Migrate Your Spring Boot App to the Latest and Greatest Spring Security and OAuth 2.0

Migrate Spring Boot with OAuth 2.0 support from version 1.5.x to 2.1.x

Kunmun Mandala

Thank you Micah Silverman for the blog on “Spring Boot 2.1.x and the Okta Spring Boot Starter”. It’s very helpful and we were searching for this topic.
Can you please cover the topic “Spring Boot 2.1.x+ okta-spring-boot-starter 1.1.0 + Zuul”?

There is a blog from Matt related to this topic but it covers the older version of Spring Boot: https://developer.okta.com/…

Micah

Thanks for the comment! We don’t have any plans currently to update the specific Zuul post from Matt. But, a new post coming soon from Matt has some information on the latest Zuul too. No ETA on that post, but keep an eye out for it.

Swagat Dishri

Thanks @afitnerd for the wonderful article, but here I am facing an issue, “org.springframework.web.reactive.function.client.WebClientResponseException$Unauthorized: 401 Unauthorized”, while calling
the “localhost:8080/api” REST endpoint; any help will be appreciated.

Matt Raible

Kunmun - please see Java Microservices with Spring Boot and Spring Cloud for an example with the latest versions of Spring Boot and Spring Cloud.

Vek

Hi Micah,

We are looking at an SSO where the logout functionality clears the session in Okta as well as in the apps. We have a user portal with multiple Spring Boot apps in SSO manner, with Okta as IdP, using the Okta Spring Boot Starter, the Okta SDK and the Okta Auth APIs. The SSO is working in the case of a logged-in user navigating from app 1 to app 2. But when the user is logged out from app 1, he can go to app 2 without needing to log in again. We need to configure Spring Security to check Okta for a valid session every time. How do we do it?

Vivek

Micah

Vivek:

I am looking into this. However, I am not sure there’s an easy solution. You’re looking for SLO (single logout) such that when a user logs out of one app, they are logged out of all apps.

It’s easy to destroy the Okta session using the OIDC standard logout endpoint: `<issuer> + "/v1/logout?client_id=" + <client_id> + "&id_token_hint=" + <id_token> + "&post_logout_redirect_uri=" + <redirect_uri>`, but I am not sure Spring Security supports such a mechanism yet. I will do some more research and get back to you.
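
An added example, not code from the post, from Micah's reply, or from the Okta starter itself, of wiring the logout URL Micah describes into Spring Security as a LogoutSuccessHandler. It assumes Spring Boot 2.1 / Spring Security 5.1 (the WebSecurityConfigurerAdapter style), the Okta starter's `okta.oauth2.issuer` and `okta.oauth2.client-id` properties, and a hypothetical `app.post-logout-redirect-uri` property for the return URL:

```java
// Added example (not from the original post, Micah's reply, or the Okta starter):
// end the Okta session on logout by redirecting to <issuer>/v1/logout with the
// id_token_hint of the user who is logging out.
package com.example.sso;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;

@Configuration
public class OktaLogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Okta starter properties (assumed to be set in application.properties),
    // e.g. okta.oauth2.issuer=https://dev-123456.okta.com/oauth2/default
    @Value("${okta.oauth2.issuer}")
    private String issuer;

    @Value("${okta.oauth2.client-id}")
    private String clientId;

    // Hypothetical property: where Okta sends the browser after it ends the session.
    // It must also be registered as a "Logout redirect URI" on the Okta application.
    @Value("${app.post-logout-redirect-uri}")
    private String postLogoutRedirectUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2Login()
            .and()
            .logout()
                .logoutSuccessHandler(new OktaLogoutSuccessHandler());
    }

    private class OktaLogoutSuccessHandler implements LogoutSuccessHandler {
        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws IOException, ServletException {
            // By the time this runs Spring has already invalidated the local HttpSession;
            // the Authentication passed in was captured before that happened.
            // Without an ID token Okta cannot tell whose session to end, so fall back
            // to a plain local redirect if the principal is not an OIDC user.
            if (authentication == null || !(authentication.getPrincipal() instanceof OidcUser)) {
                response.sendRedirect(postLogoutRedirectUri);
                return;
            }
            String idToken = ((OidcUser) authentication.getPrincipal()).getIdToken().getTokenValue();

            // Build the OIDC logout URL from Micah's reply; encode() takes care of the
            // query-string escaping so the redirect URI survives the round trip.
            String logoutUrl = UriComponentsBuilder.fromHttpUrl(issuer + "/v1/logout")
                .queryParam("client_id", clientId)
                .queryParam("id_token_hint", idToken)
                .queryParam("post_logout_redirect_uri", postLogoutRedirectUri)
                .build().encode().toUriString();

            response.sendRedirect(logoutUrl);
        }
    }
}
```

Two caveats worth knowing before relying on this: Okta rejects the request unless `post_logout_redirect_uri` is registered on the application, and ending the Okta session does not touch the HttpSession any other app in the portal already holds, so a second app that never re-contacts Okta will keep serving the user until its own session expires or it is made to re-authenticate.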

Vek

Hi Micah,

Thanks for your response!! The client ID is the same for all apps, as it is a single app in the Okta configuration and from the end user's perspective. We just divided the app for ease of maintenance, development, deployment, etc. Also, they represent separate business units having separate release timelines and subsequent needs.

We are working with Okta for the same and it seems this facility is not available easily. And we need to set some timeouts & do some research. I really appreciate you taking some time out and looking into this. I will wait for your response and I will share my findings on timeouts soon.

Vivek

Vek

Further, is there nothing in Spring Security to configure it in such a way as to hit the IdP to validate the session for all hits or for some URL patterns?
Vivek