Refreshing an Access Token based on a refresh token - Spring Security

I have an application (not reactive) with Angular UI, Zuul and a few Services which are integrated with Okta login (OAuth). This works fine but is stuck after the JWT token expires. Some details about the workflow:

  1. The app URL is pointing to Zuul.
  2. Zuul redirects the request to Okta. User logs in.
  3. Okta sends a Bearer token (also a refresh token) back.
  4. This Bearer token is passed to the UI and is stored as a cookie. With every request the UI sends the Authorization header, with the bearer token.
  5. This process works fine till the jwt token expires in an hour and then Zuul tries to redirect it to the default login page, which has nothing as we use the okta login.

The questions I have

  1. Where can the login page be redirected, if needed? https://dev1234.okta.com/oauth2/default?
  2. How to get a new bearer token based on the refresh token?
  3. Can I get the new bearer token in Zuul automatically based on the refresh token? If this is not possible, what is the best approach?

Have posted this on Stack Overflow too with some config/code snippets. Any help is appreciated.
https://stackoverflow.com/questions/65796199/how-to-refresh-bearer-token-automatically-for-okta

Hi there @Tech. I can’t say I have worked with Zuul but hopefully I can still get you on the right track.

  1. Your login page would just be https://dev1234.okta.com (The /oauth2/default URL is for your auth server). I’m assuming in step 1, your flow starts with a call to your /authorize endpoint - you would most likely want to try and replicate that flow as a fallback, as JUST redirecting a user to login will not inherently continue into an OAuth/OIDC flow.

  2. Here are steps on how to get a new access token with a refresh token: https://developer.okta.com/docs/guides/refresh-tokens/use-refresh-token/

  3. I can’t answer with specifics to Zuul, but I’m hoping the answer to #2 can help get you to where you want to be on this step.

Thanks!

Hi Cale,
Thanks for your response. In Zuul (Gateway which uses Spring Security) this is how it is configured:

Application.yml file

```yaml
okta:
  oauth2:
    issuer: https://dev1234.okta.com/oauth2/default
    client-id:
    client-secret:
```

Configuration file

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Shown here as a top-level class; in the posted snippet it was a static nested class.
@Configuration
class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		// @formatter:off
		http
		.authorizeRequests().anyRequest().authenticated()   // every route requires an authenticated user
		.and()
		.oauth2Login()                                      // browser login via the Okta authorization-code flow
		.and()
		.oauth2ResourceServer().jwt();                      // also accept a Bearer JWT in the Authorization header
		// @formatter:on
	}
}
```

The Gateway service runs on port 8080 and if I hit the url localhost:8080 it automatically redirects me to https://dev1234.okta.com/ and renders the okta login page.
When the token expires the gateway fails to validate it and tries to send it to the spring boot default page localhost:8080/login but we have nothing there.

Have gone through this but I can't figure out how we can do this within the gateway?

@mraible, @bdemers can you give me any pointers? Details on Stack Overflow.

Hi @Tech,

Did you see Andrea’s suggestion on Stack Overflow?

Hi @erin.p
I did take a look at the suggestion. Shouldn't the Spring Security library do this automatically?
Spring Security docs: this is the link
OAuth2AuthorizedClientManager should be able to do it and I shouldn't have to write any custom code for it. Is that not a right presumption?
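An added example, not code from the thread, Okta or Spring, of how the OAuth2AuthorizedClientManager referred to above can be wired into the Zuul gateway so the refresh-token grant runs server-side and downstream services receive a current access token instead of the expired one from the cookie. It assumes Netflix Zuul 1 with Spring Security 5.2+ client support, that the Okta starter registers the client under the id "okta", and that the gateway authenticates the browser through its oauth2Login session rather than the bearer header.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;

@Configuration
class RefreshingTokenRelayConfig {
    // Hands out the user's OAuth2AuthorizedClient; when the stored access token has expired it calls the
    // issuer's token endpoint with grant_type=refresh_token and keeps the new pair in the session-backed repository.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                          OAuth2AuthorizedClientRepository clients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode().refreshToken().build();
        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // Zuul "pre" filter: overwrite whatever Authorization header the UI sent with a fresh server-side token.
    @Bean
    ZuulFilter tokenRelayFilter(OAuth2AuthorizedClientManager manager) {
        return new ZuulFilter() {
            public String filterType() { return "pre"; }
            public int filterOrder() { return 10; }
            public boolean shouldFilter() { return SecurityContextHolder.getContext().getAuthentication() != null; }
            public Object run() {
                RequestContext ctx = RequestContext.getCurrentContext();
                OAuth2AuthorizeRequest req = OAuth2AuthorizeRequest.withClientRegistrationId("okta") // registration id (assumed)
                        .principal(SecurityContextHolder.getContext().getAuthentication())
                        .attribute(HttpServletRequest.class.getName(), ctx.getRequest())
                        .attribute(HttpServletResponse.class.getName(), ctx.getResponse())
                        .build();
                try {
                    OAuth2AuthorizedClient client = manager.authorize(req); // refreshes only if expired
                    ctx.addZuulRequestHeader("Authorization", "Bearer " + client.getAccessToken().getTokenValue());
                } catch (OAuth2AuthorizationException e) { // refresh refused or no session: make the UI log in again
                    ctx.setSendZuulResponse(false); ctx.setResponseStatusCode(401);
                }
                return null;
            }
        };
    }
}
```

The refresh token never leaves the gateway: it is read from and written back to the OAuth2AuthorizedClientRepository, while the browser only holds the session cookie.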

Please tell me how this refresh token will be kept along with the new ID token in the security context holder?