Okta Integration
This tutorial shows how to restrict access to a Vaadin view by using SSO Kit together with Okta.
Pre-Requisites
You will need access to SSO Kit and a Vaadin application with SSO Kit installed. You can install SSO Kit by following the instructions in the Getting Started guide. You also need an Okta account. For this, you can choose between three types of Okta accounts: a developer account; a trial account; and a commercial account. You may use any of these for this tutorial.
Creating an Okta Workspace
You can access your Okta workspace after registering with Okta. A workspace includes an Authorization Server and administrator account. The workspace is behind a URL like dev-12345678.okta.com
Creating a New Application Integration
To integrate Okta with your Vaadin application, go to your Okta workspace and select Applications from the sidebar menu. In the view that opens, select Create App Integration and choose OIDC - OpenIdConnect for the Sign-in method by ticking the box next to it. SSO Kit uses the OpenID Connect (OIDC) protocol standard built on top of OAuth 2.0 to leverage the Spring Security framework for configuring role-based user authorization.
Next, select Web Application as the Application type and move to the next step by clicking Next.
Setting Sign-In and Sign-Out URIs
Add a name and check Client credentials as the Grant type. Then give http://localhost:8080/login/oauth2/code/okta as the Sign-in redirect URI and http://localhost:8080 as the Sign-out redirect URI. These are the addresses where the user is directed when they try to sign into the application and when they sign out.
There are settings related to groups. They can be used to group users into categories, for example, to split access privileges between different user groups. However, skip group assignments for now. That’s covered at the end of this page.
When ready, select Save to create your application.
Connecting Okta to your Vaadin Application
Select your newly created application from the Applications menu and copy the Client ID by clicking Copy to clipboard next to the Client ID and paste it into your application.properties
file.
Repeat this process with the Secret by clicking Copy to clipboard next to the hidden Secret.
Then add your Okta workspace URL by first selecting Security and then API from the sidebar menu. You can find the URL in the Authorization Servers tab under Issuer URI.
Your application.properties
file should then look something like this:
# SSO Kit configuration
spring.security.oauth2.client.registration.okta.client-secret=[paste your secret value here]
spring.security.oauth2.client.provider.okta.issuer-uri=https://dev-12345678.okta.com/oauth2/default
spring.security.oauth2.client.registration.okta.client-id=[paste your client ID here]
spring.security.oauth2.client.registration.okta.scope=openid
vaadin.sso.login-route=/oauth2/authorization/okta
Views protected by the @PermitAll
security annotation will now redirect to Okta for login.
Assigning Users to the Application
You need to assign the users you wish to authorize within your application. You can test the integration by assigning yourself as a user. Go to your Okta Web application and choose the Assignments tab where you can find a list of your user accounts, including your Okta administrator account. Assign the application to your administrator user by selecting the Assign drop-down menu, choosing the Assign to People option, and selecting your administrator account from the list.
You may now run your application and access protected views by signing in with your Okta administrator account once prompted.
Adding New Users
In the Okta developer dashboard, select Directory from the sidebar menu and select People. Click Add Person and fill in the user details. Okta requires a valid email address for every user.
Adding New Groups
You may group users by specifying rules and restrictions. Start by selecting Directory from the sidebar menu and then Groups. Okta creates a default group when you sign up for a workspace named "Everyone" where all current users are assigned without any rules.
Create a new Group by clicking Add group. After providing a name and a description, you will be redirected to the Group details where you can assign users to the Group and assign the Group to an application.