Override/Bypass Spring Boot default login page to okta login page

Hi,
I am trying to implement OIDC with Spring Boot and Okta… I was able to run the application and everything is working fine… My question here is: is there any way to override the default login page of Spring Boot, where it provides the link to Okta that takes you to the Okta login page?
I need assistance with overriding/bypassing the default Spring Boot login page so that, upon hitting any of the app URI(s), it takes you directly to the Okta default login page…

Please let me know if you need any additional info; any help is really appreciated.

I’m not sure how to do this. I did ask the Spring Security folks to add this as a feature last year, but I don’t think they ever did. They did think it was an interesting idea.

Hi @mraible,
thanks for looking into my issue…
I see from the Spring documentation that a custom login page is implemented in the WebSecurity configure method using
—> oauth2Login().loginPage("/oauth2/oktaLogin");
and then having a method to render the above realm…
But when I tried the above, things are not working, and I’m not sure whether we can implement the above scenario for my requirement…

ref:
https://docs.spring.io/spring-security/site/docs/5.0.0.RELEASE/reference/htmlsingle/#oauth2login-advanced-login-page

thanks again…
marc.

Yes, it looks like that will work. Note that it has an important phrase below the code.

You need to provide a @Controller with a @RequestMapping("/login/oauth2") that is capable of rendering the custom login page.

You might be able to send a redirect to /login/oauth2/authorization/okta in your Controller and that would skip the login page.

It seems it’s not working with the approach of having a @RequestMapping and redirecting…

I think that by overriding and simply redirecting, we are taking away the functionality of the Spring implementation, and I guess it won’t work that way…

Any other guesses? Do we need to do any custom handling/configuration in the @RequestMapping method…?

thank you…

–marc

Sorry, it was just a guess. I would recommend contacting the Spring Security team (maybe by posting your question on Stack Overflow) and seeing what they recommend.

OK… thanks @mraible for looking into my issue…

Note that you can use Spring Boot’s OAuth support instead of OIDC and get the functionality you’re looking for. Add the following dependencies to your pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.0.0.RELEASE</version>
</dependency>

Then create an Okta Web app and set the login redirect URI to https://localhost:8080/login. Then modify your app’s application.yml to have your settings:

security:
    oauth2:
        client:
            access-token-uri: https://{yourOktaDomain}/oauth2/default/v1/token
            user-authorization-uri: https://{yourOktaDomain}/oauth2/default/v1/authorize
            client-id: {clientId}
            scope: openid profile email
        resource:
            user-info-uri: https://{yourOktaDomain}/oauth2/default/v1/userinfo
            token-info-uri: https://{yourOktaDomain}/oauth2/default/v1/introspect
            prefer-token-info: false

Then add @EnableOAuth2Sso to your main Application.java class.

OK… will try and let you know @mraible
Quick question on that… you mean there is no need to override the WebSecurityConfigurerAdapter configure method to authenticate the requests…?

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
//@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // static resources bypass the security filter chain entirely
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // every other request must be authenticated via OAuth 2.0 / OIDC login
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .oauth2Login();
    }
}

If you want your whole app to be protected, you shouldn’t need a class that extends WebSecurityConfigurerAdapter. If you want to allow anonymous access to certain resources, then you will need this class.
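For the original question (answer an unauthenticated request with a redirect straight to Okta instead of Spring Security’s generated page of provider links) using the Spring Security 5 oauth2Login() route referenced earlier in the thread, the following is an added example; it is not code from any poster, nor from the Okta or Spring projects. It assumes a Spring Boot 2 / Spring Security 5.0+ classpath, a client registration whose id is `okta` (so the authorization request endpoint is Spring Security’s default base path plus that id, /oauto2/authorization/okta spelled correctly as /oauth2/authorization/okta in the code), and a hypothetical /login-error path for failed logins:

```java
// Added example, not code from this thread. Assumes a client registration id of "okta"
// (spring.security.oauth2.client.registration.okta.* or the Okta Spring Boot starter).
package com.example.demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
public class OktaRedirectSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed registration id of the Okta client.
    private static final String OKTA_REGISTRATION_ID = "okta";

    // OAuth2AuthorizationRequestRedirectFilter serves /oauth2/authorization/{registrationId}
    // by default: it builds the authorization request (including the anti-CSRF "state"
    // parameter) and issues the 302 to Okta, without rendering any page.
    private static final String OKTA_AUTHORIZATION_URI =
            "/oauth2/authorization/" + OKTA_REGISTRATION_ID;

    // Hypothetical error page so a failed login does not bounce back into a new
    // authorization request.
    private static final String LOGIN_ERROR_URI = "/login-error";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // static resources and the error page are reachable anonymously;
                // everything else requires an authenticated session
                .antMatchers("/resources/**", LOGIN_ERROR_URI).permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                // Pointing the "login page" at the authorization endpoint means the
                // authentication entry point redirects an unauthenticated request there,
                // and the redirect filter immediately forwards it to Okta.
                .loginPage(OKTA_AUTHORIZATION_URI)
                // Without an explicit failure URL Spring Security uses loginPage + "?error",
                // which here would start another authorization request on every failure.
                .failureUrl(LOGIN_ERROR_URI);
    }
}

@Controller
class LoginErrorController {
    // Minimal failure page; a real app would render a template instead.
    @GetMapping("/login-error")
    @ResponseBody
    public String loginError() {
        return "Login with Okta failed. Check the client id, issuer and login redirect URI.";
    }
}
```

Two behaviours worth checking after wiring this up: the entry point still saves the originally requested URI in the request cache, so after Okta redirects back to /login/oauth2/code/okta the user lands on the app URI they first hit, which is the "hit any app URI, go to Okta" flow asked for at the top of the thread; and the state parameter is still generated and verified by Spring Security, so skipping the generated page does not weaken the CSRF protection on the authorization code exchange. The explicit failureUrl is the part to not omit, since with loginPage set to the authorization endpoint the default failure URL would otherwise loop back into Okta.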