okta / okta-spring-boot Goto Github PK

View Code? Open in Web Editor NEW

313.0 101.0 133.0 4.02 MB

Okta Spring Boot Starter

Java 52.97% Groovy 43.65% Shell 3.38%

okta-spring-boot's Introduction

Okta Spring Boot Starter

Okta's Spring Boot Starter will enable your Spring Boot application to work with Okta via OAuth 2.0/OIDC.

Release status

This library uses semantic versioning and follows Okta's library version policy.

✔️ The current stable major version series is: 3.x

Version	Status
0.x.x, 1.x.x	⚠️ Retired
2.x.x	✔️ Stable
3.x.x	✔️ Stable

Note: 3.x.x versions of the SDK would need JDK 17 or above.

Spring Boot Version Compatibility

Okta Spring Boot SDK Versions	Compatible Spring Boot Versions
1.2.x	2.1.x
1.4.x	2.2.x
1.5.x	2.4.x
2.0.x	2.4.x
2.1.x	2.7.x
3.x.x	3.0.x

The latest release can always be found on the releases page.

What you need

An Okta account (sign up for a forever-free developer account)
An OIDC application (typically a 'Web' application)
An access token

Quickstart

Create a Spring Boot application with Spring initializr:

curl https://start.spring.io/starter.tgz -d dependencies=web,okta -d baseDir=<<yourProjectName>> | tar -xzvf -
cd <<yourProjectName>>

Configure it with Okta CLI:
```
okta apps create
```
Run it:
```
./mvnw spring-boot:run
```

Include the dependency

For Apache Maven:

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>${okta.springboot.version}</version>
</dependency>

For Gradle:

implementation 'com.okta.spring:okta-spring-boot-starter:${okta.springboot.version}'

where ${okta.springboot.version} is the latest published version in Maven Central.

Building API Applications - Resource Server

Are you building backend endpoints in order to support a client side application? If so follow along, otherwise skip to the next section.

Configure your properties

You can configure your applications properties with environment variables, system properties, or configuration files. Take a look at the Spring Boot documentation for more details.

Only these three properties are required for a web app:

Property	Default	Required	Details
okta.oauth2.issuer	N/A	✅	Authorization Server issuer URL, i.e.: https://{yourOktaDomain}/oauth2/default
okta.oauth2.clientId	N/A	`*`	The Client Id of your Okta OIDC application
okta.oauth2.clientSecret	N/A	`*`	The Client Secret of your Okta OIDC application
okta.oauth2.audience	`api://default`		The audience of your Authorization Server
okta.oauth2.groupsClaim	`groups`		The claim key in the Access Token's JWT that corresponds to an array of the users groups.

* Required when using opaque access tokens.

Create a Controller

The above client makes a request to /hello-oauth, you simply need to create a Spring Boot application and Controller to handle the response:

@SpringBootApplication
@RestController
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

	@GetMapping("/hello-oauth")
	public String hello(Principal principal) {
	    return "Hello, " + principal.getName();
	}
}

That's it!

To test things out you can use curl:

$ curl http://localhost:8080/hello-oauth \
   --header "Authorization: Bearer ${accessToken}"

The result should look something like:

Hello, [email protected]

Okta's Spring Security integration will parse the JWT access token from the HTTP request's Authorization: Bearer header value.

Check out a minimal example that uses the Okta Signin Widget and JQuery or this blog post.

Spring MVC

Setup your MVC project by following Quickstart section above.
Configure the URL mappings for handling GET and POST requests.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

	@GetMapping("/")
	public String index(@AuthenticationPrincipal Jwt jwt) {
		return String.format("Hello, %s!", jwt.getSubject());
	}

	@GetMapping("/message")
	@PreAuthorize("hasAuthority('SCOPE_message:read')")
	public String message() {
		return "secret message";
	}

	@PostMapping("/message")
	@PreAuthorize("hasAuthority('SCOPE_message:write')")
	public String createMessage(@RequestBody String message) {
		return String.format("Message was created. Content: %s", message);
	}
}

NOTE: message:read and message:write used above in @PreAuthorize are OAuth scopes. If you are looking to add custom scopes, refer to the documentation.

Configure your Resource Server either for JWT or Opaque Token validation by creating a SecurityFilterChain bean. If neither JWT nor Opaque Token is specified in configuration, JWT validation will be used by default.

import com.okta.spring.boot.oauth.Okta;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfiguration {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        http.authorizeRequests()
            // allow anonymous access to the root page
            .antMatchers("/").permitAll()
            // all other requests
            .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt(); // replace .jwt() with .opaqueToken() for Opaque Token case

        // Send a 401 message to the browser (w/o this, you'll see a blank page)
        Okta.configureResourceServer401ResponseBody(http);
        return http.build();
    }
}

Refer Spring Security documentation here for more details on resource server configuration.

Spring WebFlux

To configure a resource server when using Spring WebFlux, you need to use a couple annotations, and define a SecurityWebFilterChain bean.

import com.okta.spring.boot.oauth.Okta;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity 
@EnableReactiveMethodSecurity 
public class SecurityConfiguration {

    @Bean 
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt();
                
        // Send a 401 message to the browser (w/o this, you'll see a blank page)
        Okta.configureResourceServer401ResponseBody(http);
                
        return http.build();
    }
}

If you want to support SSO and a resource server in the same application, you can do that too!

@EnableWebFluxSecurity 
@EnableReactiveMethodSecurity 
public class SecurityConfiguration {

    @Bean 
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .oauth2Login()
                .and()
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}

Full Stack Reactive with Spring WebFlux, WebSockets, and React uses both SSO and a resource server. Its current code uses Spring Security's OIDC support. Changing it to use the Okta Spring Starter reduces the lines of code quite a bit.

Supporting server side applications - OAuth Code flow

Building a server side application and just need to redirect to a login page? This OAuth 2.0 code flow is for you.

Create a Web App on Okta

To create a new OIDC app for Spring Boot on Okta:

Log in to your developer account, navigate to Applications, and click on Add Application.
Select Web and click Next.
Give the application a name and add http://localhost:8080/login/oauth2/code/okta as a login redirect URI.
Click Done.

Configure your properties

You can configure your applications properties with environment variables, system properties, or configuration files. Take a look at the Spring Boot documentation for more details.

Property	Required	Details
okta.oauth2.issuer	true	Authorization Server issuer URL, i.e.: https://{yourOktaDomain}/oauth2/default
okta.oauth2.clientId	true	The Client Id of your Okta OIDC application
okta.oauth2.clientSecret	true	The Client Secret of your Okta OIDC application
okta.oauth2.postLogoutRedirectUri	false	Set to a relative or absolute URI to enable RP-Initiated (SSO) logout.

NOTE: On setting postLogoutRedirectUri, you will be redirected to it after the end of your session. Therefore, this resource must be available anonymously, so be sure to add it to your HttpSecurity configuration.

See a postLogoutRedirectUri example:

okta:
  oauth2:
    postLogoutRedirectUri: "http://localhost:8080/logout/callback"

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // allow anonymous access to the root and logout pages
            .antMatchers("/", "/logout/callback").permitAll()
            // all other requests
            .anyRequest().authenticated();
        return http.build();
    }
}

Create a simple application

Create a minimal Spring Boot application:

@RestController
@SpringBootApplication
public class ExampleApplication {

    public static void main(String[] args) {
        SpringApplication.run(ExampleApplication.class, args);
    }

    @GetMapping("/")
    public String getMessageOfTheDay(@AuthenticationPrincipal OidcUser user) {
        return user.getName() + ", this message of the day is boring";
    }
}

If you want to allow anonymous access to specific routes you can add a SecurityFilterChain bean:

@Configuration
static class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/my-anon-page").permitAll()
                .anyRequest().authenticated()
            .and().oauth2Client()
            .and().oauth2Login();
        return http.build();
    }
}

If you want to add custom claims to JWT tokens in your custom Authorization Server, see Add Custom claim to a token for more info.

You could then extract the attributes from the token by doing something like below:

@RestController
public class ExampleController {

    @GetMapping("/email")
    public String getUserEmail(AbstractOAuth2TokenAuthenticationToken authentication) {
        // AbstractOAuth2TokenAuthenticationToken works for both JWT and opaque access tokens
        return (String) authentication.getTokenAttributes().get("sub");
    }
}

Share Sessions Across Web Servers

The Authorization Code Flow (the typical OAuth redirect) uses sessions. If you have multiple instances of your application, you must configure a Spring Session implementation such as Redis, Hazelcast, JDBC, etc.

That's it!

Open up http://localhost:8080 in your favorite browser.

You'll be redirected automatically to an Okta login page. Once you successfully login, you will be redirected back to your app and you'll see the message of the day!

This module integrates with Spring Security's OAuth support, all you need is the mark your application with the standard @EnableOAuth2Client annotation.

Use with Spring Native

You can use this starter with Spring Native. However, you will need to enable HTTPS in your main Spring Boot application class. For example:

package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.nativex.hint.NativeHint;

@NativeHint(options = "--enable-https")
@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

You can also configure this setting in your pom.xml or build.gradle. See Spring Native's documentation for more information.

