Open mdeggies opened 7 years ago
mdeggies
commented
7 years ago Hi guys- @mraible @bdemers, do you either of you know what the issue is here? Why isn't hasAccount() working? If this method has not been patched in the okta rc, can you provide another method that this developer can use?
amiryesh
commented
7 years ago Note that this used to work in the past, and has stopped working. I can reproduce the issue using the sample spring-boot app.
mdeggies
commented
7 years ago @mraible can you assist with this?
mraible
commented
7 years ago I'll take a look on Monday and see if I can reproduce.
On Jul 14, 2017, at 15:33, Michele Degges notifications@github.com wrote:
@mraible can you assist with this?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.
mraible
commented
7 years ago @mdeggies @amiryesh I just tried updating my okta-spring-boot-angular-pwa-example to RC3 and I'm able to start and authenticate with it.
[mraible:~/dev … -angular-pwa-example/server] master(+1/-1) ± git diff pom.xml
diff --git a/server/pom.xml b/server/pom.xml
index 12c808d..b6ae7c9 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -22,7 +22,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
- <stormpath.version>2.0.0-okta-rc2</stormpath.version>
+ <stormpath.version>2.0.0-okta-rc3</stormpath.version>
</properties>The steps to setup an Okta dev account should match the README, but they're also in my blog post:
https://developer.okta.com/blog/2017/06/13/add-authentication-angular-pwa
mdeggies
commented
7 years ago Thanks @mraible, I was also unable to repro (so assumed I was doing something wrong). We have a screenshare scheduled today to discuss further.
mdeggies
commented
7 years ago @mraible ok, so I was just now able to reproduce. I'll post the clear repro steps in the original issue.
weidongdiao
commented
7 years ago I have the same problem. When I set everything ready and run the spring-boot-default app, after I log in, it shows a 500 error with the information: Key with 'kid' of 9095wbtMW021cUk8X4dUIzrNal0dSupo4 could not be found via the '/oauth2/v1/keys' endpoint.
So why this will happen? Do I need to make any change in the Okta application? Thanks
mdeggies
commented
7 years ago @bdemers this is an issue for a lot of customers. It looks (to me) like there is a problem with the signing key using a stale value (that does not match the value at /oauth2/v1/keys). @dogeared is going to take a look tonight, as we have gotten a lot of questions about this.
mdeggies
commented
7 years ago Hi @weidongdiao, @amiryesh:
Thanks for your patience as we've escalated this. We've discovered the issue and have a fix that will work across all environments.
First, a quick overview of the solution:
In each Okta tenant, you must create and configure a Authorization Server (AS) and ensure that the Okta Application is configured to use the AS in the "Access Policies" section.
Then, the Stormpath SDK should be configured with the Authorization Server ID by setting the following env variable: OKTA_AUTHORIZATIONSERVER_ID=$ID
Here's some more background:
Some time ago, Okta decided to sign org-level access tokens with a backend secret key not available to end users. This move was made to increase security when dealing with org-level tokens. The proper way to validate these tokens is by using the /introspect endpoint. Some orgs have not yet been updated with this change.
One of the purposes of the Authorization Server is to have access to public keys to validate JWTs "locally" (locally, in this context being at the application server, like spring boot).
You can see this in action locally, using these httpie (httpie.org) commands (just make sure to plug in the appropriate values from your org):
http https:/dev-ID.oktapreview.com/oauth2/AUTHORIZATION_SERVER_ID/v1/keys
(Note the kid in the response.)
http --auth <client id>:<client secret> \
-f POST https://dev-ID.oktapreview.com/oauth2/AUTHORIZATION_SERVER_ID/v1/token \
grant_type=password username=<email address> password=<password> scope=offline_accessIf you plug the access token you get back into jsonwebtoken.io, you'll see that the kid matches.
Here's some more detailed information on configuring the AS:
1) Security -> API 2) Click the "Add Authorization Server" button 3) Enter Name, Audience and Description and click the "Save" button 4) Make note of the AS Id (it's the end of the url in your browser) 5) Click on the "AccessPolicies" tab 6) Click the "Add Policy" button 7) Enter a policy Name and Description. Choose to assign to all clients or specific clients. 8) Click the "Add Rule" button 9) Enter a Rule Name and choose the various switches you want to enforce access and token lifetime
Let me know if you have any questions and please confirm that once the AS is configured and the environment settings are updated in the spring boot app, everything is working.
trautvetter
commented
7 years ago Is this the correct notation for Spring Boot application.properties and AWS Environment variables? okta.authorizationserver.id I haven't been able to get this to work in either.
amiryesh
commented
7 years ago I got it working with a capital "S" okta.authorizationServer.id
bdemers
commented
7 years ago We need to update the doc with the instructions on how to create an Authorization Server (if you did NOT run the export/import) (the migration process does this for you)
trautvetter
commented
7 years ago I'm running import export...You're still missing one crucial step.
On 9/08/2017 3:05 AM, Brian Demers notifications@github.com wrote:
We need to update the doc with the instructions on how to create an Authorization Server (if you did NOT run the export/import) (the migration process does this for you)
— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://github.com/stormpath/stormpath-sdk-java/issues/1346#issuecomment-320984803, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AHBrVXif-wzhTfp1lfiU6VtKy_9s2LdWks5sWHk-gaJpZM4OWRxh.
mdeggies
commented
7 years ago @trautvetter, an authorization server is created in Okta for each application you have in Stormpath. If you use the export/import tools, you shouldn't be running into this issue. If you are, please let us know!
trautvetter
commented
7 years ago It worked the very first time I ran the import tool. Several days went by and that Okta app stopped working suddenly. Any subsequent attempt to clear the account of all tokens, auth servers, groups, users etc; and re-run the import tool, failed to get it working again. After that I created a new Okta account and with a clean slate - ran the import tool again. It did not work. That is what led me to this issue, and learning about the requirement for this property: okta.authorizationServer.id. @amiryesh wasn't kidding when 27 days ago he said "This used to work ...". You really should update your documentation. I've wasted so much time on this that my boss has already told me just to get the hell off Okta onto something that works! It's a pity - Stormpath used to be awesome.
git clone https://github.com/stormpath/stormpath-sdk-java.git && git checkout oktacd examples/spring-boot-defaultand update the pom.xml file. Find and replace all occurrences of2.0.1-okta-SNAPSHOTto2.0.0-okta./stormpath-sdk-java&& mvn clean installcd examples/spring-boot-defaultmvn spring-boot:run