This guide provides instructions on setting up the sample application with OAuth 2.0 Login using an OAuth 2.0 Provider or OpenID Connect 1.0 Provider.
The sample application uses Spring Boot 2.5 and the spring-security-oauth2-client module which is new in Spring Security 5.0.
The following sections provide detailed steps for setting up OAuth 2.0 Login for these Providers:
This section shows how to configure the sample application using Spring Authorization Server as the Authentication Provider and covers the following topics:
The sample application is pre-configured to work out of the box with Spring Authorization Server, which runs locally on port 9000. See the authorization-server sample to run the authorization server used in this section.
|
Note
|
Spring Authorization Server supports the OpenID Connect 1.0 specification. |
The redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with Spring Authorization Server and have granted access to the OAuth Client on the Consent page.
The default redirect URI is http://127.0.0.1:8080/login/oauth2/code/login-client. No special setup is required to use the sample locally.
|
Tip
|
The default redirect URI template is {baseUrl}/login/oauth2/code/{registrationId}.
The registrationId is a unique identifier for the ClientRegistration.
|
|
Important
|
If the application is running behind a proxy server, it is recommended to check Proxy Server Configuration to ensure the application is correctly configured.
Also, see the supported URI template variables for redirect-uri.
|
If you wish to customize the OAuth Client to work with a non-local deployment of Spring Authorization Server, you need to configure the application to use the OAuth Client for the authentication flow. To do so:
-
Go to
application.ymland set the following configuration:spring: security: oauth2: client: registration: (1) login-client: (2) provider: spring (3) client-id: login-client client-secret: openid-connect client-authentication-method: client_secret_basic authorization-grant-type: authorization_code redirect-uri: http://127.0.0.1:8080/login/oauth2/code/login-client scope: openid,profile (4) client-name: Spring provider: (5) spring: authorization-uri: http://localhost:9000/oauth2/authorize token-uri: http://localhost:9000/oauth2/token jwk-set-uri: http://localhost:9000/oauth2/jwks
Example 1. OAuth Client properties-
spring.security.oauth2.client.registrationis the base property prefix for OAuth Client properties. -
Following the base property prefix is the ID for the
ClientRegistration, such as login-client. -
The
providerproperty specifies which provider configuration is used by thisClientRegistration. -
The
openidscope is required by Spring Authorization Server to perform authentication using OpenID Connect 1.0. -
spring.security.oauth2.client.provideris the base property prefix for OAuth Provider properties.
-
-
Replace the values in the
client-idandclient-secretproperty with the OAuth 2.0 credentials for your Spring Authorization Server. As well, replacehttp://localhost:9000inauthorization-uri,token-uriandjwk-set-uriwith the actual domain of your authorization server.
Launch the Spring Boot 2.0 sample and go to http://127.0.0.1:8080.
You are then redirected to the default auto-generated login page, which displays a link for Spring.
Click on the Spring link, and you are then redirected to the Spring Authorization Server for authentication.
After authenticating with your credentials (user and password by default), the next page presented to you is the Consent screen.
The Consent screen asks you to either allow or deny access to the OAuth Client. Select "profile" and
click Submit Consent to authorize the OAuth Client to access your basic profile information.
At this point, the OAuth Client retrieves your basic profile information via the ID Token and establishes an authenticated session.
|
Note
|
Spring Authorization Server does not currently support the UserInfo Endpoint, which is optional in OpenID Connect 1.0. See #176 fo more information. |
This section shows how to configure the sample application using Google as the Authentication Provider and covers the following topics:
To use Google’s OAuth 2.0 authentication system for login, you must set up a project in the Google API Console to obtain OAuth 2.0 credentials.
|
Note
|
Google’s OAuth 2.0 implementation for authentication conforms to the OpenID Connect 1.0 specification and is OpenID Certified. |
Follow the instructions on the OpenID Connect page, starting in the section, "Setting up OAuth 2.0".
After completing the "Obtain OAuth 2.0 credentials" instructions, you should have a new OAuth Client with credentials consisting of a Client ID and a Client Secret.
The redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with Google and have granted access to the OAuth Client (created in the previous step) on the Consent page.