Proxy

If you're running your application (with this okta-spring-boot dependency) from behind a network proxy, you could setup properties for it in application.yml:

okta:
  oauth2:
    proxy:
      host: "proxy.example.com"
      port: 7000
      username: "your-username"             # optional
      password: "your-secret-password"      # optional

or, add JVM args to your application like:

-Dokta.oauth2.proxy.host=proxy.example.com
-Dokta.oauth2.proxy.port=port
-Dokta.oauth2.proxy.username=your-username
-Dokta.oauth2.proxy.password=your-secret-password

or, you could set it programmatically like:

System.setProperty("okta.oauth2.proxy.host", "proxy.example.com");
System.setProperty("okta.oauth2.proxy.port", "7000");
System.setProperty("okta.oauth2.proxy.username", "your-username");
System.setProperty("okta.oauth2.proxy.password", "your-secret-password");

See here for the complete list of properties.

Note: Spring WebFlux (and WebClient) does not support these properties. (See spring-projects/spring-security#8882).

If you are running your Spring Boot App behind a reverse proxy, be sure to read this guide.

Inject the Okta Java SDK

To integrate the Okta Java SDK into your Spring Boot application you just need to add a dependency:

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-sdk</artifactId>
</dependency>

Then define the okta.client.token property. See creating an API token for more info.

All that is left is to inject the client (com.okta.sdk.client.Client)! Take a look at this post for more info on the best way to inject your beans.

Extra Credit

Want to build this project?

Just clone it and run:

$ git clone https://github.com/okta/okta-spring-boot.git
$ cd okta-spring-boot
$ mvn install

okta-spring-boot's People

Contributors

Stargazers

Watchers

Forkers

pksingh99 karthikkornalies yadab4u pramodmudgal rbiga ssoumyakulkarni esker ecustyuanzhen dmulcahey emmanuj yaoqi iaccelerators vln986 lamnguyen297 lfarmer asgar25 gitmeout1 massimiliano76 cpinkerton hoai wilfredman entrix ehaberman pks-os houdejun214 zveselinov iihero mraible wsalazar1989 awgroeneveld ameya-pandilwar m-assila alvindu13 rathodsantosh d8tamgitadmin edgordo shellfish1 ravisah05 espencer127 baocang aavi cybernetics bervoiv kmfslasher amran-bd romankagan lnvieira pongnice dogeared cah-sai-madaupu ma-sattari redsnower toretest helgp shanmukha2 vntkhatri karthikkalkur bonomali julang2 jackljohnson ayuob nztimkeegan dhruvesh-patel keeplearningandtrying ajayk426 nickynarak changwng venkat22 isabella232 felixsxhung jovankricka-everon jp-g thandra2809 vordimous teimtem ksbrwsk efficiencygeek azurecloudmonk briansutelus gfwesllei cluesblues chavishaarora bwcsemaj rfigueroa bluewu129 antoniocaroumindcurv lawrencedcodes lmonad tanbinh123 chengyubeatchain nathanawmk arief-hidayat lanaflon thomfal vaziuddin michaelotte-lhsystems gpoint antonyggvzvmnxxcx mwxf alexdavidov

okta-spring-boot's Issues

baseUrl argument cannot be null with Spring Boot 2.0

I upgraded okta-ionic-crypto-java-sdk-example to use Spring Boot 2.0.2 and 0.5.0 of this starter and okta-spring-sdk. After making this change, I get the following error on startup:

Caused by: java.lang.IllegalArgumentException: baseUrl argument cannot be null.
	at com.okta.sdk.impl.client.DefaultClientBuilder.setOrgUrl(DefaultClientBuilder.java:311) ~[okta-sdk-impl-1.1.0.jar:1.1.0]
	at com.okta.spring.sdk.OktaSdkConfig.oktaSdkClient(OktaSdkConfig.java:69) ~[okta-spring-sdk-0.5.0.jar:0.5.0]
	at com.okta.spring.sdk.OktaSdkConfig$$EnhancerBySpringCGLIB$$76e49314.CGLIB$oktaSdkClient$0(<generated>) ~[okta-spring-sdk-0.5.0.jar:0.5.0]
	at com.okta.spring.sdk.OktaSdkConfig$$EnhancerBySpringCGLIB$$76e49314$$FastClassBySpringCGLIB$$b5be408e.invoke(<generated>) ~[okta-spring-sdk-0.5.0.jar:0.5.0]
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) ~[spring-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:361) ~[spring-context-5.0.6.RELEASE.jar:5.0.6.RELEASE]
	at com.okta.spring.sdk.OktaSdkConfig$$EnhancerBySpringCGLIB$$76e49314.oktaSdkClient(<generated>) ~[okta-spring-sdk-0.5.0.jar:0.5.0]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_121]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_121]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_121]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_121]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.0.6.RELEASE.jar:5.0.6.RELEASE]
	... 33 common frames omitted

Adding the following property fixes this problem.

okta.client.org-url=https://dev-158606.oktapreview.com

Starter v0.3.0 doesn't work with Spring Boot + DevTools

2018-02-23 11:42:56.218  WARN 10813 --- [  restartedMain] ationConfigEmbeddedWebApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration': Unsatisfied dependency expressed through field 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
2018-02-23 11:42:56.219  INFO 10813 --- [  restartedMain] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2018-02-23 11:42:56.220  INFO 10813 --- [  restartedMain] org.hibernate.tool.hbm2ddl.SchemaExport  : HHH000227: Running hbm2ddl schema export
2018-02-23 11:42:56.236  INFO 10813 --- [  restartedMain] org.hibernate.tool.hbm2ddl.SchemaExport  : HHH000230: Schema export complete
2018-02-23 11:42:56.242  INFO 10813 --- [  restartedMain] o.apache.catalina.core.StandardService   : Stopping service [Tomcat]
2018-02-23 11:42:56.276  INFO 10813 --- [  restartedMain] utoConfigurationReportLoggingInitializer :

Error starting ApplicationContext. To display the auto-configuration report re-run your application with 'debug' enabled.
2018-02-23 11:42:56.291 ERROR 10813 --- [  restartedMain] o.s.boot.SpringApplication               : Application startup failed

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration': Unsatisfied dependency expressed through field 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:588) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1264) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761) ~[spring-beans-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.5.10.RELEASE.jar:1.5.10.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.10.RELEASE.jar:1.5.10.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.10.RELEASE.jar:1.5.10.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.10.RELEASE.jar:1.5.10.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.10.RELEASE.jar:1.5.10.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.10.RELEASE.jar:1.5.10.RELEASE]
	at com.example.demo.DemoApplication.main(DemoApplication.java:12) [classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_144]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_144]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_144]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_144]
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-1.5.10.RELEASE.jar:1.5.10.RELEASE]

Commenting out spring-boot-devtools in pom.xml fixes this issue.

Can't run example

I get this error when I try to use this:

java.lang.IllegalStateException: Error processing condition on com.okta.spring.oauth.OktaTokenServicesConfig$LocalTokenValidationConfig.jwtClaimsSetVerifier
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:64) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.context.annotation.ConditionEvaluator.shouldSkip(ConditionEvaluator.java:102) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForBeanMethod(ConfigurationClassBeanDefinitionReader.java:178) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:140) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:116) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:320) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:228) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:272) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:92) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:687) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:525) ~[spring-context-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at hello.Application.main(Application.java:16) [classes!/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[na:na]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [my-project-0.1.0.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [my-project-0.1.0.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:50) [my-project-0.1.0.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:51) [my-project-0.1.0.jar:na]
Caused by: java.lang.IllegalStateException: @ConditionalOnMissingBean did not specify a bean using type, name or annotation and the attempt to deduce the bean's type failed
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.validate(OnBeanCondition.java:309) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.<init>(OnBeanCondition.java:299) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchOutcome(OnBeanCondition.java:108) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        ... 25 common frames omitted
Caused by: org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanTypeDeductionException: Failed to deduce bean type for com.okta.spring.oauth.OktaTokenServicesConfig$LocalTokenValidationConfig.jwtClaimsSetVerifier
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.addDeducedBeanTypeForBeanMethod(OnBeanCondition.java:362) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.addDeducedBeanType(OnBeanCondition.java:346) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.<init>(OnBeanCondition.java:293) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        ... 27 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier
        at java.base/java.net.URLClassLoader.findClass(Unknown Source) ~[na:na]
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source) ~[na:na]
        at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:94) ~[my-project-0.1.0.jar:na]
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source) ~[na:na]
        at org.springframework.util.ClassUtils.forName(ClassUtils.java:250) ~[spring-core-4.3.14.RELEASE.jar!/:4.3.14.RELEASE]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.addDeducedBeanTypeForBeanMethod(OnBeanCondition.java:356) ~[spring-boot-autoconfigure-1.5.10.RELEASE.jar!/:1.5.10.RELEASE]
        ... 29 common frames omitted

2018-02-24 21:33:43.398  INFO 20020 --- [           main] ationConfigEmbeddedWebApplicationContext : Closing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@6b2ea799: startup date [Sat Feb 24 21:33:41 EST 2018]; root of c
ontext hierarchy
Exception in thread "main" java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:51)
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier
        at java.base/java.lang.Class.getDeclaredMethods0(Native Method)
        at java.base/java.lang.Class.privateGetDeclaredMethods(Unknown Source)
        at java.base/java.lang.Class.getDeclaredMethods(Unknown Source)
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:613)
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:524)
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:510)
        at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:570)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:697)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:640)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:609)
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1484)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:425)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:395)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:515)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:508)
        at org.springframework.context.support.AbstractApplicationContext.getBeansOfType(AbstractApplicationContext.java:1188)
        at org.springframework.boot.SpringApplication.getExitCodeFromMappedException(SpringApplication.java:818)
        at org.springframework.boot.SpringApplication.getExitCodeFromException(SpringApplication.java:804)
        at org.springframework.boot.SpringApplication.handleExitCode(SpringApplication.java:790)
        at org.springframework.boot.SpringApplication.handleRunFailure(SpringApplication.java:744)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107)
        at hello.Application.main(Application.java:16)
        ... 8 more
Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier
        at java.base/java.net.URLClassLoader.findClass(Unknown Source)
        at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
        at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:94)

Okta Base/Org URL is NOT resolved from issuer property when using the Okta Org Issuer

When using the Okta Org issuer https://dev-123456.oktapreview.com/ the base url (used when the SDK is available) is not resolved.

