Okta spring security OAuth session not kept alive

Hi,

I have implemented Spring Security in my Java Spring Boot app, which acts as a custom dashboard, using these dependencies:

okta-spring-boot-starter
spring-boot-starter-web

Everything works fine, but I found out that even after being logged in to my app, reaching another Okta app or even the tenant itself asks me to sign in again.

Isn’t the Okta session supposed to be kept between all applications? Do I need to implement something special in my code?

Here is my WebSecurityConfig class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // Turns off the default security response headers (X-Frame-Options, HSTS, ...) and CSRF protection
        http.headers().disable();
        http.csrf().disable();
        http
                .authorizeRequests()
                .anyRequest().authenticated()   // every request needs an authenticated user (login is handled by okta-spring-boot-starter)
                .and().logout();                // enables the default /logout endpoint
    }

}

Also, I’m trying to use the access token generated by the authentication to make a GET Users request. I have enabled the API scope inside the app, but I’m still getting a 401 error when using the Bearer token inside Postman.

Thank you for any help!

Regarding the first question, are you seeing an error or just being prompted to login again?

Hi,

I’m being prompted to sign in again.
I’ve had a similar issue before because I was using a custom URL while the old one was still used inside the application. But in my configuration I have to set this inside my application.properties:

# Authorization server, but still using the old (org) URL
okta.oauth2.issuer=https://staubli.okta.com/oauth2/default
okta.oauth2.client-id=clientID
okta.oauth2.client-secret=clientSecret
okta.oauth2.scopes=openid, profile, email
# Custom URL
okta.oauth2.postLogoutRedirectUri=https://portal.staubli.com

EDIT: Creating another authorization server (which uses the custom URL) works! No more re-logging in.

But I still have the issue when using the token as a Bearer token for API calls (with app scopes enabled).
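As an added diagnostic (not code from this thread, nor from Okta's SDK), a small Python check for the two symptoms above: it compares the host of the configured issuer with the hosts of the other URLs in application.properties, since the browser's Okta session cookie is scoped to the hostname that served the sign-in page, and it reads the `iss` claim of a token to see whether it was minted by the issuer the app is configured for. The properties and the token are constructed samples mirroring the thread, with the client secret replaced by a placeholder; the token decode skips signature verification and is for inspection only, never for an authorization decision.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample mirroring the thread's properties; the secret is a placeholder.
APPLICATION_PROPERTIES = """
okta.oauth2.issuer=https://staubli.okta.com/oauth2/default
okta.oauth2.client-id=clientID
okta.oauth2.client-secret=PLACEHOLDER_SECRET
okta.oauth2.scopes=openid, profile, email
okta.oauth2.postLogoutRedirectUri=https://portal.staubli.com
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def host_mismatches(props):
    """Return (key, issuer_host, other_host) for every URL whose host differs from the issuer's.

    A session cookie set on staubli.okta.com is not sent to portal.staubli.com, so an app
    whose issuer lives on a different host than the one users sign in on prompts again.
    """
    issuer_host = urlparse(props["okta.oauth2.issuer"]).hostname
    return [(key, issuer_host, urlparse(value).hostname)
            for key, value in props.items()
            if key != "okta.oauth2.issuer" and value.startswith("https://")
            and urlparse(value).hostname != issuer_host]


def unverified_claims(token):
    """Decode a JWT payload WITHOUT checking its signature; inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_issuer_matches(token, props):
    """True when the token's iss claim equals the issuer the app is configured with."""
    return unverified_claims(token).get("iss") == props["okta.oauth2.issuer"]


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed token with a junk signature, only so the claim check has input to run on.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}),
                         _b64url({"iss": "https://staubli.okta.com/oauth2/default",
                                  "aud": "api://default"}), "sig"])
```

Running `host_mismatches(parse_properties(APPLICATION_PROPERTIES))` on the sample flags the postLogoutRedirectUri host, the same old-URL/custom-URL split the edit above resolved by moving the issuer to the custom domain.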