In the "Set a redirect URI" sub-section, ensure that the Authorized redirect URIs field is set to http://127.0.0.1:8080/login/oauth2/code/google.
|
Tip
|
The default redirect URI template is {baseUrl}/login/oauth2/code/{registrationId}.
The registrationId is a unique identifier for the ClientRegistration.
|
|
Important
|
If the application is running behind a proxy server, it is recommended to check Proxy Server Configuration to ensure the application is correctly configured.
Also, see the supported URI template variables for redirect-uri.
|
Now that you have a new OAuth Client with Google, you need to configure the application to use the OAuth Client for the authentication flow. To do so:
-
Go to
application.ymland set the following configuration:spring: security: oauth2: client: registration: (1) google: (2) client-id: google-client-id client-secret: google-client-secret
Example 2. OAuth Client properties-
spring.security.oauth2.client.registrationis the base property prefix for OAuth Client properties. -
Following the base property prefix is the ID for the
ClientRegistration, such as google.
-
-
Replace the values in the
client-idandclient-secretproperty with the OAuth 2.0 credentials you created earlier.
Launch the Spring Boot 2.0 sample and go to http://127.0.0.1:8080.
You are then redirected to the default auto-generated login page, which displays a link for Google.
Click on the Google link, and you are then redirected to Google for authentication.
After authenticating with your Google account credentials, the next page presented to you is the Consent screen. The Consent screen asks you to either allow or deny access to the OAuth Client you created earlier. Click Allow to authorize the OAuth Client to access your email address and basic profile information.
At this point, the OAuth Client retrieves your email address and basic profile information from the UserInfo Endpoint and establishes an authenticated session.
This section shows how to configure the sample application using GitHub as the Authentication Provider and covers the following topics:
To use GitHub’s OAuth 2.0 authentication system for login, you must Register a new OAuth application.
When registering the OAuth application, ensure the Authorization callback URL is set to http://127.0.0.1:8080/login/oauth2/code/github.
The Authorization callback URL (redirect URI) is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with GitHub and have granted access to the OAuth application on the Authorize application page.
|
Tip
|
The default redirect URI template is {baseUrl}/login/oauth2/code/{registrationId}.
The registrationId is a unique identifier for the ClientRegistration.
|
|
Important
|
If the application is running behind a proxy server, it is recommended to check Proxy Server Configuration to ensure the application is correctly configured.
Also, see the supported URI template variables for redirect-uri.
|
Now that you have a new OAuth application with GitHub, you need to configure the application to use the OAuth application for the authentication flow. To do so:
-
Go to
application.ymland set the following configuration:spring: security: oauth2: client: registration: (1) github: (2) client-id: github-client-id client-secret: github-client-secret
Example 3. OAuth Client properties-
spring.security.oauth2.client.registrationis the base property prefix for OAuth Client properties. -
Following the base property prefix is the ID for the
ClientRegistration, such as github.
-
-
Replace the values in the
client-idandclient-secretproperty with the OAuth 2.0 credentials you created earlier.
Launch the Spring Boot 2.0 sample and go to http://127.0.0.1:8080.
You are then redirected to the default auto-generated login page, which displays a link for GitHub.
Click on the GitHub link, and you are then redirected to GitHub for authentication.
After authenticating with your GitHub credentials, the next page presented to you is "Authorize application". This page will ask you to Authorize the application you created in the previous step. Click Authorize application to allow the OAuth application to access your personal user data information.
At this point, the OAuth Client retrieves your personal user information from the UserInfo Endpoint and establishes an authenticated session.
|
Tip
|
For detailed information returned from the UserInfo Endpoint, see the API documentation for "Get the authenticated user". |
This section shows how to configure the sample application using Facebook as the Authentication Provider and covers the following topics:
To use Facebook’s OAuth 2.0 authentication system for login, you must first Add a New App.
Select "Create a New App" and then the "Create a New App ID" page is presented. Enter the Display Name, Contact Email, Category and then click "Create App ID".
|
Note
|
The selection for the Category field is not relevant but it’s a required field - select "Local". |
The next page presented is "Product Setup". Click the "Get Started" button for the Facebook Login product. In the left sidebar, under Products → Facebook Login, select Settings.
