Comments (5)
Hey @MarcelTon!
Okta has two different types of issuers: one for the Okta Dashboard/Admin console, typically formatted as https://company.okta.com; the other is for API Access Management (any of your applications) and is typically seen as https://company.okta.com/oauth2/default
Our Spring integration performs local validation of the access token by default, and this can ONLY be done for the API Access Management issuer (so this is likely why one worked and the other didn't)
You can work around this by validating the access token remotely by setting the property okta.oauth2.localTokenValidation=true (or equivalent yaml).
That said, Spring Security 5 does NOT yet support remote token validation. So this is a bit of a dead end for the short term (and because of this, this property will NOT work with our next major release).
The easiest path forward is to use the /oauth2/default style issuer.
Which leads us to the 401: I'm not following this part completely, you mentioned it worked well, but in some cases you get a 401? Can you clarify this part?
from okta-spring-boot-2-angular-7-example.
Hi @bdemers, thank you for your quick response. I have removed the part about my colleague being able to run the server; that was a miscommunication. He can get a flow working with just the client, but obviously doesn't get any cool car list!
My title was unclear, I will try to clarify on the 401 (1 and 2) and would like to ask a follow-up question regarding the API Access Management issuer (3).
- When using the config issuer: https://company.okta.com for the server I receive the InvocationTargetException with the "String index out of range".
- When using the config issuer: https://company.okta.com/oauth2/default for the server I receive the IllegalStateException with the "JwkTokenStoreConfiguration: 401 Unauthorized".
This is reproducible behaviour simply done by a fresh checkout (and verified by my colleagues so I was sure I wasn't losing it), changing the two config parameters and running ./mvnw spring-boot:run from the server dir. The problem might very well lie with the 401, I just don't really know where to proceed in Okta to solve this access problem!
- What do you mean by the API Access Management "issuer"? The server run doesn't know anything of the user that started the run, does it?
I will play around with the LocalTokenValidation and see if it offers more insight, thank you again!
EDIT: I removed the "it works for my colleague" stuff; we all cannot run the server app and have the same errors for java8 and java11.
What comes back from a request to https://company.okta.com/oauth2/default/.well-known/openid-configuration (from your browser)?
- When using the config issuer: https://company.okta.com for the server I receive the InvocationTargetException with the "String index out of range".
I think that you should set the org-url: okta.client.org-url= https://company.okta.com
For a https://company.okta.com server without an Authorization Server, you must validate the idToken: you need to set security.oauth2.resource.jwk.key-set-uri=https://company.okta.com/oauth2/v1/keys security.oauth2.client.client-id={$client.id} in your application.properties and remove the okta oauth2.
And you need to add:
```java
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    // Resource id the token's "aud" claim must contain; "${aud}" is a placeholder
    // for the audience configured on the Okta side
    resources.resourceId("${aud}");
}
```
in the ResourceServerConfigurerAdapter class.