Okta Spring Boot Starter issuer not redirecting to correct url

For my dev setup I have a fully working Spring Boot web app in which security is working correctly using the okta-spring-boot-starter with the following configuration:

okta:
  oauth2:
    client-id: ##
    issuer: https://{##}.oktapreview.com/oauth2/default
    client-secret: ##
    redirect-uri: /authorization-code/callback

However, for production I have it set up to use our organization URL as follows:

okta:
  oauth2:
    client-id: ##
    issuer: https://{organization}.okta.com
    client-secret: ##
    redirect-uri: /authorization-code/callback

Upon login I get a 404 because the URL that is being redirected to follows this pattern:
https://{organization}.okta.com/v1/authorize?response_type=code&client_id=#####

If I manually add /oauth2 before v1, the flow continues working properly and I'm able to log into the application, e.g.:
https://{organization}.okta.com/oauth2/v1/authorize?response_type=code&client_id=#####

I'm led to believe this is an issue with the way the okta-spring-boot-starter is working. I have a different Angular SPA app set up in the organization that also uses just https://{organization}.okta.com as the issuer, and that one ends up creating the correct redirect URL of https://{organization}.okta.com/oauth2/v1/authorize?response_type=code&client_id=#####

Going to https://{organization}.okta.com/.well-known/oauth-authorization-server also shows the correct URLs there.

Does anyone know of a change I need to do or a fix for this issue?

After further investigation, this is why:
private PropertySource oktaStaticDiscoveryPropertySource(Environment environment) {

    Map<String, Object> properties = new HashMap<>();
    // Every endpoint is built by appending a fixed "/v1/..." suffix straight onto okta.oauth2.issuer.
    properties.put("spring.security.oauth2.resourceserver.jwt.issuer-uri", "${okta.oauth2.issuer}");
    properties.put("spring.security.oauth2.resourceserver.jwt.jwk-set-uri", "${okta.oauth2.issuer}/v1/keys");
    properties.put("spring.security.oauth2.client.provider.okta.authorization-uri", "${okta.oauth2.issuer}/v1/authorize");
    properties.put("spring.security.oauth2.client.provider.okta.token-uri", "${okta.oauth2.issuer}/v1/token");
    properties.put("spring.security.oauth2.client.provider.okta.user-info-uri", "${okta.oauth2.issuer}/v1/userinfo");
    properties.put("spring.security.oauth2.client.provider.okta.jwk-set-uri", "${okta.oauth2.issuer}/v1/keys");
    properties.put("spring.security.oauth2.client.provider.okta.issuer-uri", "${okta.oauth2.issuer}"); // required for OIDC logout

    return new ConditionalMapPropertySource("okta-static-discovery", properties, environment, OKTA_OAUTH_ISSUER);

}

This code naively assumes that {issuer}/xyz would work for all cases, but it clearly breaks when using the default org authorization server.

Can you confirm that everything works correctly when you make this change?

We’ll likely want to update our documentation to mention that you can set your issuer to https://org.okta.com/oauth2 to use the Org Authorization Server, but it might also be worth us looking into allowing you to set just the Okta domain as the issuer, which is supported for most of our other SDKs.

So I tested the /oauth2 URL again, and it allows me to access the login page, but afterwards the token endpoint again misses /oauth2, so that workflow ends up failing.

Additionally, if I set the issuer to https://{org}.okta.com/oauth2, I get the following stack trace on startup:
Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://{org}.okta.com/oauth2"

Which version of the starter are you using? It looks like we pushed an update in v2.0.0 as part of Opaque token support (where tokens are validated remotely by making a request to Okta, instead of locally, by parsing the token and checking the signature and claim values).

I'm using v2.0.0.

Manually overriding the properties has turned out to work:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          # Overrides the starter's "${okta.oauth2.issuer}/v1/keys"; the issuer-uri itself
          # stays the bare org URL, so only the JWK set location needs the /oauth2 prefix.
          jwk-set-uri: ${okta.oauth2.issuer}/oauth2/v1/keys
      client:
        provider:
          okta:
            authorization-uri: ${okta.oauth2.issuer}/oauth2/v1/authorize
            token-uri: ${okta.oauth2.issuer}/oauth2/v1/token
            user-info-uri: ${okta.oauth2.issuer}/oauth2/v1/userinfo
            jwk-set-uri: ${okta.oauth2.issuer}/oauth2/v1/keys
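The starter's URL derivation quoted earlier and the manual override above, as an added example that is not code from this thread or from okta-spring-boot-starter: a small Python check that rebuilds the endpoint URLs from okta.oauth2.issuer the way the starter does, derives the form an Org Authorization Server actually needs, and compares both against the server's published metadata. The metadata document and the org name "example" are constructed stand-ins.

```python
from urllib.parse import urlparse

# Property suffixes as appended in the starter's oktaStaticDiscoveryPropertySource.
ENDPOINT_SUFFIXES = {
    "authorization-uri": "/v1/authorize",
    "token-uri": "/v1/token",
    "user-info-uri": "/v1/userinfo",
    "jwk-set-uri": "/v1/keys",
}
# Metadata field (RFC 8414 / OpenID discovery) that publishes each endpoint.
METADATA_KEYS = {
    "authorization-uri": "authorization_endpoint",
    "token-uri": "token_endpoint",
    "user-info-uri": "userinfo_endpoint",
    "jwk-set-uri": "jwks_uri",
}

def starter_endpoints(issuer):
    """What the starter does: append /v1/... straight onto the issuer."""
    return {k: issuer.rstrip("/") + s for k, s in ENDPOINT_SUFFIXES.items()}

def is_org_authorization_server(issuer):
    """The Org Authorization Server issuer is the bare Okta domain, with no path."""
    return urlparse(issuer).path.strip("/") == ""

def expected_endpoints(issuer):
    """Org server endpoints live under {issuer}/oauth2/v1; custom servers under {issuer}/v1."""
    base = issuer.rstrip("/") + ("/oauth2" if is_org_authorization_server(issuer) else "")
    return {k: base + s for k, s in ENDPOINT_SUFFIXES.items()}

def check_against_metadata(endpoints, metadata):
    """Names of the properties whose URL differs from what the server publishes."""
    return [k for k, url in endpoints.items() if metadata.get(METADATA_KEYS[k]) != url]

# Constructed sample of /.well-known/oauth-authorization-server for an Org
# Authorization Server; "example" stands in for the real Okta org name.
ORG_METADATA = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
}

if __name__ == "__main__":
    issuer = ORG_METADATA["issuer"]
    print("starter-derived mismatches:", check_against_metadata(starter_endpoints(issuer), ORG_METADATA))
    print("corrected mismatches:", check_against_metadata(expected_endpoints(issuer), ORG_METADATA))
```

For a real org, replace ORG_METADATA with the JSON fetched from https://{organization}.okta.com/.well-known/oauth-authorization-server; a non-empty mismatch list for the configured URLs is the 404 from the thread, caught before deployment.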
