Tutorial: Learn how to use JWT and opaque access with Spring Boot.
Hi, a small note on the configuration described in the video: starting with Spring Boot 2.4, you need to add the openid scope into the configuration like so:
This is because of the upgrade to Spring Security 5.4, which brings the change "Refined ClientRegistrations to not default scopes to the OIDC scopes_supported attribute" in the What's new section of Spring Security's reference documentation.
Good catch! I’ll update the post!
When the frontend is using the PKCE flow and you have no client secret, how do you validate the access_token with Spring Security?
The /introspect endpoint doesn't always require a client secret (it depends on the type of application you have set up). This page goes into more detail: https://developer.okta.com/…
Does that answer your question?
Thanks for this excellent walkthrough. It was almost exactly what I was looking for. Using PKCE with Okta myself but still struggling. I don’t suppose this flow is built into Spring or coming soon? I tried to just leave the secret blank or out of my properties file but that did not suffice. Thanks!
Spring has limited built in support for PKCE. If you don’t set a client-secret Spring Security will attempt to use PKCE (with an Auth Code flow, i.e. using
There is an outstanding issue to support PKCE for confidential clients with an auth code flow too
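Putting the two points in this thread together (the openid scope that has to be listed explicitly from Spring Boot 2.4, and omitting client-secret so that Spring Security attempts PKCE), here is an added example of the Spring Boot client properties. It is not from the original post or from the commenters; the registration name okta, the client id, the issuer URL and the extra profile and email scopes are placeholder assumptions.

```properties
# Added example, not from the original post. The registration name "okta",
# the client id, the issuer URL and the profile/email scopes are assumptions.
spring.security.oauth2.client.provider.okta.issuer-uri=https://example.okta.com/oauth2/default
spring.security.oauth2.client.registration.okta.client-id=REPLACE_WITH_CLIENT_ID

# From Spring Boot 2.4 / Spring Security 5.4 the scopes are no longer defaulted
# from the provider's scopes_supported, so openid must be listed explicitly.
spring.security.oauth2.client.registration.okta.scope=openid,profile,email

# client-secret is intentionally not set at all: as the reply above says,
# Spring Security then attempts PKCE with the authorization code flow.
```

The property keys themselves (spring.security.oauth2.client.provider.*.issuer-uri, spring.security.oauth2.client.registration.*.client-id and .scope) are standard Spring Boot OAuth2 client properties; only the values are placeholders.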