Update to Spring Boot 2.1 #99
Conversation
Is this backward compatible with Spring Boot 2.0? FWIW, I updated Build a Basic CRUD App with Angular 7.0 and Spring Boot 2.1 to use Spring Boot 2.1 with the 0.6.1 version, and it works fine. I also updated the following posts, but they use Spring Security 5.1 directly without our starter.

Possibly, with the exception of the resource server. I still need to make a final pass through this and the samples repo, but I'll try 2.0 and Spring Sec 5.0 to see where we stand.
@mraible Just tried with 2.0.5, no luck, there was an issue loading the ResourceServer auto config, which could be worked around by adding something like:

```java
@ConditionalOnClass({JwtAuthenticationToken.class, OAuth2ResourceServerProperties.class})
```

But then I ran into another issue with thymeleaf-security, so I'd say 2.1 is the min.

In that case, I suggest we bump the version to 1.0 to indicate a breaking change.
Agreed
@bdemers I tried upgrading three of my Spring Boot 2.1 examples to use this version. Here's what I found (links are to PRs with the code changes):
I tested both the React CRUD example (uses auth code flow) and the Angular CRUD example (uses implicit) and they both work with the latest code. 👍
I'm updating my apps to boot 2.1.1 and this version of the starter and there appears to be a change that's breaking our functionality. With the 0.6 starter and boot 2.0, the JWT token that gets generated after successful authentication (auth code flow) has the "aud" (audience) property set to "api://default" which is the default audience configured for my default authorization server in Okta. With this new starter (1.0.0-SNAPSHOT) and boot 2.1.1, the "aud" property in the token is now set to the "client id" of the application instead, and breaks a few things for me I can elaborate on. But why is the behavior different? Can I configure it to behave the way it was? Basically I use the same token to call into other resource servers on behalf of the user and now those servers reject the token because the "audience" no longer matches the expected "api://default". I am guessing this has more to do with spring boot and spring security than the okta starter itself but it's kind of a breaking change anyway for me. Any thoughts?
Hey @cah-calixtomelean! It sounds like your code might be grabbing an id_token instead of an access token. Can you share the snippet of code you are using to get the token?
@bdemers you are absolutely correct, I was doing that (used to work); that said, I changed the code to the following yesterday and it appeared to "fix it" though I'm not sure that's the best way, what do you think?
@cah-calixtomelean That looks about right to me, it is similar to what Matt and Joe wrote about here: It does seem overly verbose. @mraible thoughts/ideas? A side note, this is a breaking change release (as is the new Spring Security OAuth project).
I believe there are two ways to get an access token, but I haven't tried either, so I'm not sure.

```java
OAuth2RestTemplate.getOAuth2ClientContext().getAccessToken()
```

Or if you're using Spring Boot 2.1:

```java
public ResponseEntity<?> method(@AuthenticationPrincipal(expression = "accessToken") OAuth2AccessToken accessToken) { ... }
```
that's the thing, |
Sorry, I'm wrong. It was just a guess. Maybe @rwinch knows a simpler way to get an access token in Spring Boot 2.1?
@bdemers any plans to update this example? that method security stuff ( EDIT: never mind. changing |
You can get the access token using @RegisteredOAuth2AuthorizedClient. I'd also take a look at the WebClient integration and the oauth2webclient sample.
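The following is an added illustration of the approach suggested in the comment above; it is not code from this PR or from the okta-spring-boot project. It shows, for a Spring Security 5.1 / Spring Boot 2.1 OAuth2 client after the authorization code flow, how to read the access token through @RegisteredOAuth2AuthorizedClient, how the ID token's "aud" (the client id) differs from the access token that is meant for the API, and how to forward the access token to a downstream resource server with the WebClient integration. It assumes a client registration named "okta" (the starter's registration id), an OIDC login so the principal is an OidcUser, and a hypothetical resource server at https://api.example.com; all three are assumptions.

```java
// Added example; not part of the okta-spring-boot starter. Assumes a client
// registration id of "okta" and a hypothetical downstream API (see lead-in).
package com.example.demo;

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
class OAuth2WebClientConfig {

    // WebClient whose filter adds the authorized client's ACCESS token (never the
    // ID token) as "Authorization: Bearer ..." on outgoing requests.
    @Bean
    WebClient webClient(ClientRegistrationRepository clientRegistrations,
                        OAuth2AuthorizedClientRepository authorizedClients) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrations, authorizedClients);
        return WebClient.builder().filter(oauth2).build();
    }
}

@RestController
class TokenController {

    private final WebClient webClient;

    TokenController(WebClient webClient) {
        this.webClient = webClient;
    }

    // Shows the two tokens side by side. The ID token's audience is this
    // application's client id (it is addressed to the client); the access token
    // is the one addressed to the API (for an Okta default authorization server
    // its "aud" is the server's audience, e.g. "api://default").
    @GetMapping("/tokens")
    Map<String, Object> tokens(@AuthenticationPrincipal OidcUser user,
                               @RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient client) {
        OAuth2AccessToken accessToken = client.getAccessToken();
        Map<String, Object> out = new LinkedHashMap<>();
        out.put("idTokenAudience", user.getIdToken().getAudience());   // [<client id>]
        out.put("accessTokenScopes", accessToken.getScopes());
        out.put("accessTokenExpiresAt", accessToken.getExpiresAt());
        // Do not echo the raw access token to the browser; expose only its length here.
        out.put("accessTokenLength", accessToken.getTokenValue().length());
        return out;
    }

    // Calls a resource server on behalf of the user. The attribute tells the
    // filter which authorized client's access token to attach.
    @GetMapping("/downstream")
    String downstream(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient client) {
        return webClient.get()
                .uri("https://api.example.com/me")   // hypothetical resource server
                .attributes(oauth2AuthorizedClient(client))
                .retrieve()
                .bodyToMono(String.class)
                .block();
    }
}
```

Hitting /tokens while logged in shows why a resource server that expects "api://default" rejects the ID token: its "aud" is the client id. The /downstream call sends the access token, which the resource server's own audience check is written for; if the token still fails there, compare the server's configured audience with the authorization server's audience rather than changing which token is sent.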
@cah-calixtomelean yup, we will get our docs and blog posts updated soon! The
used okta-commons-lang ApplicationInfo instead
Which pulls in Spring Security 5.1
This is a complete rewrite as the Spring Security OAuth modules have changed (so looking at the diffs will look odd, you might be better off treating it as new work and looking at the files)
Fixes: #96