Spring boot + Spring Security 5 + OAuth2/OIDC Client – Basics

Since a long time I wanted to integrate an OpenID Connect provider using Spring Security, The last time I tried, I felt it was very complicated and wrote my own library. Since Spring boot 5 had native support for OAuth2 Client and extended its use for OpenID connect, I wanted to see how easy it is to integrate.
For this example we are going to build a simple app, the redirects to google when we try to access a protected endpoint

Step 1:

Create a spring boot project from https://start.spring.io with following dependencies
dependencies {
implementation ‘org.springframework.boot:spring-boot-starter-oauth2-client’
implementation ‘org.springframework.boot:spring-boot-starter-security’
implementation ‘org.springframework.boot:spring-boot-starter-web’
implementation ‘com.fasterxml.jackson.module:jackson-module-kotlin’
implementation ‘org.jetbrains.kotlin:kotlin-reflect’
implementation ‘org.jetbrains.kotlin:kotlin-stdlib-jdk8’
testImplementation ‘org.springframework.boot:spring-boot-starter-test’
testImplementation ‘org.springframework.security:spring-security-test’
}

Step 2:

Create an endpoint that will show current user’s authentication data
@RestController
class HelloController {

@GetMapping(“/me")
fun hello(currentUser: OAuth2AuthenticationToken): ResponseEntity {
return ResponseEntity.ok(currentUser)
}

}

Step 3:

Configure OAuth2 Client information in application.yml
# @see https://console.developers.google.com/apis/ to create your client credentials
logging.level.org.springframework: INFO
spring:
security:
oauth2:
client:
registration:
google:
provider: google
client-id: <<your-client-id>>
client-secret: <<your-client-secret>>
client-authentication-method: basic
authorization-grant-type: authorization_code
scope:
– openid
– email
– profile
– https://www.googleapis.com/auth/tasks.readonly
provider:
google:
issuer-uri: https://accounts.google.com

Step 4:

Run the application, goto http://localhost:8080/me , complete the login process and you will see this.
{
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"at_hash": "28AV0o6xKM8f3UQlljlGuw",
"sub": "10080000000000000",
"email_verified": true,
"iss": "https://accounts.google.com",
"given_name": "Syamala",
"locale": "en",
"picture": "https://lh6.googleusercontent.com/photo.jpg",
"aud": [
"client-id"
],
"azp": "client-id",
"name": "Syamala Umamaheswaran",
"exp": "2019-03-24T18:27:19Z",
"family_name": "Umamaheswaran",
"iat": "2019-03-24T17:27:19Z",
"email": "xxxx@gmail.com"
},
"idToken": {…},
"userInfo": null
}
],
"details": null,
"authenticated": true,
"principal": {},
"authorizedClientRegistrationId": "google",
"credentials": "",
"name": "10080000000000000"
}

Mind Blown:

As much as it blows my mind that without writing any code for security we are able to integrate with an OpenID provider, I needed to know how this is working so easily. The Devil is in the details, Stay tuned for my next blog post where I explain the behind the scenes and How to access a protected resource and how to refresh tokens automatically.
Complete Source Code @ https://github.com/shyamz-22/oidc-spring-security-5

Link: https://dev.to/shyamala_u/spring-boot–spring-security-5–oauth2oidc-client—basics-4ibo