Secure Your Java App with OAuth 2.0 in 5 Minutes

naresh

My requirement is I have to connect to a Snowflake database using Java (JDBC example), but the Snowflake DB has Okta authentication enabled.
I need an example to connect to a Snowflake database using Okta authentication in Java…

Brian Demers

Hey Naresh!
I’ve never used Snowflake, but based on the docs: https://docs.snowflake.com/…
It looks like it’s just an OAuth 2.0 Resource Server, which we have a lot of examples of.

The easiest way is probably to set up Spring Cloud Gateway, for testing.
This post sets up Spring Cloud Gateway https://developer.okta.com/… (instead of the legacy application, you would just point to your Snowflake db app)

However, I’m guessing your DB access should be a service account vs. the end user. My recommendations for that are likely framework-specific. For example, if you were using Spring Boot and making requests with a RestTemplate or WebClient, you could just inject an authorized client: https://www.youtube.com/wat…

Can you give us a few more details on your app and the frameworks you are using?

Srinivas Jakkula

Does this implementation need an Okta API license?

Matt Raible

If you create an Okta developer account, you will be able to do everything in this blog post. If you have an Okta IT Trial (for workforce identity), you have to add API Management to it. I’d recommend just using a forever-free developer account!

hugo ortega

How do I run “source okta.env”? With what tool?

Matt Raible

What OS are you using? On a Mac or Linux, you run this command in a terminal. For Windows, I recommend installing WSL. https://docs.microsoft.com/…

hugo ortega

Thanks for your quick response. I ran it on CentOS 7; everything is perfect.
Thank you very much!!

SpectreMan2012

When I log in with john.doe/secret I receive a “Bad Credentials” message.

Matt Raible

Tutorial: How to Build a JavaFX Desktop App with OIDC Authentication might help.

Erfan Tavoosi

I am looking for the syntax and official documentation on how to properly write the -d parameters in the curl request. For instance, how can I know that the correct way of declaring packagename is written in Pascal and camel case, like packageName?

Matt Raible

If you run “curl https://start.spring.io”, it will print out documentation that answers your questions. If it doesn’t, please let me know!

Narendar Narri

Thank you @MattRaible, everything went well. At present my requirement is: using JHipster (Spring Boot + Angular), I have created a monolithic application and created users also. Now I want to have SSO for my application so that only valid users who are present in the database should be able to access my application. (Note: I want to check users by email address.)

Matt Raible

What you want to do isn’t a great architecture for SSO. For SSO, you typically redirect the user to authenticate when they try to access a secure URL. If that authentication fails, you’ll never know because it happens on the identity provider. You could probably do something where you have the user enter an email address, you check in your database for them, and if they exist, you redirect them to login.

However, the main point of SSO is to let someone else handle your users so you don’t have to. Having a coupling between your database and identity provider doesn’t seem like a good architecture. If you still want to do it, you could probably use a user sync webhook to put users into your database after they authenticate.

Narendar Narri

Thank you @Matt. We have already created our application using JHipster, as I said. I have changed the application.yml properties and security configuration and added the Okta dependency. Still I don’t know where it is going wrong; even the redirect is not happening. Could you please help me out with which class files I need to change in the JHipster project?

Matt Raible

You don’t need the Okta Spring Boot Starter with JHipster, it already has support built-in. With the Okta CLI, all you need to run is:

okta apps create jhipster

That’s it! See https://www.jhipster.tech/s… for more information.

Jérémie Poisson

Hi, I have implemented OAuth in my Java Spring Boot app and it works fine. My concern is about the session that should allow access to the Okta tenant without the need to sign in again after logging into my app.
Right now, if I access my app, sign in, then access another app or the Okta tenant, I have to sign in again. I can’t find anything saying how to fix this right now.

Matt Raible

You should be able to use refresh tokens to solve this. Select “Refresh Token” as a grant type allowed in your Okta OIDC app, then add “offline_access” to your list of scopes. See our refresh tokens documentation for more information.

Majd Mahajena

Hello, thanks for the guide.

I’m doing this with OIDC, and I keep getting the following error:
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: 403 Forbidden: [no body]

I’m not understanding what I’m doing wrong,
and also wanted to ask: if I already have a web app that works with SAML, can I integrate with Okta on top of the current users with SAML? Or does it need a fresh set of users and such?

Thanks a lot.

Aditya Subramanian

Hi,
I have added ‘com.okta.spring:okta-spring-boot-starter:1.4.0’ to my build.gradle.
And as expected my authentication is being taken care of magically.

The Okta documentation states that there is an Authentication API and an OAuth 2.0/OpenID Connect API.
When going through the network traffic I see that the authentication is done using ‘/api/v1/authn’ (Authentication API), not ‘/oauth2/v1/token’.
I also chose OpenID Connect as the sign-on method while creating the Okta auth server.
Following this guide did help to set up authentication, but not OAuth 2.0.
So my question is, is there a way to use the OAuth 2.0 APIs instead of the Authentication APIs, which seem to be the default?

I also want to know how the token/sessionID is verified in the back channel.

Matt Raible

Can you check and make sure the OIDC app you created is assigned to the Everyone group, or your user?

Implementing SAML instead of OIDC is like implementing SOAP instead of REST. If you must do it, Spring Security SAML and Database Authentication might help.
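The question above about how the token is verified in the back channel goes unanswered in the thread. The example below is added here and is not code from the post, from Okta, or from the Okta Spring Boot Starter; it shows the checks a resource server or OIDC client performs on a bearer token before trusting it: pin the signing algorithm (rejecting alg=none and algorithm swaps), recompute and constant-time-compare the signature, then validate the iss, aud, exp and nbf claims with a small clock-skew allowance. Okta signs tokens with RS256 using public keys published at the issuer’s JWKS endpoint; to run offline with only the Python standard library, this example uses HS256 with a constructed shared secret, so the signature step differs in key type but the claim checks are the same. The issuer URL, audience, secret and all claim values are constructed placeholders. A framework such as Spring Security performs these same checks for you; the point of the example is to make them visible.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values, not real Okta identifiers.
ISSUER = "https://dev-000000.okta.com/oauth2/default"   # placeholder issuer URL
AUDIENCE = "api://default"                               # placeholder audience
SHARED_SECRET = b"demo-shared-secret-do-not-use"         # stands in for the JWKS public key
ALLOWED_ALGS = {"HS256"}                                 # pinned allowlist; "none" is never accepted
CLOCK_SKEW_SECONDS = 60


class TokenError(Exception):
    """Raised when a token fails any validation step."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Build a signed JWT for the demo, i.e. what the authorization server would do."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    # An alg=none token carries an empty signature; minted only so the verifier can reject it.
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> dict:
    """Return the claims if every check passes; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
    except ValueError:
        raise TokenError("token must have exactly three segments")
    header = json.loads(b64url_decode(header_seg))
    # 1. Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    # 2. Signature: recompute over header.payload and compare in constant time.
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_seg))
    # 3. Issuer must be the authorization server this app trusts.
    if claims.get("iss") != ISSUER:
        raise TokenError("unexpected issuer")
    # 4. Audience must include this app (aud may be a string or a list).
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this audience")
    # 5. Time window: exp is mandatory, nbf optional, both with skew allowance.
    if "exp" not in claims or now > int(claims["exp"]) + CLOCK_SKEW_SECONDS:
        raise TokenError("token expired")
    if now + CLOCK_SKEW_SECONDS < int(claims.get("nbf", 0)):
        raise TokenError("token not yet valid")
    return claims


def is_valid(token: str, now: Optional[int] = None) -> bool:
    """Boolean convenience wrapper around verify_token."""
    try:
        verify_token(token, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    issued = 1700000000  # constructed timestamp
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user@example.com",
                        "iat": issued, "exp": issued + 3600})
    print("fresh token valid:", is_valid(token, now=issued + 100))
    print("same token after expiry:", is_valid(token, now=issued + 7200))
```

In production the shared secret is replaced by the RSA public key selected by the token header’s kid from the issuer’s JWKS document, and the JWKS is cached and refreshed on key rotation; everything after the signature step is unchanged.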