Category: Spring Boot backend development

Hello! In this blog post, we will learn how to implement secure login and logout features using OAuth 2.0 with Spring Boot. We will start by understanding what OAuth is and its basic concepts, followed by a detailed look at how to use OAuth2 in Spring Boot through practical code examples.

1. What is OAuth?

OAuth (Open Authorization) is an authentication protocol that allows users to securely share their information with a third-party service. For example, when a user wants to share their information from Service A with Service B, they can grant access to Service B without directly providing their login credentials from Service A.

1.1 Background of OAuth

In the past, users had to manage separate login credentials for each service they subscribed to. This could lead to security issues and created a cumbersome experience for users. OAuth was designed to address these problems by enabling more secure sharing of information through token-based authentication and authorization.

1.2 How OAuth Works

OAuth generally operates through the following process:

• Authentication Request: The client sends a request to access the resource server on behalf of the user.
• User Authentication: A login screen is displayed to the user, who then enters their authentication information.
• Token Issuance: Upon successful user authentication, the authorization server issues an access token to the client.
• Resource Request: The client uses the issued token to send a request to the resource server.

2. Key Components of OAuth 2.0

OAuth 2.0 consists of the following components:

• Client: The application requesting access to the resource.
• Resource Server: The server hosting the protected data.
• Authorization Server: The server that issues authentication tokens to the client.
• User: The owner of the data that the client wants to access.

3. Implementing OAuth2 with Spring Boot

Now, let’s implement OAuth2 using Spring Boot. In this example, we will use Google OAuth2 to implement login and logout.

3.1 Project Setup

We will use Spring Initializr (https://start.spring.io/) to create a Spring Boot project. We will add the following dependencies:

• Spring Web
• Spring Security
• Spring Boot DevTools
• OAuth2 Client

3.2 Configure application.yml

After the project is created, set the Google OAuth2 client ID and client secret in the src/main/resources/application.yml file.

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_CLIENT_ID
            client-secret: YOUR_CLIENT_SECRET
            scope: profile, email
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            user-info-authentication-method: header

3.3 Configure WebSecurityConfigurerAdapter

We configure Spring Security to enable OAuth2 support. We will extend WebSecurityConfigurerAdapter and define the necessary configurations.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .loginPage("/login")
                .defaultSuccessUrl("/home", true);
    }
}

3.4 Add Login Controller

Add a controller to redirect after login.

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HomeController {
    
    @GetMapping("/")
    public String index() {
        return "index"; // Return index page view
    }

    @GetMapping("/home")
    public String home() {
        return "home"; // Return home page view
    }
}

3.5 Create HTML Views

Create two HTML files to be used in Spring Boot. Generate the src/main/resources/templates/index.html file.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>OAuth Login</title>
</head>
<body>
    <h1>Welcome!</h1>
    <a href="/oauth2/authorization/google">Login with Google</a>
</body>
</html>

Next, create the src/main/resources/templates/home.html file.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Home</title>
</head>
<body>
    <h1>Hello, <span th:text="${#authentication.details.name}"></span>!</h1>
    <a href="/logout">Logout</a>
</body>
</html>

3.6 Run the Application

When you build and run the project, you will see a Google login link on the application’s main page. Clicking this will redirect you to the Google login page, and upon successful login, you will return to the home page.

4. Conclusion

We have successfully implemented login and logout features using Spring Boot and OAuth2. OAuth2 enables secure sharing of data between various services, providing an enhanced user experience. Additionally, you can choose an authentication method that fits your business logic by utilizing various features of OAuth2.

If you want more resources and information, please refer to the official Spring Boot documentation and various materials on OAuth2. Feel free to leave your questions in the comments, and I will do my best to help with what I know. Thank you!

In modern web applications, security and user authentication are very important elements. In particular, there are many cases where user authentication needs to be conducted through various methods such as social login and API integration. One of the commonly used protocols in this context is OAuth2. In this course, we will implement login and logout functionality using OAuth2 with Spring Boot and learn more about the authorization code grant type.

1. What is OAuth2?

OAuth2 is a popular authentication protocol that allows internet users to permit third-party applications to access their information without sharing their passwords. It enables delegated access so that applications can securely access user information.

