How do I enable okta-spring-boot proxy support?

[preiner]

It appears that okta lib ignores java proxy settings. We need to use a proxy to reach okta.com but bypass proxy for local addresses.

[bdemers]

Hey @preiner, how did you set the properties? Which requests are not going through your proxy?

[preiner]

Hi, Forgive me, I am not a java developer. I am leading the okta implementation and was asked to drive this issue. I understand some of my comments may be a bit confusing, if you need clarification, please ask.

Our org has developed over a hundred apps using spring 2.0. We are trying to migrate them from kerberos (spnego) to oauth. Our existing platform is 100% on premise and now we have to go to the cloud to through a proxy. This is new territory for the company.

The devs dont like using JVM proxy because of two issues so they are seeking an okta library that can directly support auth traffic only through a proxy without forcing all http traffic through the proxy. They insist that they define a proxy in their project settings and that the okta library ignores it. (Personally i didnt know it was possible to define a proxy other than the JVM proxy. So this is the part thats sketchy for me. Im wondering if spring itself has a concept of a proxy)

Here are the JVM proxy issues. I think if you have a way to address one or both of them, they would be happy to use it.

Background: We have deployed many apps using short dns names to make it easier for users as we have multiple dns suffixes. For better or worse, we would like to continue supporting this. We also have many data centers & colos but they can all be described by one CIDR range such as 10.0.0.0/24. So we are trying to express an exclude that looks sort of like EXCLUDE=localhost, 127.0.0.1, 10.0.0.0/24, .company.com, .company.local, *.testdomain.zone,

Where short names are being entered like http://jira, http://confluence, https://internalapp

From what we understand an exclude pattern of "" would exclude every dns entry in universe and a pattern of "." would force users to put a trailing "." on the end of all short names (which they will never do correctly).

So since we cant determine how to express an exclude, they wanted to use include. This seems impractical because okta doesnt seem to want to rigidly control what dns zones their logon ui uses. We have already seen that whitelisting rules in our f5 is problematic. For example, not only do we have to open okta-emea.com, we have to do oktacdn.com and other domains because Okta forces us to accept web bugs / analytics on their logon page (and the dns domains of these bugs/analytics seem to be changing without advanced notice to the customer). So right now, every one is very frustrated with all of the headaches around okta & proxies.

So here are the 2 issues: 1) There is no way to express PROXY INCLUDE addresses only PROXY EXCLUDE 2) There is no way to express PROXY EXCLUDE for short DNS names

We would be grateful to understand how anyone else is handling this.

[bdemers]

Hey @preiner ! I cannot speak to all of these issues, but I should be able to point you in the right direction for this library. Please contact support for the other concerns.

The general recommendation for is to set the https.proxy* options, and use the non-proxy hosts property (with a wildcard * and pipes |)

https://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html

It sounds like you tried something along these lines, but I'm not sure which ones. Can you provide an example of your settings?

[preiner]

Hey back :)

[bdemers]

ha, sorry, I hit enter too soon ;)

[bdemers]

@preiner were you able to get the sys props to work for you?

[ilamathyIlangovan]

Hi, I am also facing the same issue. Getting below exception during application startup locally.

Unable to resolve Configuration with the provided Issuer of "https://ssoi-dev.XXX.com/oauth2/YYY": I/O error on GET request for "https://ssoi-dev.XXX.com/oauth2/YYY/.well-known/openid-configuration": ssoi-dev.XXX.com; nested exception is java.net.UnknownHostException: ssoi-dev.XXX.com: Unknown host ssoi-dev.XXX.com

Same configuration is working with spring-jwt-verifier. Can someone please help me to configure proxy for okta-spring-boot-starter?

[bdemers]

Hey @ilamathyIlangovan

Have you set the https.proxy* properties?

[ilamathyIlangovan]

Yes. I have set https properties

On Thu, 7 Nov, 2019, 10:44 PM Brian Demers, notifications@github.com wrote:

Hey @ilamathyIlangovan https://github.com/ilamathyIlangovan

Have you set the https.proxy* properties?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/okta/okta-spring-boot/issues/137?email_source=notifications&email_token=ANWQIXCDTGXEON3S5RHN3VTQSREFZA5CNFSM4ILFIGS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDNELSA#issuecomment-551175624, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANWQIXHIF3FKGNV3B6J7JE3QSREFZANCNFSM4ILFIGSQ .

[bdemers]

How are you setting them? Are you starting a jar or war?

[ilamathyIlangovan]

I have tried all these options:

1. setting in terminal before mvn spring-boot:run export HTTP_PROXY=http://proxy.xxx.com:8080 export HTTPS_PROXY=http://proxy.xxx.com:8080
2. In intelliJ > Preference > System Settings > HTTP Proxy> Manual Proxy Configuration
3. In WebSecurityConfig configure() method System.setProperty("https.proxyHost", "proxy.xxx.com"); System.setProperty("https.proxyPort", "8080");

I am starting the application jar using mvn spring-boot: run command.

[bdemers]

Are you sure your https proxy is over port 8080? What type of proxy server are you using?

[ilamathyIlangovan]

Yes... The same configuration is working with okta-jwt-verifier. I am not aware of the proxy server.

On Fri, 8 Nov, 2019, 8:36 PM Brian Demers, notifications@github.com wrote:

Are you sure your https proxy is over port 8080? What type of proxy server are you using?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/okta/okta-spring-boot/issues/137?email_source=notifications&email_token=ANWQIXCWHILERVJRNU6Y7VDQSV567A5CNFSM4ILFIGS2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDSMHLQ#issuecomment-551863214, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANWQIXB4BZPWLQAJ2GIMQCLQSV567ANCNFSM4ILFIGSQ .

[ilamathyIlangovan]

I am able to set Proxy host using System.setProperty in main method / WebSecurityConfig constructor. System.setProperty("https.proxyHost", "proxy.xxx.com"); System.setProperty("https.proxyPort", "8080"); WebSecurityConfig configure() method expects system property for the proxy to be set by the time the function is invoked. Thanks Team.

[bdemers]

Thanks for following up!