Conversation
Still a bunch of things to do before merging, lots of cleaning (and tests) But it is at a point where we can chat more about this approach.
Still need to think about how the mvc/thymeleaf module is structured, the current 'optional' dependency is not great
Ran PMD and Findbugs, fixed minor issues
| */ | ||
| @GetMapping("/") | ||
| @PreAuthorize("#oauth2.clientHasRole('Everyone') || #oauth2.hasScope('email')") | ||
| // @PreAuthorize("#oauth2.clientHasRole('Everyone') || #oauth2.hasScope('email')") |
There was a problem hiding this comment.
looks like delete this line
| import java.security.Principal; | ||
|
|
||
| @RestController | ||
| public class WelcomeResource { |
There was a problem hiding this comment.
Should this be: WelcomeController or WelcomeResourceController?
| return new Welcome("The message of the day is boring.", principal.getName()); | ||
| } | ||
|
|
||
| @XmlRootElement |
There was a problem hiding this comment.
Ha! that works for both JSON and XML IIRC, but let me see if that is still needed
There was a problem hiding this comment.
i'm wrong... I swear it was needed at one point...
| import java.security.Principal; | ||
|
|
||
| @RestController | ||
| public class WelcomeResource { |
There was a problem hiding this comment.
WelcomeResourceController or WelcomeController
oauth2/pom.xml
Outdated
| <name>Okta Spring Boot :: OAuth2</name> | ||
|
|
||
| <properties> | ||
| <spring-boot.version>1.5.4.RELEASE</spring-boot.version> |
| import java.util.Map; | ||
|
|
||
| @ConfigurationProperties("okta") | ||
| public class OktaOAuthProperties { |
There was a problem hiding this comment.
I'm a little confused on the difference between OkatOAuthProperties and OAuthProperties and why OAuthProperties is embedded in OktaOAuthProperties.
There was a problem hiding this comment.
This brings up a few questions, i'm not sure the best way to handle the properties object.
But your point is valid, the top level should be renamed to OktaProperties (on it)
The odd nested OAuthProperties getOauth2()/oauth2 to make Spring's ConfigurationProperties work out of the box.
it might be worth breaking this up into multiple classes, one for each okta.* so one for okta.client, okta.oauth2 and another for okta.web (this last one is already separate)
The okta.client properties are defined by the the SDK's spec so they are reused where possible
| } | ||
|
|
||
|
|
||
| public OAuthProperties getOauth2() { |
There was a problem hiding this comment.
seems like this should be: getOAuthProperties() or getOAuth2Properties (which also means that the variable should probs be renamed too)
There was a problem hiding this comment.
See above, that might help clear up the confusion (instead of forcing them all in a single class)?
| import org.testng.annotations.Test | ||
|
|
||
| import static org.hamcrest.MatcherAssert.assertThat | ||
| import static org.hamcrest.Matchers.* |
There was a problem hiding this comment.
not as critical for tests, but we've had a standard in the past of making imports explicit
There was a problem hiding this comment.
yeah, just too many damn static methods in hamcrest, easy enough to clean up the imports though
| import org.testng.annotations.Test | ||
|
|
||
| import static org.hamcrest.MatcherAssert.assertThat | ||
| import static org.hamcrest.Matchers.* |
There was a problem hiding this comment.
same note on expanding imports
| protected boolean shouldExecute(HttpServletRequest request, HttpServletResponse response, | ||
| Object handler, ModelAndView modelAndView) { | ||
|
|
||
| if (modelAndView == null || !modelAndView.isReference() /*|| STORMPATH_JSON_VIEW_NAME.equals(modelAndView.getViewName()) */) { |
There was a problem hiding this comment.
time to let go of STORMPATH comments ;)
|
@dogeared all clear, but, take a look at this comment if you missed it in the scroll back: Thoughts on how these properties should be structured ? |
mraible
left a comment
mraible
left a comment
There was a problem hiding this comment.
