This is a Spring Boot application demonstrating OpenID Connect authentication using Spring Security.
- OpenID Connect authentication with Google
- User profile display with OIDC information
- Secure endpoints with Spring Security
- Thymeleaf templates for UI
- Java 21 or later
- Maven
- SuperOffice application in the Developer Portal
- Contact SuperOffice or access your SuperOffice developer account
- Register a new application with SuperOffice
- Configure the redirect URI as `http://localhost:8080/login/oauth2/code/superoffice`
- Get your client ID and client secret
- Make note of the OAuth endpoints (these are already configured in the application.properties file)
You can provide your OAuth 2.0 credentials in one of these ways:
- Set environment variables:
  ```
  SUPEROFFICE_CLIENT_ID=your-superoffice-client-id
  SUPEROFFICE_CLIENT_SECRET=your-superoffice-client-secret
  ```
- Or directly edit the `application.properties` file:
  ```properties
  spring.security.oauth2.client.registration.superoffice.client-id=your-superoffice-client-id
  spring.security.oauth2.client.registration.superoffice.client-secret=your-superoffice-client-secret
  ```
- Clone this repository
- Navigate to the project directory
- Run the application using Maven:
  ```
  ./mvnw spring-boot:run
  ```
  Or on Windows:
  ```
  mvnw.cmd spring-boot:run
  ```
- Open your browser and go to `http://localhost:8080`
- When a user accesses a protected resource, they are redirected to the login page
- The user selects either the Google or GitHub authentication option
- After authenticating with the chosen provider, the user is redirected back to the application
- The application receives the OAuth2/OpenID Connect tokens and creates a security context
- The user information is displayed on the profile page
To add another OAuth2/OIDC provider (e.g., Microsoft, Okta, Auth0), add the appropriate configuration to `application.properties`. For example:
```properties
# Microsoft Azure AD
spring.security.oauth2.client.registration.azure.client-id=your-azure-client-id
spring.security.oauth2.client.registration.azure.client-secret=your-azure-client-secret
spring.security.oauth2.client.registration.azure.scope=openid,profile,email
spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/{tenant-id}/v2.0
```
Then, add a button to the login page that links to `/oauth2/authorization/azure` (or the respective registration ID).
When working with OAuth2 access tokens and refresh tokens, follow these best practices:
- Use Spring's Built-in Token Storage: Spring Security OAuth2 provides the `OAuth2AuthorizedClientService` to securely store and manage tokens.
- Never Store Tokens in Client-Side Storage: Avoid storing tokens in cookies, local storage, or session storage on the client side.
- Implement Token Refresh Logic: Configure automatic token refresh using Spring's `OAuth2AuthorizedClientProvider` with refresh token capabilities.
- Secure API Calls: Create service classes that handle token retrieval and authentication for API calls.
- Token Validation: Validate tokens before use by checking expiration and signature.
The application includes services for making authenticated API calls to external services:
- `OAuth2TokenService`: Retrieves tokens from the authorized client service
- `ApiClientService`: Uses tokens to make authenticated REST API calls
- `ApiController`: Example controller demonstrating API calls using tokens
Example API call (`tokenService` and `restTemplate` are the `OAuth2TokenService` and `RestTemplate` beans injected into the calling class; `authentication` is the current user's `Authentication`):
```java
// Get the access token from the current user's session
String accessToken = tokenService.getAccessToken(authentication);

// Add the token to the Authorization header (Authorization: Bearer <token>)
HttpHeaders headers = new HttpHeaders();
headers.setBearerAuth(accessToken);

// Make the authenticated API call; the token only travels in the request header
HttpEntity<?> entity = new HttpEntity<>(headers);
ResponseEntity<String> response = restTemplate.exchange(
        "https://api.example.com/resource",
        HttpMethod.GET,
        entity,
        String.class
);
```
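The following is an added example, not the project's own `OAuth2TokenService`: a hypothetical `CheckedTokenService` that ties together the best practices above (built-in token storage, automatic refresh via an `OAuth2AuthorizedClientProvider`, and expiry validation before use) behind the same `getAccessToken(authentication)` call the snippet above uses. It assumes the registration ID from the login (`superoffice` for this application) and only the Spring Security OAuth2 client classes already on the classpath of such a project.

```java
// Added example (not the project's code): refresh an expired token via the manager, never hand out a stale one.
import java.time.Duration;
import java.time.Instant;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Service;

@Service
public class CheckedTokenService {
    private final OAuth2AuthorizedClientManager manager;

    public CheckedTokenService(ClientRegistrationRepository registrations, OAuth2AuthorizedClientService clients) {
        // authorization_code for the login, refresh_token for renewal; 60 s skew counts a nearly expired token as expired
        var m = new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clients);
        m.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken(r -> r.clockSkew(Duration.ofSeconds(60)))
                .build());
        this.manager = m;
    }

    /** Same call shape as tokenService.getAccessToken(authentication) in the snippet above. */
    public String getAccessToken(Authentication authentication) {
        if (!(authentication instanceof OAuth2AuthenticationToken login)) {
            throw new IllegalStateException("Current principal did not log in through OAuth2/OIDC");
        }
        String registrationId = login.getAuthorizedClientRegistrationId(); // e.g. "superoffice"
        OAuth2AuthorizedClient client = manager.authorize(OAuth2AuthorizeRequest
                .withClientRegistrationId(registrationId)
                .principal(authentication)
                .build());
        if (client == null) {
            throw new IllegalStateException("No authorized client stored for '" + registrationId + "'");
        }
        // Validate before use: even after the manager ran, never return an expired token to the caller
        OAuth2AccessToken token = client.getAccessToken();
        Instant expiresAt = token.getExpiresAt();
        if (expiresAt != null && !Instant.now().isBefore(expiresAt)) {
            throw new IllegalStateException("Access token for '" + registrationId + "' is expired");
        }
        return token.getTokenValue();
    }
}
```

The token stays in the server-side `OAuth2AuthorizedClientService` throughout; the caller receives only the bearer value to place in the `Authorization` header, and a refresh failure surfaces as an exception instead of a silent call with a dead token.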