Setting up OAuth 2.0 Authentication in a Spring Boot Application
In today's digital landscape, securing your applications is more critical than ever. OAuth 2.0 has become the standard framework for delegated authorization: it lets users grant an application limited access to their resources without sharing their credentials, and, combined with OpenID Connect, it is also how "Log in with Google" style authentication works. This article will guide you through setting up OAuth 2.0 login in a Spring Boot application, with clear code examples, step-by-step instructions, and the checks a practitioner needs along the way.
What is OAuth 2.0?
OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
Key Terms:
- Resource Owner: Typically the user who owns the data.
- Client: The application requesting access to the resource owner's data.
- Authorization Server: The server that issues access tokens to the client after successfully authenticating the resource owner.
- Resource Server: The server hosting the resource owner's data, which accepts and validates access tokens.
Use Cases for OAuth 2.0:
- Social Login: Allowing users to log in using their social media accounts (like Google or Facebook).
- API Access: Granting applications access to user data without sharing passwords.
- Mobile Applications: Securely accessing user data in mobile apps without exposing sensitive information.
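The roles above are easiest to understand by watching a complete authorization code exchange. The following self-contained Java program is an added example written for this article (it is not Spring code and not part of the original tutorial): an in-memory authorization server, a client, and the three checks that make the flow safe. The client id, secret and redirect URI are hypothetical registration values, and the flow adds PKCE (RFC 7636), which Spring Security performs for you when the registration has no client secret or when you enable it explicitly.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Constructed model of the OAuth 2.0 authorization code flow (RFC 6749) with PKCE (RFC 7636). */
public class AuthCodeFlowDemo {

    // Hypothetical client registration; real values come from your provider's console.
    static final String CLIENT_ID = "demo-client";
    static final String CLIENT_SECRET = "demo-secret";
    static final String REDIRECT_URI = "http://localhost:8080/login/oauth2/code/google";

    /** Stand-in for the authorization server: issues codes and exchanges them for tokens. */
    static class AuthorizationServer {
        private final Map<String, String> registeredRedirects = Map.of(CLIENT_ID, REDIRECT_URI);
        private final Map<String, String> clientSecrets = Map.of(CLIENT_ID, CLIENT_SECRET);
        /** code -> {client_id, redirect_uri, code_challenge}, kept until the code is redeemed. */
        private final Map<String, String[]> issuedCodes = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        /** Front channel: the resource owner approved; bind the code to the request it answers. */
        String authorize(String clientId, String redirectUri, String codeChallenge) {
            // Exact match against the registered URI, or the code could be sent to an attacker's callback.
            if (!redirectUri.equals(registeredRedirects.get(clientId))) {
                throw new IllegalArgumentException("redirect_uri mismatch for client " + clientId);
            }
            String code = randomToken(rng);
            issuedCodes.put(code, new String[] {clientId, redirectUri, codeChallenge});
            return code;
        }

        /** Back channel: redeem a code. Every binding from authorize() must match; codes are single-use. */
        Optional<String> token(String clientId, String clientSecret, String redirectUri,
                               String code, String codeVerifier) {
            if (!clientSecret.equals(clientSecrets.get(clientId))) {
                return Optional.empty();                      // client authentication failed
            }
            String[] bound = issuedCodes.remove(code);         // remove(): a replayed code fails
            if (bound == null || !bound[0].equals(clientId) || !bound[1].equals(redirectUri)) {
                return Optional.empty();
            }
            if (!bound[2].equals(s256(codeVerifier))) {
                return Optional.empty();                      // PKCE: verifier does not match challenge
            }
            return Optional.of("access-" + randomToken(rng));
        }
    }

    /** Stand-in for the client (your Spring Boot app): per-login state and PKCE verifier. */
    static class Client {
        private final SecureRandom rng = new SecureRandom();
        final String state = randomToken(rng);          // tied to the user's session, checked on callback
        final String codeVerifier = randomToken(rng);   // never leaves the client; only its hash is sent

        String codeChallenge() { return s256(codeVerifier); }

        /** Callback handling: reject any response whose state differs from the one we sent (CSRF defence). */
        Optional<String> handleCallback(AuthorizationServer as, String returnedState, String code) {
            if (!state.equals(returnedState)) {
                return Optional.empty();
            }
            return as.token(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, code, codeVerifier);
        }
    }

    /** PKCE S256 transform: BASE64URL(SHA-256(verifier)) without padding. */
    static String s256(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** 256 bits from SecureRandom, base64url-encoded: fine for codes, state values and verifiers. */
    static String randomToken(SecureRandom rng) {
        byte[] bytes = new byte[32];
        rng.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        AuthorizationServer as = new AuthorizationServer();
        Client client = new Client();
        // Steps 1-2: browser is sent to the provider with state + code_challenge; user approves;
        // provider redirects back to REDIRECT_URI with ?code=...&state=...
        String code = as.authorize(CLIENT_ID, REDIRECT_URI, client.codeChallenge());
        // Step 3: client checks state, then redeems the code over the back channel.
        System.out.println("happy path token issued:  " + client.handleCallback(as, client.state, code).isPresent());
        System.out.println("replayed code accepted:   " + client.handleCallback(as, client.state, code).isPresent());
        String code2 = as.authorize(CLIENT_ID, REDIRECT_URI, client.codeChallenge());
        System.out.println("forged state accepted:    " + client.handleCallback(as, "forged", code2).isPresent());
        System.out.println("stolen code, no verifier: " + as.token(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, code2, "guess").isPresent());
        try {
            as.authorize(CLIENT_ID, "http://attacker.example/cb", client.codeChallenge());
        } catch (IllegalArgumentException e) {
            System.out.println("bad redirect rejected:    " + e.getMessage());
        }
    }
}
```

Run it with `java AuthCodeFlowDemo.java` (Java 11 or later). Only the first exchange yields a token; the replayed code, the forged state, the stolen code without its verifier and the unregistered redirect URI are all refused. Spring Security's oauth2Login() performs the same state and redirect checks on your behalf, which is why the troubleshooting section later stresses an exact redirect URI match.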
Setting Up OAuth 2.0 in a Spring Boot Application
Prerequisites
Before we dive into the implementation, ensure that you have:
- Java Development Kit (JDK) 17 or later installed (Spring Boot 3.x requires Java 17; the code below uses the Spring Security 6 configuration style).
- Maven for dependency management.
- Basic knowledge of Spring Boot and RESTful APIs.
- An OAuth 2.0 provider (like Google, GitHub, or your own custom OAuth server) and a client registration (client ID and client secret) for your application.
Step 1: Create a Spring Boot Project
You can set up a Spring Boot project using Spring Initializr. Follow these steps:
- Go to Spring Initializr.
- Select your project metadata (Group, Artifact, Name, etc.).
- Add dependencies:
- Spring Web
- Spring Security
- OAuth2 Client
- Thymeleaf (the views in Step 5 are Thymeleaf templates; without it the controller's view names cannot be rendered)
- Spring Boot DevTools (optional for development)
- Click on "Generate" to download your project.
Step 2: Configure Application Properties
Open the application.properties (or application.yml) file in your project and add the following configuration:
spring.security.oauth2.client.registration.google.client-id=YOUR_CLIENT_ID
spring.security.oauth2.client.registration.google.client-secret=YOUR_CLIENT_SECRET
spring.security.oauth2.client.registration.google.scope=email,profile
spring.security.oauth2.client.registration.google.redirect-uri=http://localhost:8080/login/oauth2/code/google
spring.security.oauth2.client.provider.google.authorization-uri=https://accounts.google.com/o/oauth2/auth
spring.security.oauth2.client.provider.google.token-uri=https://oauth2.googleapis.com/token
spring.security.oauth2.client.provider.google.user-info-uri=https://www.googleapis.com/oauth2/v3/userinfo
spring.security.oauth2.client.provider.google.user-name-attribute=sub
Replace YOUR_CLIENT_ID and YOUR_CLIENT_SECRET with the credentials you obtain from your OAuth provider (for Google, an OAuth client ID of type "Web application" in the Google Cloud console, with http://localhost:8080/login/oauth2/code/google added as an authorized redirect URI). A few practical notes on this file:
- Do not commit the client secret. Spring resolves ${...} placeholders from environment variables, so set the client-secret property to a placeholder such as ${GOOGLE_CLIENT_SECRET} and supply the value at runtime.
- The redirect-uri line can be omitted. The default template {baseUrl}/login/oauth2/code/{registrationId} expands to the same value locally and follows the deployed host name in production, which avoids a hard-coded localhost URI leaking into a deployed build.
- The provider.google.* lines are also optional: Spring Security ships built-in endpoint metadata for Google, GitHub, Facebook and Okta (CommonOAuth2Provider). You only need to spell them out for a custom authorization server.
- Adding openid to the scope list turns this into an OpenID Connect login: the token response then carries a signed ID token, which Spring validates, instead of relying solely on the user-info call.
Step 3: Create Security Configuration
Next, create a class to configure Spring Security. Create a new Java class named SecurityConfig.java. Older tutorials extend WebSecurityConfigurerAdapter; that class was deprecated in Spring Security 5.7 and removed in 6.0, so the configuration is expressed as a SecurityFilterChain bean instead:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Public: the home page, the login endpoints and the error page. Everything else
            // requires an authenticated session.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/login/**", "/error").permitAll()
                .anyRequest().authenticated())
            // Send unauthenticated users through the OAuth 2.0 authorization code flow.
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
This configuration allows unauthenticated access to the home page, the login endpoints and the error page while securing all other endpoints. oauth2Login() registers two endpoints for you: /oauth2/authorization/{registrationId}, which builds the authorization request (including a random state parameter stored in the session) and redirects the browser to the provider, and /login/oauth2/code/{registrationId}, which receives the authorization code, verifies state, exchanges the code for tokens over the back channel and loads the user's profile. CSRF protection stays enabled by default; the login link is a plain GET, so it needs no token.
Step 4: Create a Controller
Create a controller to handle requests. Create a new Java class named HomeController.java:
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HomeController {

    // Public landing page (permitAll in SecurityConfig).
    @GetMapping("/")
    public String home() {
        return "home";
    }

    // Protected: SecurityConfig requires authentication for /user, so the principal is never null here.
    // The attributes come from the provider's user-info response ("name" is Google's display name).
    @GetMapping("/user")
    public String user(@AuthenticationPrincipal OAuth2User principal, Model model) {
        model.addAttribute("name", principal.getAttribute("name"));
        return "user";
    }
}
Step 5: Create HTML Views
Create home.html and user.html in the src/main/resources/templates directory.
home.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Home</title>
</head>
<body>
<h1>Welcome to the OAuth 2.0 Demo</h1>
<a href="/oauth2/authorization/google">Login with Google</a>
</body>
</html>
user.html:
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>User Info</title>
</head>
<body>
<h1>Hello, <span th:text="${name}"></span></h1>
</body>
</html>
th:text HTML-escapes the value it renders, so a display name chosen at the provider cannot inject markup into your page; keep it that way and do not switch to th:utext for provider-supplied attributes.
Step 6: Run the Application
You can now run your Spring Boot application. Use the command line or your IDE to start the application:
mvn spring-boot:run
Navigate to http://localhost:8080, and you should see the home page. Click on "Login with Google," and you will be redirected to Google's sign-in and consent screen. After authenticating, Google redirects the browser back to /login/oauth2/code/google, Spring exchanges the code for tokens and sends you to the home page; open http://localhost:8080/user to see the name from your Google profile.
Troubleshooting Common Issues
- Redirect URI Mismatch: The redirect URI your application sends must match the one registered with the provider exactly, including scheme, host, port and path. Behind a TLS-terminating proxy or load balancer, Spring builds {baseUrl} from the request it sees, so set server.forward-headers-strategy=framework (or native) so it uses the public https host name rather than the proxy's internal http address.
- Invalid Client ID/Secret: Double-check your credentials and ensure they are correctly configured in application.properties (or in the environment variable your placeholder refers to).
- Spring Security Exceptions: Pay attention to the console logs for any Spring Security-related exceptions, which can often indicate misconfigurations; raising logging.level.org.springframework.security to DEBUG shows which filter rejected the request.
Conclusion
Setting up OAuth 2.0 login in a Spring Boot application is a straightforward process. By following the steps outlined in this article, you've created an application that delegates authentication to Google instead of storing passwords itself, with the state check, code exchange and session handling done by Spring Security. Explore more features of Spring Security and OAuth 2.0 to further improve your application's security and user experience.
By embracing OAuth 2.0, you not only secure your application but also provide a seamless login experience for your users, making it a win-win for everyone involved. Happy coding!