The project is a use case to enlight a problem that I have questioned in stackoverflow
The application, to summarize, tries to configure the Spring Security + Webflux in order to support some resources permiting full access, other resources with Basic Auth and finally other Resources using OAuth2.
The code uses Okta, as the IDP, also includes Okta spring starter in order to autoconfigure the whole access required and localhost callbacks to complete the whole OAuth2 process with Okta.
The idea is to expose 3 GET resources, answering "Dummy call from ${the nature of the call}", as follow:
- /permitall full access no restriction
- /securebasic endpoint secured using HttpBasic Auth, also it is configured in order to the Browser pops the default login form
- /secureoauth endpoint secured using OAuth2.0 supported by Okta, our endpoint will redirect us to Okta Login page and will redirect us back to the resource
The suggestion in stackoverflow needed to have some points in consideration:
- The ServerHttpSecurity should be split into several ordered Beans
We can also applies the configuration in several different config classes, but we manage to do it in 1 class with different Beans
- We have to understand that we are configuring the Authentication AND Authorization policies
That means that the Security check if you are authenticated or if contains the expected Authorization Header but then will also check if you can access the resource even though
- So taking into account the previous point you need to understand then that there are 2 methods in the ServerHttpSecurity builder that helps us to indicates whether the Authentication should be done using that rule and if you hace access to it
- The securityMatcher will tell the Exchange chain if the authentication should be applied using this method
- After the authorizeExchange you decide the access strategy and to which resources will apply
You can run the project using the command:
./gradlew bootRunThe task is already configured to read the .envVar file where you should provide the Okta configuration.
- Go to https://developer.okta.com/
- Create an account (you can use Google or GitHub)
- Login
- In the side menu Directory -> People you can add a dummy user
- Go applications using side menu Application -> Applications
- Click on "Create App Integration"
- Choose OIDC option, next
- Choose Web Application option in case of server side
- Provide the application name
- In the "Sign-in redirect URIs" add http://localhost:8080/login/oauth2/code/okta
- Click on save button
- In your recently created application you can see:
- Under the General tab the Client Id, Client Secret
- Under the Sign On tab the Issuer url
- These are the data you should provide in the .envVar file