider.java:120)
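The stack trace shows why the cast fails: the authority being mapped is built by OAuth2LoginAuthenticationProvider (the plain OAuth 2.0 login path), which produces an OAuth2UserAuthority named ROLE_USER with the userinfo attributes attached, not the OidcUserAuthority the mapper casts to. OidcUserAuthority is a subclass of OAuth2UserAuthority, so a mapper that checks the type with instanceof and reads the claims from whichever object it gets keeps working on both paths, and it also survives a missing "groups"/"roles" claim instead of throwing a NullPointerException. The following is an added example in that style, not JHipster's generated code or anything from this thread; the class name, the main() method and the constructed sample claims are assumptions for illustration, and it needs spring-security-oauth2-client (5.1 or later) on the classpath to compile.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

// Hypothetical demo class (not from the project): a mapper that handles both authority types.
public class GroupsAuthoritiesMapperDemo {

    /** Maps provider groups to ROLE_* authorities without assuming an OIDC login. */
    public static GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>();
            for (GrantedAuthority authority : authorities) {
                Map<String, Object> claims;
                if (authority instanceof OidcUserAuthority) {
                    // OIDC login: groups may sit in the ID token or in the userinfo response
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    claims = new HashMap<>(oidc.getIdToken().getClaims());
                    if (oidc.getUserInfo() != null) {
                        claims.putAll(oidc.getUserInfo().getClaims());
                    }
                } else if (authority instanceof OAuth2UserAuthority) {
                    // Plain OAuth 2.0 login (the case in the stack trace): only userinfo attributes exist
                    claims = ((OAuth2UserAuthority) authority).getAttributes();
                } else {
                    // Anything already mapped (e.g. a SimpleGrantedAuthority) passes through unchanged
                    mapped.add(authority);
                    continue;
                }
                mapped.addAll(rolesFromClaims(claims));
            }
            return mapped;
        };
    }

    /** Reads "groups", falling back to "roles", and keeps only ROLE_-prefixed string entries. */
    @SuppressWarnings("unchecked")
    static List<GrantedAuthority> rolesFromClaims(Map<String, Object> claims) {
        Object raw = claims.get("groups");
        if (raw == null) {
            raw = claims.get("roles");
        }
        if (!(raw instanceof Collection)) {
            // Claim absent or not a list: grant nothing rather than crash the login
            return Collections.emptyList();
        }
        return ((Collection<Object>) raw).stream()
            .filter(g -> g instanceof String && ((String) g).startsWith("ROLE_"))
            .map(g -> new SimpleGrantedAuthority((String) g))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data, not a real token: an OIDC authority whose ID token carries groups
        Map<String, Object> idClaims = new HashMap<>();
        idClaims.put("sub", "00u123");
        idClaims.put("groups", Arrays.asList("ROLE_USER", "ROLE_ADMIN", "Everyone"));
        OidcIdToken idToken = new OidcIdToken("not-a-real-token",
            Instant.now(), Instant.now().plusSeconds(300), idClaims);
        Map<String, Object> userInfoClaims = new HashMap<>();
        userInfoClaims.put("sub", "00u123");
        OidcUserAuthority oidc = new OidcUserAuthority(idToken, new OidcUserInfo(userInfoClaims));

        // The situation from the trace: a plain OAuth2UserAuthority (authority name ROLE_USER)
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("sub", "00u123");
        attrs.put("groups", Arrays.asList("ROLE_USER"));
        OAuth2UserAuthority plain = new OAuth2UserAuthority(attrs);

        GrantedAuthoritiesMapper mapper = userAuthoritiesMapper();
        System.out.println("OIDC login  -> " + mapper.mapAuthorities(Arrays.asList(oidc)));
        System.out.println("OAuth2 login -> " + mapper.mapAuthorities(Arrays.asList(plain)));
    }
}
```

Two things worth checking on a real deployment when this path is hit: whether the authorization request actually carried the openid scope (if it did not, Spring Security will not treat the login as OIDC, and no ID token is validated), and whether the "groups" claim is configured on the ID token or only on the access token, since the mapper never sees the access token's claims.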

You probably missed a configuration step where you need to add a "groups" claim to the ID token. There are instructions in the blog post and in JHipster's security docs.

Here is my Okta tenant configuration. BTW, thanks very much for responding quickly.

If it doesn't work with this configuration, I'd try removing the "groups" claim that's in the access token, as well as the "roles" claim. You only need one.

I tried removing the groups claim in the access token and the roles claim as well. Still the same original error:
java.lang.ClassCastException: org.springframework.security.oauth2.core.user.OAuth2UserAuthority cannot be cast to org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority

Hi @mraible, I deleted the .yo-rc.json file and recreated the project from scratch, and it worked fine this time. Very weird. But anyway, thanks for your help!