Okta-spring-boot-starter Cannot Create an Anonymous Route Exception

fmi_dev_ryckbirch · May 31, 2023, 2:04pm

I am integrating okta-spring-boot-starter into an existing API backend application.

I want to use the okta-spring-boot-starter and application.yml based configuration only. And it works great.

However, I need to expose a health check endpoint that does NOT require Bearer token access. I cannot figure out how to get this right. I have tried all kinds of spring security configurations. Nothing works.

I have also tried just using the OKTA issuer with OOTB spring security (that allows the ignore matches to work) BUT I get back that the server wants Basic rather than Bearer in the WWW-Authorization response header…

Help please…

Ryck

erik · June 1, 2023, 7:09am

Hello,

When configuring HttpSecurity would adding a matcher permitAll() for the health check URL accomplish what you are looking for?

...
http.exceptionHandling()
    .accessDeniedHandler((req, res, e) -> res.sendRedirect("/403"))
    .and().authorizeRequests()
    .antMatchers(HttpMethod.GET,"/", "/custom-login", "/discovery-callback", "/css/**").permitAll()
    .anyRequest().authenticated()
...

thank you,

fmi_dev_ryckbirch · June 1, 2023, 7:50pm

It could I suppose. I was hoping that the okta-spring-boot-starter would respect the standard application.properties/.yml configuration mechanism of ignore-ant-matchers so that there is no need to code and the IoC of spring is honored.

I ended up writing a filter to manage placing authentication on anything with the given API root entry point (working with HAPI-FHIR server implementation–> /fhir). I finally stumbled across the sample resource server code and copied the base logic in and got things working.

Erik, thanks for getting back to me. Appreciate it very much!

Ryck