Use OpenID Connect Support with JHipster
JHipster is one of the hippest things to happen to Java developers in the last few years. This article shows you how to add single sign-on to your JHipster app with OpenID Connect (OIDC). You can even use Keycloak or Okta as your Identity Provider!
Philippe Warnon
Great post.
Could you give us an idea to make it work with a multi-tenant keycloak ?
Would the config below combined with some filters to inject the tenant be a good way ?
oauth2:
  client:
    access-token-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/token
    user-authorization-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/auth
    …
  resource:
    user-info-uri: http://localhost:9080/auth/realms/{realm}/protocol/openid-connect/userinfo
    …
Any advice would be great
Thanks
Matt Raible
Hello Philippe. I wasn't aware that Keycloak supported multi-tenancy, but it sounds like a pretty cool feature. The configuration and authorization flow in JHipster is handled by Spring Security, so it's really a question for them. You might be able to refactor your app to use Keycloak's Spring Security Adapter.
Philippe Warnon
Thanks Matt.
I thought about using Keycloak's Adapter, but the problem is that it creates a dependency on Keycloak in the JHipster gateway. I would like to be able to switch from Keycloak to Okta or something else without code refactoring. But thanks for your advice, I'll try it.
Justin Tran
Hi @mraible,
I tried to use Okta for your production and I configured and connected to Okta, and it works well. I use the account that I signed up with on Okta, and when I log in it only has ROLE_USER. How can I have ROLE_ADMIN in my account?
I tried to create new groups ROLE_ADMIN and ROLE_USER and add the user to them, but when I log in I still don't have the role ROLE_ADMIN.
Please review the screenshot.
https://ibb.co/isb37x
Matt Raible
Hello Justin - did you add a claim to your identity token that includes the roles? These instructions in this tutorial show you how to do that:
Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*
Jose Mato
Great post!!! Does it support the password authentication flow? I built a JHipster app and it works perfectly with the login delegated to Keycloak, but imagine I want to expose my API to third-party apps; is it possible to call the API in any way?
Matt Raible
OAuth does have a "password" grant type, but it's not recommended. Using a client credentials flow is usually recommended when you want to do server-to-server communication. See Secure Server-to-Server Communication with Spring Boot and OAuth 2.0 for more information.
Dave Cherkassky
With JHipster - Okta, how does my user get from my application to Okta's User Settings page (e.g. https://advantagegroup.okta…
Matt Raible
I'm not sure what your question is. Are you asking how to get custom user attributes from Okta when using JHipster?
Chris Owen
Got a little stuck with the OKTA setup. I seem to be authenticating fine as far as the OKTA logs are concerned (groups are set up), but I don't seem to be pulling through any information (Not granted any authorities) from the token, and the app throws a null pointer when accessing user info.
[org.springframework.security.oauth2.provider.OAuth2Authentication@64da2bd2: Principal: ********; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, sessionId=<session>, tokenType=BearertokenValue=<token>; Not granted any authorities]
Matt Raible
Hello Chris. It sounds like you might've missed the step to add the groups claim to your authorization server. Please see JHipster's Okta documentation for how to do this. I've copied the steps below for your convenience.
Create a ROLE_ADMIN and ROLE_USER group (Users > Groups > Add Group) and add users to them. You can use the account you signed up with, or create a new user (Users > Add Person). Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*
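The two answers above (to Justin and to Chris) both come down to the same mechanism: the application reads a "groups" or "roles" claim out of the ID token and turns its values into Spring Security authorities, so a token without that claim yields "Not granted any authorities". The following is an added illustration of that mapping, written for this thread and not taken from JHipster or Spring Security; the claim names "groups" and "roles", the fallback order, and the rule that only ROLE_-prefixed values are honoured are assumptions for the example, not a description of JHipster's actual code. It uses only java.util so it runs without a Spring dependency.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Maps the "groups" (or "roles") claim of a decoded OIDC ID token to
 * Spring-Security-style authority names such as ROLE_ADMIN.
 * Illustrative code for this comment thread; not JHipster's own mapping.
 */
public class ClaimAuthorityMapper {

    private static final String ROLE_PREFIX = "ROLE_";

    /** Returns the authority names found in the token claims (possibly empty). */
    public static List<String> extractAuthorities(Map<String, Object> claims) {
        // Assumed lookup order: "groups" first, then "roles" (both are names
        // the Okta claim can be given in the steps quoted above).
        Object raw = claims.get("groups");
        if (raw == null) {
            raw = claims.get("roles");
        }
        if (!(raw instanceof Collection)) {
            // Claim absent (or not a list): the user ends up with no
            // authorities, which is what "Not granted any authorities" means.
            return Collections.emptyList();
        }
        List<String> authorities = new ArrayList<>();
        for (Object entry : (Collection<?>) raw) {
            String name = String.valueOf(entry);
            // Assumption for this example: only values already carrying the
            // ROLE_ prefix become authorities, so a default Okta group such as
            // "Everyone" is ignored rather than granted.
            if (name.startsWith(ROLE_PREFIX)) {
                authorities.add(name);
            }
        }
        return authorities;
    }

    public static void main(String[] args) {
        // Constructed sample claims standing in for a decoded ID token payload.
        Map<String, Object> withGroups = new LinkedHashMap<>();
        withGroups.put("sub", "example-subject");
        withGroups.put("groups", Arrays.asList("Everyone", "ROLE_USER", "ROLE_ADMIN"));
        System.out.println("with groups claim:    " + extractAuthorities(withGroups));

        // Same token without the claim: this is the situation in Chris's log line.
        Map<String, Object> withoutClaim = new LinkedHashMap<>();
        withoutClaim.put("sub", "example-subject");
        System.out.println("without groups claim: " + extractAuthorities(withoutClaim));
    }
}
```

Running the main method shows the first map producing the two ROLE_ authorities and the second producing an empty list; if your own application prints the empty case, check the claim configuration on the authorization server before looking at the application code.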
Drikus Britz
How difficult would it be to migrate an existing JHipster generated monolith from using JWT to using Okta as the security provider? Can you perhaps help with the correct (or preferred) steps and sequence to do this?
Matt Raible
Hello Drikus: you can find the steps how to migrate from JHipster JWT to OAuth 2.0 here.
Mathieu Chauvet
Thanks for this Post.
You might want to remove the SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI from this post that is not necessary and breaks the login when used with Docker apparently.
Matt Raible
Hello Mathieu - this post was originally created with 4.10.0. You are correct that this property was removed in JHipster 5.x. I'll add a note to the post.
Steve Macleod
I believe I've followed these steps correctly, but am getting an Okta error on logout: illegal_post_logout_redirect_uri.
Description: The "post_logout_redirect_uri" parameter must be an absolute URI that is whitelisted in the client app settings.
Any ideas what could be behind this?
Steve Macleod
All good, resolved it. Just added http://localhost:8080 as a Logout redirect URI.
Park Breaking
I have an existing Gateway Application with a UAA Server. Can I implement Okta OIDC 3rd Party Login features into the current app, or should I replace the whole thing? I've been looking for some time but to no avail.