Okta properties aliases that are equivalent to Spring Security properties are not working with native-images #406
Comments
|
Internal ref: OKTA-465620 |
|
I tried to use the Spring Security property names with the Okta Spring Boot starter today and can confirm it doesn't work. spring.security.oauth2.client.provider.okta.issuer-uri=...
spring.security.oauth2.client.registration.okta.client-id=...
spring.security.oauth2.client.registration.okta.client-secret=...This isn't related to Spring Native because it happens when you start the app using It does work is if you use Spring Security's dependencies. Replace the Okta Spring Boot starter with the following dependencies: <dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>Use Spring Security's property names in your spring.security.oauth2.client.provider.okta.issuer-uri=...
spring.security.oauth2.client.registration.okta.client-id=...
spring.security.oauth2.client.registration.okta.client-secret=...
spring.security.oauth2.client.registration.okta.scope=openid,profile,emailAnd add a package com.example.sample;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.web.server.SecurityWebFilterChain;
@EnableWebFluxSecurity
public class SecurityConfiguration {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http
.authorizeExchange(ae -> ae.anyExchange().authenticated())
.oauth2Login(Customizer.withDefaults())
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::jwt)
.build();
}
@Bean
ReactiveJwtDecoder reactiveJwtDecoder(@Value("${spring.security.oauth2.client.provider.okta.issuer-uri}") String issuerUri) {
return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
}
}Then everything works. This seems to be a regression since the starter worked fine when we hacked on it with Josh Long in June 2021. https://developer.okta.com/blog/2021/09/16/spring-native-okta-starter |
|
@bdemers I updated my native-java-examples' PR with our Spring Boot starter and can confirm it's still broken with Spring Boot 2.6.6 and Spring Native 0.11.3. I feel like I should mention this in the update to my blog post. Thoughts? |
|
@mraible it's probably worth mentioning in your post, I don't think this issue is going to get resolved any time soon: spring-attic/spring-native#1367 |
Background info
Hi, I've updated my project okta-springboot from spring-boot
2.5.7, spring-native0.10.5and okta-spring2.1.3to spring-boot2.6.3, spring-native0.11.2and okta-spring2.1.4.After building successfully the Docker native image, we can see that some security filters present in JVM docker image with AOT mode disabled logs are not present in Native docker image with AOT mode enabled logs.
I've opened the issue #1469 to spring-native.
In my app, I am using okta properties such as
@bdemers helped us there saying that "those Okta properties are basically aliases of the equivalent Spring Sec props and it doesn't currently work with native-images"
That is it. Please, feel free to ask for any more information you might need. Thanks
Steps to reproduce
SDK Version
Java 11
The text was updated successfully, but these errors were encountered: