However, when I try it, it generates the URL without a nonce (it only included response_type=code, client_id, scope, state, redirect_uri) and so Okta rejects it:
{"message":"One or more of client_id, redirect_uri, scope, state, or nonce is missing"}
I think Spring Boot may be coded correctly in not supplying nonce, as Spring Boot is sending it to the authorize endpoint with response_type=code and no nonce value, which Okta responds to with an error that nonce is missing. In fact, this page, Implicit Flow with Form Post, says that nonce is only required for: response_type=id_token token
I also cannot figure out how to change the redirect_uri from /login/oauth2/code/okta to /auth/callback
I’ve tried putting a redirect-uri and pre-established-redirect-uri on spring.security.oauth.client, spring.security.oauth.client.registration.okta and spring.security.oauth.client.provider.okta in my application.yml and nothing changes it.
If you clone the example repo from my post and use the values for your app, does it work?
I’ve been using Spring Security 5.1’s OIDC support with Okta for the past few months without issues. We published a blog post today that shows the latest and greatest.
Thanks @mraible. As it turns out, apparently my company put a proxy in between us and Okta since I last worked on this integration a few weeks ago. That proxy is what is giving me the error about nonce missing. I am looking into whether the proxy can be corrected or not.
I apologize for any time that you lost looking into this. I only learned of the proxy because something else that worked a few weeks ago was not working yesterday, so I asked internally about it, and that is when I learned of the proxy. A few hours later I realized that the proxy might be the cause of this issue too, so I searched our code base for the error message, found it, and realized our proxy was causing the issue I've posted about here.
If by chance you happen to know how to set the redirect URI for this solution, I will use that should the internal team be able to remove that requirement and we are then able to implement this solution. I realize that is more of a Spring Boot question though. If we can’t change the redirect URI from the default, then I’ll ask our admins to change what our registered callback is to match the Spring Boot default.
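An added example (mine, not code from this thread or from the linked sample repo) showing the two places the callback path has to change in a Spring Boot 2.1 / Spring Security 5.1 app: the `redirect-uri` property that controls the `redirect_uri` sent to Okta, and the redirection endpoint the login filter listens on. It assumes a registration named `okta` and that `/auth/callback` is also added as a Login redirect URI on the Okta application, since Okta rejects any `redirect_uri` that does not exactly match a registered one.

```java
// application.yml (constructed example). The key is Spring Boot 2.1's
// spring.security.oauth2.client.registration.<id>.redirect-uri (note "oauth2",
// not "oauth"); {baseUrl} expands to scheme://host[:port]/context-path.
//
// spring:
//   security:
//     oauth2:
//       client:
//         registration:
//           okta:
//             client-id: ${OKTA_CLIENT_ID}
//             client-secret: ${OKTA_CLIENT_SECRET}
//             scope: openid,profile,email
//             redirect-uri: "{baseUrl}/auth/callback"
//         provider:
//           okta:
//             issuer-uri: https://<your-okta-domain>/oauth2/default
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class OktaLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                // Make the filter that exchanges the authorization code listen on
                // the same path the redirect-uri property tells Okta to send the
                // browser back to. Without this, Okta would redirect to
                // /auth/callback but Spring would still only process
                // /login/oauth2/code/okta and the login would never complete.
                .redirectionEndpoint()
                    .baseUri("/auth/callback");
    }
}
```

A fixed path without `{registrationId}` works here because the filter resolves the client registration from the authorization request it stored under the `state` value, which also means a callback arriving with an unknown or replayed `state` is rejected rather than processed.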