
Add Support for Configuring a JHipster App #3

Closed
mraible opened this issue Sep 20, 2019 · 7 comments · Fixed by #65

Comments

@mraible
Contributor

mraible commented Sep 20, 2019

JHipster uses Spring Boot, but not the Okta Spring Boot starter. Nevertheless, it'd be cool if we could configure a JHipster app with this plugin.

Here's what's required:

  • Create ROLE_ADMIN and ROLE_USER groups if they don't exist
  • Create a roles claim to include the groups
  • Create a new Web app, set the redirect URI to end in /oidc rather than /okta, and set a logout redirect URI to http://localhost:8080

More details at https://www.jhipster.tech/security/#oauth2.

@bdemers
Contributor

bdemers commented Sep 22, 2019

Love it! Is there an easy way to detect if the project is a JHipster project? Check if there is a .jhipster/ dir?

I'm guessing we could move to using type-specific goal names like:

  • mvn okta:spring-boot-setup
  • mvn okta:jhipster-setup

(it would still be nice to auto detect this though)

@mraible
Contributor Author

mraible commented Sep 26, 2019

I think the easiest way currently is to look for a .yo-rc.json file. That has the answers to all the questions asked when you create a new project.

@mraible
Contributor Author

mraible commented Jan 10, 2020

Or we could look for a package.json and generator-jhipster dependency in it. This could be useful if we want to eventually use this plugin with Node projects.

Other steps that need to happen for JHipster:

  1. Create a ROLE_USER and ROLE_ADMIN group (if they don't exist)
  2. Create a new Web app with a login redirect URI of http://localhost:8080/login/oauth2/code/oidc
  3. Add a groups claim to the ID token

I'm not sure that we want to replace the default Keycloak values in application.yml. It might be more secure to create an okta.env file with environment variables in it.

export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="https://{yourOktaDomain}/oauth2/default"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"
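
An added example (not code from the Okta plugin or from this thread) of the two points above: detecting a JHipster project from its marker files, and writing the okta.env file instead of touching application.yml. The issuer, client id and secret values used in the comments are constructed placeholders; the file-name keys passed to is_jhipster_project are assumed to be read by the caller.

```python
import json
import os
import shlex
from pathlib import Path

# Markers discussed in the thread: a .yo-rc.json with a generator-jhipster
# section, or a package.json that lists generator-jhipster as a dependency.
JHIPSTER_GENERATOR = "generator-jhipster"


def _load_json(text):
    """Treat a missing or malformed marker file as an empty object instead of
    crashing the setup goal (the same failure mode as the NPE reported later)."""
    try:
        data = json.loads(text) if text else {}
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def is_jhipster_project(files):
    """files maps a file name (".yo-rc.json", "package.json") to its text."""
    if JHIPSTER_GENERATOR in _load_json(files.get(".yo-rc.json")):
        return True
    pkg = _load_json(files.get("package.json"))
    return any(JHIPSTER_GENERATOR in (pkg.get(section) or {})
               for section in ("dependencies", "devDependencies"))


def render_okta_env(issuer_uri, client_id, client_secret):
    """Render okta.env using Spring Boot's relaxed-binding names for the
    'oidc' registration, so application.yml and its Keycloak defaults stay
    untouched and the client secret never lands in a committed file."""
    settings = {
        "SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI": issuer_uri,
        "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID": client_id,
        "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET": client_secret,
    }
    # shlex.quote: a secret containing $, quotes or spaces cannot break the assignment
    return "".join(f"export {k}={shlex.quote(v)}\n" for k, v in settings.items())


def write_okta_env(project_dir, issuer_uri, client_id, client_secret):
    """Write okta.env owner-only (0600); the file carries the client secret."""
    path = Path(project_dir) / "okta.env"
    path.write_text(render_okta_env(issuer_uri, client_id, client_secret))
    os.chmod(path, 0o600)
    return path
```

Add okta.env to .gitignore as well; the 0600 mode protects it on disk but not from being committed.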

@mraible
Contributor Author

mraible commented Jan 31, 2020

@bdemers Do you think this would be easier to implement as a separate jhipster goal?

It might be since the setup goal already has a lot going on.

@mraible
Contributor Author

mraible commented Jun 18, 2020

I tried running okta apps create today when I wasn't in a JHipster project. I encountered a stack trace.

Type of Application
> 1: Okta Spring Boot Starter
> 2: Spring Boot
> 3: JHipster
> 4: Other
Enter your choice [Other]: 3
Redirect URI
Common defaults:
 JHipster - http://localhost:8080/login/oauth2/code/oidc
 Spring Security - http://localhost:8080/login/oauth2/code/okta
Enter your Redirect URI [http://localhost:8080/login/oauth2/code/oidc]:
java.lang.NullPointerException
	at com.okta.cli.common.config.EnvFilePropertiesSource.lambda$getProperties$1(EnvFilePropertiesSource.java:85)
	at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176)
	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.util.Iterator.forEachRemaining(Iterator.java:133)

Maybe it should detect when there's no project and give a friendlier error message?

@dogeared
Contributor

We're going to be pulling out the hardcoded platform support and instead rely on meta information provided by sample projects from a new samples org. We have yet to create any of this, but I am sure we will be bugging you @mraible when the time comes!

@mraible
Contributor Author

mraible commented Nov 14, 2020

I tried this today and discovered a couple of issues:

  1. The ROLE_ADMIN and ROLE_USER groups are not created. Ideally, both are created and the current user is added to both. You'll be able to log in without these groups, but you won't be able to do anything after that unless you have at least one.
  2. The groups claim is added to the access token. It should be added to the ID token.

bdemers added a commit that referenced this issue Nov 19, 2020
Creates and assigns the groups `ROLE_USER` and `ROLE_ADMIN`

Fixes: #3