Oauth2 configuration behind a corporate proxy

[amalagaura]

I am configuring OAuth2 using Okta. But specifically we are having issues because I know that the server needs to reach out to the issuer-uri. In order to do that in our environment we need to configure a proxy.

I have tried adding httpsProxy settings in JAVA_OPTS but it is still failing. I have tried the following:

JAVA_OPTS=-Dhttp.proxyHost=proxyhost -Dhttps.proxyHost=proxyhost -Dhttp.proxyPort=80 -Dhttps.proxyPort=80

I think the rest is configured correctly because I got a proper error when I did not add a redirect URI in the Okta config.

spring:
   security:
      oauth2:
         client:
            registration:
               okta:
                  client-id: abcd
                  client-secret: abcd
            provider:
               okta:
                  issuer-uri: https://domain.okta.com/oauth2/something

[Haarolean]

@amalagaura Hey, could you please share the full config? The first one looks like an env variable, but the second part is application.yml.

[amalagaura]

Thanks @Haarolean

Yes the first one is the env var JAVA_OPTS which I set in our Kubernetes Deployment config. It only has JAVA_OPTS and SPRING_CONFIG_LOCATION which is set to the below file:

env:
  - name: SPRING_CONFIG_LOCATION
    value: /file/config.yaml
  - name: JAVA_OPTS
    value: "-Dhttp.proxyHost=proxyhost -Dhttps.proxyHost=proxyhost -Dhttp.proxyPort=80 -Dhttps.proxyPort=80"

kafka:
  clusters:
    ~~~Clusters are working~~~
auth:
  type: OAUTH2
spring:
   security:
      oauth2:
         client:
            registration:
               okta:
                  client-id: abcd
                  client-secret: abcd
            provider:
               okta:
                  issuer-uri: https://domain.okta.com/oauth2/something

management:
   health:
      ldap:
         enabled: false

[amalagaura]

I enabled trace logging but I am unable to see any oauth2 related logging when the failed request is made.

The error is "Invalid credentials" and it shows the issuer-uri URL on the page. The URL it redirects to is /login?error

[Haarolean]

Yeah, logging oauth2 stuff in spring is not that easy :/

[amalagaura]

OK we got it working. Somehow we thought we needed a proxy to reach Okta, but that appears incorrect.

We were missing the Scopes. We saw the error on the URL when we went to the Chrome network tab. Please close this. Thank you.

[Haarolean]

Glad you solved it :)