Method Security with Spring Security and PreAuthorize

Brian Demers

Typically you would use either an application.yml or an application.properties. It’s easy to convert between the two. For example the following yaml:


okta:
  oauth2:
    issuer: https://my.example.com
    client-id: my-client-id

is equivalent to this properties file:


okta.oauth2.issuer=https://my.example.com
okta.oauth2.client-id=my-client-id

Does that help?

Rafif elfazri

I think there is a conflict between these two variables in application.properties:

- spring.security.oauth2.client.provider.okta.issuer-uri

- okta.oauth2.issuer

The first variable allows me to do RP-initiated logout, as shown in this link:

https://developer.okta.com/…

The second variable allows me to have group names in oauth.getAuthorities().

But these two values can’t work with each other; you may only have one of these variables, and you have to choose only one of the features.

Brian Demers

Ahh, I see what you are asking.

If you are using the Okta-Spring-Boot starter, you should use the okta.oauth2.* properties.
If you want to do RP-Initiated Logout with the Okta Spring Boot starter, just set the okta.oauth2.postLogoutRedirectUri property to the absolute URL to redirect back to (and it will be configured automatically).

Rafif elfazri

I’m sorry, but it still doesn’t do the RP-Initiated Logout.

Brian Demers

It’s a recent addition, are you on the latest version?

Rafif elfazri

I’m on 1.2.1 okta starter version

Brian Demers

Ahh! Try the latest: 1.4.0.
You need to make sure you are on the current version of Spring Boot too.

Rafif elfazri

Thank you very much, all my problems are solved right now. I’m glad that I asked for guidance rather than keeping silent.

Brian Demers

Any time Rafif!
That is why we have the comments turned on :)

Rafif elfazri

Excuse me, it seems that I still have another error. When I put this line in my application.properties:

okta.oauth2.scopes= openid email profile custom

I’ve got this error:
Caused by: java.lang.IllegalArgumentException: scope “openid email profile custom” contains invalid characters

What might cause it?

Brian Demers

Hey Rafif!

Try using a comma separated list: okta.oauth2.scopes=openid,email,profile,custom
Keep us posted!

Mike Reynolds

Hi. I followed the article (very informative), but cannot get @PreAuthorize("hasAuthority('Everyone')") (or any other group) to work. I simply get access denied. I even tried an anyMatcher() in my SecurityConfig class and this didn’t help.
Do you have any suggestions? In my /userinfo endpoint
"Groups": ["Everyone", "Player"]
is available.

Is it possible this is because the requests are coming from an ajax $.get or $.post ?

Matt Raible

Did you add a “groups” claim to your ID and access tokens as described in this post? If so, make sure your filter is a regex with dot asterisk - aka .*.
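The behaviour Matt's reply depends on, shown as an added example rather than code from the article or from the Okta starter: once the `groups` claim is actually present in the ID token (Okta claim filter `.*`), something has to turn each group name into a `GrantedAuthority`, otherwise `hasAuthority('Everyone')` has nothing to match. The Okta Spring Boot starter does this for you from the claim named by `okta.oauth2.groupsClaim` (default `groups`); the `GrantedAuthoritiesMapper` below does the same thing with plain Spring Security `oauth2Login()`, and also checks the userinfo response when the ID token lacks the claim. The claim name `groups` and the `ScoreController` class are assumptions for the example.

```java
// Added example, not from the original post or the Okta starter.
// Maps the "groups" claim (assumed name) from the ID token, or from userinfo
// as a fallback, into GrantedAuthority values so @PreAuthorize can test them.
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class GroupsAuthoritiesConfig {

    // Assumed claim name; it must match the claim you added in the Okta admin console.
    private static final String GROUPS_CLAIM = "groups";

    // Spring Security's oauth2Login() picks up a GrantedAuthoritiesMapper bean automatically.
    @Bean
    public GrantedAuthoritiesMapper groupsAuthoritiesMapper() {
        return authorities -> {
            // Keep whatever Spring already granted (ROLE_USER, SCOPE_openid, ...).
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                Map<String, Object> claims = null;
                if (authority instanceof OidcUserAuthority) {
                    // OpenID Connect login: prefer the ID token, fall back to userinfo.
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    claims = oidc.getIdToken().getClaims();
                    if (!claims.containsKey(GROUPS_CLAIM) && oidc.getUserInfo() != null) {
                        claims = oidc.getUserInfo().getClaims();
                    }
                } else if (authority instanceof OAuth2UserAuthority) {
                    // Plain OAuth 2.0 login: attributes come from the userinfo endpoint.
                    claims = ((OAuth2UserAuthority) authority).getAttributes();
                }
                if (claims == null) {
                    continue;
                }
                Object groups = claims.get(GROUPS_CLAIM);
                if (groups instanceof Collection) {
                    for (Object group : (Collection<?>) groups) {
                        // Only accept group names the IdP asserted as strings; no prefix is
                        // added, so hasAuthority('Everyone') matches the raw Okta group name.
                        if (group instanceof String) {
                            mapped.add(new SimpleGrantedAuthority((String) group));
                        }
                    }
                }
            }
            return mapped;
        };
    }
}

// Assumed controller showing the rule from the thread once the mapping above is in place.
@RestController
class ScoreController {

    @PreAuthorize("hasAuthority('Everyone')")
    @GetMapping("/scores")
    public String scores() {
        return "visible to members of the Everyone group";
    }
}
```

Two checks worth making when you still get access denied after this: `hasAuthority` compares the exact string, so `Everyone` and `everyone` are different authorities, and `hasRole('Everyone')` would look for `ROLE_Everyone`, which this mapper never produces; and the mapper only runs at login, so after changing the claim filter in Okta you need a fresh session before the new authorities show up.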

Chetan Shetty

Hi, I followed the article and faced a compatibility issue with the Spring Boot and Okta starter versions.

Finally I was able to get it working on the versions below:

Spring version - 2.2.4.RELEASE
Okta starter version - 1.4.0

Also, in this version of the Okta starter the configuration looks as below:

okta:
  oauth2:
    issuer: <your okta url>
    clientId: <your client id>
    clientSecret: <your client secret>

Abdelrahman Mahmoud

Hi,
Thanks for your great efforts.

I tried to put this service (oauthinfo) behind a Spring Cloud Gateway following Matt’s article (the reactive one).

as below:
public String oauthUserInfo( @AuthenticationPrincipal OAuth2User oauth2User) {
//…
}

The problem is that OAuth2User is always null.

Any idea?

Edit: same service (/oauthinfo) in the gateway is working fine
Thanks…

Matt Raible

Hello Abdelrahman,

How are you configuring Spring Cloud Gateway? Are you using oauth2Login() or oauth2ResourceServer()? In my experience, if you pass a Principal into your method, it can be a different type based on what authentication mechanism you’re using.


import java.security.Principal;
import java.util.Map;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public UserDTO getUserFromAuthentication(Principal principal) {
    if (principal instanceof AbstractAuthenticationToken) {
        AbstractAuthenticationToken authToken = (AbstractAuthenticationToken) principal;
        Map<String, Object> attributes;
        if (authToken instanceof OAuth2AuthenticationToken) { // if using oauth2Login()
            attributes = ((OAuth2AuthenticationToken) authToken).getPrincipal().getAttributes();
        } else if (authToken instanceof JwtAuthenticationToken) { // if using oauth2ResourceServer()
            attributes = ((JwtAuthenticationToken) authToken).getTokenAttributes();
        } else {
            throw new IllegalArgumentException("AuthenticationToken is not OAuth2 or JWT!");
        }
        // Assumes a UserDTO constructor that takes the claim/attribute map.
        return new UserDTO(attributes);
    } else {
        // Not authenticated
        return null;
    }
}

Alexander Shikanga-Tindi

Why doesn’t anyone cover testing?

Matt Raible

We have a couple posts that show how to test with Spring Security and Okta. Hopefully they help:

1. How to GraphQL in Java
2. Test Your Spring Boot Applications with JUnit 5
3. Upgrading Spring Security OAuth and JUnit Tests through the 👀 of a Java Hipster
4. The Hitchhiker’s Guide to Testing Spring Boot APIs and Angular Components with WireMock, Jest, Protractor, and Travis CI
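A compact way to test the `@PreAuthorize` rule this thread is about, added here as an example and not taken from the article or from the posts Matt lists. It uses Spring Security's test support (`spring-security-test`) with JUnit 5 and `@WithMockUser`, so no Okta tenant or browser login is involved: the mock authentication is placed straight into the `SecurityContext` and only the method-security interceptor is exercised. `ScoreService` and the nested `Config` class are assumptions for the example.

```java
// Added example, not from the original article or the linked posts.
// Tests a @PreAuthorize("hasAuthority('Everyone')") rule without a real IdP.
// Requires spring-boot-starter-test and spring-security-test on the test classpath.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;

@SpringBootTest(classes = MethodSecurityTest.Config.class)
class MethodSecurityTest {

    // Assumed service under test; the rule is the one discussed in the thread.
    // Must be non-final so Spring can wrap it in a CGLIB proxy that enforces the annotation.
    public static class ScoreService {
        @PreAuthorize("hasAuthority('Everyone')")
        public String scores() {
            return "scores";
        }
    }

    // Minimal context: method security on, one bean. No web layer, no OAuth client.
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class Config {
        @Bean
        ScoreService scoreService() {
            return new ScoreService();
        }
    }

    @Autowired
    ScoreService scoreService;

    @Test
    @WithMockUser(authorities = "Everyone")
    void memberOfEveryoneIsAllowed() {
        assertEquals("scores", scoreService.scores());
    }

    @Test
    @WithMockUser(authorities = "Player")
    void otherGroupIsDenied() {
        assertThrows(AccessDeniedException.class, () -> scoreService.scores());
    }

    // roles = "Everyone" grants "ROLE_Everyone", which hasAuthority('Everyone') does not match.
    // This is the usual mistake behind "access denied even though the group is there".
    @Test
    @WithMockUser(roles = "Everyone")
    void rolePrefixDoesNotMatchHasAuthority() {
        assertThrows(AccessDeniedException.class, () -> scoreService.scores());
    }

    // No SecurityContext at all: the interceptor rejects before evaluating the expression.
    @Test
    void anonymousIsRejected() {
        assertThrows(AuthenticationCredentialsNotFoundException.class, () -> scoreService.scores());
    }
}
```

Testing at this level pins down the authorization rule itself; the separate question of whether Okta actually puts the group into the token (the claim filter Matt mentions) is an integration concern and is best covered by the WireMock-style tests in the fourth post above.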

Alexander Shikanga-Tindi

Thanks! @mattraible

Raju N

My organisation’s Okta has only an access token claim configured in its authorisation server. Is it possible to get the groups attribute with only the access token claim?