
Spring Security - securing some REST endpoints with Okta and others with Active Directory in the same API

I have a REST API where I need to secure some (UI-facing) endpoints with Okta authentication and others (backend-facing) with Azure Active Directory. I managed to do it separately (either I can secure the endpoints with Okta or with AAD), but they don't want to work together. As soon as I add okta-spring-boot-starter to the POM (or okta-spring-security-oauth2), AAD security stops working and the endpoints are either open or secured with Okta only. I am trying to do it using WebSecurityConfigurerAdapter implementations for Okta and AAD:

// Package of the AAD filter as shipped by azure-active-directory-spring-boot-starter 2.x;
// newer Azure starters relocate it under com.azure.spring.
import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // First filter chain. No requestMatchers() is set, so the HttpSecurity it builds
    // matches every request, not only /v1/endpoint1 and /v1/endpoint2.
    @Configuration
    @Order(1)
    public static class OktaAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/v1/endpoint1").authenticated()
                    .antMatchers("/v1/endpoint2/**").authenticated();
            // No anyRequest() rule: URLs not listed here carry no access attribute.
        }
    }

    // Second filter chain. It is only consulted for requests the @Order(1) chain
    // does not claim.
    @Configuration
    @Order(2)
    public static class ActiveDirectoryAdapter extends WebSecurityConfigurerAdapter {
        @Autowired
        private AADAppRoleStatelessAuthenticationFilter filter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/v1/endpoint3/**").authenticated()
                    .antMatchers("/v1/endpoint4/**").authenticated()
                    .and()
                    // The AAD filter validates the bearer token and populates the SecurityContext
                    .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class);
        }
    }
}

This configuration, however, works only for endpoint1 and endpoint2 (secured with Okta); the other REST endpoints are open (as if the second implementation of WebSecurityConfigurerAdapter were ignored). If I remove the Okta package from the POM, the AAD configuration starts working. If I switch the order of the above configurations, then nothing is secured. I suspect the Okta package does some autoconfiguration, but I can't find any information about it. What am I missing?

The Okta Spring Boot Starter is mostly just a light wrapper to help configure the existing Spring Security OAuth autoconfig with a few Okta specific bits.

My first suggestion (if possible) is to try to use Spring Security OAuth for both IdPs, as it doesn't look like the AAD starter works with Spring Security's built-in OAuth support (I could be wrong, I only took a quick look). Assuming AAD is just OAuth/OIDC, it will just work with a little bit of configuration.

You will still need a solution to protect your given routes (1 & 2 -> Okta, 3 & 4 -> AAD). There are a few ways to do this. You could use scopes (assuming they are different) or some other type of "authority":

http.authorizeRequests()
        .antMatchers("/your/route").hasAuthority("SCOPE_custom");

The Okta Spring Boot Starter should work with other IdPs configured with Spring Security OAuth properties: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-boot-property-mappings

I cannot speak 100% to what the AAD starter adds, but I'm guessing it's similar to Okta. Which is:

  • A common set of properties (inline with other vendor offerings)
  • Vendor-specific JWT validation (Spring Security only does basic JWT validation, and each vendor has its own recommendations, assuming you are using JWT access tokens)
  • A little sugar (for example the Okta starter adds a mapping of Okta groups to Spring Authorities)

As far as JWT validation goes Okta recommends validating JWTs like this: https://scotch.io/tutorials/jwt-vs-opaque-access-tokens-use-both-with-spring-boot#toc-better-jwt-validation

A similar technique could be used (if needed).

Keep us posted!
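A way to make the two adapters coexist, as an added example that is neither the asker's nor the answerer's code: each WebSecurityConfigurerAdapter is scoped with requestMatchers() to the routes it owns, so the @Order(1) chain no longer claims every request and FilterChainProxy actually reaches the AAD chain for /v1/endpoint3 and /v1/endpoint4. The Okta side uses Spring Security's own resource-server support, as the answer recommends, and routes one path by authority with the answer's SCOPE_custom placeholder. Assumptions: Spring Security 5.x (WebSecurityConfigurerAdapter is gone in 6), spring-boot-starter-oauth2-resource-server on the classpath, an okta.oauth2.issuer property (the key the Okta starter reads), the AADAppRoleStatelessAuthenticationFilter bean from the Azure AD starter, and the question's /v1/endpointN routes.

```java
import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SplitIdpSecurityConfig {

    // Chain 1 (consulted first): UI-facing routes, bearer tokens must be Okta-issued JWTs.
    @Configuration
    @Order(1)
    public static class OktaChain extends WebSecurityConfigurerAdapter {

        // Assumed property, e.g. https://dev-123456.okta.com/oauth2/default (hypothetical value).
        @Value("${okta.oauth2.issuer}")
        private String oktaIssuer;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // requestMatchers() is what the question's config lacks: it limits which
                // requests this SecurityFilterChain claims. Without it the chain matches
                // everything and the @Order(2) chain is never reached.
                .requestMatchers()
                    .antMatchers("/v1/endpoint1", "/v1/endpoint2/**")
                    .and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    // The answer's route-by-authority idea: scope "custom" maps to SCOPE_custom.
                    .antMatchers("/v1/endpoint2/**").hasAuthority("SCOPE_custom")
                    .anyRequest().authenticated()
                    .and()
                .oauth2ResourceServer()
                    .jwt()
                        // Discovers the JWKS from the issuer's OIDC metadata and pins the
                        // iss claim, so an AAD token presented on these routes is rejected.
                        .decoder(JwtDecoders.fromIssuerLocation(oktaIssuer));
        }
    }

    // Chain 2: backend-facing routes, authenticated by the Azure AD app-role filter.
    @Configuration
    @Order(2)
    public static class AadChain extends WebSecurityConfigurerAdapter {

        @Autowired
        private AADAppRoleStatelessAuthenticationFilter aadFilter;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    .antMatchers("/v1/endpoint3/**", "/v1/endpoint4/**")
                    .and()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .addFilterBefore(aadFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    // Chain 3: every other request. Deny by default, so a route that is not listed in
    // either chain above fails closed instead of being silently open.
    @Configuration
    @Order(3)
    public static class CatchAllChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests().anyRequest().denyAll();
        }
    }
}
```

A quick check after wiring this up: a valid Okta token against /v1/endpoint3 and a valid AAD token against /v1/endpoint1 should both return 401, since each chain only trusts its own issuer, and any path outside the four listed routes should return 403 from the catch-all chain. If /v1/endpoint3 still answers 200 with no token, the first chain is still matching everything and the requestMatchers() block is not in effect.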

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
