I am trying to secure my endpoints with Spring Security v3.
I am working to configure Okta OAuth in the application. I have requests mapped with prefix "/api/". I want to permit "/api/token" without a token, as that is the endpoint that delivers the token.
The issue I am facing is, the endpoint /api/token is returning 401 as a response even though the endpoint is permitted.
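```java
import com.okta.spring.boot.oauth.Okta;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity(debug = true)
@EnableMethodSecurity(securedEnabled = true)
public class OktaSecurityConfiguration {

    private String[] Permitted = {"token", "/api/**"};

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .requestMatchers("/token").permitAll()
                .requestMatchers("/error").permitAll()
                .requestMatchers("/api").authenticated()
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer().jwt();
        Okta.configureResourceServer401ResponseBody(http);
        return http.build();
    }
}
```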
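
An added example, not part of the original question: a filter chain in which the permit-all matcher carries the full request path, so "/api/token" is matched before the authenticated rules. It assumes the "/api" prefix comes from the controller mappings rather than a servlet context path, and uses the Spring Security 6 lambda-style configuration; the class name is hypothetical.

```java
import com.okta.spring.boot.oauth.Okta;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiTokenPermitExample { // hypothetical class name

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Matchers are evaluated in order against the path as the
                // application sees it, so the "/api" prefix must be part of
                // the pattern (assumption: no servlet context path is set).
                .requestMatchers("/api/token", "/error").permitAll()
                // "/api" alone matches only that exact path; "/api/**"
                // covers everything below it.
                .requestMatchers("/api/**").authenticated()
                .anyRequest().authenticated())
            // Validate bearer JWTs on every request that presents one.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));

        // Okta helper that adds a response body to 401 replies.
        Okta.configureResourceServer401ResponseBody(http);
        return http.build();
    }
}
```

A permitted path is only exempt from the authorization rules: the bearer-token filter still runs first, so a request to "/api/token" that carries an invalid or expired `Authorization: Bearer` header is rejected with 401 regardless of `permitAll()`.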