This is because the current logic just strips /oauth2/* from the issuer and uses that.
We may want to set the base URL to the issuer, if issuer URL does not contain /oauth2/*.

Update to Spring Boot 2.1

and Spring Security 5.1 on include OIDC support

I've taken a first a pass through this and hacked it up enough to get the TCK (with modifications to pass).

Notes:

Spring OAuth config property names/structure has changed
breaking changes
official support via Spring Security/Spring Boot now, older oauth packages are deprecated
Resource server support only supports local validation of JWT based access tokens (not opaque tokens currently)
The new Spring OAuth doc is pretty good.
OAuth2/OIDC code flow just work when packages and properties are present, but most users will need to customize the configuration (this integration will need to be aware of this)

Tasks:

Make group token claim configurable
Add tests for autoconfiguration cases
- make sure okta oauth auto config doesn't trigger when properties are not present
Think about a solution to make changing the redirect uri easier to set (i.e. /authorize-code/callback
create release notes / migration guide
Make OktaOAuth2ConfigProperties just wrap the official properties (so users can set properties via the standard props or the simplified Okta ones (i.e. okta.oauth2.client-id)

Error processing condition on com.okta.spring.oauth.OktaTokenServicesConfig$LocalTokenValidationConfig.authoritiesExtractor

Hello,

Getting an exception when trying to start my spring boot app after adding okta-spring-boot-starter to my dependencies. I'm using spring boot v2.0.3

Here are all my dependencies in the pom.xml

        <parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.0.3.RELEASE</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>
	<dependencies>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-jpa</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-data-rest</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<!-- Security dependencies | START -->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		
		<dependency>
			<groupId>org.springframework.security.oauth</groupId>
			<artifactId>spring-security-oauth2</artifactId>
			<version>2.3.3.RELEASE</version>
		</dependency>

		<dependency>
			<groupId>com.okta.spring</groupId>
			<artifactId>okta-spring-boot-starter</artifactId>
			<version>0.6.0</version>
		</dependency>
		<!-- Security dependencies | END -->

		<!-- Database dependencies | START -->
		<dependency>
			<groupId>org.liquibase</groupId>
			<artifactId>liquibase-core</artifactId>
		</dependency>
		<dependency>
			<groupId>org.postgresql</groupId>
			<artifactId>postgresql</artifactId>
			<scope>runtime</scope>
		</dependency>

		<dependency>
			<groupId>org.projectlombok</groupId>
			<artifactId>lombok</artifactId>
			<optional>true</optional>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-tomcat</artifactId>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>

	</dependencies>

The exception is:

java.lang.IllegalStateException: Error processing condition on com.okta.spring.oauth.OktaTokenServicesConfig$LocalTokenValidationConfig.authoritiesExtractor
	at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:64) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.context.annotation.ConditionEvaluator.shouldSkip(ConditionEvaluator.java:108) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForBeanMethod(ConfigurationClassBeanDefinitionReader.java:180) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:141) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:117) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:328) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:233) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:273) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:93) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:694) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:532) ~[spring-context-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140) ~[spring-boot-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759) [spring-boot-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:395) [spring-boot-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:327) [spring-boot-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1255) [spring-boot-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1243) [spring-boot-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at gg.leaguemanager.api.LeagueManagerApiApplication.main(LeagueManagerApiApplication.java:13) [classes/:na]
Caused by: java.lang.IllegalStateException: @ConditionalOnMissingBean did not specify a bean using type, name or annotation and the attempt to deduce the bean's type failed
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.validate(OnBeanCondition.java:389) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.<init>(OnBeanCondition.java:379) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchOutcome(OnBeanCondition.java:114) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	... 17 common frames omitted
Caused by: org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanTypeDeductionException: Failed to deduce bean type for com.okta.spring.oauth.OktaTokenServicesConfig$LocalTokenValidationConfig.authoritiesExtractor
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.addDeducedBeanTypeForBeanMethod(OnBeanCondition.java:442) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.addDeducedBeanType(OnBeanCondition.java:426) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.<init>(OnBeanCondition.java:373) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	... 19 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor
	at java.net.URLClassLoader.findClass(Unknown Source) ~[na:1.8.0_171]
	at java.lang.ClassLoader.loadClass(Unknown Source) ~[na:1.8.0_171]
	at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) ~[na:1.8.0_171]
	at java.lang.ClassLoader.loadClass(Unknown Source) ~[na:1.8.0_171]
	at org.springframework.util.ClassUtils.forName(ClassUtils.java:274) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
	at org.springframework.boot.autoconfigure.condition.OnBeanCondition$BeanSearchSpec.addDeducedBeanTypeForBeanMethod(OnBeanCondition.java:436) ~[spring-boot-autoconfigure-2.0.3.RELEASE.jar:2.0.3.RELEASE]
	... 21 common frames omitted

2018-07-17 13:13:39.940  INFO 11900 --- [           main] ConfigServletWebServerApplicationContext : Closing org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext@2fc6f97f: startup date [Tue Jul 17 13:13:39 EDT 2018]; root of context hierarchy

I have added the properties to my project also:

okta.oauth2.issuer=...
okta.oauth2.clientId=...

If is a problem of incompatible versions between dependencies, is there a recipe that works?

Thanks

Spring Sec 5 /Boot 2 + custom WebSecurityConfigurerAdapter -http.oauth2Login() - not configurable

Hello,
I am working with Spring Boot 2.0.5 and Okta 0.6.0.
I am following a tutorial https://github.com/okta/samples-java-spring/blob/master/okta-hosted-login/src/main/java/com/okta/spring/example/CodeFlowExampleApplication.java but cannot get beyond an issue related to the redirect URI and too many redirects.

The redirect to Okta works successfully, the problems begin on the redirect back to localhost.

The UI I receive from my application is here:

I have set the redirect URI for my OIDC App to localhost:8082/callback and this is the configuration of my yml file:
security:
oauth2:
client:
client-id: XXXX
client-secret: XXX
access-token-uri: https://dev-848116.oktapreview.com/oauth2/XXX/v1/token
user-authorization-uri: https://dev-848116.oktapreview.com/oauth2/XXX/v1/authorize
client-authentication-scheme: form
sso:
login-path: /callback

okta:
oauth2:
issuer: https://dev-848116.oktapreview.com/oauth2/XXX

The Security configuration I am using is here:
@configuration
@EnableOAuth2Sso
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

/*public ApplicationSecurity(ApplicationContext applicationContext) {
    super(applicationContext);
}*/

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .antMatcher("/**")
      .authorizeRequests()
      .antMatchers("/callback")
      .permitAll()
      .anyRequest()
      .authenticated();
}

/*@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}*/

}
I have also tried the security configuration by extending the 'OAuth2SsoDefaultConfigurationclass however I can see this class implements theWebSecurityConfigurerAdapter` interface so perhaps no surprises it operates the same way.

It appears to me the http security is being ignored or bypassed. The controller config is very simple, here is the /callback implementation:

@GetMapping("/callback")
public String callback(OAuth2Authentication authentication, Model model) {
logger.info("Returning principal page: " + authentication.getUserAuthentication().getName());
model.addAttribute("user", authentication.getUserAuthentication().getName());
return "home";
}

Can you please advise what I need to do to resolve this, I'm not sure I need a concrete implementation of the /callback endpoint.

Provide example of injecting SDK

The readme says:

All that is left is to inject the client (com.okta.sdk.client.Client)!

Can we add an example for n00bs like me who don't know how? 😄

@EnableOAuth2Sso fails with 401

Given the configuration:

bootstrap.yml

okta:
  oauth2:
    issuer: ****
    clientId: ***
    clientSecret: ***

Spring Boot Application

package nz.co.eroad.postedspeedsupport;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;

@SpringBootApplication
@EnableZuulProxy
@EnableOAuth2Sso
public class GatewayApplication {

    public static void main(String[] args) throws Exception {
        SpringApplication.run(GatewayApplication.class, args);
    }

}

After logging in you get:

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Fri Nov 10 15:44:51 NZDT 2017
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain user details from token

okta-spring-boot + okta-spring-sdk

Hi,
i would configure "roles-claim: groups" and "principal-claim: email" as OAuth2 properties and to do so i've added okta-spring-sdk as dependency in my maven project.
The problem with this dependency returned OAuth2Athentication.userAuthetication object(UsernamePasswordAuthenticationToken) contains different "details" element. Inside "Token Preview"(from okta dashboard) i get all informations, but in the client i can't get the full map, Why?
How can i continue to get userInfo with also "roles-claim: groups" and "principal-claim: email"?

