Steps
1. Clone the existing repo as shown below
$ git clone https://github.com/papicella/mfa-boot-fsi
Cloning into 'mfa-boot-fsi'...
remote: Enumerating objects: 47, done.
remote: Counting objects: 100% (47/47), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 47 (delta 2), reused 47 (delta 2), pack-reused 0
Unpacking objects: 100% (47/47), done.
2. Create a free account at https://developer.okta.com/
Once created, log in to the dev account. Your admin console URL will look something like the following
https://dev-{ID}-admin.okta.com
3. You will need your default authorization server settings. From the top menu in the developer.okta.com dashboard, go to API -> Authorization Servers and click on the default server. Note the Issuer URI in particular; it becomes the okta.oauth2.issuer value later on.
You will need this data shortly. The screenshot here is only an example; those details won't work for your own setup.
4. From the top menu, go to Applications and click the Add Application button. Click on the Web button and click Next. Name your app whatever you like. I named mine "pas-okta-springapp". Otherwise the default settings are fine. Click Done.
From this screenshot you can see that the defaults refer to localhost, which is fine for DEV purposes (the default Login redirect URI is the localhost path that the app's redirect-uri setting below points at).
You will need the Client ID and Client secret from the final screen, so make a note of these. Treat the client secret as a credential: it belongs in a local, uncommitted profile file or an environment variable, not in source control.
5. Edit "./mfa-boot-fsi/src/main/resources/application-DEV.yml" to include the details from #3 and #4 above (Spring Boot loads the file whether it is named .yml or .yaml; the path above is the one in the repo).
You will need to edit
- issuer
- client-id
- client-secret
application-DEV.yml
spring:
  security:
    oauth2:
      client:
        provider:
          okta:
            user-name-attribute: email

okta:
  oauth2:
    issuer: https://dev-213269.okta.com/oauth2/default
    redirect-uri: /authorization-code/callback
    scopes:
      - profile
      - openid
    client-id: ....
    client-secret: ....
6. In order to pick up application-DEV.yml we have to activate the matching Spring profile. That can be done with a JVM system property as follows.
-Dspring.profiles.active=DEV
In my example I use IntelliJ IDEA, so I set it on the run configurations dialog as follows
7. Now let's set up MFA. This is done in the Okta admin console after switching to the Classic UI, as shown below
8. Click on Security -> Multifactor and set up another multifactor policy. In the screenshot below I select "Email Policy" and make sure it is "Required" alongside the default policy, so that a password alone is never enough to sign in.
9. Now run the application making sure you set the spring active profile to DEV.
...
2020-07-10 13:34:57.528 INFO 55990 --- [ restartedMain] pas.apa.apj.mfa.demo.DemoApplication : The following profiles are active: DEV
...
10. Navigate to http://localhost:8080/
11. Click on the "Login" button
Verify you are taken to the default Okta login page
12. Once you have entered your password, Okta should prompt for the second factor: a verification code sent to your email. Press the "Send me the code" button
13. Once you enter the code sent to your email you will be granted access to the application endpoints
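The steps above rely entirely on the Okta sign-on policy to enforce the second factor. As an added example (not code from the mfa-boot-fsi repo), the following Spring Security configuration and controller show how the application side can lock down its endpoints and additionally check the ID token it receives: Okta ID tokens carry an "amr" (Authentication Methods References) claim listing the factors used, and the endpoint refuses to serve if "mfa" is not among them. Assumptions: Spring Boot 2.x with Spring Security 5 and the Okta Spring Boot starter configured as in application-DEV.yml above; the package, class names and the "/account" path are hypothetical, and the exact "amr" values should be confirmed against a token issued by your own tenant.

```java
// Added example, not part of the mfa-boot-fsi project. Package and class
// names are hypothetical.
package demo.mfa;

import java.util.List;

import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Landing page (with its "Login" button) and error page stay public;
                // everything else requires an authenticated Okta session.
                .antMatchers("/", "/login**", "/error").permitAll()
                .anyRequest().authenticated()
            .and()
                // Authorization-code login driven by the okta.oauth2.* properties.
                .oauth2Login();
    }
}

@RestController
class AccountController {

    // Assumption: Okta lists the factors used in the ID token's "amr" claim
    // (for example "pwd" for the password and "mfa" once a second factor was
    // verified). Returning false here makes the endpoint fail closed when the
    // claim is missing, which is what you want if a policy change ever stops
    // enforcing MFA server-side.
    static boolean usedSecondFactor(List<String> amr) {
        return amr != null && amr.contains("mfa");
    }

    @GetMapping("/account")
    public String account(@AuthenticationPrincipal OidcUser user) {
        List<String> amr = user.getIdToken().getClaimAsStringList("amr");
        if (!usedSecondFactor(amr)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN,
                    "second factor was not verified for this session");
        }
        // user-name-attribute: email in application-DEV.yml makes getName()
        // return the user's email rather than the opaque Okta subject.
        return "Hello " + user.getName() + " (factors used: " + amr + ")";
    }
}
```

Log in through the "Login" button as in steps 11 to 13 and then open /account: after the email code was accepted the response should list both factors, while a session obtained without the second factor (for instance if the Email policy is switched back to optional) gets a 403 rather than the data.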
14. Finally, to deploy the application to Tanzu Application Service, perform the steps below
- Create a manifest.yaml as follows
---
applications:
- name: pas-okta-boot-app
  memory: 1024M
  buildpack: https://github.com/cloudfoundry/java-buildpack.git#v4.16
  instances: 2
  path: ./target/demo-0.0.1-SNAPSHOT.jar
  env:
    JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 11.+}}'
- Package the application as follows
$ ./mvnw -DskipTests package
- In the DEV Okta console create a second application for the deployed copy on Tanzu Application Service. Its Login redirect URI must use the app's FQDN rather than localhost, i.e. https://<your-route>/authorization-code/callback (for the route shown in the cf apps output further down that is https://pas-okta-boot-app.cfapps.io/authorization-code/callback), as shown below
- Edit "application.yml" to ensure you set the following correctly for the new "Application" we created above.
You will need to edit
- issuer
- client-id
- client-secret
Rather than committing the production client secret in application.yml, leave client-secret out of the file and supply it from the platform instead: after the first push, run "cf set-env pas-okta-boot-app OKTA_OAUTH2_CLIENT_SECRET <secret>" followed by "cf restage pas-okta-boot-app". Spring Boot's relaxed binding maps that environment variable onto okta.oauth2.client-secret, so the file never has to contain it.
- Push the application using "cf push -f manifest.yaml"
$ cf apps
Getting apps in org papicella-org / space apple as papicella@pivotal.io...
OK

name                requested state   instances   memory   disk   urls
pas-okta-boot-app   started           1/1         1G       1G     pas-okta-boot-app.cfapps.io
That's It!!!!