Problems with Okta spring boot tutorial (possible bug in Okta API, and how to change redirect uri)

I’m trying this tutorial:

However, when I try it, it generates the URL without a nonce (it only included response_type=code, client_id, scope, state, redirect_uri) and so OKTA rejects it:

{"message":"One or more of client_id, redirect_uri, scope, state, or nonce is missing"}

It looks like another person may have seen the same: https://stackoverflow.com/questions/49492349/generate-nonce-in-an-spring-security-application-using-openid-connect

However, I can’t find any solution googling.

I think there may be an actual bug here within Okta. nonce is not required for authorization code flow as per:

https://openid.net/specs/openid-connect-core-1_0.html section 3.1.2.1

Yet Okta is requiring it for all types: https://developer.okta.com/docs/api/resources/oidc#authorize

I think Spring Boot may be coded correctly in not supplying nonce: Spring Boot is sending it to the authorize endpoint with response_type = ‘code’ and no nonce value, which Okta responds to with an error that nonce is missing. In fact, this page https://auth0.com/docs/api-auth/tutorials/implicit-grant says that nonce is only required for: response_type=id_token token

I also cannot figure out how to change the redirect_uri from /login/oauth2/code/okta to /auth/callback

I’ve tried putting a redirect-uri and pre-established-redirect-uri on spring.security.oauth.client, spring.security.oauth.client.registration.okta and spring.security.oauth.client.provider.okta in my application.yml and nothing changes it.

Should I file a bug ticket?

@mraible, can you take a look at this and let me know if you think I’ve found a bug in the Okta API? Thanks, Mark
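As an added example (not from this thread, Okta, or Spring), a Python check that applies the rules the post cites to an authorize URL: the parameters Okta's error message lists, nonce required only when response_type includes id_token (OIDC Core 3.2.2.1 and 3.3.2.11; optional for the code flow per 3.1.2.1), a toggle that models a provider or proxy demanding nonce unconditionally, and exact-match validation of redirect_uri against the registered callbacks. The registered-callback set is an assumption; the URL is the one quoted later in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Authorize URL from the thread (client_id and state are the poster's placeholders).
AUTHORIZE_URL = (
    "https://oursite/myidentity/oauth2/v1/authorize?response_type=code"
    "&client_id=xxxxs&scope=openid%20profile%20email%20address%20phone"
    "&state=ssssss%3D&redirect_uri=http://localhost:3000/login/oauth2/code/okta"
)

# Assumption: the callback(s) registered for the app in Okta.
REGISTERED_REDIRECT_URIS = {"http://localhost:3000/login/oauth2/code/okta"}

# Parameters Okta's error message names besides nonce.
ALWAYS_REQUIRED = ("client_id", "redirect_uri", "scope", "state")


def check_authorize_request(url, registered_redirect_uris, require_nonce_always=False):
    """Return the list of problems with an OIDC authorize URL; [] means it is well-formed.

    require_nonce_always=True models a provider (or an intercepting proxy, as in the
    thread) that rejects any request without nonce, regardless of response_type.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    problems = []

    for name in ALWAYS_REQUIRED:
        if not params.get(name):
            problems.append(f"missing {name}")

    response_types = set(params.get("response_type", "").split())
    if not response_types:
        problems.append("missing response_type")

    # OIDC Core: nonce is OPTIONAL for the code flow (3.1.2.1) but REQUIRED for the
    # implicit and hybrid flows (3.2.2.1, 3.3.2.11), i.e. whenever id_token is requested.
    nonce_needed = require_nonce_always or "id_token" in response_types
    if nonce_needed and not params.get("nonce"):
        problems.append(f"missing nonce (response_type={params.get('response_type')!r})")

    if "openid" not in params.get("scope", "").split():
        problems.append("scope lacks openid, so this is not an OIDC request")

    # Exact string match, as OIDC Core 3.1.2.1 requires for redirect_uri (no prefix match).
    redirect_uri = params.get("redirect_uri")
    if redirect_uri and redirect_uri not in registered_redirect_uris:
        problems.append(f"redirect_uri {redirect_uri!r} is not registered")
    return problems
```

Running the thread's URL through it with the default settings reports nothing, while the same URL with require_nonce_always=True reproduces the "nonce is missing" complaint, which is what an intermediary enforcing a stricter policy than the spec looks like from the client side.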

If you clone the example repo from my post and use the values for your app, does it work?

I’ve been using Spring Security 5.1’s OIDC support with Okta for the past few months without issues. We published a blog post today that shows the latest and greatest.

Unfortunately I still get the error about nonce not being sent, and the URL does not have a nonce in it:

https://oursite/myidentity/oauth2/v1/authorize?response_type=code&client_id=xxxxs&scope=openid%20profile%20email%20address%20phone&state=ssssss%3D&redirect_uri=http://localhost:3000/login/oauth2/code/okta

Also, I tried setting

redirect-uri-template: http://localhost:9000/auth/callback

but as you can see in the URL above, it did not have an effect.

It’s probably best to send this issue to developers@okta.com.

Thanks @mraible. As it turns out, apparently my company put a proxy in between us and Okta since I last worked on this integration a few weeks ago. That proxy is what is giving me the error about nonce missing. I am looking into whether the proxy can be corrected or not.

I apologize for any time that you lost looking into this. I only learned of the proxy because something else that worked a few weeks ago was not working yesterday, so I asked internally about it, and that is when I learned of the proxy. A few hours later I realized that the proxy might be the cause of this issue too, so I searched our code base for the error message, found it, and realized our proxy was causing the issue I’ve posted about here.

If by chance you happen to know how to set the redirect URI for this solution, I will use that should the internal team be able to remove that requirement and we are then able to implement this solution. I realize that is more of a Spring Boot question though. If we can’t change the redirect URI from the default, then I’ll ask our admins to change what our registered callback is to match the Spring Boot default.