Spring Boot questions - 403 forbidden

Hi,

I’ve had nothing but trouble when setting up my Spring Boot application to work with Okta. I am trying to build a very simple hobby website which uses authentication/authorization with Okta.

I’ve gone through all the tutorials and I have found them all to be confusing and frustrating. I currently have a prototype built, but I can’t verify if what I am doing is correct. Here is what I’m looking to do:

  1. Have the front end React site login and handle the authentication.
  2. When the front end receives a request for some data, it calls the Spring Boot backend using an access token.
  3. The API has some custom data which will return to the user the data they requested.

Some of the questions I have:
In my Spring Boot application,

  1. Why do I need to include the client-id in my application.yml file? When I include the client-id of the SPA I keep getting the error:

Caused by: java.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration with the provided Issuer of “https://my-domain.com/oauth2/aukj3JdfjjxzJkdL3
at org.springframework.security.oauth2.client.registration.ClientRegistrations.getOpenidConfiguration(ClientRegistrations.java:108) ~[spring-security-oauth2-client-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromOidcIssuerLocation(ClientRegistrations.java:72) ~[spring-security-oauth2-client-5.1.5.RELEASE.jar:5.1.5.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesRegistrationAdapter.java:89) ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.0.4.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistration(OAuth2ClientPropertiesRegistrationAdapter.java:61) ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.0.4.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.lambda$getClientRegistrations$0(OAuth2ClientPropertiesRegistrationAdapter.java:54) ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.0.4.RELEASE]
at java.util.HashMap.forEach(HashMap.java:1289) ~[na:1.8.0_221]
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(OAuth2ClientPropertiesRegistrationAdapter.java:53) ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.0.4.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration.clientRegistrationRepository(OAuth2ClientRegistrationRepositoryConfiguration.java:56) ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.1.4.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration$$EnhancerBySpringCGLIB$$de4cad86.CGLIB$clientRegistrationRepository$0() ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.1.4.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration$$EnhancerBySpringCGLIB$$de4cad86$$FastClassBySpringCGLIB$$4d51f298.invoke() ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.1.4.RELEASE]
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363) ~[spring-context-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration$$EnhancerBySpringCGLIB$$de4cad86.clientRegistrationRepository() ~[spring-boot-autoconfigure-2.1.4.RELEASE.jar:2.1.4.RELEASE]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_221]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_221]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_221]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_221]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.1.6.RELEASE.jar:5.1.6.RELEASE]
… 102 common frames omitted
Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden
at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:83) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:122) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:102) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:778) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:736) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:311) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
at org.springframework.security.oauth2.client.registration.ClientRegistrations.getOpenidConfiguration(ClientRegistrations.java:106) ~[spring-security-oauth2-client-5.1.5.RELEASE.jar:5.1.5.RELEASE]
… 119 common frames omitted

If I don’t include the client id, my Spring Boot app starts up fine and even accepts a valid Bearer token on requests? All of the tutorials say I should be adding the client id, so what’s the deal?

  2. Do I need to specify the audience? I do have it in my application.yml but it isn’t being verified by anything.
  3. Where is the best place to store this custom data? It’s a lot of custom data that I want to have on my own Postgres database. What’s the best pattern for storing this?

These are just some of my questions to start. I am signed up for the Spring Boot webinar this week but I am just soooo frustrated after working on this for quite some time.

Any guidance will be super helpful, this should be a fun hobby project not something this painful.

The thing that stands out immediately is your issuer URL. That should be an Okta URL, not “my-domain.com.”

What does your application.properties file look like?

Shouldn’t I be able to use the custom issuer? It shows up as an option on API -> Custom Authorizations. I can choose “Custom URL” under Issuer.

Try with an issuer-uri of https://my-domain.com
If you’ve set up a custom domain, and you’re using the latest Spring Boot, you only need the domain name and Spring will add the /.well-known/openid-configuration for you.
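An added example, not code from anyone in this thread, tying the last reply (issuer-uri only) back to the first post's two open questions about the client-id and the audience. The stack trace shows the 403 coming from ClientRegistrations.fromOidcIssuerLocation, which Boot only calls when a spring.security.oauth2.client.registration.*.client-id is present; a pure resource server that just validates bearer tokens from the React app needs only spring.security.oauth2.resourceserver.jwt.issuer-uri. The audience is not checked by the default validators, which only verify the timestamps and the issuer, so the audience check below is added explicitly. The package name, the app.security.audience property, its api://default sample value and the /api/** path are assumptions; the API is the Spring Security 5.1.x / Spring Boot 2.1 one seen in the trace (on 5.2+ the decoder class is NimbusJwtDecoder, but the validator wiring is the same).

```java
// Added example, not from the original post. Spring Boot 2.1 / Spring Security 5.1.x resource server
// that validates Okta bearer tokens by signature, issuer AND audience. Package name, the
// app.security.audience property and its sample value are assumptions.
//
// application.yml it assumes (resource server only: there is no spring.security.oauth2.client.* block,
// so Boot never builds a ClientRegistration or fetches the OpenID configuration for a client):
//
//   spring:
//     security:
//       oauth2:
//         resourceserver:
//           jwt:
//             issuer-uri: https://my-domain.com/oauth2/aukj3JdfjjxzJkdL3   # your authorization server issuer
//   app:
//     security:
//       audience: api://default   # hypothetical property; must equal the Audience set on that authorization server
package com.example.hobby.security;

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Value("${app.security.audience}")   // hypothetical property name
    private String audience;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()   // the data endpoints the React app calls
                .anyRequest().denyAll()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Reads <issuer>/.well-known/openid-configuration, takes jwks_uri from it and verifies
        // signatures against those keys. The validator it installs by default checks only
        // exp/nbf and iss, which is why an audience in application.yml alone changes nothing.
        NimbusJwtDecoderJwkSupport decoder =
            (NimbusJwtDecoderJwkSupport) JwtDecoders.fromOidcIssuerLocation(issuer);

        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience =
            new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator(audience));
        decoder.setJwtValidator(withAudience);
        return decoder;
    }

    /** Rejects any token whose aud claim does not name this API. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedAudience;

        AudienceValidator(String expectedAudience) {
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error(
                "invalid_token", "Token audience does not include " + expectedAudience, null);
            return OAuth2TokenValidatorResult.failure(error);   // request gets 401 with WWW-Authenticate
        }
    }
}
```

The issuer check alone accepts every access token that authorization server ever mints, for any API it serves; the audience check pins the token to this one, so a token issued for some other API behind the same Okta authorization server is refused. The client-id of the SPA belongs in the React app's Okta configuration, not in this resource server, which never talks to Okta on a user's behalf and only fetches the discovery document and the JWKS.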