I have a Spring Boot application running on Java 17 with the Okta starter and Thymeleaf. My problem is securing some parts of the website with scopes, as shown in this quick-start. I have added my audience to application.yml,
but I only get a 403 (Forbidden) response on that specific URL.
SecurityConfiguration:
@Configuration
@EnableMethodSecurity
@EnableWebSecurity
@Order(1)
public class SecurityController {
/** Okta issuer URL, bound from the {@code okta.oauth2.issuer} property in application.yml. */
@Value("${okta.oauth2.issuer}")
private String issuer;
/** OAuth2 client id, bound from {@code okta.oauth2.client-id}; not referenced by {@code configure(...)} as shown. */
@Value("${okta.oauth2.client-id}")
private String clientId;
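/**
 * Builds the single security filter chain for the application.
 *
 * <p>No {@code securityMatcher} is set, so this chain is consulted for every request.
 * Authorization rules are evaluated in declaration order: the first matcher that
 * applies wins, and everything not matched earlier requires an authenticated caller.
 *
 * @param http the {@link HttpSecurity} builder supplied by Spring Security
 * @return the built {@link SecurityFilterChain}
 * @throws Exception propagated from {@code http.build()}
 */
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(authorize -> authorize
            // WebSocket endpoint: open for every HTTP method.
            .requestMatchers("/api/ws").permitAll()
            // Only GET and POST under /api/public/** are anonymous; any other verb on
            // these paths falls through to anyRequest().authenticated() below.
            .requestMatchers(HttpMethod.GET, "/api/public/**").permitAll()
            .requestMatchers(HttpMethod.POST, "/api/public/**").permitAll()
            // Requires the granted authority "SCOPE_access:devtest". With Spring's default
            // JWT authority mapping that string is derived from an "access:devtest" entry in
            // the token's scope/scp claim, so a token (or an interactive login session, if the
            // starter's OAuth2 login is active — not shown here) issued without that scope is
            // answered with 403 even though the caller is authenticated.
            .requestMatchers("/test/blank").hasAuthority("SCOPE_access:devtest")
            .anyRequest().authenticated()
        )
        .logout(logout -> {
            // logoutHandler() is defined elsewhere in this class (outside this method).
            logout.addLogoutHandler(logoutHandler());
            logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
        })
        // Lambda form replaces the deprecated cors().and() chaining (deprecated in
        // Spring Security 6.1); behaviour is unchanged — CORS support is enabled and uses
        // a CorsConfigurationSource bean if one is present.
        .cors(withDefaults())
        // Bearer-token (JWT) authentication; issuer and audience come from the
        // spring.security.oauth2.resourceserver.jwt.* properties.
        .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
    // CSRF protection is left at its default (enabled) because csrf() is never configured
    // here: non-GET requests without a CSRF token are also rejected with 403, even on
    // permitAll paths — worth ruling out when diagnosing a 403.
    return http.build();
}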
application.yml:
# src/main/resources/application.yml
# NOTE(review): indentation restored from the flattened paste; keys and values are unchanged.
okta:
  oauth2:
    issuer: https://issuer.com
    client-id: longclientid
    # Secret kept in a checked-in config file; prefer an externalised property or
    # environment variable (constructed example: client-secret: ${OKTA_CLIENT_SECRET}).
    client-secret: longclientsecret
    # Expected "aud" claim of incoming access tokens (same value repeated under
    # spring.security.oauth2.resourceserver.jwt.audiences below).
    audience: https://api.customdomain.com/v1/api
server:
  port: 8080
  error:
    whitelabel:
      enabled: false   # disables Spring Boot's default "Whitelabel" error page
spring:
  messages:
    basename:          # left empty: no custom message bundle name is given
  security:
    oauth2:
      client:
        registration:
          okta:
            # Same client credentials as okta.oauth2.* above; the Okta starter presumably
            # maps those onto these keys already, so this duplication is likely redundant — verify.
            client-id: longclientid
            client-secret: longclientsecret
            # Scopes requested during the login flow. "access:devtest" — the scope the
            # SecurityController demands via hasAuthority("SCOPE_access:devtest") — is not listed.
            scope: openid, profile, email
      resourceserver:
        jwt:
          # Issuer used to discover the JWK set and validate the "iss" claim of bearer tokens.
          issuer-uri: https://issuer.com
          # Audience value(s) the resource server accepts in the "aud" claim.
          audiences: https://api.customdomain.com/v1/api