This repository contains all the code for testing a Spring Cloud Configuration Server using Vault as backend, and a demo client application with Okta OIDC authentication.
Please read Secure Secrets With Spring Cloud Config and Vault to see how this app was created.
Prerequisites:
Okta has Authentication and User Management APIs that reduce development time with instant-on, scalable user infrastructure. Okta's intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.
To install this example, run the following commands:
git clone https://github.com/oktadev/okta-spring-vault-example.git
Open a command line session and navigate into the okta-spring-vault-example/vault-demo-app directory.
To get a free Okta developer account, install the Okta CLI and run okta register to sign up for a new account. If you already have an account, run okta login. Then, run okta apps create. Select the default app name, or change it as you see fit. Choose Web and press Enter.
Select Okta Spring Boot Starter. Accept the default Redirect URI values provided for you. That is, a Login Redirect of http://localhost:8080/login/oauth2/code/okta and a Logout Redirect of http://localhost:8080.
What does the Okta CLI do?
The Okta CLI will create an OIDC Web App in your Okta Org. It will add the redirect URIs you specified and grant access to the Everyone group. You will see output like the following when it’s finished:
Okta application configuration has been written to: /path/to/app/src/main/resources/application.properties
Open src/main/resources/application.properties to see the issuer and credentials for your app.
okta.oauth2.issuer=https://dev-133337.okta.com/oauth2/default
okta.oauth2.client-id=0oab8eb55Kb9jdMIr5d6
okta.oauth2.client-secret=NEVER-SHOW-SECRETS
NOTE: You can also use the Okta Admin Console to create your app. See Create a Spring Boot App for more information.
Copy the values from src/main/resources/application.properties and delete the file. The client secret should not remain in the project tree (where it could be committed); the values go into Vault in the steps below and reach the application only through the config server.
Sign up at Auth0 and install the Auth0 CLI. Then run:
auth0 login
The terminal will display a device confirmation code and open a browser session to activate the device. After you log in, the terminal will display a success message.
Then, create a client app. The callback keeps the okta path segment because that is the client registration id the Okta Spring Boot Starter uses, whichever provider issues the tokens:
auth0 apps create \
--name "Spring Boot + Vault" \
--description "Demo project of a Spring Boot application with Vault protected secrets" \
--type regular \
--callbacks http://localhost:8080/login/oauth2/code/okta \
--logout-urls http://localhost:8080 \
--reveal-secrets
Pull the Vault image.
docker pull hashicorp/vault:1.14
Run a container in dev mode. Make sure to replace {hostPath} with a local directory path, such as /tmp/vault. The image name must match the one you pulled (the bare vault image on Docker Hub is deprecated):
docker run --cap-add=IPC_LOCK \
-e 'VAULT_DEV_ROOT_TOKEN_ID=00000000-0000-0000-0000-000000000000' \
-p 8200:8200 \
-v {hostPath}:/vault/logs \
--name my-vault hashicorp/vault:1.14
Dev mode is for local demos only: the server is unsealed automatically with a well-known root token, keeps its data in memory, and listens over plain HTTP, and -p 8200:8200 publishes that listener on every interface of the host. Use -p 127.0.0.1:8200:8200 to keep it on loopback if other machines can reach your host.
Open an interactive terminal with Vault:
docker exec -it my-vault /bin/sh
In the terminal, store the secrets by executing the following commands. Replace the placeholders with the values returned by the Okta CLI (for Auth0, use the client id and secret printed by auth0 apps create, and your tenant URL, https://<your-auth0-domain>/ with the trailing slash, as the issuer). The path secret/vault-demo-app,dev is how Spring Cloud Config Server's Vault backend locates an application's secrets: {application},{profile} under the secret mount, with a comma as the default profile separator. The dev server mounts secret/ as KV version 2, so the data actually lives under secret/data/vault-demo-app,dev; that is the path to use when you write a Vault policy for it.
export VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
export VAULT_ADDR="http://127.0.0.1:8200"
vault kv put secret/vault-demo-app,dev \
okta.oauth2.clientId="{yourClientId}" \
okta.oauth2.clientSecret="{yourClientSecret}" \
okta.oauth2.issuer="{yourIssuerURI}"
Run vault-config-server:
cd okta-spring-vault-example/vault-config-server
./mvnw spring-boot:run
Run vault-demo-app from the okta-spring-vault-example/vault-demo-app directory in a second terminal. The token is passed as the environment variable SPRING_CLOUD_CONFIG_TOKEN (Spring binds it to spring.cloud.config.token) and is forwarded to the config server in the X-Config-Token header; the config server uses that token to read from Vault, so for anything beyond a throwaway dev instance give it a token bound to a read-only policy for this application's path instead of the root token:
SPRING_CLOUD_CONFIG_TOKEN=00000000-0000-0000-0000-000000000000 \
./mvnw spring-boot:run
Go to http://localhost:8080 and log in with Okta.
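The Vault steps above, scripted end to end, as an added example that is not part of the okta-spring-vault-example repository or the blog post: it starts the dev container, writes the Okta values under secret/vault-demo-app,dev, and then, instead of handing the config server the dev root token, writes a read-only policy and mints a token bound to it, checking that the token can read the application's secret and cannot write elsewhere. The policy name vault-demo-app-read, the function names, the loopback port binding and the VAULT_LOG_DIR variable are this example's own assumptions; the image, container name, root token and secret path are the ones the README uses.

```shell
#!/bin/sh
# Added example, not part of the okta-spring-vault-example repository. Scripts the
# README's Vault steps and mints a least-privilege token for the config server.
# Assumed names (not from the README): policy vault-demo-app-read, VAULT_LOG_DIR,
# and the helper functions below. Requires docker on the host; the vault CLI runs
# inside the container.
set -eu

VAULT_IMAGE="hashicorp/vault:1.14"
CONTAINER="my-vault"
ROOT_TOKEN="00000000-0000-0000-0000-000000000000"   # dev root token from the README
LOG_DIR="${VAULT_LOG_DIR:-/tmp/vault}"               # the README's {hostPath}
APP_NAME="vault-demo-app"
PROFILE="dev"

# Spring Cloud Config Server's Vault backend reads {application}{separator}{profile}
# under the "secret" mount; the default separator is ",", hence secret/vault-demo-app,dev.
kv_path() {
  printf 'secret/%s,%s' "$1" "$2"
}

# Least-privilege policy for the config server: read-only, and only this app's keys.
# The dev server mounts secret/ as KV v2, whose reads go to secret/data/<path>,
# so the policy path carries "data/". Writes, deletes and other paths stay denied.
read_policy() {
  printf 'path "secret/data/%s*" {\n  capabilities = ["read"]\n}\n' "$1"
}

# Run the vault CLI inside the container with the given token ($1).
vault_as() {
  tok="$1"; shift
  docker exec -i -e VAULT_ADDR="http://127.0.0.1:8200" -e VAULT_TOKEN="$tok" \
    "$CONTAINER" vault "$@"
}

start_vault() {
  # 127.0.0.1: keep the plain-HTTP dev listener off the host's other interfaces.
  docker run -d --cap-add=IPC_LOCK \
    -e "VAULT_DEV_ROOT_TOKEN_ID=$ROOT_TOKEN" \
    -p 127.0.0.1:8200:8200 \
    -v "$LOG_DIR:/vault/logs" \
    --name "$CONTAINER" "$VAULT_IMAGE" >/dev/null
  # `vault status` exits 0 once the dev server is up and unsealed.
  tries=0
  until vault_as "$ROOT_TOKEN" status >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "vault did not come up" >&2; exit 1; }
    sleep 1
  done
}

# $1 client id, $2 client secret, $3 issuer: the values from the Okta (or Auth0) CLI.
store_secrets() {
  vault_as "$ROOT_TOKEN" kv put "$(kv_path "$APP_NAME" "$PROFILE")" \
    okta.oauth2.clientId="$1" \
    okta.oauth2.clientSecret="$2" \
    okta.oauth2.issuer="$3" >/dev/null
}

# Write the policy and create a short-lived token bound to it. This token, not the
# root token, is what goes into SPRING_CLOUD_CONFIG_TOKEN.
mint_config_token() {
  read_policy "$APP_NAME" | vault_as "$ROOT_TOKEN" policy write "${APP_NAME}-read" - >/dev/null
  vault_as "$ROOT_TOKEN" token create -policy="${APP_NAME}-read" -ttl=24h -field=token
}

# Positive and negative checks on the scoped token ($1): it can read the app's issuer,
# and it cannot write to a different path under the same mount.
verify_token() {
  vault_as "$1" kv get -field=okta.oauth2.issuer "$(kv_path "$APP_NAME" "$PROFILE")" >/dev/null
  if vault_as "$1" kv put secret/other-app,dev x=y >/dev/null 2>&1; then
    echo "scoped token can write outside its path: policy is too broad" >&2
    return 1
  fi
}

main() {
  [ $# -eq 3 ] || { echo "usage: $0 run <clientId> <clientSecret> <issuer>" >&2; exit 2; }
  start_vault
  store_secrets "$1" "$2" "$3"
  token="$(mint_config_token)"
  verify_token "$token"
  # Export this in the shell that starts vault-demo-app.
  echo "SPRING_CLOUD_CONFIG_TOKEN=$token"
}

# Only perform the setup when invoked as: sh vault-dev-setup.sh run <clientId> <clientSecret> <issuer>
case "${1:-}" in
  run) shift; main "$@" ;;
esac
```

Start vault-config-server as in the steps above, then start vault-demo-app with the SPRING_CLOUD_CONFIG_TOKEN value the script prints. The token expires after 24 hours, so re-run the script (or mint a new token with the same policy) for a fresh session; the root token remains for setup only and never reaches either Spring application.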
This example uses the following libraries:
Please post any questions as comments on the blog post, or visit our Okta Developer Forums. You can also post a question to Stack Overflow with the "okta" tag.
Apache 2.0, see LICENSE.