Simple Authentication with Spring Security

In this tutorial, you’ll build a very simple Spring Boot app that uses basic auth, form-based authentication, and OAuth 2.0 / OpenID Connect.


I got this error after trying localhost:8080; what else can I do?
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for “…”: PKIX path building failed: unable to find valid certification path to requested target; nested exception is PKIX path building failed: unable to find valid certification path to requested target


Solved. The above errors only showed up when I used Windows; after switching to Linux there were no errors.

scott huang

Hello, I’m hoping you could help me out. I followed the steps in “Add OAuth 2.0 + OpenID Connect Authentication”, and I’m now being redirected to the Okta login page (which is great), but I get the following error message: [access_denied] Policy evaluation failed for this request, please check the policy configurations.

My user is assigned the application in Okta, and the policy is that any user assigned the app, anywhere and on any device, is allowed access.


How do I get the Okta ID field com.okta.sdk.resource.user.User.id that is available in the SDK here in Spring Security, using OidcUser or any other way?

{
  "id": "00ub0oNGTSWTBKOLGLNR",
  "status": "ACTIVE",
  "created": "2013-07-02T21:36:25.344Z",
  "activated": null,
  "statusChanged": null,
  "lastLogin": null,
  "lastUpdated": "2013-07-02T21:36:25.344Z",
  "passwordChanged": "2013-07-02T21:36:25.344Z",
  "profile": {
    "firstName": "Isaac",
    "lastName": "Brock",
    "email": "",
    "login": "",
    "mobilePhone": "555-415-1337"
  }
}

Brian Demers

It’s usually the sub claim in an ID Token, and the uid claim in access tokens. With that ID, you can just call client.getUser(sub)

And if you haven’t seen it already, take a look at the Spring Boot integration for the SDK:…
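A worked version of Brian’s answer, as an added example that is not code from the original post, the Okta SDK, or its Spring Boot integration: a controller that reads the Okta user id from the ID token’s sub claim (browser login) or the access token’s uid claim (bearer-token API call) and then calls client.getUser(id). It assumes Spring Boot 3 / Spring Security 6, okta-sdk-java 2.x with a com.okta.sdk.client.Client bean already configured, and the paths /me and /api/me.

```java
// Added example (not from the original post or the Okta SDK): read the Okta user id from
// the token and look the user up with the SDK. Assumes Spring Boot 3 / Spring Security 6
// and okta-sdk-java 2.x; the Client bean and the two paths are assumptions.
package com.example.demo;

import com.okta.sdk.client.Client;
import com.okta.sdk.resource.user.User;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Map;

@RestController
public class WhoAmIController {

    private final Client oktaClient;

    public WhoAmIController(Client oktaClient) {
        this.oktaClient = oktaClient;
    }

    // Browser session established with oauth2Login(): the principal is an OidcUser and the
    // Okta user id is the ID token's "sub" claim (OidcUser.getSubject() returns it).
    @GetMapping("/me")
    public Map<String, String> me(@AuthenticationPrincipal OidcUser user) {
        String oktaId = user.getSubject();
        User sdkUser = oktaClient.getUser(oktaId);
        return Map.of(
                "id", sdkUser.getId(),
                "login", sdkUser.getProfile().getLogin(),
                "status", sdkUser.getStatus().toString());
    }

    // Bearer-token call against a resource server: the principal is the validated Jwt.
    // Okta access tokens carry the user id in "uid"; fall back to "sub" only if it is absent.
    @GetMapping("/api/me")
    public Map<String, String> apiMe(@AuthenticationPrincipal Jwt jwt) {
        String oktaId = jwt.hasClaim("uid") ? jwt.getClaimAsString("uid") : jwt.getSubject();
        User sdkUser = oktaClient.getUser(oktaId);
        return Map.of("id", sdkUser.getId(), "login", sdkUser.getProfile().getLogin());
    }
}
```

Both handlers rely on Spring Security having already validated the token (signature, issuer, expiry) before the controller runs; the claim is read from the verified token object rather than from anything the client could set on the request.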

Fahim Farook

src/main/resources/** aren’t checked in?

Matt Raible

I don’t understand your question, can you please re-phrase?

Kishore Kumar

Is there any simple app, the bare minimum one, where we can authenticate a Spring Boot resource app with a client/secret and an issuer URI… the very minimum one… without any Thymeleaf or other extra additions…
I did try with a lot of resources, but they’re all for older Okta jars and you guys seem to be updating the requirements very rapidly…
So it would be very helpful if we got something with the bare minimum functionality, with the exact versions for the pom/gradle dependencies…

Matt Raible

Yes! Install the Okta CLI, then run “okta start spring-boot”.…

Benjamin Irwin

Is there any way to manage the authentication process (log in) inside your Spring Boot code? I.e. without being redirected to a login form and having to manually enter your login details each time you want to access the Spring Boot endpoints.

I was thinking of something like a ‘/login’ endpoint that you could call each time you wanted to access the Spring Boot app, passing username and password to gain access to the other endpoints.

I ask because I want to protect an API and want clients to integrate it into their existing codebase without having to manually login all the time. Needless to say, I’m a Security/OAuth/Okta rookie.

Matt Raible

If you configure your Spring Boot app to use Spring Security’s resource server feature, you can pass a valid access token as an Authorization header in your requests. It will be used as an authentication mechanism and you’ll be logged in. See Build a Secure Spring Data JPA Resource Server for more information.
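The configuration Matt describes, as an added example that is not code from the original post or the linked resource-server tutorial: a single SecurityFilterChain that keeps the redirect-to-Okta login for browsers and also accepts an access token in an Authorization header for API clients. It assumes Spring Boot 3 / Spring Security 6, a client registration named okta, and the property values shown as placeholders in the comments.

```java
// Added example (not from the original post): browser login plus bearer-token resource
// server in one filter chain. Assumes Spring Boot 3 / Spring Security 6 and these
// application properties (values are placeholders):
//   spring.security.oauth2.client.registration.okta.client-id=<client id>
//   spring.security.oauth2.client.registration.okta.client-secret=<client secret>
//   spring.security.oauth2.client.provider.okta.issuer-uri=https://<your-okta-domain>/oauth2/default
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://<your-okta-domain>/oauth2/default
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            // Bearer tokens are not sent automatically by browsers, so CSRF protection adds
            // nothing for the token-authenticated API paths; keep it for the session-based UI.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
            // Interactive users without a session are redirected to Okta's login page.
            .oauth2Login(Customizer.withDefaults())
            // API clients send "Authorization: Bearer <token>"; Spring fetches the issuer's
            // JWKS, verifies the signature, checks iss/exp, and builds a JwtAuthenticationToken.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

With this in place a request such as `curl -H "Authorization: Bearer $TOKEN" http://localhost:8080/api/me` is authenticated without any login page, while a missing, expired, or wrong-issuer token gets a 401 with a `WWW-Authenticate: Bearer` header rather than a redirect.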

Benjamin Irwin

Hi Matt, many thanks for this reply - much appreciated. And thank you for the YouTube video too - really useful.

From the tutorial you sent, it looks like you still need to do some manual work to get that access token. We’re advised to go to oidcdebugger in order to generate it, and the token we get back ultimately expires.

Is there any way to automate the process of retrieving the access token (e.g. a request to a ‘/login’ endpoint that can be done in the code, or something equivalent)? This way we can manage the authentication process in the code, so that the client doesn’t have to keep manually retrieving a new access token when it expires.

EDIT: I’ve just found the ‘Resource Owner Password flow’ which seems to do what is described (i.e. lets us handle the credentials in our code). I can see we are advised against using this by Okta. But it seems like the only option for what we want? This will enable us to have the client login once to access our API indefinitely.

Matt Raible

> Is there any way to automate the process of retrieving the access token (e.g. a request to a ‘/login’ endpoint that can be done in the code, or something equivalent)?

Yes, you can use OAuth and its flows to request an access token (and a refresh token for when the access token expires). I don’t have an example in code because I’m used to using our SDKs and they handle a lot of that for you.

One way that Okta handles giving programs access is allowing you to generate API keys. We use them for our Java SDK and the Okta CLI. I’d advise setting up something similar for your APIs.

Matt Raible

Do you have a “default” authorization server set up in API > Authorization Servers? If you don’t, it’s because you don’t have API Access Management as part of your org. If you create a new developer account, you’ll get one for free.


@mattraible Do you have an example of how I can retrieve an access_token for a new user programmatically (Java)?

Matt Raible

What type of client are you using? If you’re using client credentials, this post might help:…

The Spring Docs cover it pretty well now:…

If you’re trying to get an access token on behalf of the user programmatically, I don’t think that’s allowed.
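An added example, not code from the original post or the articles Matt links, covering both his point about client credentials here and his earlier note that a program can obtain (and re-obtain) a token through an OAuth flow rather than a hand-built ‘/login’ endpoint: a service-to-service client that gets an access token with the client-credentials grant through Spring Security’s OAuth2AuthorizedClientManager, which caches the token and requests a fresh one when it expires. It assumes Spring Boot 3 / Spring Security 6, a registration named okta, a custom scope defined on your Okta authorization server (Okta requires one for this grant), and the placeholder property values in the comments; the principal name machine-client is an arbitrary cache key.

```java
// Added example (not from the original post): client-credentials token acquisition with
// automatic re-fetch on expiry. Assumes Spring Boot 3 / Spring Security 6 and these
// application properties (values are placeholders):
//   spring.security.oauth2.client.registration.okta.client-id=<client id>
//   spring.security.oauth2.client.registration.okta.client-secret=<client secret>
//   spring.security.oauth2.client.registration.okta.authorization-grant-type=client_credentials
//   spring.security.oauth2.client.registration.okta.scope=<custom scope on your auth server>
//   spring.security.oauth2.client.provider.okta.issuer-uri=https://<your-okta-domain>/oauth2/default
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.stereotype.Service;

@Configuration
class ClientCredentialsConfig {

    // The service-backed manager works outside a servlet request (scheduled jobs, CLI tools),
    // unlike DefaultOAuth2AuthorizedClientManager, which needs the current HttpServletRequest.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}

@Service
class TokenSupplier {

    private final OAuth2AuthorizedClientManager manager;

    TokenSupplier(OAuth2AuthorizedClientManager manager) {
        this.manager = manager;
    }

    // Returns a valid bearer token for the "okta" registration. The manager hits the token
    // endpoint only when nothing is cached or the cached token is about to expire, so the
    // caller never tracks expiry itself.
    String accessToken() {
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                .withClientRegistrationId("okta")
                .principal("machine-client") // arbitrary name the cached token is stored under
                .build();
        OAuth2AuthorizedClient client = manager.authorize(request);
        if (client == null) {
            throw new IllegalStateException("could not obtain a client-credentials token");
        }
        return client.getAccessToken().getTokenValue();
    }
}
```

A caller injects TokenSupplier and sets `Authorization: Bearer ` + `accessToken()` on each outbound request. The token represents the client application itself, not a user, which is exactly the distinction Matt draws: for per-user access the user still has to go through an interactive OAuth flow.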


Hi Matt :) Thanks, you are right.

Jai S

@mattraible I am currently working on a project to make my Java application (not Spring Boot) an identity provider and Okta a service provider. I don’t have any idea; can you help me? Is there any code available?

Matt Raible

I’m not sure how to do this. I’ve only used Okta as an identity provider.