Tutorial: Secure Secrets With Spring Cloud Config and Vault

This repository contains the code for a Spring Cloud Config Server that uses HashiCorp Vault as its backend, and a demo client application that authenticates users with Okta OIDC and fetches its Okta client credentials from that config server instead of keeping them on disk.

Please read Secure Secrets With Spring Cloud Config and Vault to see how this app was created.

Prerequisites:

Okta has Authentication and User Management APIs that reduce development time with instant-on, scalable user infrastructure. Okta's intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.

Getting Started

To install this example, run the following command:

git clone https://github.com/oktadev/okta-spring-vault-example.git

Create the OIDC Application in Okta

Open a command line session at the root of the client application, vault-demo-app (spring-vault/vault-demo-app inside the cloned repository), so that the Okta CLI writes its output into that project.

Before you begin, you’ll need a free Okta developer account. Install the Okta CLI and run okta register to sign up for a new account. If you already have an account, run okta login. Then, run okta apps create. Select the default app name, or change it as you see fit. Choose Web and press Enter.

Select Okta Spring Boot Starter. Accept the default Redirect URI values provided for you. That is, a Login Redirect of http://localhost:8080/login/oauth2/code/okta and a Logout Redirect of http://localhost:8080.

What does the Okta CLI do?

The Okta CLI will create an OIDC Web App in your Okta Org. It will add the redirect URIs you specified and grant access to the Everyone group. You will see output like the following when it’s finished:

Okta application configuration has been written to: /path/to/app/src/main/resources/application.properties

Open src/main/resources/application.properties to see the issuer and credentials for your app.

okta.oauth2.issuer=https://dev-133337.okta.com/oauth2/default
okta.oauth2.client-id=0oab8eb55Kb9jdMIr5d6
okta.oauth2.client-secret=NEVER-SHOW-SECRETS

NOTE: You can also use the Okta Admin Console to create your app. See Create a Spring Boot App for more information.

Copy the values from src/main/resources/application.properties and then delete the file. The client will receive these three properties from the config server at startup, so the credentials must not stay in the client project (or end up in version control).

Run Vault

Pull the Vault image. (The image published on Docker Hub as vault has since moved to hashicorp/vault; if the pull fails, use that name here and in the docker run command below.)

docker pull vault

Run a container in dev mode. Replace {hostPath} with a local directory path, such as /tmp/vault. Dev mode keeps all data in memory, starts already unsealed and uses the fixed root token given in VAULT_DEV_ROOT_TOKEN_ID, so it is only suitable for local testing. The container stays in the foreground; leave it running and use a second terminal for the next steps.

docker run --cap-add=IPC_LOCK \
-e 'VAULT_DEV_ROOT_TOKEN_ID=00000000-0000-0000-0000-000000000000' \
-p 8200:8200 \
-v {hostPath}:/vault/logs \
--name my-vault vault

Open an interactive terminal with Vault:

docker exec -it my-vault /bin/sh

In the terminal, store the secrets with the commands below, replacing the {...} placeholders with the values the Okta CLI wrote to application.properties. The key secret/vault-demo-app,dev follows the config server's Vault naming convention, {application},{profile}: a client named vault-demo-app running with the dev profile receives these three properties.

export VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
export VAULT_ADDR="http://127.0.0.1:8200"
vault kv put secret/vault-demo-app,dev \
okta.oauth2.clientId="{yourClientId}" \
okta.oauth2.clientSecret="{yourClientSecret}" \
okta.oauth2.issuer="{yourIssuerURI}"

Run the applications with Maven

From the repository root, run vault-config-server:

cd spring-vault/vault-config-server
./mvnw spring-boot:run

In another terminal at the repository root, run vault-demo-app, passing the Vault token as SPRING_CLOUD_CONFIG_TOKEN. The client forwards this token to the config server (in the X-Config-Token header), and the config server uses it to read the secrets from Vault. Reusing the dev root token here is acceptable only for this local setup.

cd spring-vault/vault-demo-app
SPRING_CLOUD_CONFIG_TOKEN=00000000-0000-0000-0000-000000000000 \
./mvnw spring-boot:run

Go to http://localhost:8080 and log in with Okta.
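The procedure above hands the client the Vault root token as SPRING_CLOUD_CONFIG_TOKEN, which means the token that travels from the client to the config server can read and write every path in Vault. The script below is an added example, not part of this repository or the blog post: it writes a read-only Vault policy scoped to this application's keys, mints a short-lived token under that policy, and checks that the token can read but not write the secrets before printing it for use as SPRING_CLOUD_CONFIG_TOKEN. It assumes the dev server's secret/ mount is KV version 2 (the dev-mode default, hence the data/ segment in the policy paths), that the config server reads the default Spring Cloud Config Vault layout (secret/{application}, secret/{application},{profile}, secret/application and secret/application,{profile}), and that the config server listens on localhost:8888; the helper names kv_path, config_url, read_policy and client_token_ok are this example's own.

```sh
#!/bin/sh
# Added example (not part of the okta-spring-vault-example repository):
# mint a read-only Vault token for the client to pass as
# SPRING_CLOUD_CONFIG_TOKEN instead of reusing the dev root token.
#
# Assumptions (not stated in the README):
#  - the dev server's "secret/" mount is KV version 2, so policy paths
#    carry the "data/" segment;
#  - the config server reads secret/{application}, secret/{application},{profile},
#    secret/application and secret/application,{profile} (Spring Cloud Config's
#    default Vault layout);
#  - the config server listens on localhost:8888 (Spring Cloud Config's default).

APP="${APP:-vault-demo-app}"
CONFIG_SERVER="${CONFIG_SERVER:-http://localhost:8888}"

# KV path the config server reads for an application/profile pair.
# kv_path vault-demo-app dev  ->  secret/vault-demo-app,dev
kv_path() {
  if [ -n "${2:-}" ]; then
    printf 'secret/%s,%s\n' "$1" "$2"
  else
    printf 'secret/%s\n' "$1"
  fi
}

# URL the client fetches (with the X-Config-Token header) for the same pair.
config_url() {
  printf '%s/%s/%s\n' "$CONFIG_SERVER" "$1" "${2:-default}"
}

# Least-privilege policy: read-only on this application's keys and the shared
# "application" keys; no list, update or delete, and no other app's paths.
read_policy() {
  cat <<EOF
path "secret/data/$1"            { capabilities = ["read"] }
path "secret/data/$1,*"          { capabilities = ["read"] }
path "secret/data/application"   { capabilities = ["read"] }
path "secret/data/application,*" { capabilities = ["read"] }
EOF
}

# Guard: never hand the dev root token (or an empty value) to the client.
# Returns 0 when the token is acceptable, 1 otherwise.
client_token_ok() {
  case "${1:-}" in
    ""|00000000-0000-0000-0000-000000000000) return 1 ;;
    *) return 0 ;;
  esac
}

# Live part: runs only when invoked as "sh scoped-token.sh apply" with the
# vault CLI on PATH and VAULT_ADDR/VAULT_TOKEN (an admin token) exported.
if [ "${1:-}" = "apply" ] && command -v vault >/dev/null 2>&1; then
  : "${VAULT_ADDR:?set VAULT_ADDR}" "${VAULT_TOKEN:?set VAULT_TOKEN}"
  read_policy "$APP" | vault policy write "${APP}-read" -
  CLIENT_TOKEN=$(vault token create -policy="${APP}-read" -ttl=1h -field=token)
  client_token_ok "$CLIENT_TOKEN" || { echo "refusing to use the root token" >&2; exit 1; }

  # The scoped token can read the app's dev secrets ...
  VAULT_TOKEN="$CLIENT_TOKEN" vault kv get "$(kv_path "$APP" dev)" >/dev/null
  # ... but must not be able to write them.
  if VAULT_TOKEN="$CLIENT_TOKEN" vault kv put "$(kv_path "$APP" dev)" probe=1 >/dev/null 2>&1; then
    echo "ERROR: scoped token can write secrets" >&2
    exit 1
  fi
  # And the config server serves them to a client presenting that token.
  curl -fsS -H "X-Config-Token: $CLIENT_TOKEN" "$(config_url "$APP" dev)" >/dev/null
  echo "SPRING_CLOUD_CONFIG_TOKEN=$CLIENT_TOKEN"
fi
```

Run it with the admin (here: dev root) token exported as VAULT_TOKEN, then start vault-demo-app with the printed value instead of the root token. The policy deliberately grants no list capability and no access outside secret/data/vault-demo-app* and secret/data/application*, so a leaked client token exposes only this application's configuration and cannot alter it; the one-hour TTL limits the window further.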

Links

This example uses the following libraries:

Help

Please post any questions as comments on the blog post, or visit our Okta Developer Forums. You can also post a question to Stack Overflow with the "okta" tag.

License

Apache 2.0, see LICENSE.