2. Understanding the OAuth2 Process

The main OAuth2 process is divided into the following steps:

• 1) Client Registration: The client application registers with the OAuth provider and is issued a unique client ID and secret key.
• 2) Authentication Request: When the user clicks the authentication button in the client application, the authentication request is sent to the OAuth server.
• 3) User Authentication: The OAuth server prompts the user to perform authentication and displays a consent screen.
• 4) Issuing Authorization Code: If the user grants permission, the OAuth server returns an authorization code to the client.
• 5) Issuing Access Token: The client uses the authorization code to request an access token.
• 6) API Access: The client uses the access token to access the API and retrieve user data.

3. Configuring OAuth2 in Spring Boot

The process of configuring OAuth2 using Spring Boot involves adding the necessary dependencies first.

pom.xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
    

3.1. Configuring application.yml

Add the information of the OAuth2 authentication provider and the client information to the configuration file. Typically, information for social login providers such as Google is set here.

application.yml
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_CLIENT_ID
            client-secret: YOUR_CLIENT_SECRET
            scope: profile, email
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/userinfo
            user-name-attribute: sub
    

3.2. Security Configuration

Use Spring Security to apply security configuration.

WebSecurityConfig.java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/", "/login").permitAll() // Allow all users to access / and /login
            .anyRequest().authenticated() // All other requests require authentication
            .and()
            .oauth2Login(); // Support OAuth2 login
    }
}
    

4. Handling Login and Logout

Now, we can implement basic login and logout functionality. When a user accesses the /login URL, authentication is attempted through the OAuth2 provider. Upon successful authentication, the user is redirected to the main dashboard.

4.1. Login Page

Let’s create a simple login page that includes an authentication button.

login.html
<html>
<head>
  <title>Login Page</title>
</head>
<body>
  <h1>Login</h1>
  <a href="/oauth2/authorization/google">Login with Google</a> 
</body>
</html>
    

4.2. Logout

Additional configuration is required for logout handling.

WebSecurityConfig.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/", "/login", "/logout").permitAll()
        .anyRequest().authenticated()
        .and()
        .oauth2Login()
        .and()
        .logout()
        .logoutSuccessUrl("/"); // Redirect to home after logout
}
    

5. What is the Authorization Code Grant Type?

OAuth2 offers several grant types, and one of the most popular methods is the Authorization Code Grant.

5.1. Explanation of the Authorization Code Grant Type

The authorization code grant typically follows these steps:

• The user clicks the login button in the client application.
• The client application redirects the user to the OAuth2 server’s authentication screen.
• The user enters authentication information and submits it to the OAuth2 server.
• The OAuth2 server returns an authorization code to the client upon user authentication.

5.2. Advantages of the Authorization Code Grant

The main advantages of the authorization code grant are as follows:

• High security level: The authorization code is stored only on the server with the client secret, making communication with the resource server more secure.
• Support for refresh tokens: Access tokens can be refreshed using refresh tokens once they expire.

6. Conclusion

In this course, we have learned how to implement login and logout functionality using OAuth2 with Spring Boot, as well as the authorization code grant type. OAuth2 is an essential protocol for authentication and authorization in modern web applications, providing security and user convenience. By combining various authentication methods based on user needs, more secure and convenient services can be created.

Recommended Resources

• Official Spring Security Documentation
• Official OAuth 2.0 Documentation
• Baeldung’s OAuth2 Course

Login Page

Log in with Google

In today’s web applications, authentication and authorization are crucial elements, and OAuth2 is a widely used standard for implementing them. In this course, we will explore in detail how to implement OAuth2-based login and logout functionality using Spring Boot. The goal of this course is to apply a secure authentication method through OAuth2 in a Spring Boot application and learn how to test it.

1. What is OAuth2?

OAuth2 (Open Authorization 2.0) is an authorization framework that allows internet users to use their accounts with other services without exposing their information to third-party applications. Essentially, OAuth2 operates based on access tokens, which allow users to access their data. During this process, there is no need to share the user’s password.

