
URL: https://www.geeksforgeeks.org/advance-java/spring-boot-oauth2-authentication-and-authorization/


Spring Boot - OAuth2 Authentication and Authorization

Last Updated : 24 Oct, 2025

OAuth2 is an authorization framework that allows third-party applications to gain limited access to an HTTP service on behalf of a user. It also supports delegated authentication using an external Authorization Server such as Google or GitHub.

Key Components of OAuth2

  • Resource Owner: The end user who owns the protected data.
  • Client (Application): The application requesting access to resources (your Spring Boot app).
  • Authorization Server: Authenticates the user and issues access tokens (e.g., Google OAuth2 service).
  • Resource Server: Hosts protected resources and validates access tokens.

OAuth2 Flow in Spring Boot

  1. Client Registration: Register your app with an OAuth2 provider (Google, GitHub) to obtain a client ID and client secret.
  2. User Authentication: When the user accesses a protected resource, Spring Security redirects them to the provider’s login page.
  3. Authorization Code Exchange: After successful login, the provider returns an authorization code to your app.
  4. Access Token Retrieval: The Spring Security OAuth2 client exchanges the code for an access token.
  5. Access Granted: The token authenticates the user for further requests.

Implementation Steps

Step 1: Create the Spring Boot Project

Use Spring Initializr to create a project:

  • Name: spring-boot-oauth2-google
  • Language: Java
  • Packaging: Jar
  • Dependencies: OAuth2 Client, Spring Web, Spring Security, Thymeleaf
[Image: Project Metadata]

Step 2: Add Dependencies

Add the following dependencies into the Spring Boot project.

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity6</artifactId>
    </dependency>
</dependencies>

After the project is created, its structure looks like the image below:

[Image: Project Structure]

Step 3: Configure Application Properties

Rename application.properties to application.yml and configure Google OAuth2:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_CLIENT_ID
            client-secret: YOUR_CLIENT_SECRET
            scope: profile, email
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            authorization-grant-type: authorization_code
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/v2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            user-name-attribute: sub

server:
  port: 8080

  • client-id and client-secret: Credentials from your Google developer console.
  • scope: Permissions requested (profile and email).
  • redirect-uri: URL where Google redirects after login.

Step 4: Configure Spring Security

Create SecurityConfig.java:

  • permitAll(): Allows unauthenticated access to home and login pages.
  • authenticated(): Restricts other endpoints.
  • oauth2Login(): Enables OAuth2 login via the configured provider.
  • defaultSuccessUrl("/dashboard"): Redirects users post-login.
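
A SecurityConfig.java that matches the four points above, written here as an added example and not the original page's listing. It assumes Spring Security 6 (implied by the thymeleaf-extras-springsecurity6 dependency); the package name and the exact public paths ("/", "/index.html", "/login") are assumptions.

```java
package com.example.oauth2; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Public surface is an explicit allow-list (assumed paths).
                // "/index.html" is listed as well as "/" because the welcome
                // page is served by an internal forward, and Spring Security 6
                // also authorizes forwarded dispatches.
                .requestMatchers("/", "/index.html", "/login").permitAll()
                // Deny by default: every other endpoint, including /dashboard,
                // requires an authenticated session.
                .anyRequest().authenticated())
            .oauth2Login(oauth -> oauth
                // Uses the "google" registration from application.yml.
                // With the single-argument form, a user who was redirected to
                // login from a protected URL returns to that URL; /dashboard
                // is used only when there is no saved request.
                .defaultSuccessUrl("/dashboard"));

        // CSRF protection is left at its default (enabled); nothing in this
        // flow needs it switched off.
        return http.build();
    }
}
```

The authorization and callback endpoints (/oauth2/authorization/google and /login/oauth2/code/google) are handled by Spring Security's OAuth2 filters before the authorization rules run, so they do not need their own permitAll() entries.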

Step 5: Create UserController

UserController.java:

Purpose: Returns the authenticated user’s information.

Step 6: Create DashboardController

DashboardController.java

Purpose: Displays user details on the dashboard page.

Step 7: Main Application Class

The main class is the entry point of the Spring Boot application; it launches the application using the SpringApplication.run method.

Step 8: Create HTML Views

index.html (src/main/resources/static):

dashboard.html (src/main/resources/templates):

Step 9: Run the Application

Run the app using the Maven command:

mvn spring-boot:run

[Image: Application Started]

Navigate to http://localhost:8080

Click Login with Google

[Image: Home Page]

Select a Google account

[Image: Choose Google account]

Click on the Continue button.

[Image: Click Continue]

You’ll be redirected to /dashboard, where your name and email are displayed.

[Image: Dashboard]