
Okta properties aliases that are equivalent to Spring Security properties are not working with native-images

Status: Open. ivangfr opened this issue 3 years ago (5 comments)

Background info

Hi, I've updated my project okta-springboot from spring-boot 2.5.7, spring-native 0.10.5 and okta-spring 2.1.3 to spring-boot 2.6.3, spring-native 0.11.2 and okta-spring 2.1.4.

After successfully building the Docker native image, we can see that some security filters present in the logs of the JVM Docker image (AOT mode disabled) are not present in the logs of the native Docker image (AOT mode enabled).

I've opened the issue #1469 to spring-native.

In my app, I am using okta properties such as

okta.oauth2.issuer=...
okta.oauth2.client-id=...
okta.oauth2.client-secret=...

@bdemers helped us there, saying that "those Okta properties are basically aliases of the equivalent Spring Sec props and it doesn't currently work with native-images".

That is it. Please feel free to ask for any more information you might need. Thanks.

Steps to reproduce

  • git clone https://github.com/ivangfr/okta-springboot.git
  • cd okta-springboot
  • ./mvnw clean spring-boot:build-image --projects simple-service -DskipTests
  • Configure application in Okta
  • Run docker Native image
    docker run --rm --name simple-service -p 8080:8080 \
        -e OKTA_CLIENT_ID=${OKTA_CLIENT_ID} \
        -e OKTA_CLIENT_SECRET=${OKTA_CLIENT_SECRET} \
        -e OKTA_DOMAIN=${OKTA_DOMAIN} \
        ivanfranchin/simple-service:1.0.0
    

SDK Version

Java 11

ivangfr, Jan 29 '22 09:01
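The aliasing that @bdemers describes above (okta.oauth2.* standing in for the equivalent spring.security.oauth2.* keys) is the kind of thing a Spring Boot EnvironmentPostProcessor does: it runs before auto-configuration, reads the short keys, and publishes the long ones into the Environment. The class below is an added illustration of that mechanism and is not code from the okta-spring-boot starter or from the reporter's project; the class name, the spring.factories entry shown in the comment, and the exact set of mapped keys are assumptions made for the example.

```java
package com.example.sample;

import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;

/**
 * Hypothetical alias mapper (example only, not the starter's implementation).
 *
 * Copies okta.oauth2.* values to the spring.security.oauth2.* keys that Spring
 * Boot's OAuth2 client / resource-server auto-configuration actually reads.
 *
 * Assumed registration in META-INF/spring.factories:
 *   org.springframework.boot.env.EnvironmentPostProcessor=\
 *     com.example.sample.OktaPropertyAliasPostProcessor
 */
public class OktaPropertyAliasPostProcessor implements EnvironmentPostProcessor {

    private static final String PROVIDER = "spring.security.oauth2.client.provider.okta.";
    private static final String CLIENT = "spring.security.oauth2.client.registration.okta.";
    private static final String RESOURCE = "spring.security.oauth2.resourceserver.jwt.";

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        Map<String, Object> aliases = new HashMap<>();

        // One issuer feeds both the login client (provider) and the resource server.
        copy(env, aliases, "okta.oauth2.issuer", PROVIDER + "issuer-uri");
        copy(env, aliases, "okta.oauth2.issuer", RESOURCE + "issuer-uri");
        copy(env, aliases, "okta.oauth2.client-id", CLIENT + "client-id");
        copy(env, aliases, "okta.oauth2.client-secret", CLIENT + "client-secret");
        copy(env, aliases, "okta.oauth2.scopes", CLIENT + "scope");

        if (!aliases.isEmpty()) {
            // addLast: an explicit spring.security.* value set by the user
            // (application.properties, env var, command line) still takes precedence.
            env.getPropertySources().addLast(new MapPropertySource("oktaAliases", aliases));
        }
    }

    /** Copy {@code from} to {@code to} unless the long key was already set explicitly. */
    private static void copy(ConfigurableEnvironment env, Map<String, Object> target,
                             String from, String to) {
        String value = env.getProperty(from);
        if (value != null && !env.containsProperty(to)) {
            target.put(to, value);
        }
    }
}
```

The security-relevant failure mode is silent: if this mapping does not run for any reason, Boot's OAuth2 client auto-configuration finds no client registration and backs off, so the login and resource-server filters are never added to the chain. That is the kind of symptom the reporter's log comparison shows, and it is why a missing filter in the startup log is worth treating as a misconfiguration rather than noise.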

Hi @ivangfr, Thanks for such detailed info.

Related comment from @bdemers is here

sergiishamrai-okta, Jan 31 '22 09:01

Internal ref: OKTA-465620

sergiishamrai-okta, Jan 31 '22 09:01

I tried to use the Spring Security property names with the Okta Spring Boot starter today and can confirm it doesn't work.

spring.security.oauth2.client.provider.okta.issuer-uri=...
spring.security.oauth2.client.registration.okta.client-id=...
spring.security.oauth2.client.registration.okta.client-secret=...

This isn't related to Spring Native because it happens when you start the app using mvn spring-boot:run too.

It does work if you use Spring Security's dependencies. Replace the Okta Spring Boot starter with the following dependencies:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Use Spring Security's property names in your application.properties:

spring.security.oauth2.client.provider.okta.issuer-uri=...
spring.security.oauth2.client.registration.okta.client-id=...
spring.security.oauth2.client.registration.okta.client-secret=...
spring.security.oauth2.client.registration.okta.scope=openid,profile,email

And add a SecurityConfiguration class (this is for WebFlux):

package com.example.sample;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            // every request must be authenticated
            .authorizeExchange(ae -> ae.anyExchange().authenticated())
            // browser clients: OIDC login against the "okta" registration
            .oauth2Login(Customizer.withDefaults())
            // API clients: validate bearer JWTs
            .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::jwt)
            .build();
    }

    // Build the JWT decoder from the OIDC discovery document of the same issuer
    // used for login, so both paths trust the same authorization server.
    @Bean
    ReactiveJwtDecoder reactiveJwtDecoder(@Value("${spring.security.oauth2.client.provider.okta.issuer-uri}") String issuerUri) {
        return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
    }
}

Then everything works.

This seems to be a regression since the starter worked fine when we hacked on it with Josh Long in June 2021.

https://developer.okta.com/blog/2021/09/16/spring-native-okta-starter

mraible, Feb 01 '22 20:02

@bdemers I updated my native-java-examples' PR with our Spring Boot starter and can confirm it's still broken with Spring Boot 2.6.6 and Spring Native 0.11.3. I feel like I should mention this in the update to my blog post. Thoughts?

mraible, Apr 01 '22 00:04

@mraible it's probably worth mentioning in your post, I don't think this issue is going to get resolved any time soon: https://github.com/spring-projects-experimental/spring-native/issues/1367

bdemers, Apr 01 '22 15:04