okta / okta-spring-boot

Okta Spring Boot Starter
324 stars, 136 forks

Principal is null with Authorization Code Flow using example in README #31

Closed Prophet32j closed 6 years ago

Prophet32j commented 6 years ago

I have followed the code example in the README and successfully set up the Authorization Code Flow. The user is redirected to the login screen hosted by Okta if a secured route is accessed. Once the user is authenticated through Okta, the user is redirected back to my app successfully.

The problem is, when I try to grab the Principal as defined in the controller example, the Principal is always null. Is there some OAuth Spring Security config that needs to be added?

POM/App info

Spring Boot 2.0.0.M3, okta-springboot starter 0.2.0, spring-security-oauth2 2.2.0.RELEASE

Controller serving secured page

package com.readingmentor.pir.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class DashboardController {

    @RequestMapping("/dashboard")
    public String dashboard(Principal principal) {
        // always null
        System.out.println("Principal " + principal.getName());
        return "dashboard";
    }

}

application.yml

okta:
  oauth2:
    issuer: https://dev-315558.oktapreview.com/oauth2/default
    clientId: ***
    clientSecret: ***
  client:
    orgUrl: https://dev-315558.oktapreview.com
    token: ***

Security configuration

package com.readingmentor.pir.config;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/programs/*", "/api/programs").permitAll()
            .antMatchers(HttpMethod.POST, "/api/users").permitAll()
            .antMatchers("/api/**", "/dashboard").authenticated()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated();
    }

}
mraible commented 6 years ago

I did the following tutorial earlier this week and it worked fine. Are you doing something different?

https://developer.okta.com/blog/2017/11/20/add-sso-spring-boot-15-min

On Nov 22, 2017, at 6:47 PM, Josh Hardy notifications@github.com wrote:

Springboot 2.0.0.M3, okta-springboot starter 0.2.0, spring-security-oauth2 2.2.0.RELEASE

Prophet32j commented 6 years ago

@mraible did you do it with springboot 2.0?

I removed the okta springboot starter dependency and followed your tutorial here: https://developer.okta.com/blog/2017/03/21/spring-boot-oauth

That one worked. I got my first and last name printed to the console. I got the full user info from here just to make sure all of the scopes defined are used.

import java.util.Map;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;

// The SSO filter stores an OAuth2Authentication in the security context; the
// user-info claims fetched at login sit in the nested user authentication's details.
OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();
Map<String, String> details = (Map<String, String>) userAuthentication.getDetails();
System.out.println(details);

I get all of my profile and email info printed to console.

mraible commented 6 years ago

@Prophet32j I've been able to use redirect-to-Okta with Spring Boot 2.0 (M6) and the Okta Spring Boot Starter 0.2.0. However, to get a Resource Server working with Spring Boot 2.0, I had to revert to 0.1.0 of the Okta Spring Boot starter.

bsakweson commented 6 years ago

@mraible I am in the process of integrating Okta to my resource server but ran into some issues. Can you please post a link of the code where you were about to use resource server?

My use case is a little different. My resource server will validate a bearer JWT token and extract claims from it, then use those claims to process the request.

Spring Boot version is: 1.5.8.RELEASE

mraible commented 6 years ago

@bsakweson The code is in a Spring Boot 2.0 + Angular 5 blog post that will hopefully be published this week. The code in Build a Secure Notes Application with Kotlin, TypeScript, and Okta is very similar.

bsakweson commented 6 years ago

This code uses okta-spring-boot-starter version 0.1.0, correct?


bsakweson commented 6 years ago

I would prefer not to use a version that is not yet GA. Would this approach work with version 1.9.0-RELEASE?

mraible commented 6 years ago

This code uses okta-spring-boot-starter version 0.1.0, correct?

Yes, but I'm also updating it now and it works fine with 0.2.0. I'm unsure what project you're referring to with 1.9.0-RELEASE.

bsakweson commented 6 years ago

My apologies, I meant the spring-boot-starter version as shown below.

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.9.RELEASE</version>
    <relativePath />
</parent>

Also the version of spring-security-oauth2 in version 1.5.9.RELEASE is 2.0.14.RELEASE

mraible commented 6 years ago

Yes, this starter works with Spring Boot 1.5.9.

bsakweson commented 6 years ago

I must be missing something because I am getting a build error. Here is the error I am getting.


org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/code/OktaOAuthCodeFlowConfiguration$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:564) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867) ~[spring-context-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543) ~[spring-context-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1118) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1107) [spring-boot-1.5.9.RELEASE.jar:1.5.9.RELEASE]
    at com.sakotek.bakalr.BakalrApplication.main(BakalrApplication.java:35) [classes/:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_141]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_141]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_141]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_141]
    at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-1.5.9.RELEASE.jar:1.5.9.RELEASE]
Caused by: org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:205) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.aop.framework.ProxyFactory.getProxy(ProxyFactory.java:109) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.createProxy(AbstractAutoProxyCreator.java:466) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:349) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:298) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:423) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1633) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:555) ~[spring-beans-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    ... 20 common frames omitted
Caused by: org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:345) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:492) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:93) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:91) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_141]
    at org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:116) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:291) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:480) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:337) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:55) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:201) ~[spring-aop-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    ... 27 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
    at sun.reflect.GeneratedMethodAccessor39.invoke(Unknown Source) ~[na:na]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_141]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_141]
    at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:459) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:336) ~[spring-core-4.3.13.RELEASE.jar:4.3.13.RELEASE]
    ... 40 common frames omitted
Caused by: java.lang.IllegalAccessError: class com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices$$EnhancerBySpringCGLIB$$6c8ad4c2 cannot access its superclass com.okta.spring.oauth.code.OktaOAuthCodeFlowConfiguration$Non500ErrorDefaultTokenServices
    at java.lang.ClassLoader.defineClass1(Native Method) ~[na:1.8.0_141]
    at java.lang.ClassLoader.defineClass(ClassLoader.java:763) ~[na:1.8.0_141]
    ... 45 common frames omitted
mraible commented 6 years ago

Try removing devtools as a dependency.

bsakweson commented 6 years ago

Yeah just that at this https://github.com/okta/okta-spring-boot/issues/22 Let me try that and see.

bsakweson commented 6 years ago

That works but it takes away the benefit of devtools. Any workaround?

mraible commented 6 years ago

The workaround is to use okta-spring-security-starter version 0.1.0, which provides the same functionality. It's just a previous version.

bsakweson commented 6 years ago

Weird, Maven is unable to bring this version down to my local repo.

Could not resolve dependencies for project ***: Could not find artifact com.okta.spring:okta-spring-boot-starter:jar:0.1.0 in central (https://repo.maven.apache.org/maven2)
mraible commented 6 years ago

Right, that's because we changed the name between releases. Use okta-spring-security-starter instead of okta-spring-boot-starter.

bsakweson commented 6 years ago

I want to add here, for anyone who may run into this in the future, that reverting to okta-spring-security-starter version 0.1.0 comes with some additional changes. Property names change from okta.oauth2.issuer to okta.oauth.issuer etc. This may be specific to my setup though. Just an FYI.

mraible commented 6 years ago

@bsakweson This is correct: we changed the name of the starter and the properties between 0.1.0 and 0.2.0.

bsakweson commented 6 years ago

Ok, I thought I was out of the woods before going to lunch, but it looks like there is still something missing after reverting to version 0.1.0. Here is the error I am getting now:

Description:

Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean named 'tokenServices' that could not be found.

Action:

Consider defining a bean named 'tokenServices' in your configuration.
Prophet32j commented 6 years ago

Ok. So maybe I had a complete misunderstanding of this starter. Does the Auth Code flow not request an access token for the client? I'm totally confused on this statement:

This module integrates with Spring Security's OAuth support, all you need is to mark your application with the standard @EnableOAuth2Client annotation

Where do we get an access token for the Principal? Are we supposed to code that ourselves?

Prophet32j commented 6 years ago

Debugging inside of Spring, I see that calls are made to the access token URI endpoint, and I can see the access token that's being returned. How do I get that access token? Am I doing something wrong? There are no cookies or any injected tokens passed to my browser.

If I can grab this token and send it myself, then I can manually add the Authorization header in my React app.

bdemers commented 6 years ago

You wouldn't, that is the access token that your spring app is using. If you have a front end app that is driving the flow, you may want to look at the @EnableResourceServer annotation and the OAuth Implicit flow.

bsakweson commented 6 years ago

It is all good guys. It turns out I was expecting to see the complete user profile after login but that seems not to be the case. I am making a second call with the access token to get the user profile.


Prophet32j commented 6 years ago

The implicit flow doesn't let me lock down UI routes and do data injection, right? If a user visits a route before the SPA is loaded, I want to inject data into the UI specific for that route and that user. In order to do that I need to know the user. With an implicit flow I don't know the requester's identity until after the SPA is loaded, right? Or am I missing something?


Prophet32j commented 6 years ago

I figured out why I was having a problem. Spring Security was correctly creating the HTTP session like it does and sending the JSESSIONID cookie. My issue was that I was getting a 403 Not Authorized, but didn't know why. Turns out it had to do with CSRF tokens. I was not disabling CSRF tokens, nor was I including a CSRF token in my requests.
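A way to clear the 403 that Prophet32j describes without turning CSRF protection off, as an added example that is not code from the issue or from the okta-spring-boot project (the package and class names are hypothetical). Because the SPA authenticates with a JSESSIONID cookie, any cross-site page could otherwise drive state-changing requests with the user's session, so the CSRF check is doing real work here. Spring Security's CookieCsrfTokenRepository writes the token to an XSRF-TOKEN cookie that browser-side code is allowed to read and echo back in an X-XSRF-TOKEN header; axios and Angular's HttpClient perform that echo by default, while a plain fetch() has to set the header itself.

```java
package com.example.config; // hypothetical package, not the issue author's

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableOAuth2Sso
public class SpaSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same route split as the issue's config: the API and the
                // dashboard need a session, static UI assets do not.
                .antMatchers("/api/**", "/dashboard").authenticated()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
            .and()
            // Keep CSRF enabled. The token is stored in an XSRF-TOKEN cookie
            // with httpOnly=false so the SPA can read it and send it back in
            // the X-XSRF-TOKEN header on POST/PUT/DELETE; requests without a
            // matching header are still rejected with 403.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

The httpOnly=false setting is what makes the cookie readable from JavaScript; it is intentional and limited to the CSRF token, the JSESSIONID cookie stays httpOnly. A quick check that the protection is active is to POST to /api/... from the browser with the cookie but without the X-XSRF-TOKEN header: Spring Security answers 403, which is the same symptom the thread started with and is now the expected outcome rather than a mystery.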

bdemers commented 6 years ago

I’m not following 100%, you can inject data into your resource for implicit flows. You can also make your UI not make remote calls until you have a user context. I only suggested it though because it sounded like you were creating a SPA.

-Brian


Prophet32j commented 6 years ago

I serve my SPA after authentication has happened.

  1. user visits login and logs in
  2. User is authenticated and is redirected to secured route
  3. User principal is grabbed from session information and user profile is loaded from Okta
     3a. If there's additional database data that is required for this route, load this now
  4. User profile is injected into Thymeleaf template along with any additional data
  5. SPA loads injected data into redux

Is this type of flow allowed with Implicit? As I understand the implicit flow, authentication happens between Okta and Browser, never informing my server. The id_token is handed to the browser to be sent in all API/resource requests.

So with the implicit flow, I would have to load the UI first, then have the user authenticate, then request the user’s data.

Right?

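Steps 3 and 4 of the flow above (read the principal from the session, take the profile Spring Security already fetched, hand it to the Thymeleaf template), together with the getDetails() snippet Prophet32j posted earlier in the thread, as one added example. It is not code from the issue or from the okta-spring-boot project; the package name, the view name and the model attribute names are assumptions. With @EnableOAuth2Sso the Principal that Spring MVC injects is the OAuth2Authentication the SSO filter stored in the session, and when Spring Boot's standard UserInfoTokenServices handled the login, the user-info claims are already attached to it, so no second call to Okta is needed for the template.

```java
package com.example.web; // hypothetical package, not the issue author's

import java.security.Principal;
import java.util.Collections;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class DashboardController {

    @GetMapping("/dashboard")
    public String dashboard(Principal principal, Model model) {
        if (principal == null) {
            // Defensive: if this route is ever left out of the authenticated()
            // matchers, never render user data for an anonymous session.
            // /login is the default entry path of Spring Boot's OAuth2 SSO support.
            return "redirect:/login";
        }
        // Step 3: identity comes from the session-backed SecurityContext.
        model.addAttribute("username", principal.getName());
        // Step 4: the profile is injected into the template model; the SPA
        // reads it from the rendered page instead of calling an API anonymously.
        model.addAttribute("profile", userInfoClaims(principal));
        return "dashboard"; // assumed Thymeleaf view name
    }

    /**
     * Returns the user-info claims that UserInfoTokenServices fetched at login,
     * or an empty map when a different token service populated the context.
     */
    static Map<String, Object> userInfoClaims(Principal principal) {
        if (!(principal instanceof OAuth2Authentication)) {
            return Collections.emptyMap();
        }
        Authentication user = ((OAuth2Authentication) principal).getUserAuthentication();
        Object details = user == null ? null : user.getDetails();
        if (details instanceof Map) {
            @SuppressWarnings("unchecked")
            Map<String, Object> claims = (Map<String, Object>) details;
            return claims;
        }
        return Collections.emptyMap();
    }
}
```

The instanceof checks are the difference between this and the raw cast from the earlier snippet: with the okta starter's local token validation, or any custom ResourceServerTokenServices, the details object may not be a Map, and the controller then degrades to an empty profile instead of throwing a ClassCastException during page render.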

bdemers commented 6 years ago

@Prophet32j how did you make out?

Prophet32j commented 6 years ago

Brian, I haven’t gone back and addressed any additional with flows since I removed the Okta starter and rolled with a basic spring OAuth spring security setup.

I can tell you that I tried to upgrade my spring dependencies and that broke everything so I had to roll it back and figure it out later this summer when I’m ready to ship my app.

Currently I’m still requiring auth before the UI is served so I can dynamically inject data into the UI on load.


bdemers commented 6 years ago

Sounds like you have an Auth Code Flow app? and your SPA uses a cookie to reference the session?

Prophet32j commented 6 years ago

Yes that is exactly what I’m doing. I’ll have to handle the session with Redis when I get more than one instance on my springboot app, but that’s not hard.

Eventually I want to transition to JWT.
