Spring Security OIDC OAuth2 Okta login invalid user response


I am following this example to secure an application without Spring Boot: Spring MVC + Spring Security with Okta login without Spring Boot.

When I log in to http://localhost:8080/myappContext/ it takes me to the Okta login screen. I enter either one of the users in the assignment list and click "Sign In"; it signs in, then shows the following error.


Any help is appreciated.

Following is my Okta application configuration.

I have an Okta developer account; the application is set up as a web application with OIDC:

  1. Client authentication is "client secret".
  2. Grant types are "Client credentials", "Authorization code", "Implicit (hybrid)" -> allow ID token with implicit grant type, allow access token with implicit grant type.
  3. Sign-in redirect URI is "http://localhost:8080/myappContext/login/oauth2/code/okta".
  4. Sign-out redirect URI is "http://localhost:8080/myappContext".
  5. Login initiated by "App only".
  6. Federation Broker Mode is disabled.
  7. Okta API scopes granted: none.
  8. User assignments: user1 and user2 (2 users).
  9. Groups: Everyone.

Following are my code details.

Spring Security 5 with OIDC login for Okta.
spring-framework version 5.3.x
spring-security version 5.6.x

SecurityWebApplicationInitializer.java

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers the springSecurityFilterChain with the servlet container
// (there is no Spring Boot auto-configuration to do it).
public class SecurityWebApplicationInitializer
    extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        super(SecurityConfiguration.class);
    }
}

application.properties

okta.client-id={clientId}
okta.client-secret={clientSecret}
okta.issuer-uri=https://{yourOktaDomain}/oauth2/default

SecurityConfiguration.java

import java.util.Objects;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;

@Configuration
@EnableWebSecurity
@PropertySource("classpath:application.properties")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final String clientSecret;
    private final String clientId;
    private final String issuerUri;

    @Autowired
    public SecurityConfiguration(@Value("${okta.issuer-uri}") String issuerUri,
            @Value("${okta.client-id}") String clientId,
            @Value("${okta.client-secret}") String clientSecret) {
        this.issuerUri = issuerUri;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }

    // Calling clientRegistrationRepository() here returns the same singleton bean,
    // because @Configuration bean methods are proxied.
    @Bean
    public OAuth2AuthorizedClientService authorizedClientService() {
        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository());
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration okta = getRegistration();
        return new InMemoryClientRegistrationRepository(okta);
    }

    // Fetches {issuer}/.well-known/openid-configuration at startup and derives the
    // authorization, token, userinfo and JWKS endpoints from it.
    public ClientRegistration getRegistration() {
        return ClientRegistrations.fromOidcIssuerLocation(Objects.requireNonNull(issuerUri))
            .registrationId("okta")
            .clientId(clientId)
            .clientSecret(clientSecret)
            .build();
    }
}

My controller

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class SecureController {

    // Reached only after oauth2Login() has authenticated the session.
    @RequestMapping("/")
    public String authenticated(Principal user) {
        return "home";
    }

    // Spring Security's OAuth2LoginAuthenticationFilter consumes
    // /login/oauth2/code/* ahead of the DispatcherServlet, so this
    // handler is not invoked for the Okta callback.
    @RequestMapping("/login/oauth2/code/okta")
    public String callback(Principal user) {
        return "authenticated";
    }
}

There are 0 best solutions below
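As an added example that is not part of the question or of the tutorial it follows: the same Okta registration built without issuer discovery, so the endpoints, scopes and user-name attribute are explicit and the application does not need to reach Okta at startup; RP-initiated logout wired to the sign-out redirect URI listed in the Okta app settings; and a controller that reads the resulting OidcUser. It assumes the same three properties as the question, Spring Security 5.6 (the SecurityFilterChain bean style available since 5.4), an issuer of the form https://{yourOktaDomain}/oauth2/default whose endpoints follow the standard Okta authorization-server paths, a view named "home", and that the controller is picked up by the MVC component scan like the question's SecureController. The class names ExplicitOktaSecurityConfiguration and HomeController are hypothetical.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

// Added example (hypothetical class name), not code from the question.
@Configuration
@EnableWebSecurity
@PropertySource("classpath:application.properties")
public class ExplicitOktaSecurityConfiguration {

    // Same three properties as in the question (assumed to be present).
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(
            @Value("${okta.issuer-uri}") String issuer,
            @Value("${okta.client-id}") String clientId,
            @Value("${okta.client-secret}") String clientSecret) {
        ClientRegistration okta = ClientRegistration.withRegistrationId("okta")
                .clientId(clientId)
                .clientSecret(clientSecret)
                // "Client authentication: client secret" in the Okta app ->
                // HTTP Basic credentials at the token endpoint.
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Expands to http://localhost:8080/myappContext/login/oauth2/code/okta,
                // which must equal the sign-in redirect URI registered in Okta.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                // openid is required for an ID token; profile/email fill the userinfo claims.
                .scope("openid", "profile", "email")
                // Standard endpoint paths of an Okta authorization server (assumed).
                .authorizationUri(issuer + "/v1/authorize")
                .tokenUri(issuer + "/v1/token")
                .userInfoUri(issuer + "/v1/userinfo")
                .jwkSetUri(issuer + "/v1/keys")
                .issuerUri(issuer)
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .clientName("Okta")
                .build();
        return new InMemoryClientRegistrationRepository(okta);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
            ClientRegistrationRepository registrations) throws Exception {
        // RP-initiated logout: ends the Okta session as well (sends id_token_hint),
        // then returns to {baseUrl} = http://localhost:8080/myappContext, the
        // sign-out redirect URI from the Okta app settings.
        OidcClientInitiatedLogoutSuccessHandler logoutHandler =
                new OidcClientInitiatedLogoutSuccessHandler(registrations);
        logoutHandler.setPostLogoutRedirectUri("{baseUrl}");

        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .and()
            .logout()
                .logoutSuccessHandler(logoutHandler);
        return http.build();
    }
}

// Reads the OIDC identity that oauth2Login() placed in the SecurityContext
// (hypothetical controller, added for the example).
@Controller
class HomeController {

    @GetMapping("/")
    public String home(@AuthenticationPrincipal OidcUser user, Model model) {
        model.addAttribute("subject", user.getSubject());
        model.addAttribute("name", user.getFullName());
        model.addAttribute("email", user.getEmail());
        model.addAttribute("idTokenIssuer", user.getIdToken().getIssuer());
        return "home"; // view name assumed, as in the question
    }
}
```

Building the registration explicitly removes the startup dependency on the discovery document and makes the requested scopes and the userinfo endpoint visible in code, which is the first thing to compare against the Okta app settings when the login succeeds at Okta but fails back in the application.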