I have a Spring Boot Application using the Okta spring boot starter and things work pretty well. I am struggling with one thing though. One of the features of the okta spring boot starter is preventing, quote, “Each request to our application requires an unnecessary round trip back to the OAuth IdP”. The issue I am having is that when my access token expires (either due to the expiration date or if I force invalidation within the admin console for a user), the application is not checking if the access token stored in the session has expired and then redirecting the user to reauthenticate. I am then unable to access any API endpoints that require the access token to be valid.
If I try to access /userinfo and use the access token in the session (security context) I receive a 401 response. Is this a bug or am I missing something to force the application to check the access token stored in the session to see if it at least expired?
Hey @dutty,
You can force the token validation to be on the server side instead of the client side; you can set okta.oauth2.localTokenValidation=false.
More generally to answer your question, this looks like a similar issue on StackOverflow. The session timeout does not match the access token:
We can look into adding a similar feature in future releases. (similar to the solution on SO)
Basically, your access token gets exchanged for a session (timeout depending on your container and/or Spring config).
Note: this would NOT affect @ResourceServer (implicit flow) applications, as the token would be validated on each request.
Does that help?
-Brian
I guess I am still a bit confused. A couple of things I have tried that did not solve this problem:

- I tried okta.oauth2.localTokenValidation=false but that caused my authorities to be missing. I set up the application to use a groups claim to pass back groups from Okta, but when I set localTokenValidation to false, the UserInfo endpoint does not include groups, so no authorities are found.
- I have @EnableResourceServer on my configuration but the token is not validated on each request. I am finding that the access token is expiring when I use the accessToken stored in the security context. Only when I invalidate the session in my application is the user forced to reauthenticate with Okta.
- I am not sure how to implement the change suggested in SO with Okta spring boot.
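One way to implement the check Brian describes (ending the local session once the access token it was built from has expired, so the user is sent back to Okta instead of hitting 401s with a stale token), written as a servlet filter. This is an added example, not code from the thread or from the Okta starter; it assumes the legacy Spring Security OAuth2 SSO client that the starter of this era builds on, where the token lives in a session-scoped `OAuth2ClientContext`, and the `loginPath` value is an assumption about your application's SSO login URL.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Invalidates the HTTP session when the access token stored in it has expired,
 * so the next request goes through the Okta login again instead of reusing a dead token.
 * Assumption: legacy Spring Security OAuth2 SSO client with a session-scoped OAuth2ClientContext.
 */
public class ExpiredTokenSessionFilter extends OncePerRequestFilter {

    // Session-scoped proxy registered by @EnableOAuth2Client / @EnableOAuth2Sso
    private final OAuth2ClientContext clientContext;
    // Assumed login entry point of the application, e.g. "/login"
    private final String loginPath;

    public ExpiredTokenSessionFilter(OAuth2ClientContext clientContext, String loginPath) {
        this.clientContext = clientContext;
        this.loginPath = loginPath;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        boolean ssoUser = SecurityContextHolder.getContext().getAuthentication() instanceof OAuth2Authentication;
        if (ssoUser && isTokenExpired(clientContext.getAccessToken())) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();          // drop the session built from the expired token
            }
            SecurityContextHolder.clearContext(); // forget the cached authentication
            response.sendRedirect(request.getContextPath() + loginPath);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Local expiry check only: a token revoked in the admin console still looks valid here. */
    static boolean isTokenExpired(OAuth2AccessToken token) {
        return token != null && token.isExpired();
    }
}
```

Register the filter after the SSO authentication filter in your security configuration; because it only reads the expiry stored with the token, a token invalidated from the admin console is still caught only by a server-side check such as localTokenValidation=false.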