
Comments (5)

bdemers commented on May 27, 2024

Hey @MarcelTon!

Okta has two different types of issuers: one for the Okta Dashboard/Admin console, typically formatted as https://company.okta.com, and one for API Access Management (any of your applications), typically seen as https://company.okta.com/oauth2/default

Our Spring integration performs local validation of the access token by default, and this can ONLY be done for the API Access Management issuer (so this is likely why one worked and the other didn't).

You can work around this by validating the access token remotely by setting the property okta.oauth2.localTokenValidation=true (or equivalent yaml).
That said, Spring Security 5 does NOT yet support remote token validation, so this is a bit of a dead end for the short term (and because of this, this property will NOT work with our next major release).

The easiest path forward is to use the /oauth2/default style issuer.

Which leads us to the 401. I'm not following this part completely: you mentioned it worked well, but in some cases you get a 401? Can you clarify this part?

from okta-spring-boot-2-angular-7-example.
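The distinction between the two issuer forms described in the comment above can be checked before the server is started. The following is an added example, not part of the thread or of Okta's code: the function names are hypothetical, the sample discovery document is constructed, and treating any `/oauth2/<id>` path like the `/oauth2/default` form is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample of a discovery document, trimmed to the fields checked below.
SAMPLE_METADATA = {
    "issuer": "https://company.okta.com/oauth2/default",
    "jwks_uri": "https://company.okta.com/oauth2/default/v1/keys",
}


def describe_issuer(issuer):
    """Classify an issuer URL and derive the discovery URL for it."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be a plain https URL: %r" % issuer)
    base = "https://" + parts.netloc
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        kind, normalized = "org", base
    elif len(segments) == 2 and segments[0] == "oauth2":
        kind, normalized = "authorization-server", base + "/oauth2/" + segments[1]
    else:
        raise ValueError("unrecognized issuer path: %r" % parts.path)
    return {
        "kind": kind,
        "host": parts.netloc,
        "discovery": normalized + "/.well-known/openid-configuration",
        # Per the comment above: local validation only works for this kind.
        "local_validation": kind == "authorization-server",
    }


def check_metadata(configured_issuer, metadata):
    """Return the problems found when comparing config with the discovery document."""
    info = describe_issuer(configured_issuer)
    problems = []
    if metadata.get("issuer") != configured_issuer:  # exact string match, no normalization
        problems.append("issuer mismatch: %r vs %r" % (configured_issuer, metadata.get("issuer")))
    if urlsplit(metadata.get("jwks_uri", "")).netloc != info["host"]:
        problems.append("jwks_uri is not served from the issuer host")
    if not info["local_validation"]:
        problems.append("org issuer configured: access tokens cannot be validated locally")
    return problems


if __name__ == "__main__":
    for candidate in ("https://company.okta.com", "https://company.okta.com/oauth2/default"):
        print(candidate, describe_issuer(candidate)["kind"], check_metadata(candidate, SAMPLE_METADATA))
```

A trailing slash on the configured issuer is reported as a mismatch because the comparison with the discovery document's `issuer` value is an exact string match.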

MarcelTon commented on May 27, 2024

Hi @bdemers, thank you for your quick response. I have removed the part of my colleague being able to run the server, miscommunication. He can get a flow working with just the client, but obviously doesn't get any cool car list!

My title was unclear, I will try to clarify on the 401 (1 and 2) and would like to ask a follow-up question regarding the API Access Management issuer (3).

  1. When using the config issuer: https://company.okta.com for the server I receive the InvocationTargetException with the "String index out of range".
  2. When using the config issuer: https://company.okta.com/oauth2/default for the server I receive the IllegalStateException with the "JwkTokenStoreConfiguration: 401 Unauthorized".

This is reproducible behaviour simply done by a fresh checkout (and verified by my colleagues so I was sure I wasn't losing it), changing the two config parameters and running ./mvnw spring-boot:run from the server dir. The problem might very well lie with the 401, I just don't really know where to proceed in Okta to solve this access problem!

  3. What do you mean by the API Access Management "issuer"? The server run doesn't know anything of the user that started the run does it?

I will play around with the LocalTokenValidation and see if it offers more insight, thank you again!

EDIT: I removed the "it works for my colleague"-stuff, we all cannot run the server app and have the same errors for Java 8 and Java 11.


bdemers commented on May 27, 2024

@MarcelTon

What comes back from a request to https://company.okta.com/oauth2/default/.well-known/openid-configuration (from your browser)?


Swicchi commented on May 27, 2024
  1. When using the config issuer: https://company.okta.com for the server I receive the InvocationTargetException with the "String index out of range".

I think that you should set the org-url: okta.client.org-url=https://company.okta.com


Swicchi commented on May 27, 2024

For a https://company.okta.com server without an Authorization server, you must validate the idToken. You need to set

security.oauth2.resource.jwk.key-set-uri=https://company.okta.com/oauth2/v1/keys
security.oauth2.client.client-id={$client.id}

in your application.properties and remove the okta oauth2.
And you need to add:

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("${aud}");
}

in the ResourceServerConfigurerAdapter class.

