Principal is null with OAuth2 authenticated Url

I have been successfully able to use OAuth2 in my SpringBoot application using the okta-spring-boot-starter and the okta.oauth2 properties in application.yml. In my setup I want the root context “/” to be un-authenticated and the “/customers” context to be authenticated. The root context “/” behaves correctly and remains un-authenticated. However, “/customers” is not working: When “/customers” is hit, Okta correctly redirects me to the Okta hosted Login form, where the user logs in. Once the user is redirected by Okta Authorization server back to “/customers”, the Principal object is null. It seems like something is lost between the browser returning to “/login” (an endpoint setup by okta-spring-boot-starter internally) and then being redirected back to “/customer” by that internal endpoint. I notice that the JSESSIONID is different. Is it possible this is the cause? I am attaching screenshot of wireshark interactions between the browser and my SpringBoot server.


Answering my own question. Needed to add @EnableResourceServer to my controller. Thanks to this guy’s question and Matt Raible’s answer on stackoverflow: