I have an application (not reactive) with Angular UI, Zuul and a few Services which are integrated with Okta login (OAuth). This works fine but is stuck after the JWT token expires. Some details about the workflow:
1. The app URL is pointing to Zuul.
2. Zuul redirects the request to Okta. User logs in.
3. Okta sends a Bearer token (also a refresh token) back.
4. This Bearer token is passed to the UI and is stored as a cookie. With every request the UI sends the Authorization header with the bearer token.
This process works fine till the JWT token expires in an hour, and then Zuul tries to redirect to the default login page, which has nothing as we use the Okta login.
Hi there @Tech. I can’t say I have worked with Zuul but hopefully I can still get you on the right track.
Your login page would just be https://dev1234.okta.com (The /oauth2/default URL is for your auth server). I’m assuming in step 1, your flow starts with a call to your /authorize endpoint - you would most likely want to try and replicate that flow as a fallback, as JUST redirecting a user to login will not inherently continue into an OAuth/OIDC flow.
Hi Cale,
Thanks for your response. In Zuul (a gateway that uses Spring Security) this is configured as follows:
Application.yml file:
```yaml
okta:
  oauth2:
    issuer: https://dev1234.okta.com/oauth2/default
    client-id:
    client-secret:
```
Configuration file:
```java
@Configuration
static class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    // ...
}
```
The Gateway service runs on port 8080, and if I hit the URL localhost:8080 it automatically redirects me to https://dev1234.okta.com/ and renders the Okta login page.
When the token expires the gateway fails to validate it and tries to send it to the Spring Boot default page localhost:8080/login, but we have nothing there.
I have gone through this but I can't figure out how we can do this within the gateway.
Hi @erin.p
I did take a look at the suggestion. Shouldn't the Spring Security library do this automatically? Spring Security docs: this is the link.
OAuth2AuthorizedClientManager should be able to do it and I shouldn't have to write any custom code for it. Is that not a right presumption?
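As an added example (not code from anyone in this thread, the Okta starter or Spring Security), this is how the `OAuth2AuthorizedClientManager` mentioned above can be wired into a Zuul pre-filter so the gateway refreshes the expired access token with the stored refresh token and relays a current one, instead of redirecting to `/login`. It assumes Spring Security 5.2+ with the Okta Spring Boot starter's client registration, Spring Cloud Netflix Zuul, and that the gateway authenticates the browser through its Okta login session rather than validating the bearer header itself; the class and bean names are mine.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;

// Added example, not code from this thread: refresh the Okta access token at the
// gateway before relaying it, instead of failing once it has expired.
@Configuration
public class TokenRefreshGatewayConfig {
    // authorization_code for the first login, refresh_token once the stored token has expired.
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations, OAuth2AuthorizedClientRepository clients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode().refreshToken().build();
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // Zuul "pre" filter: overwrite the browser's Authorization header with a current token.
    @Bean
    public ZuulFilter tokenRelayFilter(OAuth2AuthorizedClientManager manager) {
        return new ZuulFilter() {
            @Override public String filterType() { return "pre"; }
            @Override public int filterOrder() { return 10; } // after PreDecorationFilter (5)
            @Override public boolean shouldFilter() { return true; }
            @Override public Object run() {
                RequestContext ctx = RequestContext.getCurrentContext();
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                if (!(auth instanceof OAuth2AuthenticationToken)) return null; // no Okta login session
                String regId = ((OAuth2AuthenticationToken) auth).getAuthorizedClientRegistrationId();
                OAuth2AuthorizedClient client;
                try { // loads the stored client (servlet request via RequestContextHolder), refreshes if expired
                    client = manager.authorize(OAuth2AuthorizeRequest
                            .withClientRegistrationId(regId).principal(auth).build());
                } catch (ClientAuthorizationException e) { // refresh rejected or nothing stored: re-login
                    ctx.setSendZuulResponse(false); ctx.setResponseStatusCode(401); return null;
                }
                ctx.addZuulRequestHeader("Authorization", "Bearer " + client.getAccessToken().getTokenValue());
                return null;
            }
        };
    }
}
```

The 401 is returned only when the refresh itself is rejected (for example a revoked refresh token), which is the case where the Angular UI genuinely has to send the user back through the Okta login.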