Secure Your Java App with OAuth 2.0 in 5 Minutes

Matt Raible

The requests to /authn likely happen when you’re on Okta, using the Sign-In Widget to log in. Everything that happens to authenticate the user is not part of OAuth, because OAuth is not an authentication protocol; it’s only for authorization. My What the Heck is OAuth? blog post might help clarify things.

For token validation, JWT vs Opaque Access Tokens: Use Both With Spring Boot might help.

Majd Mahajena

Hi Matt,
Thanks for the reply :),

If I want to add the ability to SSO with Okta to an already existing application, without creating new users in the database from my side, so the whole user management would be on the Okta Admin side and not in the application itself, and the ability for the Okta admin to assign groups access to the application without interacting with the application (like creating users). I have 3 roles, Admin, Editor and Viewer, and each group would be given one of those roles. And can I add the ability to use the same token system that I’m using now (JWT) for request authorization?

So what is the preferred way to do that? OIDC or SAML? And can it be private without uploading to the OIN?
And are there any good guides to do that with Spring Boot?

Thanks a lot,
really appreciate it.

Matt Raible

I don’t think it matters (from the Okta side) if you implement it with SAML or OIDC. You’ll still be configuring users and groups in Okta, and not in your app. You don’t have to make your app public in the OIN. You only need to do that if you want to share it on others’ dashboards.

You can add a groups claim to your ID token with OIDC and then perform logic based on the authorities for the user. Our Okta Spring Boot starter will automatically convert the groups in the groups claim into Spring Security authorities.

Srikanth Valluru

Hi @mattraible ,
The OIDC app is assigned to the Everyone group, but I’m still getting the below error:

[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: 403 Forbidden: [no body]

Matt Raible

Can you please try Spring Boot and Okta in 2 Minutes as an alternative? It uses the latest versions of Spring Boot and our Okta Spring Boot starter.

Srikanth Valluru

Thanks Matt, will try that.

Can someone here help me to resolve this issue?

It’s hard to tell from the screen shot (forgive me for asking), but do you get the same error when the username field is populated?

If so, what is the payload for that 401 response?
Do you get the same error when using a private/incognito window?

@bdemers

Hi thanks for replying.

I added one more account and assigned it to my Okta app. Through that account, I am now able to log in using the newly added account.

But the weird thing is that all GET endpoints are accessible, but POST endpoints are returning forbidden (403) access.

My Okta app’s grant types are authorization code and client credentials.

Which endpoints return a 403?

All POST endpoints of my Spring Boot application.

There are a few things this could be.

Spring Security doesn’t log much by default (authentication errors are expected). However, when debugging a problem like this, that’s not as helpful. You can bump the level to get more information on the 403:

This post is a couple of years old, so I’m not sure which version of Spring Boot you are using; you can bootstrap a sample application with the Okta CLI by running okta start spring-boot.
That will leave you with a configured app that should work out of the box.

If you want to keep digging, we can still help you with your current application!

@bdemers my app is authenticated, i.e. no more 401.
But 403 for POST endpoints. I think I need to get an authorization code or access token which can then be passed in the POST request to make the resources accessible, but I am surprised by this: why are all GET endpoints accessible? Why is authorization working only for non-GET REST methods?

I’m not sure, did increasing the logging show anything useful?

Working fine now @bdemers

I have gotten an auth code using the authorize endpoint, then passed the auth code to the token endpoint to get a token, then passed it in the header as a bearer token, and the APIs are accessible.
But there are two tokens: access token and API token.
Can you tell me the difference between the two of them?

When I used audience in place of client secret and client ID in my Spring Boot app configuration file, then by hitting any endpoint it is not redirecting to the Okta Sign-In Widget, but when I used client ID and secret in the application configuration file, then it is redirecting to the Okta sign-in page first.
Is this normal behaviour? Can you explain this?

I have one more question

Is it possible that we can set endpoint-level authorisation specific to a user, like we define roles?

We have some great OAuth videos you can check out to learn more about what should be going on (and why these things are important).

Hopefully, these can fill in some of the gaps for you!
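Matt’s earlier point about a groups claim being turned into Spring Security authorities, and the later question about endpoint-level authorisation by role, come together in one resource-server configuration. The following is an added example for this thread; it is not code from the original post, from the Okta Spring Boot starter (which performs the claim mapping for you) or from any commenter. It uses plain Spring Security 6 and assumes: the Okta authorization server adds a claim named groups to the access token (an ID-token-only claim never reaches a bearer-protected API), the groups are named Admin, Editor and Viewer, the issuer is configured through spring.security.oauth2.resourceserver.jwt.issuer-uri, and the API lives under /api/**. Every one of those names is an assumption.

```java
package com.example.security;

import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class GroupsToRolesSecurityConfig {

    // Assumed claim name: Okta lets you name the claim whatever you like when
    // you add it to the authorization server, so match it to your setup.
    static final String GROUPS_CLAIM = "groups";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Endpoint-level rules keyed on HTTP method and path.
            // hasRole()/hasAnyRole() prepend "ROLE_", so the converter below
            // must emit authorities carrying that prefix.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").hasAnyRole("Admin", "Editor", "Viewer")
                .requestMatchers(HttpMethod.POST, "/api/**").hasAnyRole("Admin", "Editor")
                .requestMatchers(HttpMethod.PUT, "/api/**").hasAnyRole("Admin", "Editor")
                .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("Admin")
                .anyRequest().authenticated())
            // Validate the bearer JWT (signature, issuer, expiry) against the
            // issuer configured in spring.security.oauth2.resourceserver.jwt.issuer-uri,
            // then derive authorities from the groups claim instead of "scope".
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(groupsToAuthorities())));
        return http.build();
    }

    /** Replace the default scope-based converter with one driven by the groups claim. */
    static JwtAuthenticationConverter groupsToAuthorities() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(GroupsToRolesSecurityConfig::rolesFrom);
        return converter;
    }

    /** Map each value of the groups claim to ROLE_<group>; a missing claim yields no roles. */
    static Collection<GrantedAuthority> rolesFrom(Jwt jwt) {
        List<String> groups = jwt.getClaimAsStringList(GROUPS_CLAIM);
        if (groups == null) {
            // Token was issued without the claim (for instance the claim was
            // added to the ID token only): the caller is authenticated but is
            // denied by every hasRole() rule above rather than silently admitted.
            return List.of();
        }
        return groups.stream()
            .<GrantedAuthority>map(group -> new SimpleGrantedAuthority("ROLE_" + group))
            .collect(Collectors.toList());
    }
}
```

The two pieces have to agree: the claim name and ROLE_ prefix in rolesFrom must match what the rules in apiFilterChain expect, and the claim has to be present in the token the API actually receives. If you keep the Okta Spring Boot starter, drop the converter and check which authority names it produces before writing the rules.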