
Support Okta as OIDC #78

Closed
JasonTypesCodes opened this issue Jun 1, 2020 · 13 comments · Fixed by #85
Assignees
Labels
enhancement 💎 New feature or request

Comments

@JasonTypesCodes
Contributor

See: jhipster/generator-jhipster#11715

@atomfrede
Member

We need at least to override application.properties with a dedicated Heroku properties file and change the issuer and client secret. And it looks like the redirect URIs are different from the ones we have on the Boot backend. If we could align them we can reuse the script, but adapting the script should also be no problem.

https://github.com/jhipster/generator-jhipster-micronaut/blob/master/generators/server/templates/src/main/resources/application.yml.ejs#L43

@atomfrede atomfrede mentioned this issue Jun 8, 2020
@atomfrede atomfrede self-assigned this Jun 9, 2020
@atomfrede
Member

I will handle this together with #85

@atomfrede atomfrede added the enhancement 💎 New feature or request label Jun 9, 2020
@atomfrede
Member

I have an application deployed via Heroku and set up everything in the Heroku add-on. The Micronaut app sends the redirect URL as http instead of https (the script configures https).

@JasonTypesCodes do you know if that can be changed?

@JasonTypesCodes
Contributor Author

Which redirect url are you referring to? The one provided to the OIDC?

@atomfrede
Member

Yes, the one provided to the OIDC, when clicking login: `https://....okta.com/oauth2/default/v1/authorize?scope=openid+email+profile&response_type=code&redirect_uri=http%3A%2F%2Fmhipster-5.herokuapp.com%2Foauth2%2Fcallback%2Foidc&state=....`

@mraible Not sure, but at least right now checking the AccessToken instead of the IdToken here does not work, as the groups claim is only set up for the ID token (as documented here).
Switching to tokenResponse.getIdToken() works at least without a null pointer exception, but the app does think I am not logged in. The roles are correctly extracted from the token though.
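To make the point in the comment above concrete (the groups claim lives in the ID token, not the access token, so the role mapping has to read the ID token and must not crash when a token has no groups), here is an added, self-contained Python example. It is not code from the thread or from the generator. Okta signs tokens with RS256 and publishes its keys via JWKS; this example mints and verifies with HS256 and a constructed shared key purely so it runs offline, and the issuer, client id, subject and group names are made-up sample values. The access token's `api://default` audience mirrors Okta's default authorization server, which is why verifying it as if it were an ID token fails on the audience check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; nothing here comes from a real Okta org.
SAMPLE_KEY = b"constructed-example-key"               # stand-in for Okta's RS256 key
ISSUER = "https://example.okta.com/oauth2/default"    # placeholder issuer
CLIENT_ID = "0oa-example-client"                      # placeholder client id
ACCESS_TOKEN_AUD = "api://default"                    # Okta default auth-server audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build a compact HS256 JWT (offline stand-in for tokens Okta would issue)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, audience: str = CLIENT_ID, now=None, key: bytes = SAMPLE_KEY) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out.

    Raises ValueError otherwise; never returns claims from an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm, never trust 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def roles_from_token_response(token_response: dict, now=None) -> list:
    """Map the ID token's groups claim to roles.

    Reads id_token, not access_token: with Okta's groups claim configured on the
    ID token only, the access token has no 'groups' key, which is the null the
    comment above ran into. A verified ID token without groups yields [] rather
    than an exception.
    """
    id_token = token_response.get("id_token")
    if id_token is None:
        raise ValueError("token response carries no id_token")
    claims = verify_token(id_token, audience=CLIENT_ID, now=now)
    return sorted(claims.get("groups") or [])


def sample_token_response(now: float) -> dict:
    """Constructed token response shaped like Okta's: groups only on the ID token."""
    base = {"iss": ISSUER, "sub": "00u-example-user", "iat": now, "exp": now + 3600}
    access = {**base, "aud": ACCESS_TOKEN_AUD, "scp": ["openid", "email", "profile"]}
    id_tok = {**base, "aud": CLIENT_ID, "email": "user@example.test",
              "groups": ["ROLE_USER", "ROLE_ADMIN"]}
    return {"token_type": "Bearer", "access_token": mint_token(access),
            "id_token": mint_token(id_tok)}
```

The audience check is what makes the two tokens non-interchangeable even before looking at claims: an access token presented where an ID token is expected fails closed instead of silently yielding an empty role set.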

@JasonTypesCodes
Contributor Author

@atomfrede I presume you are in a situation where there is something between the Micronaut server and the consumer, and Micronaut is running on HTTP but the end user is connecting through something else using HTTPS.

One option is to run Micronaut with `micronaut.ssl.enabled` set to true.

Another option is to add your own `HttpHostResolver` implementation. Something like this should work:

```java
import io.micronaut.context.annotation.Replaces;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.server.HttpServerConfiguration;
import io.micronaut.http.server.util.DefaultHttpHostResolver;
import io.micronaut.runtime.server.EmbeddedServer;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.inject.Provider;
import javax.inject.Singleton;

/**
 * Host resolver that reports https even though Micronaut itself serves plain HTTP,
 * for deployments where TLS is terminated in front of the app (e.g. the Heroku router).
 * Note it does so unconditionally: a request that really arrived over plain HTTP
 * is reported as https as well.
 */
@Replaces(DefaultHttpHostResolver.class)
@Singleton
public class SSLEnforcingHostResolver extends DefaultHttpHostResolver {

    public static final String HTTP = "http://";
    public static final String HTTPS = "https://";

    public SSLEnforcingHostResolver(HttpServerConfiguration serverConfiguration, Provider<EmbeddedServer> embeddedServer) {
        super(serverConfiguration, embeddedServer);
    }

    @Nonnull
    @Override
    public String resolve(@Nullable HttpRequest request) {
        String host = super.resolve(request);
        // Swap only the leading scheme; replaceAll would treat the argument as a regex
        // and rewrite every occurrence, not just the prefix.
        if (host.startsWith(HTTP)) {
            return HTTPS + host.substring(HTTP.length());
        }
        return host;
    }
}
```

You can also add the @Requires annotation to specify the environments to use it in.
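The two options above (force https for the whole deployment, or derive the scheme per request) differ in what they trust. Here is an added, language-neutral Python sketch of that choice, together with the reason the http form of the redirect URI fails at the IdP: OAuth 2.0 redirect URIs are compared as exact strings, so a registered https URI does not cover its http twin. This is illustration code, not code from the thread or the generator; the trusted-proxy prefixes, issuer and client id are made-up placeholders, and only the host name and callback path are the ones visible in the thread.

```python
from dataclasses import dataclass, field
from typing import Tuple
from urllib.parse import urlencode

# Constructed values: which peers we accept X-Forwarded-Proto from, plus a
# placeholder Okta issuer and client id. None of these are from the issue thread.
TRUSTED_PROXY_PREFIXES = ("10.", "127.0.0.1")
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oa-example-client"
CALLBACK_PATH = "/oauth2/callback/oidc"


@dataclass
class Request:
    peer_ip: str                                  # address of the hop that connected to us
    host: str                                     # Host header as received
    tls: bool                                     # did *this* hop use TLS?
    headers: dict = field(default_factory=dict)


def resolve_base_url(req: Request, force_https: bool = False) -> str:
    """Return 'scheme://host' as the browser saw it.

    Order of trust: our own TLS socket first; then X-Forwarded-Proto, but only
    when the peer is a proxy we trust (any client can send that header); then
    the deployment-wide force_https switch (the Heroku router terminates TLS for
    every request, so the SSLEnforcingHostResolver above is this branch); else http.
    """
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    if req.tls:
        scheme = "https"
    elif req.peer_ip.startswith(TRUSTED_PROXY_PREFIXES) and "x-forwarded-proto" in hdrs:
        # Proxies append to the header; the first value is from the outermost hop.
        scheme = hdrs["x-forwarded-proto"].split(",")[0].strip().lower()
    elif force_https:
        scheme = "https"
    else:
        scheme = "http"
    return f"{scheme}://{req.host}"


def build_authorize_url(base_url: str, state: str) -> Tuple[str, str]:
    """Build the /v1/authorize URL the app sends the browser to.

    Returns (url, redirect_uri); the second value is what the IdP will compare
    against the redirect URIs registered for the client.
    """
    redirect_uri = base_url + CALLBACK_PATH
    query = urlencode({
        "scope": "openid email profile",
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{ISSUER}/v1/authorize?{query}", redirect_uri


def idp_accepts_redirect(registered: set, redirect_uri: str) -> bool:
    """Exact string match, as OAuth 2.0 requires: scheme, host, port and path all count."""
    return redirect_uri in registered
```

With `force_https=False` and no trusted proxy in front, the app emits the `redirect_uri=http%3A%2F%2F...` form seen in the authorize URL above, and the IdP rejects it against a registered https URI.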

@atomfrede
Member

Thanks, will give it a try. Hopefully setting the property is enough.

@atomfrede
Member

The custom host resolver works fine. Another question, which is not clear to me from the documentation. For Spring Boot we activate e.g. the heroku,prod profiles/environments. The datasource properties from heroku have precedence. When activating prod and heroku, the properties from the prod configuration are taken. I could override them via system properties, but that's more complicated from the generator/template point of view.

@JasonTypesCodes
Contributor Author

The order that the environments are specified should determine which property is loaded. See: https://docs.micronaut.io/latest/guide/index.html#_environment_priority

@atomfrede
Member

Thanks @JasonTypesCodes, seems to work. I think I'll provide a small improvement to the docs to make that easier to spot.

@atomfrede atomfrede linked a pull request Jun 15, 2020 that will close this issue
@atomfrede
Member

@JasonTypesCodes Have you already started adding the user sync with the IdP? My first try does it in the user details mapper and works fine.

@JasonTypesCodes
Contributor Author

@atomfrede All of my recent work is merged now. I did not add anything to sync user information with the IdP.

@atomfrede
Member

I'll provide a small proposal to sync the users such that it would work with users created in Keycloak/Okta only.
