Okta-spring-boot-starter WebClient configuration

We’re using the okta-spring-boot-starter package in a Reactive application with Netty as the underlying HTTP library. The application is deployed to AWS EKS, behind a NAT Gateway. NAT Gateways drop idle connections after 350 seconds.

Whenever we go six minutes without someone trying to log in, the WebClient that’s used to talk to the Auth0 servers to perform the token exchange tries sending the request on a connection that’s already been dropped, and thus gets a “connection reset by peer” (e.g. an RST packet from the NAT gateway). It’s unwilling to retry the token exchange because it’s a POST request and the headers have already been sent. So instead, the error bubbles up to the user.

We’re looking for a way to tell the library to just use a new TCP connection for each token exchange, or to set appropriate keepalive parameters on the connections it’s using, anything that will just get it to not fail because we went six minutes without a login attempt (it’s an internal app, it doesn’t see heavy traffic). We tried using the method for customizing the WebClient used by Spring Security for OAuth2 token exchanges documented by Spring Security, but it doesn’t seem to work - our custom tokenExchangeAccessTokenResponseClient() bean isn’t even being called. Maybe we’ve done it wrong, maybe okta-spring-boot-starter overrides the setup provided by Spring Security with its own customizations, I don’t really know. But if anyone has any examples of how to make this work, I’d really appreciate it.
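As an added example (not code from the poster, from Spring Security or from okta-spring-boot-starter), here is the shape of a reactive token-response-client bean whose WebClient uses a Reactor Netty connection pool that evicts idle connections well before the NAT Gateway's 350-second timeout and enables TCP keepalive; it assumes Spring Security's reactive OAuth2 login picks up a bean of this type, which is exactly what the post reports not seeing, so the starter's own configuration may still need to be checked.

```java
import java.time.Duration;

import io.netty.channel.ChannelOption;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.resources.ConnectionProvider;

@Configuration
public class TokenExchangeWebClientConfig {

    // Assumed values: the NAT Gateway drops idle flows after 350 s, so pooled
    // connections are evicted after 60 s idle, long before the NAT forgets them.
    private static final Duration POOL_MAX_IDLE = Duration.ofSeconds(60);
    private static final Duration EVICTION_SWEEP = Duration.ofSeconds(30);

    @Bean
    ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>
            tokenExchangeAccessTokenResponseClient() {
        // Pool that closes idle connections in the background, even with no traffic.
        // To open a fresh TCP connection per token exchange instead, use
        // ConnectionProvider.newConnection() here.
        ConnectionProvider provider = ConnectionProvider.builder("token-exchange")
                .maxIdleTime(POOL_MAX_IDLE)
                .evictInBackground(EVICTION_SWEEP)
                .build();

        HttpClient httpClient = HttpClient.create(provider)
                // TCP keepalive as a second line of defence; the probe interval
                // is governed by the OS unless tuned with Epoll-specific options.
                .option(ChannelOption.SO_KEEPALIVE, true)
                // Fail fast rather than hang if the peer never answers.
                .responseTimeout(Duration.ofSeconds(10));

        WebClient webClient = WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();

        // Spring Security's reactive authorization-code token client, with the
        // hardened WebClient swapped in; the same bean type serves OIDC login.
        WebClientReactiveAuthorizationCodeTokenResponseClient client =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();
        client.setWebClient(webClient);
        return client;
    }
}
```

If the bean is still not called, a breakpoint in its method body during a login confirms whether the starter has registered its own ReactiveOAuth2AccessTokenResponseClient ahead of it.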