This repository contains all the code for testing a Spring Cloud Configuration Server using Vault as backend, and a demo client application with Okta OIDC authentication.
Please read Secure Secrets With Spring Cloud Config and Vault to see how this app was created.
Prerequisites:
Okta has Authentication and User Management APIs that reduce development time with instant-on, scalable user infrastructure. Okta's intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.
To install this example, run the following commands:
```shell
git clone https://github.com/oktadev/okta-spring-vault-example.git
```

Open a command line session and navigate into the `okta-spring-vault-example/vault-demo-app` directory.
To get a free Okta developer account, install the Okta CLI and run okta register to sign up for a new account. If you already have an account, run okta login. Then, run okta apps create. Select the default app name, or change it as you see fit. Choose Web and press Enter.
Select Okta Spring Boot Starter. Accept the default Redirect URI values provided for you. That is, a Login Redirect of http://localhost:8080/login/oauth2/code/okta and a Logout Redirect of http://localhost:8080.
What does the Okta CLI do?
The Okta CLI will create an OIDC Web App in your Okta Org. It will add the redirect URIs you specified and grant access to the Everyone group. You will see output like the following when it’s finished:
```
Okta application configuration has been written to: /path/to/app/src/main/resources/application.properties
```

Open `src/main/resources/application.properties` to see the issuer and credentials for your app.

```properties
okta.oauth2.issuer=https://dev-133337.okta.com/oauth2/default
okta.oauth2.client-id=0oab8eb55Kb9jdMIr5d6
okta.oauth2.client-secret=NEVER-SHOW-SECRETS
```

NOTE: You can also use the Okta Admin Console to create your app. See Create a Spring Boot App for more information.
Copy the values from src/main/resources/application.properties and delete the file.
Sign up at Auth0 and install the Auth0 CLI. Then run:
```shell
auth0 login
```

The terminal will display a device confirmation code and open a browser session to activate the device. After you log in, the terminal will display a success message.
Then, create a client app:
```shell
auth0 apps create \
  --name "Spring Boot + Vault" \
  --description "Demo project of a Spring Boot application with Vault protected secrets" \
  --type regular \
  --callbacks http://localhost:8080/login/oauth2/code/okta \
  --logout-urls http://localhost:8080 \
  --reveal-secrets
```

Pull the Vault image:

```shell
docker pull hashicorp/vault:1.14
```

Run a container. Make sure to replace `{hostPath}` with a local directory path, such as `/tmp/vault`:
```shell
docker run --cap-add=IPC_LOCK \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=00000000-0000-0000-0000-000000000000' \
  -p 8200:8200 \
  -v {hostPath}:/vault/logs \
  --name my-vault hashicorp/vault:1.14
```

Open an interactive terminal with Vault:

```shell
docker exec -it my-vault /bin/sh
```

In the terminal, store the secrets by executing the following commands. Replace `{yourClientId}`, `{yourClientSecret}` and `{yourIssuerURI}` with the values returned by the Okta CLI.
```shell
export VAULT_TOKEN="00000000-0000-0000-0000-000000000000"
export VAULT_ADDR="http://127.0.0.1:8200"
vault kv put secret/vault-demo-app,dev \
  okta.oauth2.clientId="{yourClientId}" \
  okta.oauth2.clientSecret="{yourClientSecret}" \
  okta.oauth2.issuer="{yourIssuerURI}"
```

Run vault-config-server:
```shell
cd okta-spring-vault-example/vault-config-server
./mvnw spring-boot:run
```

Run vault-demo-app:

```shell
SPRING_CLOUD_CONFIG_TOKEN=00000000-0000-0000-0000-000000000000 \
  ./mvnw spring-boot:run
```

Go to http://localhost:8080 and log in with Okta.
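As an added example that is not part of the original repository: a POSIX shell helper for the step above where the values from the Okta CLI's `application.properties` are copied into Vault. It renames the kebab-case property keys to the camelCase keys used in the `vault kv put` command, passes each pair as its own argument, and refuses to write a partial secret. The function names and the sample properties content are constructed for this example.

```shell
# Added example, not project code: load the Okta CLI's application.properties
# into Vault at the README's KV path instead of pasting the values by hand.

# Constructed sample of what `okta apps create` writes (placeholder values).
SAMPLE_PROPS='okta.oauth2.issuer=https://dev-133337.okta.com/oauth2/default
okta.oauth2.client-id=0oab8eb55Kb9jdMIr5d6
okta.oauth2.client-secret=NEVER-SHOW-SECRETS'

# Print key=value pairs with keys renamed to the camelCase form the README
# stores (Spring's relaxed binding maps clientId back to client-id).
props_to_kv_args() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                      # blank lines and comments
    esac
    key=${line%%=*}
    value=${line#*=}
    case "$key" in
      okta.oauth2.client-id)     key=okta.oauth2.clientId ;;
      okta.oauth2.client-secret) key=okta.oauth2.clientSecret ;;
      okta.oauth2.issuer)        ;;
      *) continue ;;                            # unrelated property, skip
    esac
    printf '%s=%s\n' "$key" "$value"
  done
}

# Store all three under secret/vault-demo-app,dev; VAULT_ADDR and VAULT_TOKEN
# come from the environment as in the README. One argument per pair.
store_okta_secrets() {
  props_file=$1
  set --
  while IFS= read -r pair; do
    [ -n "$pair" ] || continue
    set -- "$@" "$pair"
  done <<EOF
$(props_to_kv_args < "$props_file")
EOF
  if [ $# -ne 3 ]; then
    echo "expected issuer, client-id and client-secret; found $# of 3" >&2
    return 1
  fi
  vault kv put secret/vault-demo-app,dev "$@"
}

# Usage after `okta apps create`, then delete the plaintext file as the README says:
#   store_okta_secrets src/main/resources/application.properties \
#     && rm src/main/resources/application.properties
```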
This example uses the following libraries:
Please post any questions as comments on the blog post, or visit our Okta Developer Forums. You can also post a question to Stack Overflow with the "okta" tag.
Apache 2.0, see LICENSE.