Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Opaque Token Validation Support for Servlet Web Application Type #185

Merged
merged 105 commits into from
Oct 14, 2020
Merged

Add Opaque Token Validation Support for Servlet Web Application Type #185

merged 105 commits into from
Oct 14, 2020

Conversation

arvindkrishnakumar-okta
Copy link
Contributor

@arvindkrishnakumar-okta arvindkrishnakumar-okta commented Sep 10, 2020
edited
Loading

Issue:

OKTA-323350

Expected behavior implemented in this PR:

Issuer/Org URL Client Specified Config Resource Server Start Mode
Root Opaque Opaque
Root Jwt Server won't start
Root Unset Opaque
Non-root Jwt Jwt
Non-root Opaque Opaque
Non-root Unset Neither Jwt nor Opaque

ℹ️ Note: When the server is configured/set to start in Opaque Token mode, if the property okta.oauth2.client-secret is not set (empty), then the startup would fail with error and this is the desired behavior. This is because, we will need the client-secret at runtime to hit the introspection endpoint to validate the Opaque token and we do not want the user to see a 401 error at that stage with a missing client-secret. To prevent that, we are validating that before the server startup and would not let the server to start in such a case.

Note: This covers only Servlet web application type (does not cover "Reactive/Webflux" applications).

@arvindkrishnakumar-okta arvindkrishnakumar-okta mentioned this pull request Sep 10, 2020
Closed
@bdemers
Copy link
Contributor

bdemers commented Oct 8, 2020

Are there changes to support WebFlux in this PR?

@arvindkrishnakumar-okta arvindkrishnakumar-okta force-pushed the add_opaque_token_validation_support branch from 49fe956 to 8476284 Compare October 8, 2020 19:36
@arvindkrishnakumar-okta
Copy link
Contributor Author

arvindkrishnakumar-okta commented Oct 8, 2020
edited
Loading

Are there changes to support WebFlux in this PR?

I would introduce them as part of a separate JIRA/PR (OKTA-336738).

@arvindkrishnakumar-okta arvindkrishnakumar-okta changed the title Add Opaque Token Validation Support Add Opaque Token Validation Support for Servlet Web Applications Oct 12, 2020
@arvindkrishnakumar-okta arvindkrishnakumar-okta changed the title Add Opaque Token Validation Support for Servlet Web Applications Add Opaque Token Validation Support for Servlet Web Application Type Oct 12, 2020
@arvindkrishnakumar-okta
Copy link
Contributor Author

Ready for review!

bdemers
bdemers suggested changes Oct 12, 2020
View reviewed changes
Copy link
Contributor

@bdemers bdemers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

couple nits,
Some of which should be resolved by #207.

oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2Configurer.java Outdated Show resolved Hide resolved
oauth2/src/main/java/com/okta/spring/boot/oauth/WebClientUtil.java Outdated Show resolved Hide resolved
oauth2/src/test/groovy/com/okta/spring/boot/oauth/AutoConfigConditionalTest.groovy Outdated
@@ -265,7 +261,8 @@ class AutoConfigConditionalTest implements HttpMock {
webContextRunner().withPropertyValues(
"okta.oauth2.issuer=https://test.example.com/",
"spring.security.oauth2.client.provider.okta.issuerUri=${mockBaseUrl()}", // work around to not validate the https url
"okta.oauth2.client-id=test-client-id")
"okta.oauth2.client-id=test-client-id",
"okta.oauth2.client-secret=test-client-secret")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update the test propertyokta.oauth2.issuer to be something that the previous code was expected (so the test functions the same way), then add a new test (if needed for the newer code)

This will ensure the previous functionality continues to work unchanged

...om/okta/spring/boot/oauth/env/OktaOAuth2PropertiesMappingEnvironmentPostProcessorTest.groovy Outdated Show resolved Hide resolved
...om/okta/spring/boot/oauth/env/OktaOAuth2PropertiesMappingEnvironmentPostProcessorTest.groovy Show resolved Hide resolved
oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2Configurer.java Outdated Show resolved Hide resolved
bdemers and others added 2 commits October 12, 2020 14:39
@bdemers @arvindkrishnakumar-okta
Ensuring the Okta Env Post Processor only sets valid properties
5e1481a 
Updated conditional property logic to take a list of strings, this ensures that BOTH issuer and secret are set before remapping properties
@arvindkrishnakumar-okta
addressed review comments
dc6cd54
@arvindkrishnakumar-okta arvindkrishnakumar-okta force-pushed the add_opaque_token_validation_support branch from bb6cbba to dc6cd54 Compare October 12, 2020 21:58
@arvindkrishnakumar-okta
Copy link
Contributor Author

couple nits,
Some of which should be resolved by #207.

fixed.

bdemers
bdemers approved these changes Oct 14, 2020
View reviewed changes
Copy link
Contributor

@bdemers bdemers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@arvindkrishnakumar-okta arvindkrishnakumar-okta merged commit e77aec3 into release_v2 Oct 14, 2020
@bdemers bdemers mentioned this pull request Oct 14, 2020
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdemers bdemers bdemers approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@arvindkrishnakumar-okta @bdemers @snyk-bot @robertjd