Thanks

Can't obtain user info on Controller

Hi,
Was wondering how to obtain the Principal from a request from an SPA, I think I've followed the resource server tutorial fine. I've got a stack over flow question: https://stackoverflow.com/questions/52982123/can-not-retrieve-principal-from-spring-okta-cra-spa

I've got a demo repo at: https://github.com/Verric/carty-temp

Im not sure if this relates to #95 #76.

Basic details
Spring boot 2.0.6

implementation('com.okta.spring:okta-spring-boot-starter:0.6.1') {exclude group: 'org.slf4j' }

implementation('org.springframework.boot:spring-boot-starter-web')

implementation('org.springframework.boot:spring-boot-starter-data-jpa')

implementation('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.6.RELEASE')

implementation('org.springframework.boot:spring-boot-starter-validation')`

Note I had to ignore logging in spring boot okta as it was claiming about having both log4j2 and logback on the class path :p

P.S The authentication works fine, only users logged in (via okta) can access the resource server, however I'm just not sure how to get who is making the request :/

Thanks in advance

Spring Boot JavaFx Client

My client application is a spring boot javafx app connecting to a spring boot server application. Do you have an examples of integration of okta on the client side where being redirected to a web page wouldn't be part of the flow?

A redirect to a webpage embedded within a javafx webview could also work.

OidcDiscoveryClient doesn't work behind a proxy

As per title. It creates it's own rest template and uses the issuerUri to create requests, but it doesn't check the application.yml to see if a okt.client.proxy is set.

Suggest the rest template has a request factory set with a configured http client which can have it's HttpProxy set if it's part of the configuration.

Use "okta.oauth2.issuer" consistently

The property okta.oauth2.issuer is expected to be different in various parts of okta spring boot.

During application startup the issuer must not end in /oauth2/default in order to be able to discover the OIDC endpoints. The discovery endpoint is https://${okta.hostname}/.well-known/openid-configuration.

This code is executed during startup:
com.okta.spring.oauth.discovery.DiscoveryPropertySource#getDiscoveryMetadata()

String issuerUrl = environment.getRequiredProperty(OKTA_OAUTH_ISSUER);
OidcDiscoveryMetadata discoveryMetadata = createDiscoveryClient(issuerUrl).discover();

If okta.oauth2.issuer is configured to end in /oauth2/default (as documented) the following stacktrace is the result. This stems from the fact that the discovery endpoint is not available under https://${okta.hostname}/oauth2/default/.well-known/openid-configuration

Caused by: org.springframework.web.client.HttpClientErrorException: 404 Not Found
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:85) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:707) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:660) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:635) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:310) ~[spring-web-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at com.okta.spring.oauth.discovery.OidcDiscoveryClient.discover(OidcDiscoveryClient.java:49) ~[okta-spring-security-oauth2-0.3.0.jar:0.3.0]
	at com.okta.spring.oauth.discovery.DiscoveryPropertySource.getDiscoveryMetadata(DiscoveryPropertySource.java:105) ~[okta-spring-security-oauth2-0.3.0.jar:0.3.0]
	at com.okta.spring.oauth.discovery.DiscoveryPropertySource.getProperty(DiscoveryPropertySource.java:77) ~[okta-spring-security-oauth2-0.3.0.jar:0.3.0]
	at org.springframework.core.env.PropertySourcesPropertyResolver.getProperty(PropertySourcesPropertyResolver.java:81) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.core.env.PropertySourcesPropertyResolver.getProperty(PropertySourcesPropertyResolver.java:66) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.core.env.AbstractEnvironment.getProperty(AbstractEnvironment.java:537) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
	at org.springframework.boot.bind.RelaxedPropertyResolver.getProperty(RelaxedPropertyResolver.java:84) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
	at org.springframework.boot.bind.RelaxedPropertyResolver.getProperty(RelaxedPropertyResolver.java:64) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
	at org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerTokenServicesConfiguration$JwkCondition.getMatchOutcome(ResourceServerTokenServicesConfiguration.java:379) ~[spring-boot-autoconfigure-1.5.9.RELEASE.jar:1.5.9.RELEASE]
	at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47) ~[spring-boot-autoconfigure-1.5.9.RELEASE.jar:1.5.9.RELEASE]
	... 26 common frames omitted

So, in order to get an app to successfully startup okta.oauth2.issuer must not end in /oauth2/default.

However, the code validating access token expects the issuer to end in /oauth2 (also not as documented) to construct a valid keys URL.

The keys URL is constructed during configuration:
com.okta.spring.oauth.OktaTokenServicesConfig.LocalTokenValidationConfig#tokenStore():

return new JwkTokenStore(oktaOAuth2Properties.getIssuer() + "/v1/keys", accessTokenConverter(), jwtClaimsSetVerifier());

For this to work the issuer must be https://${okta.hostname}/oauth2 (no trailing default as documented).
If /oauth2 is omitted (to get a successful startup and discovery) the access token validation will fail:

2018-01-11 17:15:07.485 DEBUG 82456 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="server_error", error_description="An I/O error occurred while reading from the JWK Set source: https://dev-xxxxxx.oktapreview.com/v1/keys"
2018-01-11 17:15:07.533 DEBUG 82456 --- [nio-8080-exec-1] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="server_error", error_description="An I/O error occurred while reading from the JWK Set source: https://dev-xxxxxx.oktapreview.com/v1/keys"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@287e7668]

I'm wondering if OktaTokenServicesConfig should be using the keys url from the discovery step instead of manually constructing it. Otherwise, what's the point of doing the discovery if the discovered URLs are not used.

okta-spring-boot.version: 0.3.0
spring-security-oauth2.version: 2.2.1.RELEASE

application.yml

okta:
  tenant: TTT
  hostname: ${okta.tenant}.oktapreview.com
okta.oauth2:
  #issuer: https://${okta.hostname} # successful discovery but failing access token validation
  #issuer: https://${okta.hostname}/oauth2 # failing OIDC discovery, needed for access token validation
  #issuer: https://${okta.hostname}/oauth2/default # as documented but not as the code is working
  clientId: XXX

OktaOAuthCodeFlowConfiguration should also work with OAuth2SsoCustomConfiguration

OktaOAuthCodeFlowConfiguration currently conditional on OAuth2SsoDefaultConfiguration, but should also allow OAuth2SsoCustomConfiguration.

Spring Sec throws 500 when parsing an invalid base64 JWT String

This should result in a 401 (as the token is invalid) for details see:
https://developer.okta.com/blog/2017/12/04/basic-crud-angular-and-spring-boot#comment-4091910715

TBD: after this is confirmed we might need to pass this upstream to Spring Sec

Add support to inject the java okta-sdk

Provide steps to run mvn install without failures

Since all the integration tests seem to fail, I'm guessing there's configuration that needs to happen before you can run mvn install w/o issues.

Invalid Token Guidance

Hey guys,

I followed https://developer.okta.com/blog/2017/12/06/bootiful-development-with-spring-boot-and-react for setting up a react + spring boot simple application.

I've checked both the client id and issuer on both React and Spring Boot configurations and they are the same. However, I am still getting an invalid token.

Things to note.

I made sure that my header is Authorization and BEARER MY_AUTHTOKEN.

Spring Boot version: Brussels-SR5

Extracting claims in ID token

I'm having trouble understanding how to configure okta-spring-boot correctly. Here's some context:

I'm configuring a resource server using @EnableResourceServer (so basically http.authorizeRequests().anyRequest().authenticated())
I'm using Resource Owner Password OAuth flow
Using scope openid profile offline_access
Using SpringBoot 2.0.5.RELEASE
Using okta-spring-boot 0.6.1

and here are my questions:

I noticed default value for okta.oauth2.localTokenValidation is true which means LocalTokenValidationConfig is used and thus will not attempt to make another call to Okta auth server /userinfo endpoint and thus any claims configured for "Userinfo / id_token request" will not be returned. However, I do know the {authServerUrl}/oauth2/default/v1/token response does include an ID token. Why does okta-spring-boot library not extract information from ID token also but only extracts data from access token?
Whether it's remote or local token validation, what kind of validation does it do? I have not configured the resource server with any private keys so I don't see how it can verify the tokens in the first place. How do I get Okta to do additional verification to ensure the JWTs have not been tampered with?
What does property security.oauth2.resource.preferTokenInfo do?
I managed to also use RemoteTokenValidationConfig by setting okta.oauth2.localTokenValidation to false which means on authentication, Okta uses access token to make a subsequent call to fetch additional user data from /userinfo endpoint. This is nice because the resultant OAuth2Authentication includes both access token and ID token/Userinfo properties. However, I'm hitting an issue where under this configuration, all server errors (such as 404 or 500) are returning 401 with the following in the logs. I expect this to return 404 but instead get 401.

