
okta oauth2 Spring security all protected pages redirect to login

I am trying to implement Okta (custom-provider) OAuth2 SSO using Spring Security in my application. The application successfully prompts for the user login and authorises the user. I have my Spring Security config given below. The problem here is that, except for the login and a few other URLs which are given permitAll(), all the protected pages are getting redirected to the 'redirect-uri' (which is the login URL) configured in the application.yml given below. I cannot understand why this happens; I couldn't find any solution in the Okta documentation either. I don't see any error messages in the log. It's just that every time I try to access a secured or protected page, the redirect goes to http://localhost:8080/login, which is the redirect-uri, but I need the redirect to go to the corresponding page the user selected. Am I missing anything here?

SecurityConfiguration.java

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").authorizeRequests()
            .antMatchers("/","/login**","/vendor/**", "https://fonts.googleapis.com/**", "/css/**",
                    "https://www.thymeleaf.org", "/js/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2Login();
    }
}

application.yml

spring:
  security:
    oauth2:
      client:
        registration:
          custom-client:
            client-id: 
            client-secret: 
            scope: ["openid", "profile", "email", "address", "phone", "groups"]
            provider: custom-provider
            state: xoxoxo
            redirect-uri: http://localhost:8080/login
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            filter-order: 3
        provider:
          custom-provider:
            token-uri: https://did.oktapreview.com/oauth2/v1/token
            authorization-uri: https://did.oktapreview.com/oauth2/v1/authorize
            user-info-uri: https://did.oktapreview.com/oauth2/v1/authorize
            user-name-attribute: name

can someone

Yes, sure, there is something wrong:

redirect-uri: http://localhost:8080/login

redirect-uri should be a link to the callback endpoint of your OAuth 2.0 client.

In terms of the Spring Security OAuth 2.0 framework, it should follow this pattern:

redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"

where "baseUrl" is your URL (http://localhost) and "registrationId" is the registration name; in your case it is "custom-client".

Actually, you can specify, as the "redirect-uri" parameter, a pattern without a specific registrationId and baseUrl, so your configuration should look like this:

spring:
  security:
    oauth2:
      client:
        registration:
          custom-client:
            client-id: 
            client-secret: 
            scope: ["openid", "profile", "email", "address", "phone", "groups"]
            provider: custom-provider
            # 'state' and 'filter-order' are not client-registration properties in
            # Spring Security 5 / Spring Boot 2 and are silently ignored
            state: xoxoxo
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            filter-order: 3
        provider:
          custom-provider:
            token-uri: https://did.oktapreview.com/oauth2/v1/token
            authorization-uri: https://did.oktapreview.com/oauth2/v1/authorize
            # the user-info endpoint is /userinfo, not the /authorize endpoint
            user-info-uri: https://did.oktapreview.com/oauth2/v1/userinfo
            user-name-attribute: name

Also, pay attention to your credentials; they should be filled in.
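To make the failure mode concrete, the following is an added example (not code from the question, the answer, or Spring Security) that expands a redirect-uri template the way Spring does for {baseUrl}, {registrationId} and {action}, and checks whether the result lands on the default authorization-code callback path /login/oauth2/code/{registrationId} that OAuth2LoginAuthenticationFilter processes. The base URL and registration id are the constructed sample values from the question.

```python
"""Diagnose a Spring Security OAuth2 client 'redirect-uri' setting.

Spring sends the browser to the provider with a redirect URI expanded from the
configured template; the provider then sends the browser back to that URI with
?code=...&state=.... Only the login-processing filter (default path
/login/oauth2/code/{registrationId}) exchanges that code for tokens.
"""
import re
from urllib.parse import urlsplit

# Default callback path of OAuth2LoginAuthenticationFilter.
CALLBACK_PATTERN = re.compile(r"^/login/oauth2/code/[^/]+$")


def expand_redirect_uri(template, base_url, registration_id, action="login"):
    """Expand the placeholders Spring substitutes into the template.
    'action' is 'login' for oauth2Login(); other placeholders are rejected."""
    values = {
        "baseUrl": base_url.rstrip("/"),
        "registrationId": registration_id,
        "action": action,
    }

    def replace(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unsupported placeholder {{{key}}}")
        return values[key]

    return re.sub(r"\{(\w+)\}", replace, template)


def diagnose(template, base_url, registration_id):
    """Return (expanded redirect URI, verdict).

    'callback': the provider's redirect hits the code-exchange filter.
    'dropped':  the code is delivered to a URL no authentication filter
                handles (e.g. a permitAll() page such as /login), so the
                session never becomes authenticated and the next request to a
                protected page starts the login flow all over again."""
    uri = expand_redirect_uri(template, base_url, registration_id)
    path = urlsplit(uri).path
    verdict = "callback" if CALLBACK_PATTERN.match(path) else "dropped"
    return uri, verdict


if __name__ == "__main__":
    # Constructed sample values taken from the question's configuration.
    for tmpl in ("http://localhost:8080/login",
                 "{baseUrl}/login/oauth2/code/{registrationId}"):
        print(tmpl, "->", diagnose(tmpl, "http://localhost:8080", "custom-client"))
```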