For the field Valid OAuth redirect URIs, enter http://127.0.0.1:8080/login/oauth2/code/facebook then click Save Changes.
The OAuth redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with Facebook and have granted access to the application on the Authorize application page.
|
Tip
|
The default redirect URI template is {baseUrl}/login/oauth2/code/{registrationId}.
The registrationId is a unique identifier for the ClientRegistration.
|
|
Important
|
If the application is running behind a proxy server, it is recommended to check Proxy Server Configuration to ensure the application is correctly configured.
Also, see the supported URI template variables for redirect-uri.
|
Now that you have created a new application with Facebook, you need to configure the sample application to use the application for the authentication flow. To do so:
-
Go to
application.ymland set the following configuration:spring: security: oauth2: client: registration: (1) facebook: (2) client-id: facebook-client-id client-secret: facebook-client-secret
Example 4. OAuth Client properties-
spring.security.oauth2.client.registrationis the base property prefix for OAuth Client properties. -
Following the base property prefix is the ID for the
ClientRegistration, such as facebook.
-
-
Replace the values in the
client-idandclient-secretproperty with the OAuth 2.0 credentials you created earlier.
Launch the Spring Boot 2.0 sample and go to http://127.0.0.1:8080.
You are then redirected to the default auto-generated login page, which displays a link for Facebook.
Click on the Facebook link, and you are then redirected to Facebook for authentication.
After authenticating with your Facebook credentials, the next page presented to you is "Authorize application". This page will ask you to Authorize the application you created in the previous step. Click Authorize application to allow the OAuth application to access your public profile and email address information.
At this point, the OAuth Client retrieves your personal user information from the UserInfo Endpoint and establishes an authenticated session.
This section shows how to configure the sample application using Okta as the Authentication Provider and covers the following topics:
To use Okta’s OAuth 2.0 authentication system for login, you must first create a developer account.
Sign in to your account sub-domain and navigate to Applications → Applications and then select the "Add Application" button. From the "Add Application" page, select the "Create New App" button and enter the following:
-
Platform: Web
-
Sign on method: OpenID Connect
Select the Create button.
On the "General Settings" page, enter the Application Name (for example, "Spring Security Okta Login") and then select the Next button.
On the "Configure OpenID Connect" page, enter http://127.0.0.1:8080/login/oauth2/code/okta for the field Redirect URIs and then select Finish.
The redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with Okta and have granted access to the application on the Authorize application page.
|
Tip
|
The default redirect URI template is {baseUrl}/login/oauth2/code/{registrationId}.
The registrationId is a unique identifier for the ClientRegistration.
|
|
Important
|
If the application is running behind a proxy server, it is recommended to check Proxy Server Configuration to ensure the application is correctly configured.
Also, see the supported URI template variables for redirect-uri.
|
From the "General" tab of the application, select the "Assignments" tab and then select the Assign button. Select Assign to People and assign your account to the application. Then select the Save and Go Back button.
Now that you have created a new application with Okta, you need to configure the sample application to use the application for the authentication flow. To do so:
-
Go to
application.ymland set the following configuration:spring: security: oauth2: client: registration: (1) okta: (2) client-id: okta-client-id client-secret: okta-client-secret provider: (3) okta: authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo user-name-attribute: sub jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys
Example 5. OAuth Client properties-
spring.security.oauth2.client.registrationis the base property prefix for OAuth Client properties. -
Following the base property prefix is the ID for the
ClientRegistration, such as okta. -
spring.security.oauth2.client.provideris the base property prefix for OAuth Provider properties.
-
-
Replace the values in the
client-idandclient-secretproperty with the OAuth 2.0 credentials you created earlier. As well, replacehttps://your-subdomain.oktapreview.cominauthorization-uri,token-uri,user-info-uriandjwk-set-uriwith the sub-domain assigned to your account during the registration process.
Launch the Spring Boot 2.0 sample and go to http://127.0.0.1:8080.
You are then redirected to the default auto-generated login page, which displays a link for Okta.
Click on the Okta link, and you are then redirected to Okta for authentication.
After authenticating with your Okta account credentials, the OAuth Client retrieves your email address and basic profile information from the UserInfo Endpoint and establishes an authenticated session.