2018-11-02 17:38:04.469 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', GET]
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/foo'; against '/logout'
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', POST]
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /foo' doesn't match 'POST /logout
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', PUT]
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /foo' doesn't match 'PUT /logout
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', DELETE]
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /foo' doesn't match 'DELETE /logout
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2018-11-02 17:38:04.470 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2018-11-02 17:38:14.483 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.oauth2.client.OAuth2RestTemplate   : Created GET request for "https://company.okta.com/oauth2/default/v1/userinfo"
2018-11-02 17:38:14.484 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.oauth2.client.OAuth2RestTemplate   : Setting request Accept header to [application/json, application/*+json]
2018-11-02 17:38:15.327 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.oauth2.client.OAuth2RestTemplate   : GET request for "https://company.okta.com/oauth2/default/v1/userinfo" resulted in 200 (OK)
2018-11-02 17:38:15.328 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.oauth2.client.OAuth2RestTemplate   : Reading [interface java.util.Map] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@4787f6da]
2018-11-02 17:38:31.437 DEBUG 4062 --- [nio-8880-exec-3] .c.r.s.r.s.RedCustomerPrincipalExtractor : Username: [email protected], Okta mapped properties: {sub=00u2c82x4XMRMgFl0356, name=Tommy Li, locale=AU, nickname=Charlia, [email protected], given_name=Tommy, family_name=Li, zoneinfo=+10:00, updated_at=1541068229, lastName=Li, firstName=Tommy, displayName=Tommy Li, groups=[Everyone, Red Testers], title=Mr, customerNumber=2940935}
2018-11-02 17:38:31.437 DEBUG 4062 --- [nio-8880-exec-3] p.a.OAuth2AuthenticationProcessingFilter : Authentication success: org.springframework.security.oauth2.provider.OAuth2Authentication@6d477bd3: Principal: au.com.company.app.restapi.security.AuthenticatedCustomer@c766edf; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: Everyone, Red Testers
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.oauth2.provider.OAuth2Authentication@6d477bd3: Principal: au.com.company.app.restapi.security.AuthenticatedCustomer@c766edf; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: Everyone, Red Testers'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@5afc9c5b
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/foo'; against '/actuator/health'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/foo'; against '/echo/**'
2018-11-02 17:38:31.438 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/foo'; against '/error'
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/foo'; against '/error/**'
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /foo?param1=value1&param2=value2; Attributes: [#oauth2.throwOnError(authenticated)]
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@6d477bd3: Principal: au.com.company.app.restapi.security.AuthenticatedCustomer@c766edf; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=127.0.0.1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: Everyone, Red Testers
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@a5bf80d, returned: 1
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
2018-11-02 17:38:31.439 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /foo?param1=value1&param2=value2 reached end of additional filter chain; proceeding with original chain
2018-11-02 17:38:31.441 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6f3b895c
2018-11-02 17:38:31.442 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2018-11-02 17:38:31.442 DEBUG 4062 --- [nio-8880-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-11-02 17:38:31.442 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /error?param1=value1&param2=value2 at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /error?param1=value1&param2=value2 at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /error?param1=value1&param2=value2 at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /error?param1=value1&param2=value2 at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', GET]
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/error'; against '/logout'
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', POST]
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /error' doesn't match 'POST /logout
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', PUT]
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /error' doesn't match 'PUT /logout
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/logout', DELETE]
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /error' doesn't match 'DELETE /logout
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2018-11-02 17:38:31.443 DEBUG 4062 --- [nio-8880-exec-3] o.s.security.web.FilterChainProxy        : /error?param1=value1&param2=value2 at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2018-11-02 17:38:34.459  WARN 4062 --- [nio-8880-exec-3] c.o.s.oauth.OktaUserInfoTokenServices    : Could not fetch user details: class org.springframework.beans.factory.BeanCreationException, Error creating bean with name 'scopedTarget.oauth2ClientContext': Scope 'request' is not active for the current thread; consider defining a scoped proxy for this bean if you intend to refer to it from a singleton; nested exception is java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.
2018-11-02 17:38:34.460 DEBUG 4062 --- [nio-8880-exec-3] p.a.OAuth2AuthenticationProcessingFilter : Authentication request failed: error="invalid_token", error_description="eyJraWQiOiJaNXZXQ1FsX25WWGpvQlB1WkExbGo5OEhMNVU4Y2tBNUthUWUxN09ZTmZnIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULklodzRrQ1hSX1JwUTZ6ejFPaWJMdWhpR2IwY1BCdW9hbk5oMVVxNHZDVncuWXpoTjFRL3hCY1BteExwZkpIRWpKVWJYTEVhN2pYaDBYMDA1QlhSY09TOD0iLCJpc3MiOiJodHRwczovL3JlZGVuZXJneS5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NDExNDA2MzIsImV4cCI6MTU0MTE0NDIzMiwiY2lkIjoiMG9hMjhjamRpMjM3UFdFNVUzNTYiLCJ1aWQiOiIwMHUyYzgyeDRYTVJNZ0ZsMDM1NiIsInNjcCI6WyJvZmZsaW5lX2FjY2VzcyIsInByb2ZpbGUiLCJvcGVuaWQiXSwic3ViIjoidG9tbXkubGlAcmVkZW5lcmd5LmNvbS5hdSIsImVtYWlsIjoidG9tbXkubGlAcmVkZW5lcmd5LmNvbS5hdSJ9.sGtie_p7lU-umuXzn2hVo2ULx82dCVs6qnQxUwRUSaByZt7aAmdcTTmy521K6_fvAVy3Ueszz0Nty5Pgz1RzrFW-fmMBiz_Ahl2WTgijsF7s3yLUXyJwPlD9JMOnvXSNWJeL7mZ8_cTPfne6Y1FVzgIzucV8NFbmE_EByMV_TqWnoDhqm-jM8K99PM6UkHWmmWzU-_2Ln1RhA76Cl_qyVzoDWtOKE_M951kDgHYbBLdRda7-usxbV2xVjeJfbB98Yr7QB5ZnYOIuI_AhDBEbBjw7B2CeXSTYjxS90QakDoO922KxReMrY_oOEpVbwa4IvBtdDBcv-1L_S4AogFHBOQ"
2018-11-02 17:38:34.461 DEBUG 4062 --- [nio-8880-exec-3] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="invalid_token", error_description="eyJraWQiOiJaNXZXQ1FsX25WWGpvQlB1WkExbGo5OEhMNVU4Y2tBNUthUWUxN09ZTmZnIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULklodzRrQ1hSX1JwUTZ6ejFPaWJMdWhpR2IwY1BCdW9hbk5oMVVxNHZDVncuWXpoTjFRL3hCY1BteExwZkpIRWpKVWJYTEVhN2pYaDBYMDA1QlhSY09TOD0iLCJpc3MiOiJodHRwczovL3JlZGVuZXJneS5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NDExNDA2MzIsImV4cCI6MTU0MTE0NDIzMiwiY2lkIjoiMG9hMjhjamRpMjM3UFdFNVUzNTYiLCJ1aWQiOiIwMHUyYzgyeDRYTVJNZ0ZsMDM1NiIsInNjcCI6WyJvZmZsaW5lX2FjY2VzcyIsInByb2ZpbGUiLCJvcGVuaWQiXSwic3ViIjoidG9tbXkubGlAcmVkZW5lcmd5LmNvbS5hdSIsImVtYWlsIjoidG9tbXkubGlAcmVkZW5lcmd5LmNvbS5hdSJ9.sGtie_p7lU-umuXzn2hVo2ULx82dCVs6qnQxUwRUSaByZt7aAmdcTTmy521K6_fvAVy3Ueszz0Nty5Pgz1RzrFW-fmMBiz_Ahl2WTgijsF7s3yLUXyJwPlD9JMOnvXSNWJeL7mZ8_cTPfne6Y1FVzgIzucV8NFbmE_EByMV_TqWnoDhqm-jM8K99PM6UkHWmmWzU-_2Ln1RhA76Cl_qyVzoDWtOKE_M951kDgHYbBLdRda7-usxbV2xVjeJfbB98Yr7QB5ZnYOIuI_AhDBEbBjw7B2CeXSTYjxS90QakDoO922KxReMrY_oOEpVbwa4IvBtdDBcv-1L_S4AogFHBOQ"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@4cac2f21]
2018-11-02 17:38:34.461 DEBUG 4062 --- [nio-8880-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

Issue with issuer URL in okta-spring-boot-starter v0.2.0

I am trying to work with okta-spring-boot-starter in my spring boot v1.5.6 application

Update my pom file as follows:

        <dependency>
            <groupId>com.okta.spring</groupId>
            <artifactId>okta-spring-boot-starter</artifactId>
            <version>0.2.0</version>
        </dependency>

Added bootstrap.properties under /resources as follows:

okta.oauth2.issuer=https://{domain}.oktapreview.com/oauth2/default
okta.oauth2.audience={myAudience}
okta.oauth2.clientId={myClientId}
okta.oauth2.clientSecret={myClientSecret}
security.oauth2.sso.loginPath=/authorization-code/callback

With the URL set as above, I get the following error:

