OAuth2 Experiment using Spring Boot

OAuth 2.0 logo

I wanted to capture the basics set up of an OAuth2 with OIDC secured web service.

Well I actually wanted to fully spike a single page application accessing a secured web service with with PKCE Flow, but first I wanted a clean server side model I knew worked.

Most examples of this I have found when searching seemed to always stand up a local authentication server or would include some proprietary library. The guide on spring.io is really good, but still does more than is needed. The intention here is to keep the code as simple and as standards based as possible.

The code for this is being described below can be found in a GitLab repository where I have implemented a very simple service to identify the essential configuration required to secure a REST endpoint in Spring Boot.

As such, the project brings in only core spring libraries.

  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
  </dependency>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency>

The application configuration below shows the necessary configuration for both Okta and GitHub as OAuth providers.

spring:
  security:
    oauth2:
      client:
        registration:
          github:
            clientId: github-client-id
            clientSecret: github-client-secret
          okta:
            client-id: okta-client-id
            client-authentication-method: none
            authorization-grant-type: authorization_code
        provider:
          okta:
            authorization-uri: https://your-subdomain.okta.com/oauth2/v1/authorize
            token-uri: https://your-subdomain.okta.com/oauth2/v1/token
            user-info-uri: https://your-subdomain.okta.com/oauth2/v1/userinfo
            jwk-set-uri: https://your-subdomain.okta.com/oauth2/v1/keys

Obviously, to use GitHub’s OAuth 2.0 authentication system for login, you must first Add a new GitHub app

Select “New OAuth App” and then the “Register a new OAuth application” page is presented. Enter an app name and description. Then, enter your app’s home page, which should be http://localhost:8080, in this case and the Authorization callback URL as http://localhost:8080/login/oauth2/code/github and click Register Application.

The OAuth redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with GitHub and have granted access to the application on the Authorize application page.

Similarly to use Okta, you need to create an OIDC application on Okta. If you don’t have an Okta developer account, create one at developer.okta.com/signup.

From your Okta admin console, in the top menu, click on Applications.

  • Click the green Add Application button
  • Select Single-Page App application, and click Next
  • Give the app a Name. Any name. I used OAuth Experiment.
  • Change the value for Login redirect URIs to http://localhost:8080/callback
  • Check Authorization Code (and leave Implicit clicked)
  • Click Done

Take note of the Client ID at the bottom of the page on the General tab.

That’s the value you’ll need in the application configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: 0oa2odkdbj8DDqUz84x6 # okta-client-id
            client-authentication-method: none
            authorization-grant-type: authorization_code

The process to connect is described on the Okta help section in more detail.

After configuring the provider(s) and the service is started, the endpoint http://localhost:8080/message should present a login challenge and once authenticated, the user id provided by the authentication provider.

comments powered by Disqus