Using Okta Widget with Spring Security 5

For my Spring Boot app, after a user authenticates against Okta through the Okta widget, I’d like to automatically log the user into my app. I can use the OAuth2 Code Flow ( to redirect the user to the Okta-hosted login page and log them into my application, which works perfectly.

However, as I’d like to customize the look of the login form, using the widget is highly preferred. The sample projects I’ve come across retrieve the access token from the Okta widget to hit an API endpoint with a bearer token.

I may be missing something pretty basic here, since I’m only just getting into the weeds of Okta and Spring Security. Digging through Spring’s source code, it looks like after successfully authenticating and obtaining a session cookie through the Okta widget, Spring Security’s OAuth2LoginAuthenticationFilter (which is invoked when the widget redirects me) discards the http request due to an invalid/unrecognized state parameter (since the request did not originate from within the server), and thus the applicaton isn’t able to authenticate the user.

Will I need to create and register a custom AuthenticationFilter? I was hoping someone else would have come across this scenario.

Appreciate any help. Thank you!

You can customize the Okta-hosted widget, but it requires you set up a custom domain.

Please let me know if this works. I plan to try customizing the hosted widget myself tomorrow.