15:40:51.539 [RMI TCP Connection(2)-127.0.0.1] ERROR org.springframework.boot.SpringApplication - Application startup failed
org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:63)
	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:628)
	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:303)
	at com.okta.spring.oauth.discovery.OidcDiscoveryClient.discover(OidcDiscoveryClient.java:49)
	at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.discoveryPropertiesSource(OktaPropertiesMappingEnvironmentPostProcessor.java:137)
	at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.postProcessEnvironment(OktaPropertiesMappingEnvironmentPostProcessor.java:95)
	at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEnvironmentPreparedEvent(ConfigFileApplicationListener.java:182)
	at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEvent(ConfigFileApplicationListener.java:168)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:167)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:122)
	at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:74)
	at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:54)
	at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:325)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:296)
	at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:134)
	at org.springframework.cloud.bootstrap.BootstrapApplicationListener.bootstrapServiceContext(BootstrapApplicationListener.java:175)
	at org.springframework.cloud.bootstrap.BootstrapApplicationListener.onApplicationEvent(BootstrapApplicationListener.java:98)
	at org.springframework.cloud.bootstrap.BootstrapApplicationListener.onApplicationEvent(BootstrapApplicationListener.java:64)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:167)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:122)
	at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:74)
	at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:54)
	at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:325)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:296)
	...
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

I updated the issuer to be okta.oauth2.issuer=https://{domain}.oktapreview.com but in that case I am getting exception as follows

15:56:14.406 [RMI TCP Connection(2)-127.0.0.1] ERROR org.springframework.boot.SpringApplication - Application startup failed
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
	at java.lang.String.substring(String.java:1967)
	at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.discoveryPropertiesSource(OktaPropertiesMappingEnvironmentPostProcessor.java:140)
	at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.postProcessEnvironment(OktaPropertiesMappingEnvironmentPostProcessor.java:95)
	at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEnvironmentPreparedEvent(ConfigFileApplicationListener.java:182)
	at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEvent(ConfigFileApplicationListener.java:168)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:167)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:122)
	at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:74)
	at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:54)
	at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:325)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:296)
	...
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

Any pointers would be appreciated as I am not able to proceed.

erreur

always getting null for java.security.Principal

I am trying to get user details from accessToken as explained in here. But I am always getting null .

Here are my dependencies ...

    <dependency>
        <groupId>com.okta.spring</groupId>
        <artifactId>okta-spring-boot-starter</artifactId>
        <version>0.6.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.2.0.RELEASE</version>
    </dependency>

I have added the config properties ...

okta:
    oauth2:
        issuer: https://XXXXX.oktapreview.com/oauth2/default
        clientId: XXXXX
    oauth:
        issuer: https://XXXXX.oktapreview.com/oauth2/default
        clientId: XXXX

I tried with valid accessToken and also with idToken for all I am getting null value. Please let me know if anything needs to be added or anything wrong and how to test?

Spring Boot 2.0: OAuth2Authentication.userAuthentication.details has different info with Okta Starter

If I use the Okta Spring Boot Starter (v0.5.0), the Principal is of type OAuth2Authentication, but it does not contain any user information in userAuthentication.getDetails(). It contains access token information instead.

If I change my app to use the Spring Security Starter instead (and adjust properties accordingly), userAuthentication.getDetails() contains user information.

I think Okta's starter should be adjusted so it matches the behavior that Spring Security has by default.

Is there a way to override uri?

I'm facing an issue, that my company's issuer url is not the same for all endpoints.
For example, configuration is located at https://{company}.oktapreview.com/.well-known/openid-configuration, but keys are located at https://{company}.oktapreview.com/oauth2/v1/keys.
However, the same issuer url is used to do all the requests. Is there a way to override this behaviour? I tried creating primary bean of JwkTokenStore with correct url, but for somereason it had no effect.

Thanks in advance

Update to Spring Security 5.1 and add OIDC support

This may be a good time to make a breaking change and stick with Spring Sec 5.1+ going forward (this implies Spring Boot 2x as well)

Setting `okta.oauth2.localTokenValidation` causes the `groups` returned in user details to NOT be parsed into Spring Authorities

Processing of groups to authorities should NOT be tied to localTokenValidation

IntelliJ IDEA says clientId should be client-id and clientSecret should be client-secret

The bug is that if you use these values, no clientId is sent. If you use clientId and clientSecret it works. Screenshot of popup:

Principal is null after update to spring boot 2.0.4 RELEASE

OAuth2 works fine with spring boot 1.5.8. Able to access POST /oauth/token end-point.

After update to spring boot 2.0.4 RELEASE. Prinicipal is null when I try to access /oauth/token end-point.

Here is my configuration of spring security.

`package com.ln.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Autowired
private UserDetailsService userDetailsService;

@Bean
public PasswordEncoder passwordEncoder(){
	return new MessageDigestPasswordEncoder("MD5");
}

@Override
@Bean
public AuthenticationManager authenticationManager() throws Exception {
	return super.authenticationManagerBean();
}

@Bean
public TokenStore tokenStore() {
	return new InMemoryTokenStore();
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/webjars/**", "/api-ln/oauth/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
	http.authorizeRequests()
			.antMatchers("/api-ln/validate-user*", "/api-ln/public/**", "/api-ln/signup",
					"/api-ln/verify-registration", "/api-ln/oauth/**", "/login	").permitAll()
			.antMatchers("/api-ln/user/**").hasAnyRole("USER")
			.antMatchers("/api-ln/admin/**").hasAnyRole("ADMIN")
			.anyRequest().authenticated()
			.and().formLogin().permitAll();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
	auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}

}
`

`package com.ln.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.builders.ClientDetailsServiceBuilder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.TokenStore;

import com.ln.service.CustomUserDetailsService;

@configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

@Autowired
private CustomUserDetailsService userDetailsService;
	
@Autowired
private TokenStore tokenStore;

@Autowired
private AuthenticationManager authenticationManager;

@Autowired
private PasswordEncoder passwordEncoder;

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
	clients.withClientDetails(inMemoryClientDetailsService());
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
	endpoints
	.tokenStore(tokenStore)
	.authenticationManager(authenticationManager)
	.userDetailsService(userDetailsService);
}

@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
	security.passwordEncoder(passwordEncoder).allowFormAuthenticationForClients().tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}

@Bean
public ClientDetailsService inMemoryClientDetailsService() throws Exception {
	return new ClientDetailsServiceBuilder<>().inMemory().withClient("client").secret("secret").authorities("ROLE_TRUSTED_CLIENT")
			.authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
			.and().build();
}

}
`

`package com.ln.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

@configuration
@EnableResourceServer
public class ResourceConfig extends ResourceServerConfigurerAdapter {

@Override
public void configure(HttpSecurity http) throws Exception {
	http.authorizeRequests()
			.antMatchers("/api-ln/validate-user*", "/api-ln/public/**", "/api-ln/signup",
							"/api-ln/verify-registration", "/api-ln/oauth/**", "/login").permitAll()
			.antMatchers("/api-ln/user/**").access("hasRole('USER')")
			.antMatchers("/api-ln/admin/**").access("hasRole('ADMIN')")
			.antMatchers("/api-ln/user/**", "/api-ln/admin/**").authenticated()
			.and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
	resources.resourceId("api-ln").stateless(false);
}

}
`

Any configurations need to be modified with spring boot 2.0.4 and spring cloud oauth2 2.0.0.RELEASE

Replacing Spring Security OAuth with this starter doesn't work with microservices + OAuth

I created a PR to demonstrate this issue, with steps to reproduce. You can see the steps to reproduce and the changes made at oktadev/spring-boot-microservices-example#9.

IllegalArgumentException: issuer cannot be empty

I'm working with @starbuxman to develop a reactive microservices stack for our Devoxx talk. Using 0.2.0 of this library throws the following error after I integrate things:

Caused by: java.lang.IllegalArgumentException: issuer cannot be empty
    at org.springframework.util.Assert.hasText (Assert.java:276)
    at com.okta.spring.oauth.discovery.OidcDiscoveryClient.<init> (OidcDiscoveryClient.java:36)
    at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.discoveryPropertiesSource (OktaPropertiesMappingEnvironmentPostProcessor.java:137)
    at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.postProcessEnvironment (OktaPropertiesMappingEnvironmentPostProcessor.java:95)
    at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEnvironmentPreparedEvent (ConfigFileApplicationListener.java:170)
    at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEvent (ConfigFileApplicationListener.java:156)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener (SimpleApplicationEventMulticaster.java:172)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener (SimpleApplicationEventMulticaster.java:165)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent (SimpleApplicationEventMulticaster.java:139)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent (SimpleApplicationEventMulticaster.java:127)
    at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared (EventPublishingRunListener.java:73)
    at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared (SpringApplicationRunListeners.java:54)
    at org.springframework.boot.SpringApplication.prepareEnvironment (SpringApplication.java:349)
    at org.springframework.boot.SpringApplication.run (SpringApplication.java:317)

Steps to reproduce:

git clone [email protected]:mraible/cloud-native-pwas.git
cd cloud-native-pwas/kotlin-reactive/edge-service

Modify pom.xml to add this library:

<dependency>
	<groupId>com.okta.spring</groupId>
	<artifactId>okta-spring-boot-starter</artifactId>
	<version>0.2.0</version>
</dependency>

Add properties to src/main/resources/application.properties:

okta.oauth2.issuer=https://dev-158606.oktapreview.com/oauth2/default
okta.oauth2.clientId=XXX
okta.oauth2.clientSecret=XXX

Run ./mvnw spring-boot:run.

