Proxy configuration not working on Spring Boot 2.2x, Spring Security 5.2.x, Okta-spring-boot-starter 1.3.x #203

Closed
car51901 opened this issue Oct 6, 2020 · 9 comments

@car51901

car51901 commented Oct 6, 2020

I am configuring a REST app as a resource server. I have integration with Okta working for a POC REST app, using Spring Boot 2.0.5 (with Spring Security 5.0.8), okta-spring-boot-starter 0.6.0, and spring-security-oauth2-autoconfigure 2.0.5. That’s what your example article is using, and I can get an access token from my Okta developer auth service, and authenticate to the REST app with it, and everything works great.

I'm on a corp network, so I have to configure the HTTPS proxy host and port for the JVM, e.g. https.proxyHost, https.proxyPort. Without setting those, I get connection failures hitting the Okta auth service.

I’ve copied the app, upgraded to Spring Boot 2.2.x (with Spring Security 5.2.2) and okta-spring-boot-starter 1.3.0, and get a connection timeout trying to hit the OpenID config, e.g. https://dev-nnnnnn.okta.com/oauth2/default/.well-known/openid-configuration. The JVM proxy system properties seem to be ignored with these versions of the dependencies, as I set them and still get a connection failure.

This appears to be a known issue with Spring Security, see issue link. The suggestion from one of the Spring Security authors seems like a lot of manual config, and frankly the implementation isn't clear. It appears Spring Security, and the Okta extensions, create a default RestTemplate, and it does not seem possible to easily override it with a template that is configured to use a proxy.

I would hope that the Okta security classes could just check for the JVM proxy system properties, and configure the RestTemplate to use a proxy, if needed.

@car51901
Author

car51901 commented Oct 6, 2020

Related issue/thread on Spring Security:
spring-projects/spring-security#7027

@arvindkrishnakumar-okta
Contributor

arvindkrishnakumar-okta commented Oct 6, 2020

@car51901 Thanks for the question!

Spring Security's built-in RestTemplate would respect JVM proxy settings set via -Dhttps.proxyHost and -Dhttps.proxyPort (refer to https://github.com/okta/okta-spring-boot#proxy). This setup should work fine unless you are using Spring Cloud Gateway/Spring Webflux or Reactive/Netty Webclient in your project (known limitation). It appears Spring Security officially has no plans to expose the underlying HttpClient (used by RestTemplate) for the reasons listed here.

The Spring Security team has published a well detailed reference of how to customize RestTemplate or WebClient at spring-projects/spring-security#8882 (comment).

Let me know if you're looking for anything in particular for your use-case.

@arvindkrishnakumar-okta
Contributor

Related Issue: spring-projects/spring-security#9101

@car51901
Author

car51901 commented Oct 6, 2020

Well, but it doesn't. I have a POC Spring Boot app I could zip and give you, that fails to honor the proxy config. It could also be the Okta userService class that extends DefaultOAuth2UserService. I could also have something set up wrong. Let me review/read through the comments on the #8882 issue, and see if I can get that to work first.

@arvindkrishnakumar-okta
Contributor

@car51901 sure, keep us posted!

car51901 closed this as completed Oct 8, 2020
car51901 reopened this Oct 8, 2020

@car51901
Author

car51901 commented Oct 8, 2020

Closed by mistake, reopened.

@arvindkrishnakumar-okta
Contributor

arvindkrishnakumar-okta commented Oct 8, 2020

@car51901 I did analyze this and was able to reproduce this issue. Will create an internal ticket to add a workaround in our SDK to support Proxy.

Meanwhile, out of curiosity, any luck with the recommendations at spring-projects/spring-security#8882 (comment)?

@car51901
Author

car51901 commented Oct 8, 2020

@arvindkrishnakumar-okta

No and yes. I added the security config from #8882, but the request is failing with "Invalid CSRF token found for http://127.0.0.1:8080/api/...." even though I disabled it in the configure method, e.g.

    http.csrf().disable()
        .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
        .oauth2Login(oauth2Login -> oauth2Login
            .userInfoEndpoint(userInfoEndpoint ->
                userInfoEndpoint.userService(oauth2UserService()).oidcUserService(oidcUserService()))
            .tokenEndpoint(tokenEndpoint ->
                tokenEndpoint.accessTokenResponseClient(authorizationCodeTokenResponseClient())));

However, I did get authentication to work using the Okta libs. I've been running the app via the Spring Boot Maven plugin, run goal, and figured out that the Maven Boot plugin is forking a new JVM and the system properties are not getting passed (though it seemed to work before). It works when I set the system props in the plugin config:

            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <mainClass>demo.okta.oktarestdemo.OktaRestDemoApplication</mainClass>
                    <executable>true</executable>
                    <fork>true</fork>
                    <systemPropertyVariables>
                        <https.proxyHost>myproxy</https.proxyHost>
                        <https.proxyPort>8080</https.proxyPort>
                    </systemPropertyVariables>
                </configuration>
                ...
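
An added diagnostic, not part of the thread or of the Okta SDK, for the situation described in the comment above: it shows whether https.proxyHost and https.proxyPort actually reached a JVM and which proxy the default ProxySelector would pick for the OpenID discovery URL. The class name ProxyCheck is an assumption, and the issuer is the placeholder host from the issue.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

// Hypothetical helper class (the name is an assumption, not from the thread).
public class ProxyCheck {
    // Placeholder issuer as written in the issue; pass the real one as args[0].
    static final String ISSUER = "https://dev-nnnnnn.okta.com/oauth2/default";

    // Proxies the JVM's default selector (the one HttpURLConnection consults)
    // would try, in order, for this URI. No network traffic is generated.
    static List<Proxy> proxiesFor(URI uri) {
        return ProxySelector.getDefault().select(uri);
    }

    static String describe(Proxy proxy) {
        if (proxy.type() == Proxy.Type.DIRECT) {
            return "DIRECT (no proxy)";
        }
        InetSocketAddress addr = (InetSocketAddress) proxy.address();
        return proxy.type() + " " + addr.getHostString() + ":" + addr.getPort();
    }

    public static void main(String[] args) {
        String issuer = args.length > 0 ? args[0] : ISSUER;
        URI discovery = URI.create(issuer + "/.well-known/openid-configuration");

        // What actually reached this JVM; null means the property was never set here.
        for (String key : new String[] {"https.proxyHost", "https.proxyPort", "http.nonProxyHosts"}) {
            System.out.println(key + " = " + System.getProperty(key));
        }

        List<Proxy> proxies = proxiesFor(discovery);
        proxies.forEach(p -> System.out.println(discovery.getHost() + " -> " + describe(p)));

        // Fail loudly when the first choice is a direct connection, which on a
        // proxied corporate network ends in the connection timeout from the issue.
        if (proxies.isEmpty() || proxies.get(0).type() == Proxy.Type.DIRECT) {
            System.err.println("No proxy selected for " + discovery);
            System.exit(1);
        }
    }
}
```

On Java 11 or later it runs as a single file with `java -Dhttps.proxyHost=myproxy -Dhttps.proxyPort=8080 ProxyCheck.java`; calling `ProxyCheck.proxiesFor(...)` from the application's own main method instead reports on the JVM that the Maven plugin forks.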

@arvindkrishnakumar-okta
Contributor

@car51901 do you have any follow-up questions for us on this? If not, can we close this?
