Well I actually wanted to fully spike a single page application accessing a secured web service with with PKCE Flow, but first I wanted a clean server side model I knew worked.
Most examples of this I have found when searching seemed to always stand up a local authentication server or would include some proprietary library. The guide on spring.io is really good, but still does more than is needed. The intention here is to keep the code as simple and as standards based as possible.
The code for this is being described below can be found in a GitLab repository where I have implemented a very simple service to identify the essential configuration required to secure a REST endpoint in Spring Boot.
As such, the project brings in only core spring libraries.
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-oauth2-client</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency>
spring: security: oauth2: client: registration: github: clientId: github-client-id clientSecret: github-client-secret okta: client-id: okta-client-id client-authentication-method: none authorization-grant-type: authorization_code provider: okta: authorization-uri: https://your-subdomain.okta.com/oauth2/v1/authorize token-uri: https://your-subdomain.okta.com/oauth2/v1/token user-info-uri: https://your-subdomain.okta.com/oauth2/v1/userinfo jwk-set-uri: https://your-subdomain.okta.com/oauth2/v1/keys
Obviously, to use GitHub’s OAuth 2.0 authentication system for login, you must first Add a new GitHub app
Select “New OAuth App” and then the “Register a new OAuth application” page is presented.
Enter an app name and description. Then, enter your app’s home page, which should be
http://localhost:8080, in this case and the Authorization callback URL as
http://localhost:8080/login/oauth2/code/github and click Register Application.
The OAuth redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with GitHub and have granted access to the application on the Authorize application page.
Similarly to use Okta, you need to create an OIDC application on Okta. If you don’t have an Okta developer account, create one at developer.okta.com/signup.
From your Okta admin console, in the top menu, click on Applications.
- Click the green Add Application button
- Select Single-Page App application, and click Next
- Give the app a Name. Any name. I used OAuth Experiment.
- Change the value for Login redirect URIs to
- Check Authorization Code (and leave Implicit clicked)
- Click Done
Take note of the Client ID at the bottom of the page on the General tab. That’s the value you’ll need in the application configuration:
spring: security: oauth2: client: registration: okta: client-id: 0oa2odkdbj8DDqUz84x6 # okta-client-id client-authentication-method: none authorization-grant-type: authorization_code
The process to connect is described on the Okta help section in more detail.
After configuring the provider(s) and the service is started, the endpoint
http://localhost:8080/message should present a login challenge and once authenticated, the user id
provided by the authentication provider.