Open mdeggies opened 7 years ago
Hi guys- @mraible @bdemers, do either of you know what the issue is here? Why isn't hasAccount() working? If this method has not been patched in the okta rc, can you provide another method that this developer can use?
Note that this used to work in the past, and has stopped working. I can reproduce the issue using the sample spring-boot app.
@mraible can you assist with this?
I'll take a look on Monday and see if I can reproduce.
On Jul 14, 2017, at 15:33, Michele Degges notifications@github.com wrote:
@mraible can you assist with this?
@mdeggies @amiryesh I just tried updating my okta-spring-boot-angular-pwa-example to RC3 and I'm able to start and authenticate with it.
[mraible:~/dev … -angular-pwa-example/server] master(+1/-1) ± git diff pom.xml
diff --git a/server/pom.xml b/server/pom.xml
index 12c808d..b6ae7c9 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -22,7 +22,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
- <stormpath.version>2.0.0-okta-rc2</stormpath.version>
+ <stormpath.version>2.0.0-okta-rc3</stormpath.version>
</properties>
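Review bot: the only change is the `stormpath.version` property moving from `2.0.0-okta-rc2` to `2.0.0-okta-rc3`, and nothing in the diff records which behaviour that bump is expected to change; since the point of the test is token validation, it would help to state in the commit message what differed between the two release candidates, and to plan a follow-up bump off the RC once the released `2.0.0-okta` artifact mentioned later in this thread is available.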
The steps to setup an Okta dev account should match the README, but they're also in my blog post:
https://developer.okta.com/blog/2017/06/13/add-authentication-angular-pwa
Thanks @mraible, I was also unable to repro (so assumed I was doing something wrong). We have a screenshare scheduled today to discuss further.
@mraible ok, so I was just now able to reproduce. I'll post the clear repro steps in the original issue.
I have the same problem. When I set everything ready and run the spring-boot-default app, after I log in, it shows a 500 error with the information: Key with 'kid' of 9095wbtMW021cUk8X4dUIzrNal0dSupo4 could not be found via the '/oauth2/v1/keys' endpoint.
So why does this happen? Do I need to make any change in the Okta application? Thanks
@bdemers this is an issue for a lot of customers. It looks (to me) like there is a problem with the signing key using a stale value (that does not match the value at /oauth2/v1/keys). @dogeared is going to take a look tonight, as we have gotten a lot of questions about this.
Hi @weidongdiao, @amiryesh:
Thanks for your patience as we've escalated this. We've discovered the issue and have a fix that will work across all environments.
First, a quick overview of the solution:
In each Okta tenant, you must create and configure an Authorization Server (AS) and ensure that the Okta Application is configured to use the AS in the "Access Policies" section.
Then, the Stormpath SDK should be configured with the Authorization Server ID by setting the following env variable: OKTA_AUTHORIZATIONSERVER_ID=$ID
Here's some more background:
Some time ago, Okta decided to sign org-level access tokens with a backend secret key not available to end users. This move was made to increase security when dealing with org-level tokens. The proper way to validate these tokens is by using the /introspect endpoint. Some orgs have not yet been updated with this change.
One of the purposes of the Authorization Server is to have access to public keys to validate JWTs "locally" (locally, in this context being at the application server, like spring boot).
You can see this in action locally, using these httpie (httpie.org) commands (just make sure to plug in the appropriate values from your org):
http https://dev-ID.oktapreview.com/oauth2/AUTHORIZATION_SERVER_ID/v1/keys
(Note the kid in the response.)
http --auth <client id>:<client secret> \
-f POST https://dev-ID.oktapreview.com/oauth2/AUTHORIZATION_SERVER_ID/v1/token \
grant_type=password username=<email address> password=<password> scope=offline_access
If you plug the access token you get back into jsonwebtoken.io, you'll see that the kid matches.
Here's some more detailed information on configuring the AS:
1) Security -> API
2) Click the "Add Authorization Server" button
3) Enter Name, Audience and Description and click the "Save" button
4) Make note of the AS Id (it's the end of the url in your browser)
5) Click on the "Access Policies" tab
6) Click the "Add Policy" button
7) Enter a policy Name and Description. Choose to assign to all clients or specific clients.
8) Click the "Add Rule" button
9) Enter a Rule Name and choose the various switches you want to enforce access and token lifetime
Let me know if you have any questions and please confirm that once the AS is configured and the environment settings are updated in the spring boot app, everything is working.
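The failure mode described in the comment above (a token whose kid is not in the key set the app is checking) as an added, stdlib-only Python triage script. This is not code from the issue or from the Stormpath/Okta SDK. It parses the token header and claims, derives the keys endpoint from the `iss` claim, and reports which of the cases above applies: an org-level token (which the comment says must go through /introspect), a token minted by a different authorization server than the one the app is configured for, or a JWKS that no longer contains the kid. Signature verification itself is left to the SDK. The org URL and AS id are the placeholders from the httpie commands; the JWKS and the three tokens are constructed (the org-level sample reuses the kid from the 500 error in the thread, but its claims are made up).

```python
import base64
import json

# Placeholders copied from the thread's httpie commands; substitute your own org values.
ORG_URL = "https://dev-ID.oktapreview.com"
AS_ID = "AUTHORIZATION_SERVER_ID"
EXPECTED_ISSUER = f"{ORG_URL}/oauth2/{AS_ID}"

# Constructed sample JWKS shaped like /oauth2/<AS_ID>/v1/keys output (dummy values, not a real key).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "as-key-1", "n": "dummy-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a JWT-shaped string for the constructed samples below. The third segment is a
    placeholder, not a signature, so these tokens are only usable for header/claims triage."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    return ".".join(segments + ["placeholder-signature"])


def parse_jwt(token: str):
    """Return (header, claims) without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def keys_url_for(issuer: str) -> str:
    """Org-level issuer -> /oauth2/v1/keys; custom AS issuer -> /oauth2/<id>/v1/keys."""
    issuer = issuer.rstrip("/")
    return issuer + ("/v1/keys" if "/oauth2/" in issuer else "/oauth2/v1/keys")


def triage(token: str, jwks: dict, expected_issuer: str = EXPECTED_ISSUER) -> dict:
    """Explain why local validation would fail for this token, or confirm the kid is resolvable."""
    header, claims = parse_jwt(token)
    kid = header.get("kid")
    iss = claims.get("iss", "")
    known = {key.get("kid") for key in jwks.get("keys", [])}
    report = {"kid": kid, "iss": iss, "keys_url": keys_url_for(iss), "kid_in_jwks": kid in known}
    if "/oauth2/" not in iss:
        # Org-level token: per the thread, signed with a key Okta does not publish.
        report["verdict"] = ("org-level token: validate it via "
                             f"{iss.rstrip('/')}/oauth2/v1/introspect or point the app at a custom AS")
    elif iss.rstrip("/") != expected_issuer.rstrip("/"):
        report["verdict"] = f"issuer mismatch: token came from {iss}, app is configured for {expected_issuer}"
    elif kid not in known:
        report["verdict"] = f"kid not in JWKS: re-fetch {report['keys_url']} before failing the request"
    else:
        report["verdict"] = "ok: kid found, hand the matching JWK to the signature verifier"
    return report


# Constructed tokens: the first reproduces the thread's symptom (org-level issuer, kid from the
# 500 error), the second comes from the configured AS, the third references a rotated-out key.
ORG_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "9095wbtMW021cUk8X4dUIzrNal0dSupo4"},
    {"iss": ORG_URL, "sub": "user@example.com", "aud": "api://example"},
)
AS_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "as-key-1"},
    {"iss": EXPECTED_ISSUER, "sub": "user@example.com", "aud": "api://example"},
)
STALE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "rotated-out"},
    {"iss": EXPECTED_ISSUER, "sub": "user@example.com", "aud": "api://example"},
)

if __name__ == "__main__":
    for name, tok in (("org", ORG_TOKEN), ("as", AS_TOKEN), ("stale", STALE_TOKEN)):
        print(name, json.dumps(triage(tok, SAMPLE_JWKS), indent=2))
```

To use it against a real tenant, paste the access token returned by the httpie token call in place of AS_TOKEN and the JSON from the keys endpoint in place of SAMPLE_JWKS. The claims are read without any signature check, so the report is a diagnosis of which endpoint and key set the app should be using, not an authorization decision.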
Is this the correct notation for Spring Boot application.properties and AWS Environment variables? okta.authorizationserver.id I haven't been able to get this to work in either.
I got it working with a capital "S" okta.authorizationServer.id
We need to update the doc with the instructions on how to create an Authorization Server (if you did NOT run the export/import) (the migration process does this for you)
I'm running import export...You're still missing one crucial step.
On 9/08/2017 3:05 AM, Brian Demers notifications@github.com wrote:
We need to update the doc with the instructions on how to create an Authorization Server (if you did NOT run the export/import) (the migration process does this for you)
(View this comment on GitHub: https://github.com/stormpath/stormpath-sdk-java/issues/1346#issuecomment-320984803)
@trautvetter, an authorization server is created in Okta for each application you have in Stormpath. If you use the export/import tools, you shouldn't be running into this issue. If you are, please let us know!
It worked the very first time I ran the import tool. Several days went by and that Okta app stopped working suddenly. Any subsequent attempt to clear the account of all tokens, auth servers, groups, users etc; and re-run the import tool, failed to get it working again. After that I created a new Okta account and with a clean slate - ran the import tool again. It did not work. That is what led me to this issue, and learning about the requirement for this property: okta.authorizationServer.id. @amiryesh wasn't kidding when 27 days ago he said "This used to work ...". You really should update your documentation. I've wasted so much time on this that my boss has already told me just to get the hell off Okta onto something that works! It's a pity - Stormpath used to be awesome.
git clone https://github.com/stormpath/stormpath-sdk-java.git && cd stormpath-sdk-java && git checkout okta
cd examples/spring-boot-default
and update the pom.xml file. Find and replace all occurrences of 2.0.1-okta-SNAPSHOT with 2.0.0-okta.
cd ../..
mvn clean install
cd examples/spring-boot-default
mvn spring-boot:run