By Syed Rizwan

4-how-to-set-up-secure-oauth-20-authentication-in-a-spring-boot-application.html

How to Set Up Secure OAuth 2.0 Authentication in a Spring Boot Application

In today's world of web applications, security is paramount. OAuth 2.0 has emerged as a widely adopted standard for securing APIs and granting third-party applications limited access. In this article, we’ll explore how to set up OAuth 2.0 authentication in a Spring Boot application, illustrating key concepts through clear code examples and step-by-step instructions.

Understanding OAuth 2.0

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows third-party services to exchange user information without sharing passwords. It enables secure delegated access by issuing tokens to clients. These tokens can then be used to access user data on behalf of the user, while keeping their credentials safe.

Common Use Cases:

  • Third-Party Applications: Allowing applications like Google, Facebook, or GitHub to access user data.
  • Single Sign-On (SSO): Users can log in using their existing accounts from social platforms.
  • API Security: Protecting sensitive data and operations on web services.

Setting Up OAuth 2.0 in Spring Boot

Prerequisites

Before starting, ensure you have the following:

  • Java Development Kit (JDK) installed (version 11 or later).
  • Maven or Gradle for dependency management.
  • An IDE like IntelliJ IDEA or Eclipse for coding.

Step 1: Create a New Spring Boot Project

You can create a new Spring Boot project using Spring Initializr. Include the following dependencies:

  • Spring Web: For building web applications.
  • Spring Security: For authentication and authorization.
  • OAuth2 Client: To interact with OAuth2 providers.

Here’s how your pom.xml (if using Maven) should look:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
</dependencies>

Step 2: Configure Application Properties

Next, configure your application properties for OAuth 2.0. This includes specifying the client ID, client secret, and the authorization and token URIs of the OAuth provider.

In src/main/resources/application.yml, add the following:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_CLIENT_ID
            client-secret: YOUR_CLIENT_SECRET
            scope:
              - profile
              - email
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo

Step 3: Create a Security Configuration Class

Next, create a security configuration class that enables OAuth 2.0 login. This class will define how your application handles security.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }
}

Step 4: Create a Controller

Create a simple controller to handle user requests and display user information after authentication.

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class UserController {

    @GetMapping("/")
    public String home() {
        return "home";
    }

    @GetMapping("/user")
    public String user(@AuthenticationPrincipal OAuth2User principal, Model model) {
        model.addAttribute("name", principal.getAttribute("name"));
        model.addAttribute("email", principal.getAttribute("email"));
        return "user";
    }
}

Step 5: Create HTML Templates

You will need HTML templates to display the home page and user information. Create src/main/resources/templates/home.html and src/main/resources/templates/user.html.

home.html:

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <title>Home</title>
</head>
<body>
    <h1>Welcome!</h1>
    <a href="/oauth2/authorization/google">Login with Google</a>
</body>
</html>

user.html:

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <title>User Info</title>
</head>
<body>
    <h1>User Information</h1>
    <p>Name: <span th:text="${name}"></span></p>
    <p>Email: <span th:text="${email}"></span></p>
    <a href="/">Logout</a>
</body>
</html>

Step 6: Run the Application

With everything set up, it's time to run your Spring Boot application. Use the command:

mvn spring-boot:run

Visit http://localhost:8080 in your web browser, and you should see the home page. Click on "Login with Google" to be redirected to the Google sign-in page. After successful authentication, you will be redirected to the user information page displaying your name and email.

Troubleshooting Tips

  • Invalid Client ID/Secret: Ensure you have registered your application with Google and obtained valid credentials.
  • Redirect URI Mismatch: Make sure the redirect URI in your application matches what’s configured in the Google Developer Console.
  • Dependency Issues: Ensure all dependencies are correctly specified in your pom.xml or build.gradle file.

Conclusion

Implementing secure OAuth 2.0 authentication in a Spring Boot application enhances user experience by allowing seamless access through trusted providers. By following the steps outlined in this article, you can effectively secure your web application while maintaining a user-friendly interface. Start integrating OAuth 2.0 today and open new gateways for your application’s functionality!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.