Spring Boot upgrade from 2.7.9 to 3.1.6

I recently upgraded from Spring Boot 2.7.9 to 3.1.6 and am using the Okta 3.0.4 starter. While configuring the security filter chain I use authorizeHttpRequests on the HttpSecurity class and Okta authentication fails with a 400 bad request error, where the error says redirect_uri should be a valid redirect_uri. The authorization request to Okta has the right redirect_uri. If I change authorizeHttpRequests to authorizeRequests everything works fine, but authorizeRequests is deprecated in Spring Security 6.x. Can someone please assist on this issue?

Please refer to the code below causing the issue

    protected SecurityFilterChain configure(HttpSecurity http) throws Exception {

        // Response headers: Content-Security-Policy plus X-Permitted-Cross-Domain-Policies
        http.headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                        // style-src is listed twice below; browsers apply only the first occurrence of a directive
                        .policyDirectives("default-src 'self';" +
                                "script-src 'self' 'unsafe-inline' 'unsafe-eval' "+applicationURL+";"+
                                "style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; " +
                                "font-src 'self' https://fonts.gstatic.com; "+
                                "connect-src 'self' "+oktaURL+"; "+
                                "style-src 'self' https://cdn.jsdelivr.net/npm/bootstrap@4.4.1/dist/css/bootstrap.min.css https://fonts.googleapis.com 'unsafe-inline'; "+
                                "style-src-elem 'self' https://cdn.jsdelivr.net/npm/bootstrap@4.4.1/dist/css/bootstrap.min.css 'unsafe-inline'; "))
                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none")));
        http.authorizeHttpRequests(requests ->

        // JWT resource server and CORS, both with framework defaults
        http.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults())).cors(Customizer.withDefaults());
        return http.build();
    }

Hello prashshyam,

I would definitely suggest checking the logs on this as we outline here: Okta Help Center (Lightning) - in this case this would be for visibility on what the exact redirectURI is that’s being sent to your Okta org. This should give some insight into a potential reason for the error.

For moving to authorizeHttpRequests I would also suggest reviewing the code snippets here: Authorize HttpServletRequests :: Spring Security - there are quite a few examples of syntax for doing similar request matching to what you already have there.

When looking at our current version of the SDK (3.0.6) I see authorizeRequests is still in use, so if these suggestions don’t work and updating to 3.0.6 doesn’t help I would suggest opening a case with Okta Support so we can assist you further regarding this issue. Thanks!

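The check suggested in the reply above (confirming the exact redirect URI sent to the Okta org) can be done offline on an authorization URL copied from the logs. This is an added example, not code from the thread, Okta or Spring: the URLs, client id and registered redirect URI list are constructed, and it assumes the authorization server compares `redirect_uri` to the registered values as exact strings.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an /authorize URL as it might be copied from a log.
SAMPLE_AUTHORIZE_URL = (
    "https://example.okta.com/oauth2/default/v1/authorize"
    "?response_type=code&client_id=CLIENT_ID_PLACEHOLDER&scope=openid&state=abc"
    "&redirect_uri=http%3A%2F%2Fapp.example.com%2Flogin%2Foauth2%2Fcode%2Fokta"
)
# Constructed sample: redirect URIs registered on the Okta application.
SAMPLE_REGISTERED = [
    "https://app.example.com/login/oauth2/code/okta",
    "http://localhost:8080/login/oauth2/code/okta",
]

def extract_redirect_uri(authorize_url):
    """Return the percent-decoded redirect_uri of an authorization request URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one redirect_uri, found {len(values)}")
    return values[0]

def _parts(uri):
    u = urlsplit(uri)
    default_port = {"http": 80, "https": 443}.get(u.scheme)
    return {"scheme": u.scheme, "host": (u.hostname or "").lower(),
            "port": u.port or default_port, "path": u.path, "query": u.query}

def diagnose(authorize_url, registered_uris):
    """Return (sent, exact_match, diffs); diffs maps each registered URI to
    the URL components in which it differs from the sent redirect_uri."""
    sent = extract_redirect_uri(authorize_url)
    if sent in registered_uris:
        return sent, True, {}
    sent_parts = _parts(sent)
    diffs = {}
    for reg in registered_uris:
        reg_parts = _parts(reg)
        changed = [k for k in sent_parts if sent_parts[k] != reg_parts[k]]
        # Same components but different text, e.g. an explicit default port.
        diffs[reg] = changed or ["textual form only"]
    return sent, False, diffs

if __name__ == "__main__":
    sent, ok, diffs = diagnose(SAMPLE_AUTHORIZE_URL, SAMPLE_REGISTERED)
    print("sent:", sent, "| exact match:", ok)
    for reg, changed in diffs.items():
        print(f"  vs {reg}: differs in {', '.join(changed)}")
```

On the constructed sample the sent value differs from the registered production URI in scheme and port, a difference that is easy to miss when reading the percent-encoded URL by eye.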