
Get Started With Spring Boot, OAuth 2.0, and Okta


Combining Okta and OAuth gives you solid authentication for your apps. Here, we’ll see how to use them to add more security to a Spring Boot application.
If you’re building a Spring Boot application, you’ll eventually need to add user authentication. You can do this with OAuth 2.0 (henceforth: OAuth). OAuth is a standard that applications can use to provide client applications with “secure delegated access”. It works over HTTP and authorizes devices, APIs, servers, and applications with access tokens rather than credentials.
Very simply, OAuth is a protocol that supports authorization workflows. It gives you a way to ensure that a specific user has a specific permission.
OAuth doesn’t validate a user’s identity — that’s taken care of by an authentication service like Okta. Authentication is when you validate a user’s identity (like asking for a username/password to log in), whereas authorization is when you check to see what permissions an existing user already has.
In this tutorial, you’ll build an OAuth client for a Spring Boot application, plus add authentication with the Okta Platform API. You can sign up for a forever-free Okta developer account here.
If you don’t want to code along, feel free to grab the source code from GitHub! You can also watch a video of this tutorial.
Spring Cloud Security is a project from the good folks at Pivotal that “offers a set of primitives for building secure applications and services with minimum fuss”. Not only is it easy to use in platforms like Cloud Foundry, but it builds on Spring Boot, Spring Security, and OAuth. Because it builds on OAuth, it’s easy to integrate it with an authentication API like Okta’s.
The Spring Cloud Security project includes a great quickstart that will help you get started with very few lines of code.
Creating a Spring Boot application is dirt simple if you use the Spring CLI. It allows you to write Groovy scripts that get rid of the boilerplate Java and build file configuration. This allows you, the developer, to focus on the necessary code. Refer to the project’s official documentation for installation instructions. To install Spring CLI, I recommend using SDKMAN!:
Or Homebrew if you’re on a Mac.
Create a helloWorld.groovy file that has a Controller in it.
The @Grab annotation invokes Grape to download dependencies, and having Spring Security on the classpath causes its default security rules to be used. That is: protect everything, allow a single user with the username user, and generate a random password on startup for that user.
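The following helloWorld.groovy is an added example of the script described above; it is not the article’s own listing. It assumes Spring Boot 1.5.x under the Spring CLI, where a bare artifact id in @Grab is resolved through Boot’s dependency management, and it uses explicit imports rather than relying on the CLI’s auto-imports.

```groovy
// helloWorld.groovy (added example, assumes Spring Boot 1.5.x and the Spring CLI)
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

// Grape downloads spring-boot-starter-security; merely having Spring Security on the
// classpath activates its defaults: every URL is protected with HTTP Basic, the only
// account is "user", and its password is generated at startup and printed to the console.
@Grab('spring-boot-starter-security')
@RestController
class HelloController {

    // Because everything is protected by default, this handler is only reached after
    // the browser's Basic-auth dialog has been answered with user / <generated password>.
    @GetMapping('/')
    String home() {
        'Hello World'
    }
}
```

Start it with spring run helloWorld.groovy and look for the console line that begins with Using default security password: to copy the generated password. The point to take away is that the starter alone, with no configuration, already denies anonymous access to every endpoint; the defaults are safe, just not usable for real users.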
Run this app with the following command:
Navigate to http://localhost:8080 and you’ll be prompted to log in with your browser’s basic authentication dialog. Enter user for the username and copy/paste the generated password from your console. If you copied and pasted the password successfully, you’ll see Hello World in your browser.
Enter the name and Resource URI of your choosing. The names aren’t important at this time. I used the following values:
The Metadata URI you see in this screenshot will come in handy later when you need to specify accessTokenUri and userAuthorizationUri values.
The next screen should look similar to the following screenshot.
Your clientId and clientSecret values for this app will be just below the fold.
Create a helloOAuth.groovy file that uses Spring Security and its OAuth2 support.
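Below is an added example of such a helloOAuth.groovy, not the article’s own listing. It assumes Spring Boot 1.5.x, where @EnableOAuth2Sso lives in org.springframework.boot.autoconfigure.security.oauth2.client and needs spring-security-oauth2 on the classpath; it also already includes the java.security.Principal greeting that the tutorial adds as its final step, so that the only thing left to supply is application.yml.

```groovy
// helloOAuth.groovy (added example, assumes Spring Boot 1.5.x and the Spring CLI)
import java.security.Principal
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

@Grab('spring-boot-starter-security')
@Grab('spring-security-oauth2')
@RestController
// @EnableOAuth2Sso turns this app into an OAuth 2.0 / OpenID Connect client:
//   1. an unauthenticated request is redirected to security.oauth2.client.userAuthorizationUri
//      with redirect_uri=http://localhost:8080/login (so /login must be registered in Okta),
//   2. the returned authorization code is exchanged for tokens at accessTokenUri,
//   3. the session user is built from the security.oauth2.resource.userInfoUri response.
// Every path stays protected, so no anonymous request ever reaches the handler below.
@EnableOAuth2Sso
class HelloOAuthController {

    // Spring Security injects the authenticated Principal for the current session.
    @GetMapping('/')
    String home(Principal user) {
        "Hello ${user.name}"
    }
}
```

Run it with spring run helloOAuth.groovy. Note that the app never sees a password: the browser is sent to Okta, Okta authenticates the user, and the app only receives a short-lived authorization code that it redeems server-side using the client secret.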
Adding the @EnableOAuth2Sso annotation causes Spring Security to look for a number of properties. Create application.yml in the same directory and specify the following key/value pairs.
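An added example of the application.yml those properties live in; it is not the article’s own file. The property names are the ones Spring Boot 1.5.x reads for @EnableOAuth2Sso, the Okta host dev-123456.oktapreview.com is a placeholder, and the three endpoint URIs are the ones the Okta Metadata URI from the app settings points to.

```yaml
# application.yml (added example). Replace the placeholders with the clientId, clientSecret
# and endpoint URIs from your own Okta OIDC app; the host below is made up.
security:
  oauth2:
    client:
      clientId: REPLACE_WITH_OKTA_CLIENT_ID
      # The secret authenticates this app to Okta's token endpoint; keep it out of source
      # control (environment variable or a secrets store) rather than committing this file.
      clientSecret: REPLACE_WITH_OKTA_CLIENT_SECRET
      accessTokenUri: https://dev-123456.oktapreview.com/oauth2/v1/token
      userAuthorizationUri: https://dev-123456.oktapreview.com/oauth2/v1/authorize
      # Send client credentials as form parameters on the token request.
      clientAuthenticationScheme: form
      # openid is what makes this an OpenID Connect login; profile/email add user claims.
      scope:
        - openid
        - profile
        - email
    resource:
      # Used to build the Principal (user.name in the controller) after the token exchange.
      userInfoUri: https://dev-123456.oktapreview.com/oauth2/v1/userinfo
```

Spring Security will send redirect_uri=http://localhost:8080/login on the first hop, so that exact value has to be on the Okta app’s Redirect URI list; a mismatch is rejected by Okta before any user ever logs in, which is the error the next step of the tutorial walks through.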
Start your app with spring run helloOAuth.groovy and navigate to http://localhost:8080. You’ll be redirected to Okta, but will likely see the following error.
This happens because Spring Security sends a redirect_uri value of http://localhost:8080/login. Navigate to your Okta developer instance and change your OIDC app to have this as a Redirect URI.
If you hit http://localhost:8080 again, this time you’ll get an error that doesn’t explain as much.
Enter a name and description and set it to apply to all clients.
Try http://localhost:8080 again and this time it should work. If it does — congrats!
You can make one additional change to the helloOAuth.groovy file to prove it’s really working: change the home() method to return Hello $name, where $name comes from the java.security.Principal that Spring Security injects.
This should result in your app showing a result like the following.
The source code for this tutorial and the examples in it are available on GitHub.
