Okta Spring Boot Starter

Okta's Spring Boot Starter will enable your Spring Boot application to work with Okta via OAuth 2.0/OIDC.

Release status

This library uses semantic versioning and follows Okta's library version policy.

✔️ The current stable major version series is: 2.x

| Version | Status |
| ------- | ------ |
| 0.x.x | ⚠️ Retired |
| 1.x.0 | 🕘 Retiring effective September 28, 2021 |
| 2.x.0 | ✔️ Stable |

Spring Boot Version Compatibility

| Okta Spring Boot SDK Versions | Compatible Spring Boot Versions |
| ----------------------------- | ------------------------------- |
| 1.2.x | 2.1.x |
| 1.4.x | 2.2.x |
| 1.5.x | 2.4.x |
| 2.0.x | 2.4.x |

The latest release can always be found on the releases page.

What you need

Quickstart

  1. Create a Spring Boot application with Spring Initializr:

    curl https://start.spring.io/starter.tgz -d dependencies=web,okta -d baseDir=<<yourProjectName>> | tar -xzvf -
    cd <<yourProjectName>>
  2. Configure it with Okta CLI:

    okta apps create
  3. Run it:

    ./mvnw spring-boot:run

Include the dependency

For Apache Maven:

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
</dependency>

For Gradle:

compile 'com.okta.spring:okta-spring-boot-starter'

Supporting client side applications - OAuth Implicit flow

Are you writing backend endpoints in order to support a client side application? If so follow along, otherwise skip to the next section.

Configure your properties

You can configure your application's properties with environment variables, system properties, or configuration files. Take a look at the Spring Boot documentation for more details.

Only these three properties are required for a web app:

| Property | Default | Details |
| -------- | ------- | ------- |
| okta.oauth2.issuer | N/A | Authorization Server issuer URL, i.e.: https://{yourOktaDomain}/oauth2/default |
| okta.oauth2.clientId | N/A | The Client Id of your Okta OIDC application |
| okta.oauth2.clientSecret | N/A | The Client Secret of your Okta OIDC application |

There are many more properties that you can optionally configure as well. Here are some examples:

| Property | Default | Details |
| -------- | ------- | ------- |
| okta.oauth2.audience | api://default | The audience of your Authorization Server |
| okta.oauth2.groupsClaim | groups | The claim key in the Access Token's JWT that corresponds to an array of the user's groups. |
| okta.oauth2.postLogoutRedirectUri | N/A | Set to an absolute URI to enable RP-Initiated (SSO) logout. |

Create a Controller

The above client makes a request to /hello-oauth. You simply need to create a Spring Boot application and Controller to handle the response:

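import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

	@GetMapping("/hello-oauth")
	public String hello(@AuthenticationPrincipal OidcUser user) {
		return "Hello, " + user.getFullName();
	}
}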

That's it!

To test things out you can use curl:

$ curl http://localhost:8080/hello-oauth \
   --header "Authorization: Bearer ${accessToken}"

The result should look something like:

Hello, [email protected]

Okta's Spring Security integration will parse the JWT access token from the HTTP request's Authorization: Bearer header value.

Check out a minimal example that uses the Okta Signin Widget and JQuery or this blog post.

Spring MVC

  1. Set up your MVC project by following the Quickstart section above.

  2. Configure the URL mappings for handling GET and POST requests.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

	@GetMapping("/")
	public String index(@AuthenticationPrincipal Jwt jwt) {
		return String.format("Hello, %s!", jwt.getSubject());
	}

	@GetMapping("/message")
	@PreAuthorize("hasAuthority('SCOPE_message:read')")
	public String message() {
		return "secret message";
	}

	@PostMapping("/message")
	@PreAuthorize("hasAuthority('SCOPE_message:write')")
	public String createMessage(@RequestBody String message) {
		return String.format("Message was created. Content: %s", message);
	}
}

NOTE: message:read and message:write used above in @PreAuthorize are OAuth scopes. If you are looking to add custom scopes, refer to the documentation.

  3. Configure your Resource Server either for JWT or Opaque Token validation by extending the WebSecurityConfigurerAdapter class and overriding the configure method. If neither JWT nor Opaque Token is specified in configuration, JWT validation will be used by default.

import com.okta.spring.boot.oauth.Okta;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
            // allow anonymous access to the root page
            .antMatchers("/").permitAll()
            // all other requests
            .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt(); // replace .jwt() with .opaqueToken() for Opaque Token case

        // Send a 401 message to the browser (w/o this, you'll see a blank page)
        Okta.configureResourceServer401ResponseBody(http);
    }
}

Refer to the Spring Security documentation for more details on resource server configuration.
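
The scope checks above are only useful if they are actually enforced, so it is worth pinning them down in a test. The following is an added example, not part of the original README or the Okta project: a MockMvc test for the /message endpoints of the DemoApplication shown above. It assumes spring-boot-starter-test and spring-security-test are on the test classpath and that the test sits in the same package as DemoApplication; the class name MessageScopeTests and the issuer value are constructed placeholders. In Spring Security 5.x, @PreAuthorize is ignored unless method security is enabled (for example with @EnableGlobalMethodSecurity(prePostEnabled = true)); if it is not, the two "forbidden" tests below fail and expose the gap.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example (assumption: placed next to DemoApplication from the section above).
// The issuer is a constructed placeholder; the jwt() post-processor injects an
// already-authenticated token, so nothing is fetched from or validated against it.
@SpringBootTest(
        classes = DemoApplication.class,
        properties = "okta.oauth2.issuer=https://okta.example.invalid/oauth2/default")
@AutoConfigureMockMvc
class MessageScopeTests {

    // Spring Security exposes each OAuth scope as an authority prefixed with SCOPE_.
    private static final SimpleGrantedAuthority READ =
            new SimpleGrantedAuthority("SCOPE_message:read");
    private static final SimpleGrantedAuthority WRITE =
            new SimpleGrantedAuthority("SCOPE_message:write");
    // A scope that is valid but unrelated to the message endpoints.
    private static final SimpleGrantedAuthority UNRELATED =
            new SimpleGrantedAuthority("SCOPE_profile");

    @Autowired
    private MockMvc mvc;

    @Test
    void requestWithoutTokenIsUnauthorized() throws Exception {
        // anyRequest().authenticated() must reject a request that carries no bearer token.
        mvc.perform(get("/message"))
                .andExpect(status().isUnauthorized());
    }

    @Test
    void tokenWithoutReadScopeIsForbidden() throws Exception {
        // Authenticated, but lacking message:read. A 200 here means @PreAuthorize
        // is not being enforced (method security not enabled).
        mvc.perform(get("/message").with(jwt().authorities(UNRELATED)))
                .andExpect(status().isForbidden());
    }

    @Test
    void tokenWithReadScopeCanReadMessage() throws Exception {
        mvc.perform(get("/message").with(jwt().authorities(READ)))
                .andExpect(status().isOk())
                .andExpect(content().string("secret message"));
    }

    @Test
    void readScopeDoesNotGrantWrite() throws Exception {
        // message:read must not be sufficient for the POST endpoint.
        mvc.perform(post("/message")
                        .contentType(MediaType.TEXT_PLAIN)
                        .content("hello")
                        .with(jwt().authorities(READ)))
                .andExpect(status().isForbidden());
    }

    @Test
    void tokenWithWriteScopeCanCreateMessage() throws Exception {
        mvc.perform(post("/message")
                        .contentType(MediaType.TEXT_PLAIN)
                        .content("hello")
                        .with(jwt().authorities(WRITE)))
                .andExpect(status().isOk())
                .andExpect(content().string("Message was created. Content: hello"));
    }
}
```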

Spring WebFlux

To configure a resource server when using Spring WebFlux, you need to use a couple of annotations and define a SecurityWebFilterChain bean.

import com.okta.spring.boot.oauth.Okta;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity 
@EnableReactiveMethodSecurity 
public class SecurityConfiguration {

    @Bean 
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt();
                
        // Send a 401 message to the browser (w/o this, you'll see a blank page)
        Okta.configureResourceServer401ResponseBody(http);
                
        return http.build();
    }
}

If you want to support SSO and a resource server in the same application, you can do that too!

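import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            // browser users are redirected to log in (SSO)
            .oauth2Login()
                .and()
            // API clients authenticate with a bearer JWT
            .oauth2ResourceServer()
                .jwt();
        return http.build();
    }
}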

Full Stack Reactive with Spring WebFlux, WebSockets, and React uses both SSO and a resource server. Its current code uses Spring Security's OIDC support. Changing it to use the Okta Spring Starter reduces the lines of code quite a bit.

Supporting server side applications - OAuth Code flow

Building a server side application and just need to redirect to a login page? This OAuth 2.0 code flow is for you.

Create a Web App on Okta

To create a new OIDC app for Spring Boot on Okta:

  1. Log in to your developer account, navigate to Applications, and click on Add Application.
  2. Select Web and click Next.
  3. Give the application a name and add http://localhost:8080/login/oauth2/code/okta as a login redirect URI.
  4. Click Done.

Configure your properties

You can configure your application's properties with environment variables, system properties, or configuration files. Take a look at the Spring Boot documentation for more details.

| Property | Required | Details |
| -------- | -------- | ------- |
| okta.oauth2.issuer | true | Authorization Server issuer URL, i.e.: https://{yourOktaDomain}/oauth2/default |
| okta.oauth2.clientId | true | The Client Id of your Okta OIDC application |
| okta.oauth2.clientSecret | true | The Client Secret of your Okta OIDC application |

Create a simple application

Create a minimal Spring Boot application:

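import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@SpringBootApplication
public class ExampleApplication {

    public static void main(String[] args) {
        SpringApplication.run(ExampleApplication.class, args);
    }

    @GetMapping("/")
    public String getMessageOfTheDay(@AuthenticationPrincipal OidcUser user) {
        return user.getName() + ", this message of the day is boring";
    }
}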

If you want to allow anonymous access to specific routes you can add a WebSecurityConfigurerAdapter:

@Configuration
static class WebConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/my-anon-page").permitAll()
                .anyRequest().authenticated()
            .and().oauth2Client()
            .and().oauth2Login();
    }
}

If you want to add custom claims to JWT tokens in your custom Authorization Server, see Add Custom claim to a token for more info.

You could then extract the attributes from the token by doing something like below:

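import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExampleController {

    @GetMapping("/email")
    public String getUserEmail(AbstractOAuth2TokenAuthenticationToken<?> authentication) {
        // AbstractOAuth2TokenAuthenticationToken works for both JWT and opaque access tokens
        return (String) authentication.getTokenAttributes().get("sub");
    }
}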

Share Sessions Across Web Servers

The Authorization Code Flow (the typical OAuth redirect) uses sessions. If you have multiple instances of your application, you must configure a Spring Session implementation such as Redis, Hazelcast, JDBC, etc.

That's it!

Open up http://localhost:8080 in your favorite browser.

You'll be redirected automatically to an Okta login page. Once you successfully log in, you will be redirected back to your app and you'll see the message of the day!

This module integrates with Spring Security's OAuth support; all you need to do is mark your application with the standard @EnableOAuth2Client annotation.

Proxy

If you're running your application (with this okta-spring-boot dependency) from behind a network proxy, you can set up properties for it in application.yml:

okta:
  oauth2:
    proxy:
      host: "proxy.example.com"
      port: 7000
      username: "your-username"             # optional
      password: "your-secret-password"      # optional

or, add JVM args to your application like:

-Dokta.oauth2.proxy.host=proxy.example.com
-Dokta.oauth2.proxy.port=port
-Dokta.oauth2.proxy.username=your-username
-Dokta.oauth2.proxy.password=your-secret-password

or, you could set it programmatically like:

System.setProperty("okta.oauth2.proxy.host", "proxy.example.com");
System.setProperty("okta.oauth2.proxy.port", "7000");
System.setProperty("okta.oauth2.proxy.username", "your-username");
System.setProperty("okta.oauth2.proxy.password", "your-secret-password");

See here for the complete list of properties.

Note: Spring WebFlux (and WebClient) does not support these properties. (See spring-projects/spring-security#8882).

If you are running your Spring Boot App behind a reverse proxy, be sure to read this guide.

Inject the Okta Java SDK

To integrate the Okta Java SDK into your Spring Boot application you just need to add a dependency:

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-sdk</artifactId>
</dependency>

Then define the okta.client.token property. See creating an API token for more info.

All that is left is to inject the client (com.okta.sdk.client.Client)! Take a look at this post for more info on the best way to inject your beans.

Extra Credit

Want to build this project?

Just clone it and run:

$ git clone https://github.com/okta/okta-spring-boot.git
$ cd okta-spring-boot
$ mvn install

Comments
  • Principal is null with Authorization Code Flow using example in README

    I have followed the code example in the README and successfully setup the Authorization Code Flow. The user is redirected to the login screen hosted by Okta if a secured route is accessed. Once the user is authenticated through Okta, the user is redirected back to my app successfully.

    The problem is, when I try and grab the Principal as defined in the controller example, the Principal is always null. Is there some OAuth Spring Security config that needs to be added??

    POM/App info

    • Springboot 2.0.0.M3
    • okta-springboot starter 0.2.0
    • spring-security-oauth2 2.2.0.RELEASE

    Controller serving secured page

    package com.readingmentor.pir.controller;
    
    import java.security.Principal;
    
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    
    @Controller
    public class DashboardController {
    	
    	@RequestMapping("/dashboard")
    	public String dashboard(Principal principal) {
                    // always null
    		System.out.println("Principal " + principal.getName());
    		return "dashboard";
    	}
    	
    }
    

    application.yml

    okta:
      oauth2:
        issuer: https://dev-315558.oktapreview.com/oauth2/default
        clientId: ***
        clientSecret: ***
      client:
        orgUrl: https://dev-315558.oktapreview.com
        token: ***
    

    Security configuration

    package com.readingmentor.pir.config;
    
    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
    @Configuration
    @EnableOAuth2Sso
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    	
    	@Override
    	public void configure(HttpSecurity http) throws Exception {
    		http.authorizeRequests()
    		.antMatchers(HttpMethod.GET, "/api/programs/*", "/api/programs").permitAll()
    		.antMatchers(HttpMethod.POST, "/api/users").permitAll()
    		.antMatchers("/api/**", "/dashboard").authenticated()
            .antMatchers("/**").permitAll()
            .anyRequest().authenticated();
    	}
    
    }
    
    opened by Prophet32j 32
  • Okta Spring Boot Starter doesn't work with Spring Boot 2.0

    Related to #22 I'm getting this same IllegalAccessError on the Implicit flow configuration.
    My app is a springboot starter 2.0.0.M3.

    <dependency>
        <groupId>com.okta.spring</groupId>
        <artifactId>okta-spring-boot-starter</artifactId>
        <version>0.2.0</version>
    </dependency>
    
    @Configuration
    @EnableResourceServer
    public class SecurityConfig {
    }
    
    okta:
      oauth2:
        issuer: https://my-dev.oktapreview.com/oauth2/default
        clientId: ***
        audience: api://default
        scopeClaim: scp
        rolesClaim: groups
    

    My stack trace

    org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration': Unsatisfied dependency expressed through field 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:570) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:91) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:356) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1352) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:580) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:499) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:312) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$120/1093110206.getObject(Unknown Source) ~[na:na]
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:755) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:868) ~[spring-context-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549) ~[spring-context-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:122) ~[spring-boot-2.0.0.M3.jar:2.0.0.M3]
    	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
    	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:386) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
    	at org.springframework.boot.SpringApplication.run(SpringApplication.java:327) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
    	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1245) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
    	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1233) [spring-boot-2.0.0.M3.jar:2.0.0.M3]
    	at com.readingmentor.pir.PIRApplication.main(PIRApplication.java:10) [classes/:na]
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_45]
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_45]
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_45]
    	at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_45]
    	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-2.0.0.M3.jar:2.0.0.M3]
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerTokenServices' defined in class path resource [com/okta/spring/oauth/implicit/ResourceServerConfig$LocalTokenValidationConfig.class]: Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:591) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:499) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:312) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$120/1093110206.getObject(Unknown Source) ~[na:na]
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:205) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:255) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1305) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1271) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveMultipleBeans(DefaultListableBeanFactory.java:1198) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1089) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1058) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:567) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	... 25 common frames omitted
    Caused by: org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices]: Common causes of this problem include using a final class or a non-visible class; nested exception is org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    	at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:209) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.aop.framework.ProxyFactory.getProxy(ProxyFactory.java:110) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.createProxy(AbstractAutoProxyCreator.java:470) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:352) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:301) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:436) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1720) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582) ~[spring-beans-5.0.0.RC3.jar:5.0.0.RC3]
    	... 38 common frames omitted
    Caused by: org.springframework.cglib.core.CodeGenerationException: java.lang.reflect.InvocationTargetException-->null
    	at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:345) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:492) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:93) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:91) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_45]
    	at org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:116) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:291) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:480) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:337) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:58) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:205) ~[spring-aop-5.0.0.RC3.jar:5.0.0.RC3]
    	... 45 common frames omitted
    Caused by: java.lang.reflect.InvocationTargetException: null
    	at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) ~[na:na]
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_45]
    	at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_45]
    	at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:459) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:336) ~[spring-core-5.0.0.RC3.jar:5.0.0.RC3]
    	... 58 common frames omitted
    Caused by: java.lang.IllegalAccessError: class com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices$$EnhancerBySpringCGLIB$$50916add cannot access its superclass com.okta.spring.oauth.implicit.Non500ErrorDefaultTokenServices
    	at java.lang.ClassLoader.defineClass1(Native Method) ~[na:1.8.0_45]
    	at java.lang.ClassLoader.defineClass(ClassLoader.java:760) ~[na:1.8.0_45]
    	... 63 common frames omitted
    

    Any of the developer guides that are on the Okta developer blogs are not up to date and accurate.

    opened by Prophet32j 27
  • IllegalArgumentException: issuer cannot be empty

    I'm working with @starbuxman to develop a reactive microservices stack for our Devoxx talk. Using 0.2.0 of this library throws the following error after I integrate things:

    Caused by: java.lang.IllegalArgumentException: issuer cannot be empty
        at org.springframework.util.Assert.hasText (Assert.java:276)
        at com.okta.spring.oauth.discovery.OidcDiscoveryClient.<init> (OidcDiscoveryClient.java:36)
        at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.discoveryPropertiesSource (OktaPropertiesMappingEnvironmentPostProcessor.java:137)
        at com.okta.spring.oauth.OktaPropertiesMappingEnvironmentPostProcessor.postProcessEnvironment (OktaPropertiesMappingEnvironmentPostProcessor.java:95)
        at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEnvironmentPreparedEvent (ConfigFileApplicationListener.java:170)
        at org.springframework.boot.context.config.ConfigFileApplicationListener.onApplicationEvent (ConfigFileApplicationListener.java:156)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener (SimpleApplicationEventMulticaster.java:172)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener (SimpleApplicationEventMulticaster.java:165)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent (SimpleApplicationEventMulticaster.java:139)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent (SimpleApplicationEventMulticaster.java:127)
        at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared (EventPublishingRunListener.java:73)
        at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared (SpringApplicationRunListeners.java:54)
        at org.springframework.boot.SpringApplication.prepareEnvironment (SpringApplication.java:349)
        at org.springframework.boot.SpringApplication.run (SpringApplication.java:317)
    

    Steps to reproduce:

    git clone [email protected]:mraible/cloud-native-pwas.git
    cd cloud-native-pwas/kotlin-reactive/edge-service
    

    Modify pom.xml to add this library:

    <dependency>
    	<groupId>com.okta.spring</groupId>
    	<artifactId>okta-spring-boot-starter</artifactId>
    	<version>0.2.0</version>
    </dependency>
    

    Add properties to src/main/resources/application.properties:

    okta.oauth2.issuer=https://dev-158606.oktapreview.com/oauth2/default
    okta.oauth2.clientId=XXX
    okta.oauth2.clientSecret=XXX
    

    Run ./mvnw spring-boot:run.

    opened by mraible 24
  • Okta Spring Boot starter doesn't work with GraalVM

    Steps to reproduce:

    Create a new Spring Boot app using HTTPie:

    http https://start.spring.io/starter.zip \
         dependencies==web,okta \
         packageName==com.okta.rest \
         name=spring-boot \
         type=maven-project \
         -o spring-boot.zip
    

    Then, add a HelloController:

    package com.okta.rest.controller;
    
    import org.springframework.security.core.annotation.AuthenticationPrincipal;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;
    
    import java.security.Principal;
    
    @RestController
    public class HelloController {
    
        @GetMapping("/hello")
        public String hello(@AuthenticationPrincipal Principal principal) {
            return "Hello, " + principal.getName() + "!";
        }
    }
    

    Configure it to be an OAuth 2.0 resource server by adding an issuer to application.properties:

    okta.oauth2.issuer=https://dev-133337.okta.com/oauth2/default
    

    All the following should work at this point (I got an access token from oidcdebugger.com):

    $ mvn spring-boot:run
    $ http :8080/hello
    $ TOKEN=eyJraWQiOiJxOE1QMjFNNHZCVmxOSkxGbFFWNlN...
    $ http :8080/hello Authorization:"Bearer $TOKEN"
    

    To add "build native image support", I followed these docs.

    I upgraded my app to use Spring Boot v2.4.0-M2.

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.0-M2</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    

    I updated my configuration to avoid proxies:

    @SpringBootApplication(proxyBeanMethods = false)
    public class Application {
    
    	public static void main(String[] args) {
    		SpringApplication.run(Application.class, args);
    	}
    }
    

    I added the milestone repos to my pom.xml:

    <repositories>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
        </pluginRepository>
    </pluginRepositories>
    

    I configured the Spring Boot Maven plugin:

    <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <configuration>
            <image>
                <builder>paketobuildpacks/builder:tiny</builder>
                <env>
                    <BP_BOOT_NATIVE_IMAGE>1</BP_BOOT_NATIVE_IMAGE>
                    <BP_BOOT_NATIVE_IMAGE_BUILD_ARGUMENTS>
                        -Dspring.native.remove-yaml-support=true
                        -Dspring.spel.ignore=true
                    </BP_BOOT_NATIVE_IMAGE_BUILD_ARGUMENTS>
                </env>
            </image>
        </configuration>
    </plugin>
    

    I added the Spring GraalVM dependency:

    <dependency>
        <groupId>org.springframework.experimental</groupId>
        <artifactId>spring-graalvm-native</artifactId>
        <version>0.8.0</version>
    </dependency>
    

    And built my application.

    ./mvnw spring-boot:build-image
    

    Then I tried to run it.

    docker run -p 8080:8080 docker.io/library/demo:0.0.1-SNAPSHOT
    

    It fails with the following error:

    2020-09-21 18:40:59.056  INFO 1 --- [           main] com.okta.rest.Application                : Starting Application using Java 11.0.8 on 089430f03b4c with PID 1 (/workspace/com.okta.rest.Application started by cnb in /workspace)
    2020-09-21 18:40:59.056  INFO 1 --- [           main] com.okta.rest.Application                : No active profile set, falling back to default profiles: default
    2020-09-21 18:40:59.098  WARN 1 --- [           main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanDefinitionStoreException: @Configuration classes need to be marked as proxyBeanMethods=false. Found: [com.okta.spring.boot.oauth.OktaOAuth2ResourceServerAutoConfig]
    2020-09-21 18:40:59.099  INFO 1 --- [           main] ConditionEvaluationReportLoggingListener : 
    
    Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
    2020-09-21 18:40:59.099 ERROR 1 --- [           main] o.s.boot.SpringApplication               : Application run failed
    
    org.springframework.beans.factory.BeanDefinitionStoreException: @Configuration classes need to be marked as proxyBeanMethods=false. Found: [com.okta.spring.boot.oauth.OktaOAuth2ResourceServerAutoConfig]
            at org.springframework.context.annotation.ConfigurationClassPostProcessor.enhanceConfigurationClasses(ConfigurationClassPostProcessor.java:436) ~[com.okta.rest.Application:na]
            at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanFactory(ConfigurationClassPostProcessor.java:273) ~[com.okta.rest.Application:na]
            at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:299) ~[na:na]
            at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:134) ~[na:na]
            at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:751) ~[na:na]
            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:569) ~[na:na]
            at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:144) ~[na:na]
            at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759) ~[com.okta.rest.Application:na]
            at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:751) ~[com.okta.rest.Application:na]
            at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:410) ~[com.okta.rest.Application:na]
            at org.springframework.boot.SpringApplication.run(SpringApplication.java:326) ~[com.okta.rest.Application:na]
            at org.springframework.boot.SpringApplication.run(SpringApplication.java:1280) ~[com.okta.rest.Application:na]
            at org.springframework.boot.SpringApplication.run(SpringApplication.java:1269) ~[com.okta.rest.Application:na]
            at com.okta.rest.Application.main(Application.java:10) ~[com.okta.rest.Application:na]                                                                    
    
    opened by mraible 19
  • Invalid Token Guidance


    Hey guys,

    I followed https://developer.okta.com/blog/2017/12/06/bootiful-development-with-spring-boot-and-react for setting up a react + spring boot simple application.

    I've checked both the client id and issuer on both React and Spring Boot configurations and they are the same. However, I am still getting an invalid token.

    Things to note.

    I made sure that my header is Authorization and BEARER MY_AUTHTOKEN.

    Spring Boot version: Brussels-SR5

    opened by rodoabad 19
  • Please confirm compatibility with Spring Boot 2.2


    We're heading towards an RC1 of Spring Boot 2.2 soon, followed by GA in Q4. Can you please confirm full compatibility of the starter with Spring Boot 2.2?

    As soon as we hear from you, we can enable the starter again on start.spring.io, see https://github.com/spring-io/start.spring.io/issues/266

    Thanks!

    opened by snicoll 18
  • Support OIDC logout - RP-initiated logout


    There was a Spring Security issue related to this a while back, but my search fu is failing me.

    We need to (at minimum) document how to revoke Okta's id tokens when a user logs out, and document how to end an Okta session.

    Depends on: spring-projects/spring-security#5350

    enhancement 
    opened by bdemers 18
  • Update to Spring Boot 2.1


    Which pulls in Spring Security 5.1

    This is a complete rewrite as the Spring Security OAuth modules have changed (so looking at the diffs will look odd, you might be better off treating it as new work and looking at the files)

    Fixes: #96

    opened by bdemers 18
  • Spring Sec 5 /Boot 2 + custom WebSecurityConfigurerAdapter -http.oauth2Login() - not configurable


    Hello, I am working with Spring Boot 2.0.5 and Okta 0.6.0. I am following a tutorial https://github.com/okta/samples-java-spring/blob/master/okta-hosted-login/src/main/java/com/okta/spring/example/CodeFlowExampleApplication.java but cannot get beyond an issue related to the redirect URI and too many redirects.

    The redirect to Okta works successfully, the problems begin on the redirect back to localhost.

    The UI I receive from my application is here: image

    I have set the redirect URI for my OIDC App to localhost:8082/callback and this is the configuration of my yml file:

    security:
      oauth2:
        client:
          client-id: XXXX
          client-secret: XXX
          access-token-uri: https://dev-848116.oktapreview.com/oauth2/XXX/v1/token
          user-authorization-uri: https://dev-848116.oktapreview.com/oauth2/XXX/v1/authorize
          client-authentication-scheme: form
        sso:
          login-path: /callback

    okta:
      oauth2:
        issuer: https://dev-848116.oktapreview.com/oauth2/XXX

    The Security configuration I am using is here:

    @Configuration
    @EnableOAuth2Sso
    public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    /*public ApplicationSecurity(ApplicationContext applicationContext) {
        super(applicationContext);
    }*/
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .antMatcher("/**")
          .authorizeRequests()
          .antMatchers("/callback")
          .permitAll()
          .anyRequest()
          .authenticated();
    }
    
    /*@EnableGlobalMethodSecurity(prePostEnabled = true)
    protected static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            return new OAuth2MethodSecurityExpressionHandler();
        }
    }*/
    

    }

    I have also tried the security configuration by extending the OAuth2SsoDefaultConfiguration class, however I can see this class implements the WebSecurityConfigurerAdapter interface so perhaps no surprises it operates the same way.

    It appears to me the http security is being ignored or bypassed. The controller config is very simple, here is the /callback implementation:

    @GetMapping("/callback")
    public String callback(OAuth2Authentication authentication, Model model) {
        logger.info("Returning principal page: " + authentication.getUserAuthentication().getName());
        model.addAttribute("user", authentication.getUserAuthentication().getName());
        return "home";
    }

    Can you please advise what I need to do to resolve this, I'm not sure I need a concrete implementation of the /callback endpoint.

    bug enhancement 
    opened by fcbogle 18
  • NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecurity' available


    👋 Hello, I was directed to submit this as an issue after troubleshooting with Lijia on the Dev Support team. I am hoping this is an environment / configuration issue on my end (I am new to Java / Spring) and not a bug, so I've provided details below on what I have set up as well for context.

    I'm submitting a

    • [x] bug report
    • [ ] feature request

    Background info

    I am writing an API and my goal is to be able to validate the access token (JWT) passed to it from a client application with the help of okta-spring-boot-starter and Okta as the default authorization server. This is a Spring Boot Application (backend). The AP client sending the access tokens as part of Bearer is isolated and gets its tokens separately via the Authorization Code flow with PKCE.

    Issue

    With okta-spring-boot-starter as a dependency, the application is failing to start with this error:

    Screen Shot 2021-03-10 at 4 35 09 PM

    OIDC App Details

    • client id: 0oaq60t2y0hSwuaHR0x7
    • client authentication: use PKCE
    • allowed grant types: Authorization code

    Application Properties

    Here is my application.properties file:

    okta.oauth2.issuer=https://{issuer domain} <---- omitted just for privacy purposes
    okta.oauth2.client-id=0oaq60t2y0hSwuaHR0x7
    server.port=8081
    

    When I run this with https://{issuer domain}/oauth2/default as described in the instructions, the application fails earlier in the run with this error.

    Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://slackcorp.okta.com/oauth2/default"
    

    which leads me to believe that the properties I have set up are correct. I'm under the impression that I should be able to use the same value for issuer as what I see in the access token and that value also matches what I currently have for okta.oauth2.issuer. Additionally, https://{ issuer domain }/.well-known/openid-configuration is accessible via curl and in the browser and returns the application metadata I expect.

    I have omitted the client-secret field as my application uses PKCE, and based on this it seems like it's not necessary anymore.

    Dependencies

    Very straightforward as this is a test project. pom.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
       <modelVersion>4.0.0</modelVersion>
       <parent>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-parent</artifactId>
          <version>2.3.1.RELEASE</version>
          <relativePath/> <!-- lookup parent from repository -->
       </parent>
       <groupId>com.example</groupId>
       <artifactId>demo</artifactId>
       <version>0.0.1-SNAPSHOT</version>
       <name>demo</name>
       <description>Demo Project to Test Okta Spring Integration</description>
       <properties>
          <java.version>11</java.version>
       </properties>
       <dependencies>
          <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
          </dependency>
    
          <dependency>
             <groupId>com.okta.spring</groupId>
             <artifactId>okta-spring-boot-starter</artifactId>
             <version>2.0.1</version>
          </dependency>
    
          <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
          </dependency>
    
       </dependencies>
    
       <build>
          <plugins>
             <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
             </plugin>
          </plugins>
       </build>
    
    </project>
    

    WebSecurityConfigurerAdapter

    Also following instructions, I have set up this class: com.example.demo.config.WebSecurityConfig

    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
    
            http.authorizeRequests()
                    // allow anonymous access to the root page
                    .antMatchers("/").permitAll()
                    // other requests
                    .anyRequest().authenticated()
                    .and()
                    // creates a BearerTokenAuthenticationFilter to intercept requests, extract bearer token jwt
                    .oauth2ResourceServer().jwt();
    
            //Sends 401 response to client for unauthorized requests
            Okta.configureResourceServer401ResponseBody(http);
        }
    }
    
    

    Application

    @SpringBootApplication(scanBasePackages = {"com.example.demo"})
    @RestController
    public class DemoApplication {

        public static void main(String[] args) {
            SpringApplication.run(DemoApplication.class, args);
        }

        /**
         * Simple example REST endpoint that returns a static message. This controller also serves as an example for checking
         * an OAuth scope and client roles (parsed from an access token).
         * @return a static welcome message
         */
        @GetMapping("/hello-auth")
        public String hello(@AuthenticationPrincipal OidcUser user) {
            return "Hello, " + user.getFullName();
        }

        @GetMapping("/hello-world")
        public String helloWord() {
            return String.format("Hello World");
        }
    }

    Expected behavior

    I expect that the application should build and run successfully without errors, given the basic configuration I have outlined above.

    What went wrong?

    An exception is thrown as the required HttpSecurity bean is not available. I think I have followed the setup instructions for the SDK, but it's possible I have misconfigured something.

    Steps to reproduce

    1. Use Spring initializer to start a new Spring project (see pom.xml for dependencies)
    2. Add the application.properties
    3. Add the WebSecurityConfigurerAdapter
    4. mvn clean install

    SDK Version

    2.0.1

    help wanted 
    opened by srajiang 17
  • Support opaque access tokens


    Not entirely sure this is an issue with this starter but can't figure out how to get this to work. So I log in to my web (springboot) app (using okta authorization code flow), then I "Clear User Sessions" from Okta's developer console UI, which is supposed to revoke all existing tokens. However, this user is able to continue using the app using the same token. I'd expect the app to redirect to the login page again.

    Googling on this a little bit, I ran into a post suggesting setting this property okta.oauth2.localTokenValidation to false which didn't do anything, and I actually don't see this property listed at all in com.okta.spring.boot.oauth.config.OktaOAuth2Properties in the 1.0.1-SNAPSHOT version so it was perhaps removed.

    I am guessing the app is not re-validating the token with the OKTA server on every request? Is that what's going on? Isn't that the default behavior?

    Using SpringBoot 2.1.1.RELEASE, okta starter 1.0.1-SNAPSHOT

    Analysis 
    opened by cah-calixto-melean 16
  • Bump rest-assured-bom from 5.2.0 to 5.3.0


    Bumps rest-assured-bom from 5.2.0 to 5.3.0.

    Changelog

    Sourced from rest-assured-bom's changelog.

    Changelog 5.3.0 (2022-11-18)

    • Added (much) improved support for CSRF tokens when sent as a header and not in a form
    • Enable the use of relaxedHTTPSValidation with two-way ssl (issue #1631) (thanks to Mathieu Amblard for pull request)
    • Latest Spring Framework 6 is now supported again (thanks to Marcin Grzejszczak for pull request)
    • Removed content assignment from asPrettyString() (thanks to Bartłomiej Chabowski for pull request)
    • Allow contentType() to accept Spring MediaType in Spring MockMvc module (thanks to Hantsy Bai for pull request)
    • Upgraded kotlin from 1.7.10 to 1.7.20 in the kotlin module
    • Upgraded groovy from 4.0.1 to 4.0.6
    • Updated jackson from version 2.13.2 to 2.13.4

    Changelog 5.2.1 (2022-11-18)

    • Latest Spring Framework 6 is now supported again (thanks to Marcin Grzejszczak for pull request)

    Commits
    • ebbedc7 [maven-release-plugin] prepare release rest-assured-5.3.0
    • 1e1f325 Updated jackson from version 2.13.2 to 2.13.4
    • 83fcc55 Removing @​ignore
    • 7bd9124 [ci skip] Preparing for release
    • fb926ec [ci skip] Updated changelog to reflect the latest changes
    • 00bc18b [ci skip] Updated changelog to reflect the latest changes
    • 481a55a [ci skip] Updated changelog to reflect the latest changes
    • afbf13b chore: add contentType to accept Spring MedieType (#1625)
    • 14ef2c6 Upgraded groovy from 4.0.1 to 4.0.6
    • da69e1b Upgraded kotlin from 1.7.10 to 1.7.20 in the kotlin module
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies java 
    opened by dependabot[bot] 0
  • Bump rest-assured-all from 5.2.0 to 5.3.0


    Bumps rest-assured-all from 5.2.0 to 5.3.0.

    Changelog

    Sourced from rest-assured-all's changelog.

    Changelog 5.3.0 (2022-11-18)

    • Added (much) improved support for CSRF tokens when sent as a header and not in a form
    • Enable the use of relaxedHTTPSValidation with two-way ssl (issue #1631) (thanks to Mathieu Amblard for pull request)
    • Latest Spring Framework 6 is now supported again (thanks to Marcin Grzejszczak for pull request)
    • Removed content assignment from asPrettyString() (thanks to Bartłomiej Chabowski for pull request)
    • Allow contentType() to accept Spring MediaType in Spring MockMvc module (thanks to Hantsy Bai for pull request)
    • Upgraded kotlin from 1.7.10 to 1.7.20 in the kotlin module
    • Upgraded groovy from 4.0.1 to 4.0.6
    • Updated jackson from version 2.13.2 to 2.13.4

    Changelog 5.2.1 (2022-11-18)

    • Latest Spring Framework 6 is now supported again (thanks to Marcin Grzejszczak for pull request)

    Commits
    • ebbedc7 [maven-release-plugin] prepare release rest-assured-5.3.0
    • 1e1f325 Updated jackson from version 2.13.2 to 2.13.4
    • 83fcc55 Removing @​ignore
    • 7bd9124 [ci skip] Preparing for release
    • fb926ec [ci skip] Updated changelog to reflect the latest changes
    • 00bc18b [ci skip] Updated changelog to reflect the latest changes
    • 481a55a [ci skip] Updated changelog to reflect the latest changes
    • afbf13b chore: add contentType to accept Spring MedieType (#1625)
    • 14ef2c6 Upgraded groovy from 4.0.1 to 4.0.6
    • da69e1b Upgraded kotlin from 1.7.10 to 1.7.20 in the kotlin module
    • Additional commits viewable in compare view

    dependencies java 
    opened by dependabot[bot] 0
  • Bump testng from 7.3.0 to 7.7.1


    Bumps testng from 7.3.0 to 7.7.1.

    Release notes

    Sourced from testng's releases.

    TestNG v7.7.1

    What's Changed

    Full Changelog: https://github.com/cbeust/testng/compare/7.7.0...7.7.1

    TestNG v7.7.0

    What's Changed

    New Contributors

    ... (truncated)

    Changelog

    Sourced from testng's changelog.

    7.7.1

    • Fixed: GITHUB-2854: overloaded assertEquals methods do not work from Groovy (Krishnan Mahadevan)

    7.7.0

    • Fixed: GITHUB-2852: [SECURITY] Fix Zip Slip Vulnerability (Jonathan Leitschuh)
    • Fixed: GITHUB-2792: JUnitTestClass sets XmlTest as null when running JUnit 4 Tests using TestNG (Krishnan Mahadevan)
    • Fixed: GITHUB-2847: Deprecate support for running JUnit tests (Krishnan Mahadevan)
    • Fixed: GITHUB-2844: Deprecate support for running Spock Tests (Krishnan Mahadevan)
    • Fixed: GITHUB-550: Weird @BeforeMethod and @AfterMethod behaviour with dependsOnMethods (Krishnan Mahadevan)
    • Fixed: GITHUB-893: TestNG should provide an Api which allow to find all dependent of a specific test (Krishnan Mahadevan)
    • New: Added .yml file extension for yaml suite files, previously only .yaml was allowed for yaml (Steven Jubb)
    • Fixed: GITHUB-141: regular expression in "dependsOnMethods" does not work (Krishnan Mahadevan)
    • Fixed: GITHUB-2770: FileAlreadyExistsException when report is generated (melloware)
    • Fixed: GITHUB-2825: Programmatically Loading TestNG Suite from JAR File Fails to Delete Temporary Copy of Suite File (Steven Jubb)
    • Fixed: GITHUB-2818: Add configuration key for callback discrepancy behavior (Krishnan Mahadevan)
    • Fixed: GITHUB-2819: Ability to retry a data provider in case of failures (Krishnan Mahadevan)
    • Fixed: GITHUB-2308: StringIndexOutOfBoundsException in findClassesInPackage - Surefire/Maven - JDK 11 fails (Krishnan Mahadevan)
    • Fixed: GITHUB:2788: TestResult.isSuccess() is TRUE when test fails due to expectedExceptions (Krishnan Mahadevan)
    • Fixed: GITHUB-2800: Running Test Classes with Inherited @Factory and @DataProvider Annotated Non-Static Methods Fail (Krishnan Mahadevan)
    • New: Ability to provide custom error message for assertThrows\expectThrows methods (Anatolii Yuzhakov)
    • Fixed: GITHUB-2780: Use SpotBugs instead of abandoned FindBugs
    • Fixed: GITHUB-2801: JUnitReportReporter is too slow
    • Fixed: GITHUB-2807: buildStackTrace should be fail-safe (Sergey Chernov)
    • Fixed: GITHUB-2830: TestHTMLReporter parameter toString should be fail-safe (Sergey Chernov)
    • Fixed: GITHUB-2798: Parallel executions coupled with retry analyzer results in duplicate retry analyzer instances being created (Krishnan Mahadevan)

    7.6.1

    • Fixed: GITHUB-2761: Exception: ERROR java.nio.file.NoSuchFileException: /tmp/testngXmlPathInJar-15086412835569336174 (Krishnan Mahadevan)

    7.6.0

    • Fixed: GITHUB-2741: Show fully qualified name of the test instead of just the function name for better readability of test output.(Krishnan Mahadevan)
    • Fixed: GITHUB-2725: Honour custom attribute values in TestNG default reports (Krishnan Mahadevan)
    • Fixed: GITHUB-2726: @AfterClass config method is executed for EACH @Test method when parallel == methods (Krishnan Mahadevan)
    • Fixed: GITHUB-2752: TestListener is being lost when implementing both IClassListener and ITestListener (Krishnan Mahadevan)
    • New: GITHUB-2724: DataProvider: possibility to unload dataprovider class, when done with it (Dzmitry Sankouski)
    • Fixed: GITHUB-217: Configure TestNG to fail when there's a failure in data provider (Krishnan Mahadevan)
    • Fixed: GITHUB-2743: SuiteRunner could not be initial by default Configuration (Nan Liang)
    • Fixed: GITHUB-2729: beforeConfiguration() listener method should be invoked for skipped configurations as well(Nan Liang)
    • Fixed: assertEqualsNoOrder for Collection and Iterators size check was missing (Adam Kaczmarek)
    • Fixed: GITHUB-2709: Testnames not working together with suites in suite (Martin Aldrin)
    • Fixed: GITHUB-2704: IHookable and IConfigurable callback discrepancy (Krishnan Mahadevan)
    • Fixed: GITHUB-2637: Upgrade to JDK11 as the minimum JDK requirements (Krishnan Mahadevan)
    • Fixed: GITHUB-2734: Keep the initial order of listeners (Andrei Solntsev)
    • Fixed: GITHUB-2359: Testng @BeforeGroups is running in parallel with testcases in the group (Anton Velma)
    • Fixed: Possible StringIndexOutOfBoundsException in XmlReporter (Anton Velma)
    • Fixed: GITHUB-2754: @AfterGroups is executed for each "finished" group when it has multiple groups defined (Anton Velma)

    7.5

    • Fixed: GITHUB-2701: Bump gradle version to 7.3.3 to support java17 build (ZhangJian He)
    • Fixed: GITHUB-2646: Streamline Logging Across TestNG (Krishnan Mahadevan)
    • Fixed: GITHUB-2658: Inheritance + dependsOnMethods (Krishnan Mahadevan)

    ... (truncated)

    Commits
    • b94395d Bump version to 7.7.1 for release
    • 89dc584 Streamline overloaded assertion methods for Groovy
    • 5ac0021 Adding release notes
    • c0e1e77 Adjust version reference in deprecation msgs.
    • 011527d Bump version to 7.7.0 for release
    • 7846c44 Deprecate support for running JUnit tests
    • 8630a7e Ensure ITestContext available for JUnit4 tests
    • 7070b02 Streamline dependsOnMethods for configurations
    • d7e0bb1 Deprecate support for running Spock Tests
    • ca7a3a2 Ensure All tests run all the time
    • Additional commits viewable in compare view

    dependencies java 
    opened by dependabot[bot] 0
  • Bump mockito-core from 4.9.0 to 4.11.0

    Bumps mockito-core from 4.9.0 to 4.11.0.

    Release notes

    Sourced from mockito-core's releases.

    v4.11.0

    Changelog generated by Shipkit Changelog Gradle Plugin

    4.11.0

    v4.10.0

    Changelog generated by Shipkit Changelog Gradle Plugin

    4.10.0

    dependencies java 
    opened by dependabot[bot] 0
  • Custom JWT authentication converter is ignored

    I'm submitting a

    • [X] bug report
    • [ ] feature request

    Background info

    With okta-spring-boot-starter it is not possible to use a custom JwtAuthenticationConverter as described in this tutorial: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

    Expected behavior

    A custom converter is used (Converter<Jwt, AbstractAuthenticationToken>).

    What went wrong?

    Configuration is ignored.

    Steps to reproduce

    See chapter 8 here: https://www.baeldung.com/spring-security-map-authorities-jwt#using_custom_jwtauthenticationconverter

    SDK Version

    Spring Boot: 2.7.5 okta-spring-boot-starter: 2.1.6

    help wanted 
    opened by Draudastic26 3
  • Spring boot 3

    I'm submitting a

    • [ ] bug report
    • [x] feature request

    Background info

    Please upgrade this library to work with Spring boot 3. WebSecurityConfigurerAdapter was deprecated and was removed in Spring boot 3.

    Expected behavior

    I should be able to use okta-spring-boot with the current version of spring boot (i.e. 3).

    What went wrong?

    Example fails to compile due to removed class WebSecurityConfigurerAdapter

    Steps to reproduce

    SDK Version

    java 17 spring boot 3 okta-spring-boot 2.1.6

    opened by JeffAtDeere 2
Releases(okta-spring-boot-parent-2.1.6)
  • okta-spring-boot-parent-2.1.6(Aug 18, 2022)

    What's Changed

    • Bump mockito-core from 4.3.1 to 4.4.0 by @dependabot in https://github.com/okta/okta-spring-boot/pull/419
    • Bump rest-assured-all from 4.5.1 to 5.0.0 by @dependabot in https://github.com/okta/okta-spring-boot/pull/425
    • Bump spring-boot.version from 2.6.4 to 2.6.5 by @dependabot in https://github.com/okta/okta-spring-boot/pull/424
    • Update to Spring Boot 2.6.6 by @bdemers in https://github.com/okta/okta-spring-boot/pull/428
    • Bump okta.sdk.version from 8.1.0 to 8.2.0 by @dependabot in https://github.com/okta/okta-spring-boot/pull/430
    • Bump wiremock-jre8 from 2.32.0 to 2.33.1 by @dependabot in https://github.com/okta/okta-spring-boot/pull/436
    • Bump rest-assured-all from 5.0.0 to 5.0.1 by @dependabot in https://github.com/okta/okta-spring-boot/pull/434
    • Bump actions/setup-java from 2 to 3 by @dependabot in https://github.com/okta/okta-spring-boot/pull/435
    • Bump mockito-core from 4.4.0 to 4.5.0 by @dependabot in https://github.com/okta/okta-spring-boot/pull/437
    • Bump spring-boot.version from 2.6.6 to 2.6.7 by @arvindkrishnakumar-okta in https://github.com/okta/okta-spring-boot/pull/438
    • Bump mockito-core from 4.5.0 to 4.5.1 by @dependabot in https://github.com/okta/okta-spring-boot/pull/439
    • Upgrade Springboot to 2.7.3 by @arvindkrishnakumar-okta in https://github.com/okta/okta-spring-boot/pull/459
    • Upgrade deps and suppress false positive CVEs by @arvindkrishnakumar-okta in https://github.com/okta/okta-spring-boot/pull/466
    • pkce by default by @bdemers in https://github.com/okta/okta-spring-boot/pull/464
    • Bump spring-cloud-config-server from 3.1.1 to 3.1.3 by @dependabot in https://github.com/okta/okta-spring-boot/pull/449
  • okta-spring-boot-parent-2.1.5(Mar 7, 2022)

    • Bumped Springboot to 2.6.4 #412
    • Bumped Spring cloud config server to 3.1.1 #416
    • Bumped logback-classic to 1.2.11 #415
    • Bumped Okta Mgmt SDK version to 8.1.0 #410
    • Bumped assertj-core from 3.21.0 to 3.22.0 #387
    • Bumped ognl to 3.3.2 #392
    • Bumped testng from 7.0.0 to 7.3.0
    • Bumped maven-jar-plugin from 3.2.0 to 3.2.2 #394
    • Add nightly CRON to test latest Spring Boot version #395
    • Bumped actions/checkout from 2.4.0 to 3 #414
    • Bumped mockserver-netty to 5.12.0 #409
    • Bumped rest-assured to 4.5.1 #408
    • Bumped mockito-core to 4.3.1 #404
  • okta-spring-boot-parent-2.1.4(Dec 22, 2021)

    • Upgraded Springboot to 2.6.2
    • Bump okta.sdk.version to 8.0.0
    • Bump okta.commons.version from 1.2.8 to 1.2.9
    • Bump mockito-core to 4.2.0
    • Bump ognl from 3.2.21 to 3.3.0
    • Bump wiremock-jre8 from 2.31.0 to 2.32.0
    • Bump spring-cloud-config-server from 3.0.5 to 3.1.0
    • Bump okta-commons library to 1.3.0
  • okta-spring-boot-parent-2.1.3(Nov 10, 2021)

    • Bump Okta Management SDK from 5.0.0 to 6.0.0 #357
    • Bump Spring Boot from 2.5.5 to 2.5.6 #359
    • Bump mockito-core from 3.12.4 to 4.0.0 #356
    • Bump embedded tomcat version from 9.0.53 to 9.0.54 #361
  • okta-spring-boot-parent-2.1.2(Oct 7, 2021)

    • Add note about Spring Native to README #312
    • Bump okta.commons.version from 1.2.7 to 1.2.8 #347
    • Bump assertj-core from 3.20.2 to 3.21.0 #348
    • Retire 1.x.x - README update #352
    • Bump spring-cloud-config-server from 3.0.4 to 3.0.5 #351
    • Upgrade to Springboot 2.5.5 #354
    • README Update - add version number in Gradle build #138
  • okta-spring-boot-parent-2.1.1(Sep 15, 2021)

    • #311 - Change OidcUserService to use Qualifier bean.
    • #314 - Update README with a note on postLogoutRedirectUri property.
    • #317 - Bump jackson-bom from 2.12.3 to 2.12.4
    • #319 - Fix Authorization Server link in README
    • Upgraded okta.commons.version to 1.2.7
    • Upgraded wiremock-jre8 to 2.31.0
    • Upgraded mockito-core to 3.12.4
    • Upgraded assertj-core to 3.20.2
    • Upgraded json-path to 4.4.0
    • Upgraded xml-path to 4.4.0
    • Upgrade rest-assured to 4.4.0
    • #308 - Fixed
    • #330 - Add relative path support for postLogoutRedirectUri
    • #338 - Add works with OpenJDK badge
    • #340 - Upgraded to Springboot 2.5.4
    • #341 - Upgraded Java Mgmt SDK dependency to 5.0.0
    • #343 - Address few CVEs
    • #344 - Removed proxyBeanMethods = false from @Configuration usage (not needed since Spring Native 0.8.3)
  • okta-spring-boot-parent-2.1.0(Jun 17, 2021)

    • Update to Spring Boot 2.5.1
    • Ensured compatibility with standard Spring OAuth properties spring.security.oauth2.* (as well as okta.oauth2.* properties)
    • Works with both types of Okta issuer URLs (Okta Org and Okta Custom Authorization Servers)
  • okta-spring-boot-parent-2.0.1(Feb 11, 2021)

    Issues Fixed:

    • #224 - Improved exception message thrown at startup failure.
    • #239 - README updated with Springboot version compatibility information.
    • #244 - Upgraded to Springboot version 2.4.2
    • #142 - Fixed SDK client load issue if orgUrl is not set and token is set.
    • #233 - Adds HTTP Proxy Support.
    • #247 - Update okta-commons-java library to version 1.2.5
    • #249 - Fixed CVE false positive errors.
    • #250 - README updated with notes on SDK usage with reverse proxy.
    • #251 - Upgraded Java Mgmt SDK dependency to version 3.0.2
    • #252 - Cleaned up OWASP suppression list.
  • okta-spring-boot-parent-2.0.0(Dec 28, 2020)

    • Upgraded to Spring Boot version 2.4.1
    • Upgraded to Okta Java Management SDK version 3.0.1
    • Added Opaque Token support (remote JWT validation) for Servlet Application type.
    • Other minor improvements, README updates and fixes.
  • okta-spring-boot-parent-1.5.1(Nov 24, 2020)

  • okta-spring-boot-parent-1.5.0(Nov 20, 2020)

  • okta-spring-boot-parent-1.4.0(Feb 4, 2020)

    • Fixes #136: Cannot set custom userInfoEndpoint user/oidc user service
    • Add new AuthoritiesProvider interface to make it easier to add custom GrantedAuthority to the user. Just add a bean that implements the new AuthoritiesProvider:
    @Bean
    AuthoritiesProvider myCustomAuthoritiesProvider() {
        return (user, userRequest) -> lookupExtraAuthoritesByName(user.getAttributes().get("email"));
    }
    
  • okta-spring-boot-parent-1.3.0(Oct 18, 2019)

    • Updated to Spring Boot 2.2.0.RELEASE
    • Added new config property postLogoutRedirectUri; if set, an RP-Initiated (SSO) logout will be configured automatically
  • okta-spring-boot-parent-1.2.1(Jun 4, 2019)

  • okta-spring-boot-parent-1.2.0(May 10, 2019)

  • okta-spring-boot-parent-1.1.0(Feb 6, 2019)

  • okta-spring-boot-parent-1.0.0(Dec 17, 2018)

    This version represents a re-write of this library in order to support Spring Boot 2.1 (Spring Security 5.1) which uses a different OAuth2/OIDC library.

    • The @ResourceServer annotation is no longer used (See the Readme for an updated example)
    • Spring Security ONLY supports local access token validation; the property okta.oauth2.localTokenValidation is no longer supported
    • The property okta.oauth2.roles-claim has been replaced with okta.oauth2.groups-claim
  • okta-spring-boot-parent-0.6.1(Oct 3, 2018)

  • okta-spring-boot-parent-0.6.0(Jul 2, 2018)

    • Fixed parsing issue when using Spring Boot 2 and kebab case instead of camel case, i.e. okta.oauth2.client-id vs okta.oauth2.clientId
    • Added support for using OAuth2SsoCustomConfiguration (providing a WebSecurityConfigurerAdapter containing a @EnableOAuth2Sso annotation).
  • okta-spring-boot-parent-0.5.0(Jun 7, 2018)

    Added support for Spring Boot 2.0, our samples have been updated too!

    To use Spring Boot 2.0 you will need to include the following dependency:

    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.0.1.RELEASE</version>
    </dependency>
    

    (Spring Boot 1.5 is also still supported)

  • okta-spring-boot-parent-0.4.1(May 16, 2018)

  • okta-spring-boot-parent-0.4.0(May 16, 2018)

  • okta-spring-boot-parent-0.3.0(May 16, 2018)

  • okta-spring-boot-parent-0.2.0(May 16, 2018)

  • okta-spring-security-parent-0.1.0(May 16, 2018)

Owner
Okta, Inc