More configuration like public endpoints, etc.

Hi, I couldn't find any information about extra configuration of this library.

I have a ReactJS web application and some java microservices that expose an API.

Could I implement public endpoints?

Example:

Public (no JWT needed)
GET:/resource1
GET: /resource1/{id}

Private (JWT needed)
POST: /resource1
DELETE, PATCH, PUT: /resource1/{id}
GET, POST:/resource2
GET, DELETE, PATCH, PUT: /resource2/{id}

Do you know how to deny access to some resources?

Example:

User u1 has notes in a database, but he shouldn't edit, delete or create other user's notes. In this scenario, roles and groups don't apply.

My solution: I persist the uid like note's information and it checks that the uid in jwt is valid for the resource that I want to modify

Thanks.

404 The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings.

I have a basic Spring Boot 2.0.5 and Okta Starter configuration 0.6.0

My yml files looks like this:
security:
oauth2:
client:
client-id: XXX
client-secret: XXX
access-token-uri: https://dev-XXX.oktapreview.com/oauth2/ausgdwqzf1FKoPs6K0h7/v1/token
user-authorization-uri: https://dev-XXX.oktapreview.com/oauth2/ausgdwqzf1FKoPs6K0h7/v1/authorize
client-authentication-scheme: form
resource:
user-info-uri: https://dev-XXX.oktapreview.com/oauth2/ausgdwqzf1FKoPs6K0h7/v1/userinfo
token-info-uri: https://dev-XXX.oktapreview.com/oauth2/default/v1/introspect
prefer-token-info: false

okta:
oauth2:
issuer: https://dev-XXX.oktapreview.com/oauth2/ausgdwqzf1FKoPs6K0h7

I'm not sure what the yml file should look like and how the okta starter should be used.

using the configuration above I continually get this UI:

The 404 BAD Request: The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings.

Can you help by advising me how Spring Boot 2.0.5 should be configured to work with Okta as an OAuth2 client and/or Resource server please?

Okta Spring Boot Starter doesn't work with spring-cloud-starter-gateway

The Okta Spring Boot Starter (v0.1.0) works when adding to a Spring Boot Eureka server. However, when I try to use it with spring-cloud-starter-gateway, it fails. Once I include the dependency, the following message is printed on startup.

2017-11-04 10:43:57.196  WARN 73027 --- [           main] 
GatewayClassPathWarningAutoConfiguration : 

**********************************************************

Spring MVC found on classpath, which is incompatible with Spring Cloud 
Gateway at this time. Please remove spring-boot-starter-web dependency.

**********************************************************

If I exclude spring-boot-starter-web, stuff blows up because there's no javax/servlet/Filter in the classpath.

Caused by: java.lang.NoClassDefFoundError: javax/servlet/Filter

If I add javax.servlet-api as a dependency:

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>javax.servlet-api</artifactId>
</dependency>

It blows up with the following exception:

[WARNING] 
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.springframework.boot.maven.AbstractRunMojo$LaunchRunner.run (AbstractRunMojo.java:496)
    at java.lang.Thread.run (Thread.java:748)
Caused by: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.context.ApplicationContextException: Unable to start ServletWebServerApplicationContext due to missing ServletWebServerFactory bean.

Okta spring boot starter not working when using JPA dependency on spring boot

I have below okta dependencies:

<dependency>
   	    <groupId>com.okta.spring</groupId>
   	    <artifactId>okta-spring-boot-starter</artifactId>
   	    <version>0.5.0</version>
   	</dependency>
   	<dependency>
          <groupId>org.springframework.security.oauth.boot</groupId>
          <artifactId>spring-security-oauth2-autoconfigure</artifactId>
          <version>2.0.1.RELEASE</version>
      </dependency>

it was working when there is no jpa dependency but when I add below Jpa dependency it stopped working and gives an error

 <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>

Error creating bean with name 'org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration': Unsatisfied dependency expressed through field 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null

Okta Spring Boot Starter doesn't work with Spring Boot 2.0

Related to #22
I'm getting this same IllegalAccessError on the Implicit flow configuration.
My app is a springboot starter 2.0.0.M3.

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>0.2.0</version>
</dependency>

@Configuration
@EnableResourceServer
public class SecurityConfig {
}

okta:
  oauth2:
    issuer: https://my-dev.oktapreview.com/oauth2/default
    clientId: ***
    audience: api://default
    scopeClaim: scp
    rolesClaim: groups

My stack trace

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration': Unsatisfied dependency expressed through field 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:570) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:91) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:356) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1352) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:580) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:499) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:312) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$120/1093110206.getObject(Unknown Source) ~[na:na]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:755) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:868) ~[spring-context-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549) ~[spring-context-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:122) ~[spring-boot-2.0.0.M3.jar:2.0.0.M3]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:386) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:327) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1245) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1233) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
	at com.readingmentor.pir.PIRApplication.main(PIRApplication.java:10) [classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_45]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_45]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_45]
	at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_45]
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.0.0.M3.jar:2.0.0.M3]
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:591) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:499) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:312) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$120/1093110206.getObject(Unknown Source) ~[na:na]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:205) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:255) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1305) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1271) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1198) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1089) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1058) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:567) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	... 25 common frames omitted
Caused by: org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
	at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:209) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.aop.framework.ProxyFactory.getProxy(ProxyFactory.java:110) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.createProxy(AbstractAutoProxyCreator.java:470) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:352) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:301) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:436) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1720) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
	... 38 common frames omitted
Caused by: org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
	at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:345) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:492) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:93) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:91) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_45]
	at org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:116) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:291) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:480) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:337) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:58) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:205) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
	... 45 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
	at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_45]
	at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_45]
	at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:459) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:336) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
	... 58 common frames omitted
Caused by: java.lang.IllegalAccessError: class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices$$EnhancerBySpringCGLIB$$50916add cannot access its superclass com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices
	at java.lang.ClassLoader.defineClass1(Native Method) ~[na:1.8.0_45]
	at java.lang.ClassLoader.defineClass(ClassLoader.java:760) ~[na:1.8.0_45]
	... 63 common frames omitted

Any of the developer guides that are on the Okta developer blogs are not up to date and accurate.

Fail or Warn use when attempting to use an Okta Org issuer

When using the Okta Org issuer i.e. https://dev-123456.oktapreview.com/ local validation of access tokens is NOT possible, but this is the default functionality.

We should either fail fast (unless okta.oauth2.localTokenValidation=false is set)
Or WARN the user and disable local validation.

Add doc example for setting HTTP proxy config

This should be the standard http(s).proxy* properties, but a quick manual test and a doc update would be great.

RelaxedPropertyResolver removed from Spring Boot 2.x

In OktaSdkConfig.java class you use RelaxedPropertyResolver, but it has been removed from Spring Boot 2.x and won't be taken back. Please update the code.

okta-spring-boot-starter + spring-security-oauth2-autoconfigure (linked to #54)

Hi,
in my project i use the following dependencies

   <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    </dependency>

And all works great and the returned OAuth2Athentication.userAuthetication.details contains all userInfo.
But if i add okta-spring-boot-starter the returned OAuth2Athentication.userAuthetication.details not contains userInfo, but "ver", "jti", "iss", "aud", "iat", "exp", "cid", "uid","scp","sub".

Thanks
p.s. from okta dashboard trought "Token Preview" i get all informations, so...the okta configuration is correct.

Library configuration checks

To help avoid misconfiguration, this library should implement these checks against common errors: https://oktawiki.atlassian.net/wiki/spaces/PM/pages/552049922/Library+configuration+checks

For this library, these checks apply:

Issuer
Client ID
Client secret

Additionally, make sure these placeholders are always used in documentation or samples:

https://{yourOktaDomain} (not {yourOktaDomain}.com)
{clientId}
{clientSecret}

Can't run examples

mvn spring-boot:run fails in all 3 examples:

20:43:35.854 [main] DEBUG org.springframework.boot.devtools.settings.DevToolsSettings - Excluded patterns for restar
t : [/spring-boot-starter/target/classes/, /spring-boot-autoconfigure/target/classes/, /spring-boot-starter-[\w-]+/,
/spring-boot/target/classes/, /spring-boot-actuator/target/classes/, /spring-boot-devtools/target/classes/]
20:43:35.856 [main] DEBUG org.springframework.boot.devtools.restart.ChangeableUrls - Matching URLs for reloading : [
file:/C:/dev/workspace-spring/okta-developer/okta-spring-security/examples/siw-jquery/target/classes/]
20:43:36.708 [restartedMain] DEBUG org.springframework.boot.logging.ClasspathLoggingApplicationListener - Applicatio
n failed to start with classpath: [file:/C:/dev/workspace-spring/okta-developer/okta-spring-security/examples/siw-jq
uery/target/classes/]

Error from -e option:
[ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:1.5.7.RELEASE:run (default-cli) on
project okta-spring-boot-siw-jquery-example: Could not exec java: Application finished with exit code: 1 -> [Help 1]

I have mvn version 3.5.0.