Minor code formatting comments. Didn't try the examples. Does Travis run integration tests to prove they work?
| import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration; | ||
| import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client; | ||
| import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler; | ||
|
|
| customLoginRoute: /login | ||
|
|
||
| # default is '/login' | ||
| redirectUri: /login/okta |
There was a problem hiding this comment.
Why do the defaults need to be changed? Does it work when these aren't specified, or are these settings specific to this example?
There was a problem hiding this comment.
Actually, I want to pick your brain about this. I'm not super happy with the way this works at the moment. (this is also related to your next comment).
I'm trying to keep the the hosted page stuff optional, and default to a standard redirect (takes less config, easier to debug, etc).
This project still redirects, it just redirects to the oauth2 filter at: /login/okta which grabs the state and then renders the widget template login.html
Longer term it would be nice to handle this all in the same request, and just forward to the login.html template (to save a hop, and configuration)
| oauth2: | ||
| client: | ||
| # Need to figure out how to set this, this needs to be an absolute URI | ||
| userAuthorizationUri: http://localhost:8080/login |
There was a problem hiding this comment.
This is a Spring Security setting, or ours?
There was a problem hiding this comment.
Spring, it needs an absolute URI. (Ideally we need a better solution for this)
| </dependencies> | ||
|
|
||
| <build> | ||
| <defaultGoal>spring-boot:run</defaultGoal> |
There was a problem hiding this comment.
My fave! I tried to get the Spring Boot guys to do this, but they refused.
| } | ||
| } | ||
|
|
||
|
|
| protected void init() { | ||
|
|
||
| // update properties based on discovery if needed | ||
|
|
| protected void configure(HttpSecurity http) throws Exception { | ||
|
|
||
| // FIXME: MVC bleed | ||
| http.authorizeRequests().antMatchers("/okta/*.css").permitAll(); |
There was a problem hiding this comment.
Ours, I ran into an ordering issue (?) where a WebSecurityConfigurerAdapter from the thymeleaf module was not getting applied correctly (and blocking the css). A little googling showed that I should apply() other WebSecurityConfigurerAdapter. Thoughts?
| return new ResourceServerConfigurerAdapter() { | ||
| @Override | ||
| public void configure(final ResourceServerSecurityConfigurer config) { | ||
| config.resourceId(OAuthProperties.getOauth2().getAudience()); // set audience |
There was a problem hiding this comment.
Comment doesn't match - remove.
| @Test | ||
| void basicParseTest() { | ||
|
|
||
|
|
| <dependency> | ||
| <groupId>com.okta.spring</groupId> | ||
| <artifactId>okta-spring-boot-starter</artifactId> | ||
| <version>0.2.0-SNAPSHOT</version> |
There was a problem hiding this comment.
Should this be ${project.version} to simplify things?
There was a problem hiding this comment.
Nope, ${project.version} is not recommended for dependencies. There are cases where if you use a parent from this project in a separately versioned project (other git repo), then then ${project.version} will not resolve correctly. (there is another edge case too, but I forget).
Older versions of the release plugin did update these correctly as well, but that has been fixed.
|
Thanks for the reviews so far guys! After I get a green merge light I'd like to continue using this as a feature branch and NOT merge to 1.) Extra config when using a hosted login page If you agree, i'll create issues for each of these and we can merge this to master once they are resolved |
Attempted to use the built in Spring OIDC discovery, but it didn't support all of the fields Okta has Updated current code to reflect that pattern though
Set default Order(80) on OktaHttpSecurityConfigurationAdapter to make one less line of code to explain
bdemers
changed the title
Realize there is too much code here...
|
Way to much code in here, both for a pull request and in general. |
3 participants
Lots of stuff in here, any feedback is great high level or low.
There are a couple of important changes in this one:
1.) Add call discovery endpoint to simplify spring security oauth config
2.) Support custom 'authorities' claim in ID token
3.) Add support for a customizable hosted login page (using the Okta widget), works like any other Spring redirect.
4.) Renamed the modules, so we can support having a singular Spring Boot Starter for all of your Okta needs (Spring Sec, Spring Sec + Thymeleaf, and non Spring Sec in the future)