The requests to /authn likely happen when you’re on Okta, using the Sign-In Widget to log in. Everything that happens to authenticate the user is not part of OAuth because it is not an authentication protocol, it’s only for authorization. My What the Heck is OAuth? blog post might help clarify things.
If I want to add the ability to SSO with Okta to an already existing application, without creating new users in the database from my side, so the whole user management would be on the Okta admin side and not in the application itself, and the ability for the Okta admin to assign groups access to the application without interacting with the application (like creating users). I have 3 roles, Admin, Editor and Viewer, and each group would be given one of those roles. And can I add the ability to use the same token system that I’m using now (JWT) for request authorization?
So what is the preferred way to do that? OIDC or SAML? And can it be private without uploading to the OIN? And are there any good guides to do that with Spring Boot?
I don’t think it matters (from the Okta side) if you implement it with SAML or OIDC. You’ll still be configuring users and groups in Okta, and not in your app. You don’t have to make your app public in the OIN. You only need to do that if you want to share it on others’ dashboards.
You can add a groups claim to your ID token with OIDC and then perform logic based on the authorities for the user. Our Okta Spring Boot starter will automatically convert the groups in the groups claim into Spring Security authorities.
Spring Security doesn’t log much by default (authentication errors are expected). However, when debugging a problem like this, it’s not as helpful. You can bump the level to get more information on the 403:
This post is a couple of years old, so I’m not sure which versions of Spring Boot you are using; you can bootstrap a sample application with the Okta CLI by running okta start spring-boot.
That will leave you with a configured app that should work out of the box.
If you want to keep digging, we can still help you with your current application!
@bdemers my app is authenticated, i.e. no more 401.
But 403 for POST endpoints. I think I need to get an authorization code or access token which can then be passed in the POST request to enable the resources, but I am surprised by this: why are all GET endpoints accessible? Why is authorization working only for non-GET REST methods?
I have gotten an auth code using the authorize endpoint and then passed the auth code to the token endpoint to get a token, then passed it in the header as a bearer token and the APIs are accessible.
But there are two tokens: access token and API token.
Can you tell me the difference between the two of them?
When I used audience in place of client secret and client ID in my Spring Boot app configuration file, then by hitting any endpoint it is not redirecting to the Okta sign-in widget, but when I used client ID and secret in the application configuration file then it is redirecting to the Okta sign-in page first.
Is this normal behaviour? Can you explain this?
I have one more question.
Is it possible that we can set endpoint-level authorisation specific to a user, like we define roles?
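Putting together the earlier reply about the groups claim (the Okta Spring Boot starter turning each group into a Spring Security authority) and the last question about endpoint-level authorisation per user, here is an added example of a Spring Security configuration. It is not code from this thread, from Okta, or from the starter. It assumes Spring Boot 3 / Spring Security 6 on Java 17 with okta-spring-boot-starter on the classpath, that the Okta authorization server is configured to add a groups claim to the access token as well as the ID token (a resource server never sees the ID token), that the starter exposes each group name unchanged as a GrantedAuthority, and that the package name, URL paths and the role names Admin, Editor and Viewer (taken from the question) are placeholders.

```java
package com.example.sso; // hypothetical package, example only

import static org.springframework.security.config.Customizer.withDefaults;

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize for the controller below
public class SecurityConfig {

    // Assumption: authority names equal the Okta group names carried in the
    // "groups" claim; these three come from the question in the thread.
    static final String ADMIN = "Admin", EDITOR = "Editor", VIEWER = "Viewer";

    // Chain 1: the JSON API. Stateless, authenticated only by an Okta-issued
    // Bearer JWT, so there is no session cookie for CSRF protection to guard.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                // read access for every role, write access narrowed by HTTP method
                .requestMatchers(HttpMethod.GET, "/api/**").hasAnyAuthority(ADMIN, EDITOR, VIEWER)
                .requestMatchers(HttpMethod.POST, "/api/**").hasAnyAuthority(ADMIN, EDITOR)
                .requestMatchers(HttpMethod.DELETE, "/api/**").hasAuthority(ADMIN)
                .anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(rs -> rs.jwt(withDefaults()));
        return http.build();
    }

    // Chain 2: everything else is a browser session: unauthenticated requests
    // are redirected to Okta to log in, and CSRF protection stays enabled.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(withDefaults());
        return http.build();
    }
}

@RestController
@RequestMapping("/api/documents")
class DocumentController {

    // Role check at the method level, in addition to the URL rules above.
    @PreAuthorize("hasAuthority('Editor') or hasAuthority('Admin')")
    @PostMapping
    public String create(@RequestBody String body, Authentication auth) {
        return "created by " + auth.getName() + " with authorities " + authorities(auth);
    }

    // Per-user rule: only the owner named in the path, or an Admin, may read it.
    // authentication.name is the token's "sub" claim, which Okta fills with the
    // user's id, so the path segment is expected to carry that id.
    @PreAuthorize("#owner == authentication.name or hasAuthority('Admin')")
    @GetMapping("/{owner}")
    public String readOwn(@PathVariable String owner) {
        return "documents owned by " + owner;
    }

    static List<String> authorities(Authentication auth) {
        return auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList();
    }
}
```

The two-chain split is what makes the earlier symptom (GET works, POST gets a 403) easier to reason about: a browser session that POSTs without a CSRF token is rejected by the web chain, while an API client that presents a Bearer JWT is judged only on the authorities in its groups claim. To see which rule produced a given 403, set `logging.level.org.springframework.security=DEBUG` in application.properties, as suggested earlier in the thread. The `#owner` reference in the SpEL expression relies on parameter names being compiled into the class, which the Spring Boot Maven and Gradle plugins enable by default.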