Any suggestions how to fix it?

Missing JwtClaimsSetVerifier class when adding okta-spring-boot-starter

Using the following dependencies I'm getting a missing class error on JwtClaimsSetVerifier. If I remove com.okta.spring:okta-spring-boot-starter things compile as expected. Do I need to add any other dependencies?

compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.security.oauth:spring-security-oauth2')
compile('com.okta.spring:okta-spring-boot-starter:0.2.0')

Exception in thread "restartedMain" java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49)
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier
	at java.lang.Class.getDeclaredMethods0(Native Method)
	at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
	at java.lang.Class.getDeclaredMethods(Class.java:1975)
	at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:613)
	at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:524)
	at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:510)
	at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:570)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:697)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:640)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:609)
	at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1484)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:425)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:395)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:515)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:508)
	at org.springframework.context.support.AbstractApplicationContext.getBeansOfType(AbstractApplicationContext.java:1186)
	at org.springframework.boot.SpringApplication.getExitCodeFromMappedException(SpringApplication.java:818)
	at org.springframework.boot.SpringApplication.getExitCodeFromException(SpringApplication.java:804)
	at org.springframework.boot.SpringApplication.handleExitCode(SpringApplication.java:790)
	at org.springframework.boot.SpringApplication.handleRunFailure(SpringApplication.java:744)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107)
	at space.swordfish.edge.service.EdgeServiceApplication.main(EdgeServiceApplication.java:16)
	... 5 more
Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)

Consider renaming the starter to "okta-spring-boot-starter"

Error on spring boot custom login using widget in jsp

I have been trying to implement custom login using jsp as my view but i got error saying

We found some errors. Please review the form and make corrections.

but I got success response form /api/v1/auth when i check my network.
also it work fine with thymeleaf view.

Any indication on the next release?

0.2.0 is looking very helpful for us moving forward - any idea when it will find it's way out to the wild?

Returned redirect_uri includes http URL

I'm now trying to implement oauth with okta using okta-spring-boot v0.3.0 with the following properties.

okta.oauth2.issuer=https://{domain}.okta.com
okta.oauth2.clientId=AAABBBCCC
okta.oauth2.clientSecret=AAABBBCCC
okta.oauth2.audience=api://default
okta.oauth2.redirect_uri=https://{domain}/authorization-code/callback
security.oauth2.sso.loginPath=/authorization-code/callback
security.oauth2.client.clientAuthenticationScheme=header

However, when I accessed to the URL of my application, I got the redirected URL including weird redirect_uri. It should be https://{domain}, but I got http://{domain} and encountered 400 error...

https://{domain}.okta.com/oauth2/v1/authorize?client_id=AAABBBCCC&redirect_uri=http://{domain}

Any ideas? If you can give me any advice, it's very helpful for me. I'm completely stuck..

Spring dev-tools + jpa cause a CGLIB error at startup

Hello,

I am using Spring Boot 2.0.5 and Okta Starter 0.6.0. I am using JPA and DevTools.

I cannot run the application which is in a most basic form i.e. nothing more than basic managed bean config and property source configuration for JPA beans, I get the following stacktrace, please can you suggest how to reconfigure to start the application.

Note I am defining the JPA config locally i.e. EntityManageFactory, TransactionManager and Datasource.

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/code/OktaOAuthCodeFlowConfiguration$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:581) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:495) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:317) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:759) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:869) ~[spring-context-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:550) ~[spring-context-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140) ~[spring-boot-2.0.5.RELEASE.jar:2.0.5.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:780) [spring-boot-2.0.5.RELEASE.jar:2.0.5.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:412) [spring-boot-2.0.5.RELEASE.jar:2.0.5.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:333) [spring-boot-2.0.5.RELEASE.jar:2.0.5.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1277) [spring-boot-2.0.5.RELEASE.jar:2.0.5.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1265) [spring-boot-2.0.5.RELEASE.jar:2.0.5.RELEASE]
at org.fcbogle.spring.SatsOauthClientApplication.main(SatsOauthClientApplication.java:14) [classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_144]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_144]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_144]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_144]
at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.0.5.RELEASE.jar:2.0.5.RELEASE]
Caused by: org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:208) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.aop.framework.ProxyFactory.getProxy(ProxyFactory.java:110) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.createProxy(AbstractAutoProxyCreator.java:473) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:355) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:304) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:431) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1703) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:573) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
... 20 common frames omitted
Caused by: org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:345) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:492) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:93) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:91) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_144]
at org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:116) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:291) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:480) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:337) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:58) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:205) ~[spring-aop-5.0.9.RELEASE.jar:5.0.9.RELEASE]
... 27 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
at sun.reflect.GeneratedMethodAccessor27.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_144]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_144]
at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:459) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:336) ~[spring-core-5.0.9.RELEASE.jar:5.0.9.RELEASE]
... 40 common frames omitted
Caused by: java.lang.IllegalAccessError: class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices$$EnhancerBySpringCGLIB$$289e1444 cannot access its superclass com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices
at java.lang.ClassLoader.defineClass1(Native Method) ~[na:1.8.0_144]
at java.lang.ClassLoader.defineClass(ClassLoader.java:763) ~[na:1.8.0_144]
... 45 common frames omitted

Can't startup app: java.lang.IllegalAccessError

I've integrated okta-spring-boot-starter in my Spring Boot 1.5.8 project using the following steps:

Add dependency:

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>0.2.0</version>
</dependency>

Upgrade Spring OAuth (this is not documented in the README):

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.2.0.RELEASE</version>
        </dependency>
    </dependencies>
</dependencyManagement>

Added @EnableOAuthSso to my main Spring Boot class:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;

@EnableOAuth2Sso

When I start my app, I get the following error:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/code/OktaOAuthCodeFlowConfiguration$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:564) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867) ~[spring-context-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543) ~[spring-context-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at com.example.demo.DemoApplication.main(DemoApplication.java:12) [classes/:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_144]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_144]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_144]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_144]
        at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-1.5.8.RELEASE.jar:1.5.8.RELEASE]
Caused by: org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
        at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:205) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.aop.framework.ProxyFactory.getProxy(ProxyFactory.java:109) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.createProxy(AbstractAutoProxyCreator.java:466) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:349) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:298) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:423) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1633) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:555) ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        ... 20 common frames omitted
Caused by: org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
        at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:345) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:492) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:93) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:91) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_144]
        at org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:116) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:291) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:480) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:337) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:55) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:201) ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        ... 27 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
        at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) ~[na:na]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_144]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_144]
        at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:459) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:336) ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
        ... 40 common frames omitted
Caused by: java.lang.IllegalAccessError: class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices$$EnhancerBySpringCGLIB$$58dd557d cannot access its superclass com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices
        at java.lang.ClassLoader.defineClass1(Native Method) ~[na:1.8.0_144]
        at java.lang.ClassLoader.defineClass(ClassLoader.java:763) ~[na:1.8.0_144]
        ... 45 common frames omitted

Principal is null with Authorization Code Flow using example in README

I have followed the code example in the README and successfully setup the Authorization Code Flow. The user is redirected to the login screen hosted by Okta if a secured route is accessed. Once the user is authenticated through Okta, the user is redirected back to my app successfully.

The problem is, when I try and grab the Principal as defined in the controller example, the Principal is always null. Is there some OAuth Spring Security config that needs to be added??

POM/App info

Springboot 2.0.0.M3
okta-springboot starter 0.2.0
spring-security-oauth2 2.2.0.RELEASE

Controller serving secured page

package com.readingmentor.pir.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class DashboardController {
	
	@RequestMapping("/dashboard")
	public String dashboard(Principal principal) {
                // always null
		System.out.println("Principal " + principal.getName());
		return "dashboard";
	}
	
}

application.yml

okta:
  oauth2:
    issuer: https://dev-315558.oktapreview.com/oauth2/default
    clientId: ***
    clientSecret: ***
  client:
    orgUrl: https://dev-315558.oktapreview.com
    token: ***

__Security configuration

package com.readingmentor.pir.config;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {
	
	@Override
	public void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
		.antMatchers(HttpMethod.GET, "/api/programs/*", "/api/programs").permitAll()
		.antMatchers(HttpMethod.POST, "/api/users").permitAll()
		.antMatchers("/api/**", "/dashboard").authenticated()
        .antMatchers("/**").permitAll()
        .anyRequest().authenticated();
	}

}

okta / okta-spring-boot Goto Github PK

okta-spring-boot's Introduction

Okta Spring Boot Starter

Release status

Spring Boot Version Compatibility

What you need

Quickstart

Include the dependency

Building API Applications - Resource Server

Configure your properties

Create a Controller

That's it!

Spring MVC

Spring WebFlux

Supporting server side applications - OAuth Code flow

Create a Web App on Okta

Configure your properties

Create a simple application

Share Sessions Across Web Servers

That's it!

Use with Spring Native

Proxy

Inject the Okta Java SDK

Extra Credit

okta-spring-boot's People

Contributors

Stargazers

Watchers

Forkers

okta-spring-boot's Issues

Could I implement public endpoints?

Example:

Do you know how to deny access to some resources?

Example:

Recommend Projects

Recommend Topics

Recommend Org