Spring boot Server side okta authentication

Questions
1

Hi
I was following this blog for authenticating my spring boot server with Okta
https://developer.okta.com/blog/2017/10/13/okta-groups-spring-security

this used thymeleaf as UI so my UI was also on the same port as my server, but in actual scenario I have angular application as my UI (client) when I tried getting access token by making a request at https://dev-519045.okta.com/oauth2/default/v1/token
I got CORS issues.
Can someone help me and give an example/blogpost where my authentication is handled by spring boot and UI will be angular having issues with okta integeration, I want minimum configurations on UI side.
any lead will be appreciated
thanks

2

Sounds like you are building a Resource Server (in OAuth terms).

Take a look at this sample: https://github.com/okta/samples-java-spring/tree/master/resource-server

Basically, this annotation will help you setup CORS:

But there are a few other differences between setting up a server-side rendered project and a resource server.

3

Thanks For replying,
Yes we are building Resource Server and I am quite new to spring security, we want Okta to send access token to our Resource Server.
whenever client makes request,
Resource server should redirect the flow towards Okta ( Authorization Server) and return access Token to Resource server which after some manipulations we will send it to client and validate accordingly

4

You might be mixing flows a little. A resource server typically does NOT have user interaction, it would be called by some other client (like a SPA, or some other browser JS code).

Take a look at this guide: https://developer.okta.com/quickstart/#/angular/java/spring

If i’m understanding your intent correctly your angular application, would deal with the user’s authentication and obtaining a token (either by redirecting or using the Okta Sign-In Widget) then send that token to your Spring Resource Server.

Does that help?

1 Like
5

Is it a bug in okta dependency every time I tried I face a bug CORS for my resource server get blocked,
I tried these things

  1. Adding cross origin annotation over request mapping and Rest Controller.
    [at]CrossOrigin(“http://localhost:4200”)
  2. Configuring global by overriding WebSecurityConfigurerAdapter
    public class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    Override
    protected void configure(HttpSecurity http) throws Exception {
    http
    .cors();
    }
    Bean
    CorsConfigurationSource corsConfigurationSource()
    {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList(“http://localhost:4200”));
    configuration.setAllowedMethods(Arrays.asList(“GET”,“POST”));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
    }
    }
6

Yes it did help but later point I start getting the CORS error again

Is it because through Okta portal CORS are enable for my client side as I set base url localhost:4200
so I even tried enabling CORS for my authorization server under
authorization server tab --> trusted Origin --> add origin

7

Our Spring Boot integration doesn’t do anything with CORS, as that configuration is specific to each application.

It also depends on the CORS error you are seeing (and where the communication is happening) if you have already authenticated, and your Angular app is making calls to your Spring backend, then the CORS config needed is on the Spring side.

You might also need to add OPTIONS requests to your allowed methods (IIRC)

Keep us posted!

8

image

what about it?..CORS have been blocked from my developer account.

9

What does your login page look like? are you using Okta’s Sign-In widget directly? Our Angular integration? or something else?