Secure Spring Boot Login Options

This tutorial shows you how to add login options to Spring Boot. Includes basic auth, form-based authentication, and OAuth 2.0 login.

Evan Hines

I am looking into creating a custom login screen that uses Okta as the OAuth provider. I am able to log in using Okta’s login. I was hoping it would be as simple as passing the credentials in the body of the post request as described here:
https://developer.okta.com/…

However, I cannot seem to find exactly how Spring Security is handling the actual redirect/call to Okta. Would you happen to have any information on how to go about doing this?

Brian Demers

It depends how custom you want your login screen, and the type of application you are creating. For your typical server side rendered app (via Thymeleaf, JSP, or other template language), you want to look at an OAuth2 Authorization Code flow. On the Spring Security side it’s just a redirect to another site, so the actual login page isn’t hosted by your application. From here you have two options to customize the login page: 1) you can tweak a few settings via your Okta Admin console, or 2) you can configure a custom URL/domain (see https://help.okta.com/en/pr…) and have full control over the page.

There is also a third option (https://github.com/okta/sam…) which involves hosting an Okta widget directly, but I would strongly recommend the other two options first (as it is much more complicated, has more surface area, and could possibly change with future versions of Spring Security).

Alessandro

Very useful tutorial, congrats! Just a question: how do I use JWT instead of the JSESSIONID cookie in Spring Security?
I don’t like that the server instance app must save all the session IDs in memory.

Brian Demers

You can do it, but in general I wouldn’t recommend it.
https://developer.okta.com/…

Depending on the type of application you are building, you have some options. You could stick an API gateway (Spring Cloud Gateway, for example) in front and add the authentication there (then you have a single app to manage your sessions, and you can cluster and configure that one app), then pass the access tokens (JWT) downstream to your application.

This is just an example, and I’m not trying to suggest this solution is right for you without knowing more about what you are trying to achieve.
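As an added illustration of the gateway layout Brian describes (this is example code, not from the post, the tutorial’s repo, or Okta): a Spring Cloud Gateway application that is the only OAuth2 client in the system, owns the browser session, and relays the user’s access token as a Bearer header to the downstream microservices. It assumes Spring Boot 3 with the `spring-cloud-starter-gateway` (reactive) and `spring-boot-starter-oauth2-client` dependencies, an `okta` client registration in `application.yml`, and the downstream hostnames `ads-service` and `comments-service`, which are placeholders.

```java
// Added example (not the post's or Okta's code): a Spring Cloud Gateway that holds the
// user session and relays the access token (a JWT) to downstream microservices.
// Assumes spring-cloud-starter-gateway + spring-boot-starter-oauth2-client and an
// "okta" client registration configured in application.yml.
package com.example.gateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@SpringBootApplication
public class GatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }

    // Spring Cloud Gateway is reactive, so security is a SecurityWebFilterChain.
    // Every exchange must be authenticated; an unauthenticated browser is sent
    // through the Authorization Code flow at the IdP. Only this app keeps a session,
    // so only this app needs a clustered session store.
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    // The TokenRelay filter copies the logged-in user's access token into an
    // "Authorization: Bearer ..." header on the proxied request, so the services
    // behind the gateway never see a cookie or a session. Hostnames are placeholders.
    @Bean
    RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
            .route("ads", r -> r.path("/api/ads/**")
                .filters(f -> f.tokenRelay())
                .uri("http://ads-service:8080"))
            .route("comments", r -> r.path("/api/comments/**")
                .filters(f -> f.tokenRelay())
                .uri("http://comments-service:8080"))
            .build();
    }
}
```

The downstream services then validate the relayed JWT themselves (signature, issuer, expiry) rather than trusting the gateway blindly, which keeps them safe even if one is reachable without going through the gateway. If you run more than one gateway instance, back its session with Spring Session (Redis, JDBC) so the access token survives a node failover.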

Binh Thanh Nguyen

Thanks, nice article!

Andres Céspedes Morales

Thanks Andrew and Brian, good tutorial.

AleGallagher

Very useful tutorial @disqus_u7ZhPHjjDC! Thanks! I have a doubt. Is it not possible to do all the login flow with Postman instead of showing the login page? How should the calls be?

Thanks in advance!

Brian Demers

One of the big benefits of OAuth is you only give your credentials to the IdP.

If you are building an API, the login flow might not be what you are looking for. But before I make any assumptions, can you tell us a little about what you are trying to build?

AleGallagher

Thanks for your answer @disqus_u7ZhPHjjDC. Sure, I’m developing an app using microservices, where the users can register themselves by email and password, post advertisements, and comment on them. I thought to use OAuth2 with the user password grant type to manage the authentication. Am I OK? Thanks!

Brian Demers

The Password Grant is scheduled to be removed in OAuth 2.1 (draft). There are more secure options that exist today.

Sounds like a typical CRUD, and we have a bunch of examples on our blog :slight_smile:
There are a few ways to do this, but essentially you have your user log in (i.e. redirect to a login page). If your application is a SPA, the front end gets an access token. If it’s a backend application, the backend gets the token (typically more secure). You can either use that access token to send to your other microservices (if said services need info about the user), or you can use a Client Credentials flow between services.

- https://developer.okta.com/…
- https://developer.okta.com/…

AleGallagher

Thanks for your help @disqus_u7ZhPHjjDC. I don’t understand how I can do login if I have only backend code by microservices without any view. Is it not possible to do all the login calls with Postman? How should I set redirectUris in the configuration in this case? Thanks a lot! :slight_smile:

Brian Demers

In OAuth terms your microservices would be “Resource Servers”. There are different ways to get an Access Token, depending on how your user interacts with your application.

Essentially you call your API with a header: Authorization: Bearer {your-access-token}

https://developer.okta.com/…
This post shows an example of getting an access token (which you could do in Postman), but that isn’t how you would get an access token for an end user.

We have a bunch of examples of how to log users into different types of applications (and thus getting the access token you need). Just search our blog for your frontend type (or let me know and I can point you in the right direction).

As for debugging, I usually use either https://oidcdebugger.com/ or I create a simple Controller that dumps the current user’s token: https://gist.github.com/bde…

// Dumps the current user's access token as a shell export line (local debugging only;
// never expose an endpoint like this in production)
@GetMapping("/token")
String showToken(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient client) {
    return "export TOKEN='" + client.getAccessToken().getTokenValue() + "'";
}

Then I log in through my browser, grab that token and then use it with HTTPie, cURL, etc.

Does that help?
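To make the “Resource Server” side concrete, here is an added example (not code from the post, the tutorial’s repo, or Okta) of one of the microservices: it accepts `Authorization: Bearer {your-access-token}`, validates the JWT against the issuer’s published keys, keeps no session at all (the stateless setup Alessandro asked about, applied on the service side), and exposes the validated claims so you can see exactly what principal the service receives. It assumes Spring Boot 3 with `spring-boot-starter-oauth2-resource-server`, the property `spring.security.oauth2.resourceserver.jwt.issuer-uri` pointing at your Okta authorization server, and the package and path names shown, which are placeholders.

```java
// Added example (not the post's or Okta's code): a microservice acting as an
// OAuth 2.0 Resource Server. It validates "Authorization: Bearer <jwt>" (signature
// via the issuer's JWKS, issuer claim, expiry) and exposes the claims it sees.
// Assumes spring-boot-starter-oauth2-resource-server and, in application.properties:
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://{yourOktaDomain}/oauth2/default
package com.example.ads;

import java.util.Map;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class AdsServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(AdsServiceApplication.class, args);
    }

    // No login page, no cookie, no server-side session: every request must carry a
    // valid bearer JWT, and requests without one get 401 from the resource server filter.
    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}

@RestController
class WhoAmIController {

    // The validated token *is* the principal here. If this returns what you expect,
    // the token reached the service and passed validation; if you get 401 instead,
    // check the issuer-uri, the token's audience, and its expiry before anything else.
    @GetMapping("/api/ads/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal Jwt jwt) {
        return Map.of(
            "subject", jwt.getSubject(),
            "issuer", jwt.getIssuer().toString(),
            "expiresAt", jwt.getExpiresAt().toString(),
            "claims", jwt.getClaims());
    }
}
```

Pair this with the `/token` controller above: log in through the browser, export the token, then `curl -H "Authorization: Bearer $TOKEN" http://localhost:8080/api/ads/whoami` against the service. Because the service only trusts tokens signed by the configured issuer, a token minted for a different authorization server, or an expired one, is rejected before your controller runs.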

Andy March

For the next person who needs to solve this, you can use the AuthN API directly to retrieve the sessionToken. This needs to be provided as an additional parameter on the authorize redirect to Okta. The best way to inject this value in Spring is to add an OAuth2AuthorizationRequestResolver to your configuration which will inject this value when it is available.
Sample Repo
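The resolver Andy describes, as an added example (not code from the post, Andy’s sample repo, or Okta): it wraps Spring Security’s default `OAuth2AuthorizationRequestResolver` and appends a `sessionToken` parameter to the authorize redirect only when one is available. It assumes Spring Boot 3 / Spring Security 6, an `okta` client registration, and that your own login controller has already called the AuthN API server-side and stored the returned sessionToken in the HTTP session under the hypothetical attribute name `okta.sessionToken`; the package name and `/login` path are placeholders.

```java
// Added example (not the post's, Andy March's, or Okta's code): adds Okta's
// "sessionToken" parameter to the /authorize redirect when the session holds one.
// Assumes Spring Security 6 and that a login controller (not shown) has stored the
// sessionToken it obtained from the AuthN API under SESSION_TOKEN_ATTR (hypothetical name).
package com.example.login;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SessionTokenLoginConfig {

    // Hypothetical session attribute written by your own login controller.
    static final String SESSION_TOKEN_ATTR = "okta.sessionToken";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository clients) throws Exception {
        OAuth2AuthorizationRequestResolver resolver = new SessionTokenRequestResolver(
            new DefaultOAuth2AuthorizationRequestResolver(
                clients, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI));

        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .loginPage("/login")   // your own form; the Authorization Code flow still runs after it
                .authorizationEndpoint(endpoint -> endpoint.authorizationRequestResolver(resolver)));
        return http.build();
    }

    // Delegates to the default resolver (so state, PKCE, nonce and redirect_uri are
    // built exactly as usual) and only adds sessionToken when one is present, so the
    // plain redirect-to-Okta login keeps working when it is not.
    static final class SessionTokenRequestResolver implements OAuth2AuthorizationRequestResolver {
        private final OAuth2AuthorizationRequestResolver delegate;

        SessionTokenRequestResolver(OAuth2AuthorizationRequestResolver delegate) {
            this.delegate = delegate;
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
            return withSessionToken(request, delegate.resolve(request));
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
            return withSessionToken(request, delegate.resolve(request, clientRegistrationId));
        }

        private OAuth2AuthorizationRequest withSessionToken(HttpServletRequest request,
                                                            OAuth2AuthorizationRequest authRequest) {
            if (authRequest == null) {
                return null; // not a request for the authorization endpoint
            }
            HttpSession session = request.getSession(false);
            Object value = session == null ? null : session.getAttribute(SESSION_TOKEN_ATTR);
            if (!(value instanceof String sessionToken) || sessionToken.isBlank()) {
                return authRequest;
            }
            // Single use: the sessionToken is a credential, so drop it as soon as it is consumed.
            session.removeAttribute(SESSION_TOKEN_ATTR);
            return OAuth2AuthorizationRequest.from(authRequest)
                .additionalParameters(params -> params.put("sessionToken", sessionToken))
                .build();
        }
    }
}
```

Note what this does not change: the redirect still goes to Okta’s authorize endpoint with the state and (if enabled) PKCE values Spring Security generated, and the code-for-token exchange happens in the backend as before. The only addition is the one parameter, and it is removed from the session the moment it is used so a stale copy cannot be replayed from a later request. Keep in mind Brian’s caveat above that hosting the login yourself has more surface area than the two redirect-based options.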

Hùng (Huka)

Hi @disqus_u7ZhPHjjDC

Thanks for your great tutorial.

I found a typo here:
Wrong: JOSE stands for Java Object Signing and Encryption
Right: JOSE stands for Javascript Object Signing and Encryption

You can verify it here: https://jose.readthedocs.io…

Brian Demers

Thanks! I’ll fix the typo!

Scott Duke

Just an FYI for those who downloaded the source code and tried to run the basic-auth project. When I ran this locally, I received the error “Could not initialize class org.codehaus.groovy.runtime.InvokerHelper”. Follow the solution in: https://www.codegrepper.com…

Brian Demers

Thanks Scott!
Which version of Java were you using?

srinivas kucherla

I followed this blog, but when I log in to the Okta login, I am not getting the principal back, hence blank values. Any help is a big help.