Spring Boot Okta Login Page Showing Invalid credentials

I have a problem opening the Okta login page through http://localhost:9090/authenticate/login

I get a page showing a message that says “Invalid Credentials”.

Even though I recreated the app many times, I couldn’t solve the issue.

How can I fix it?

Here is the Okta configuration in application.yml

okta:
  oauth2:
    issuer: https://dev-54315943.okta.com/oauth2/default
    audience: api://default
    client-id: 0oa6s3zb19diYE0Fs5d7
    client-secret: Et8NxudIRKlKSTpNPoF0uPkPgNzOuzLx0UGts08G
    scopes: openid, email, profile, offline_access

Here is the controller for Okta

@RestController
@RequestMapping("/authenticate")
@Slf4j
public class AuthController {

    @GetMapping("/login")
    public ResponseEntity<AuthenticationResponse> login(
            @AuthenticationPrincipal OidcUser oidcUser,
            Model model,
            @RegisteredOAuth2AuthorizedClient("okta")
            OAuth2AuthorizedClient client
    ) {

        log.info("AuthController | login is called");
        log.info("AuthController | login | client : " + client.toString());

        AuthenticationResponse authenticationResponse = null;
        try{
            authenticationResponse
                    = AuthenticationResponse.builder()
                    .userId(oidcUser.getEmail())
                    .accessToken(client.getAccessToken().getTokenValue())
                    .refreshToken(client.getRefreshToken().getTokenValue())
                    .expiresAt(client.getAccessToken().getExpiresAt().getEpochSecond())
                    .authorityList(oidcUser.getAuthorities()
                            .stream()
                            .map(GrantedAuthority::getAuthority)
                            .collect(Collectors.toList()))
                    .build();
        }catch (Exception e){
            log.info("AuthController | login | error : " + e.getMessage());
        }


        return new ResponseEntity<>(authenticationResponse, HttpStatus.OK);
    }
}

Here is the configuration of Okta

@Configuration
@EnableWebFluxSecurity
public class OktaOAuth2WebSecurity {

    @Bean
    public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange()
                .anyExchange().authenticated()
                .and()
                .oauth2Login()
                .and()
                .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}

How does your application handle primary authentication into Okta? Redirecting to the Okta hosted login page or are you trying to get an embedded login page working?

Are you following a particular guide/sample of ours?

When I make a request to localhost:9090/authenticate/login, the Okta login page is opened.
Next, I enter the email address and password of a user that is already defined in Okta with status Active. I get the message “Invalid credentials” after clicking the login button.

How can I fix it?

First you should run all services defined below in order.
1 ) Registry Server (Eureka Server)
2 ) Cloud Server
3 ) Api Gateway
4 ) Run other services

Here is the example link : Link

Here are some screenshots shown below.

@andrea I’m also having the exact same issue. Any idea on how to resolve this?

Are you seeing any API calls failing when you test your app?

@andrea No errors when I try to log in.

Hm, so the /authorize call is successful at least, that’s promising. Any logs on the Java side for whether or not the /token call happened and whether or not it succeeded?

I forgot to set this, so I was getting that error. Check all fields in the controller:
authResponse.setAuthorities(authorities);

The only thing that needs to be done is that the people/group(s) you are creating within the directory need to be assigned to the application.
In case they are not assigned, the token would get generated as shown in the screen cap, but the Invalid Credentials error would still pop up.


The missing part is to also ensure that the created user(s)/group(s) are assigned to the respective applications; then the token(s) will be propagated to the Spring authentication controller and the user will be able to see the token and granted authorities.

Bottom line: there is no need for a code change, but a configuration adjustment is needed to assign user(s)/group(s) to the applications, as attached for an example.

Login after assignment(s)

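Editor's added example (not part of the thread and not the posters' or Okta's code): one way to confirm the assignment described in the answer above without the admin console, by listing the users assigned to the app integration through Okta's Apps API and reporting which logins are missing. The org URL, app id, API token, sample logins and the assumption that the app username equals the Okta login are all placeholders or assumptions; the sample response is constructed and trimmed.

```python
import json
import urllib.request


def fetch_app_users(org_url, app_id, api_token):
    """Return the first page of users assigned to one app integration.

    Calls Okta's GET /api/v1/apps/{appId}/users with an SSWS API token.
    Pagination (Link headers) is not followed here.
    """
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/apps/{app_id}/users",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assignment_report(app_users, logins):
    """Map each login to its assignment scope or 'UNASSIGNED'.

    Scope is 'USER' for a direct assignment and 'GROUP' for one inherited
    from a group. Assumption: the app username (credentials.userName)
    equals the Okta login the person types on the sign-in page.
    """
    assigned = {}
    for app_user in app_users:
        name = (app_user.get("credentials") or {}).get("userName")
        if name:
            assigned[name.lower()] = app_user.get("scope", "ASSIGNED")
    return {login: assigned.get(login.lower(), "UNASSIGNED") for login in logins}


# Constructed sample of the API response, trimmed to the fields used above.
SAMPLE_APP_USERS = [
    {"id": "00u-constructed-1", "scope": "USER", "status": "ACTIVE",
     "credentials": {"userName": "alice@example.com"}},
    {"id": "00u-constructed-2", "scope": "GROUP", "status": "ACTIVE",
     "credentials": {"userName": "Bob@example.com"}},
]

if __name__ == "__main__":
    report = assignment_report(
        SAMPLE_APP_USERS,
        ["alice@example.com", "bob@example.com", "carol@example.com"])
    for login, state in report.items():
        print(f"{login}: {state}")
```

A login reported as UNASSIGNED is the case the answer describes: the account is Active in the directory, but sign-in through this app still fails until the user or one of their groups is assigned.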

@sunny13nitk Thank you, sir. Your solution has successfully resolved the issue on my end.