Spring Boot upgrade from 2.7.9 to 3.1.6

I recently upgraded from Spring Boot 2.7.9 to 3.1.6 and am using the Okta 3.0.4 starter. While configuring the security filter chain I use authorizeHttpRequests on the HttpSecurity class, and Okta authentication fails with a 400 Bad Request error, where the error says redirect_uri should be a valid redirect_uri. The authorization request to Okta has the right redirect_uri. If I change authorizeHttpRequests to authorizeRequests everything works fine, but authorizeRequests is deprecated in Spring Security 6.x. Can someone please assist with this issue?

Please refer to the code below, which is causing the issue:

    @Bean
    protected SecurityFilterChain configure(HttpSecurity http) throws Exception {

        // Response headers: Content-Security-Policy plus X-Permitted-Cross-Domain-Policies.
        // Note: style-src is declared twice in this policy; browsers apply the first
        // occurrence of a directive and ignore later duplicates.
        http.headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                        .policyDirectives("default-src 'self';" +
                                "script-src 'self' 'unsafe-inline' 'unsafe-eval' "+applicationURL+";"+
                                "style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; " +
                                "font-src 'self' https://fonts.gstatic.com; "+
                                "connect-src 'self' "+oktaURL+"; "+
                                "style-src 'self' https://cdn.jsdelivr.net/npm/bootstrap@4.4.1/dist/css/bootstrap.min.css https://fonts.googleapis.com 'unsafe-inline'; "+
                                "style-src-elem 'self' https://cdn.jsdelivr.net/npm/bootstrap@4.4.1/dist/css/bootstrap.min.css 'unsafe-inline'; "
                        ))
                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none")));

        // Authorization rules: one public view, everything under /api/** requires authentication.
        http.authorizeHttpRequests(requests ->
                        requests.requestMatchers("/blastdetailsViewOnly").permitAll()
                                .requestMatchers("/api/**").authenticated());

        // Validate bearer JWTs as an OAuth 2.0 resource server and enable CORS with defaults.
        http.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults())).cors(Customizer.withDefaults());
        return http.build();
    }

Hello prashshyam,

I would definitely suggest checking the logs on this as we outline here: Okta Help Center (Lightning) - in this case this would be for visibility on what the exact redirectURI is that’s being sent to your Okta org. This should give some insight into a potential reason for the error.

For moving to authorizeHttpRequests I would also suggest reviewing the code snippets here: Authorize HttpServletRequests :: Spring Security - there are quite a few examples of syntax for doing similar request matching to what you already have there.

When looking at our current version of the SDK (3.0.6) I see authorizeRequests is still in use, so if these suggestions don’t work and updating to 3.0.6 doesn’t help I would suggest opening a case with Okta Support so we can assist you further regarding this issue. Thanks!
