Use OpenID Connect Support with JHipster

Use OpenID Connect Support with JHipster

JHipster is one of the hippest things to happen to Java developers in the last few years. This article shows you how to add single sign-on to your JHipster app with OpenID Connect (OIDC). You can even use Keycloak or Okta as your Identity Provider!

Mario Guerrero

Great post.

Thanks.

Philippe Warnon

Great post.
Could you give us an idea to make it work with a multi-tenant keycloak ?
Would the config below combined with some filters to inject the tenant be a good way ?
oauth2:
client:
access-token-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/token
user-authorization-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/auth

resource:
user-info-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/userinfo

Any advice would be great
Thanks

Matt Raible

Hello Philippe. I wasn’t aware that Keycloak supported multi-tenancy, but it sounds like a pretty cool feature. The configuration and authorization flow in JHipster is handled by Spring Security, so it’s really a question for them. You might be able to refactor your app to use Keycloak’s Spring Security Adapter.

Philippe Warnon

Thanks Matt.
I thought about using Keycloak’s Adapter but the problem is that it creates a dependency to KeyCloak in the jhipster gateway. I would like to be able to switch from Keycloak to Okta or something else without code refactoring. But thanks for your advice, I’ll try it.

Justin Tran

HI @mraible ,
I tried to use Okta for your producton and I configed and connect to Okta and it works good.And I use the account that signed up on Okta and login then it is only have ROLE_USER.How can I have ROLE_ADMIN in my account ?

I tried to create new groups ROLE_ADMIN and ROLE_USER and add user to them but when logins still dont have role ROLE_ADMIN.

Please review the screenshot.
https://ibb.co/isb37x

Matt Raible

Hello Justin - did you add a claim to your identity token that includes the roles? These instructions in this tutorial show you how to do that:

Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” or “roles”, and include it in the ID Token. Set the value type to “Groups” and set the filter to be a Regex of .*.

Jose Mato

Great post!!! Does it support password autenthification flow ? I built a jhipster app and it works perfect with the login delegated on keycloak, but Imagine you want to expose my api to third party apps, is it possible to call the api any way?

Matt Raible

OAuth does have a “password” grant type, but it’s not recommended. Using a client credentials flow is usually recommended when you want to do server-to-server communication. See Secure Server-to-Server Communication with Spring Boot and OAuth 2.0 for more information.

Dave Cherkassky

With JHipster – Okta, how does my user get from my application to Okta’s User Settings page (e.g. https://advantagegroup.okta…

Matt Raible

I’m not sure what your question is. Are you asking how to get custom user attributes from Okta when using JHipster?

Chris Owen

Got a little stuck with the OKTA setup. Seem to be authenticating fine as far as the OKTA logs are concerned (groups are setup), but I don’t seem to be pulling through any information (Not granted any authorities) from the token and the app throws a null pointer when accessing user info.

[org.springframework.security.oauth2.provider.OAuth2Authentication@64da2bd2: Principal: ********; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=<session>, tokenType=BearertokenValue=<token>; Not granted any authorities]

Matt Raible

Hello Chris. It sounds like you might’ve missed the step to add the groups claim to your authorization server. Please see JHipster’s Okta documentation for how to do this. I’ve copied the steps below for your convenience.

Create a ROLE_ADMIN and ROLE_USER group (Users > Groups > Add Group) and add users to them. You can use the account you signed up with, or create a new user (Users > Add Person). Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it “groups” or “roles”, and include it in the ID Token. Set the value type to “Groups” and set the filter to be a Regex of .*.

Drikus Britz

How difficult would it be to migrate an existing JHipster generated monolith from using JWT to using Okta as the security provider? Can you perhaps help with the correct (or preferred) steps and sequence to do this?

Matt Raible

Hello Drikus: you can find the steps how to migrate from JHipster JWT to OAuth 2.0 here.

Mathieu Chauvet

Thanks for this Post.
You might want to remove the SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI from this post that is not necessary and breaks the login when used with Docker apparently.

Matt Raible

Hello Mathieu - this post was originally created with 4.10.0. You are correct that this property was removed in JHipster 5.x. I’ll add a note to the post.

Steve Macleod

I believe I’ve followed these steps correctly, but am getting an Okta error on logout: illegal_post_logout_redirect_uri.
Description: The ‘post_logout_redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.
Any ideas what could be behind this?

Steve Macleod

All good resolved it. Just added http://localhost:8080 as a Logout redirect URI.

Park Breaking

I have an existing Gateway Application with a UAA Server. Can I implement Okta OIDC 3rd Party Login features into the current app or should I replace the whole thing. I’ve been looking for some time but to no avail.