Spring Security + Spring MVC

I am working on integrating Okta into my Spring MVC project. I searched for Spring projects with Okta but am finding only Okta with Spring Boot projects. Could you help me with my query to integrate Okta in any Spring MVC project?

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection is switched off here; keep it enabled for browser-facing endpoints unless there is a specific reason not to
            .csrf().disable()
            .authorizeRequests()
                // landing page is public
                .antMatchers("/").permitAll()
                // all other requests
                .anyRequest().authenticated()
            // set logout URL
            .and().logout().logoutSuccessUrl("/")
                .addLogoutHandler(new CustomLogoutHandler()) // application-specific handler
            // enable OAuth2/OIDC
            .and().oauth2Client()
            .and().oauth2Login()
                .defaultSuccessUrl("/loginSuccess.rest", true);
        return http.build();
    }
}

My question is how to get the preferred_username:
- I tried accessing the OAuth2 token
- I tried using an event listener

The primary issue I am facing right now is that after authentication through the Okta widget login page it keeps repeating the same flow (with a 302) and never enters the client application.
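An added example (not code from the original post) showing the two ways the question tries to read preferred_username in a Spring MVC app configured with oauth2Login(): from the authenticated principal in a controller, and from an authentication success event. The controller path /loginSuccess.rest matches the defaultSuccessUrl above; the listener's log line is an assumption.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// 1) Controller approach: after oauth2Login() completes against an OIDC provider such as Okta,
//    the Authentication principal is an OidcUser carrying the ID-token claims.
@RestController
public class LoginSuccessController {

    @GetMapping("/loginSuccess.rest") // same path as defaultSuccessUrl in the question
    public String loginSuccess(@AuthenticationPrincipal OidcUser user) {
        // getPreferredUsername() is the typed accessor for the "preferred_username" claim.
        // It returns null when the claim is absent, e.g. when the "profile" scope was not requested.
        String preferredUsername = user.getPreferredUsername();
        if (preferredUsername == null) {
            // fall back to the subject, which is always present in an ID token
            return "Logged in as subject " + user.getSubject() + " (no preferred_username claim)";
        }
        return "Logged in as " + preferredUsername;
    }
}

// 2) Event-listener approach: fired once per successful authentication.
//    Package-private so it can share this file with the public controller; in a real project
//    each class would live in its own file.
@Component
class OidcLoginListener implements ApplicationListener<AuthenticationSuccessEvent> {

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        // the listener also sees non-OIDC authentications, so check the principal type first
        if (auth.getPrincipal() instanceof OidcUser) {
            OidcUser user = (OidcUser) auth.getPrincipal();
            // assumed log line; replace with the application's logger
            System.out.println("OIDC login succeeded for " + user.getPreferredUsername()
                + " (sub=" + user.getSubject() + ")");
        }
    }
}
```

If the success event never fires in a non-Boot project, register a DefaultAuthenticationEventPublisher bean so the authentication manager publishes it.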

Hello,

The Okta Spring SDK is for boot, but it relies on Spring Security for most of the functionality.
You can use Spring Security with Okta without using the Okta SDK.

The below tutorial demonstrates both Spring Security OAuth2, and Spring Security w/boot OAuth2.
https://www.baeldung.com/spring-security-5-oauth2-login

Thank You,

Hi Eric,

I did follow the same article and used Spring Security + OAuth2. I haven't used the Okta SDK.

redirects

Any clue as to why it is redirecting again to Okta after the successful callback?

Thanks

There could be a few reasons.

The /authorize call does succeed; I can see a code value returned.

I assume the token call is happening, but I would need a .har file from you to verify.
In the case the token call succeeds, it could be that a specific scope/role/claim tpr requires is not present, so Spring does another authorize.

For a case like this we would need a .har file to verify the entire flow is completing on the Okta side. If so, then we would need to look further into your app's logic, which might kick off another authorize even though tokens were successfully retrieved from the prior flow.