When using an Org Authorization Server the Endpoint URLs are Incorrect
emanor-okta opened this issue · 8 comments
ℹ️ If you have a question, please post it on the Okta Developer Forum instead. Issues in this repository are reserved for bug reports and feature requests only.
I'm submitting a
- bug report
- feature request
Background info
When using an Org Authorization Server as opposed to a custom Authorization Server the Endpoint URLs are built incorrectly. Using the latest Okta Hosted Sample with the below configurations,
OKTA_OAUTH2_ISSUER=https://{DOMAIN}.okta.com
OKTA_OAUTH2_CLIENT_ID=0oa1zj...
OKTA_OAUTH2_CLIENT_SECRET=ec9Ki3T66...
The /authorize URL will be built as https://{DOMAIN}.okta.com/v1/authorize?response_type=...
Should be https://{DOMAIN}.okta.com/oauth2/v1/authorize?response_type=...
If I manually change the browser URL I will get redirected to my login. After login I will get 404 when okta-spring-boot tries to retrieve the /token endpoint. I assume the URL is built without 'oauth2' for this endpoint as well.
Expected behavior
Endpoint URLs should be built with /oauth2/v1/.. when using the Org Authorization server.
What went wrong?
With the wrong URLs a 404 is received.
Steps to reproduce
- Clone latest Okta Hosted Sample
- Use latest okta-spring-boot
- Set issuer to be the Org Authorization Server (https://{DOMAIN}.okta.com)
- Start spring boot, navigate to localhost:8080
- Click login
SDK Version
2.0.1
Thanks @emanor-okta! Will take a look.
Internal Ref: OKTA-383228
@emanor-okta
The authorization URI is obtained by adding /v1/authorize to your okta.oauth2.issuer.
I'm afraid, but https://{DOMAIN}.okta.com is not the correct format for the okta.oauth2.issuer property.
According to the documentation, the issuer should look like: https://{yourOktaDomain}/oauth2/default. As a consequence of this the authorization-uri would be: https://{yourOktaDomain}/oauth2/default/v1/authorize and everything will work fine.
@VitaliiTytarenko-okta https://{yourOktaDomain}.okta.com is a valid Issuer URL (See https://developer.okta.com/docs/concepts/auth-servers/#org-authorization-server).
Recommend reading https://support.okta.com/help/s/article/Difference-Between-Okta-as-An-Authorization-Server-vs-Custom-Authorization-Server?language=en_US
Then, this is not a bug, but a feature. We can implement this, but as for now, the application doesn't support such format.
Fix merged to master, will be published in next release.
Will this fix only go to the 2.x release branch? We use Okta Spring Boot Starter 1.4.0 as we have Spring Boot 2.2 and we get the same problem with the URL being incorrect when using the Org Authorization Server. I currently use a work-around by overriding the URLs in spring.security.oauth2.client.provider.okta.<*-uri>.
I would recommend you upgrade.
It is very unlikely that we will make changes to an older version.
But let me see, maybe we can find a solution for you...
I would recommend you upgrade.
It is very unlikely that we will make changes to an older version.
But let me see, maybe we can find a solution for you...
Thanks for the response Vitalii. We're in the progress of upgrading but it takes time because of technical considerations. We do have a work-around currently by overriding the correct URL in our Spring Security OAuth2 properties