1.1 Components of OAuth2

• Resource Owner: The owner of the resource, usually the user.
• Client: The application that requests the service on behalf of the resource owner.
• Authorization Server: The server that authenticates the client’s request and issues an access token after consent.
• Resource Server: The server that can access the protected resources (e.g., user data).

1.2 OAuth2 Flow

The authentication flow of OAuth2 proceeds as follows:

1. The user sends an authentication request to the Authorization Server through the client.
2. If the user successfully authenticates, the Authorization Server issues an access token to the client.
3. The client sends the issued access token to the Resource Server to access the protected resources.

2. Setting up Spring Boot Environment

To set up the Spring Boot environment, we first need to add the necessary dependencies. To do this, we will use Spring Initializr to create a project.

2.1 Creating a Project in Spring Initializr

Create a Spring Boot project with the following settings:

• Project: Maven Project
• Language: Java
• Spring Boot: 2.6.3 (select the latest version)
• Dependencies: Spring Web, Spring Security, Spring Data JPA, H2 Database

2.2 Modifying the pom.xml File

Next, add the OAuth2-related dependencies to the pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

3. OAuth2 Configuration

To configure OAuth2, modify the application.yml file to include the Authorization Server and Resource Server information.

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_CLIENT_ID
            client-secret: YOUR_CLIENT_SECRET
            scope:
              - profile
              - email
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            user-name-attribute: sub

4. Spring Security Configuration

Configure Spring Security to handle authentication and authorization. Below is an example of a basic security configuration class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }
}

5. Retrieving User Information

Once the user successfully authenticates, retrieve user information through the OAuth2 client. To do this, create a controller.

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {
    @GetMapping("/user")
    public OAuth2User getUser(@AuthenticationPrincipal OAuth2User principal) {
        return principal;
    }
}

6. Testing and Running

Run the application and access http://localhost:8080 in your web browser. The user will be redirected to the Google login page by clicking the login button. After logging in, they can check their user information via the /user endpoint.

Conclusion

In this course, we explored how to implement login and logout functionality using OAuth2 with Spring Boot. Throughout this process, we learned the basic concepts of OAuth2, setting up the required dependencies, configuring Spring Security, and retrieving user information. This allows you to add a more secure login feature to your web applications.

References

• Spring Security
• OAuth 2.0 Specification
• Spring Boot Guides

1. Introduction

Recently, with the increasing development of web applications based on microservices architecture and cloud services, the popularity of frameworks like Spring Boot is rising.
Spring Boot is a framework that helps to quickly develop applications without complex configuration.
In this tutorial, we will learn in detail how to implement login and logout functionalities using OAuth2 in backend development with Spring Boot.

2. What is OAuth2?

OAuth2 is an authentication protocol that allows users to control access to the client application.
With OAuth2, users can perform authentication and authorization for specific resources without sharing their credentials with the application.
This is a way to enhance security and significantly improve user experience.

2.1 Key Components of OAuth2

• Resource Owner: The user who grants permission to a client application
• Client: The application attempting to access the Resource Owner’s resources
• Resource Server: The server that stores the user’s resources
• Authorization Server: The server that processes the user’s authentication information and issues tokens to the client

3. Setting Up a Spring Boot Project

To start a Spring Boot application, first create a new project.
You can generate a Maven or Gradle based project using Spring Initializr.

3.1 Adding Dependencies

To implement OAuth2 authentication, you need to add the following dependencies:

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.0.RELEASE'
}

3.2 Configuring application.properties

Next, open the src/main/resources/application.properties file to add the necessary configurations for OAuth2 authentication.
Refer to the example configuration below.

spring.security.oauth2.client.registration.google.client-id={YOUR_CLIENT_ID}
spring.security.oauth2.client.registration.google.client-secret={YOUR_CLIENT_SECRET}
spring.security.oauth2.client.registration.google.scope=profile, email
spring.security.oauth2.client.registration.google.redirect-uri=http://localhost:8080/login/oauth2/code/google
spring.security.oauth2.client.provider.google.authorization-uri=https://accounts.google.com/o/oauth2/auth
spring.security.oauth2.client.provider.google.token-uri=https://oauth2.googleapis.com/token
spring.security.oauth2.client.provider.google.user-info-uri=https://www.googleapis.com/oauth2/v3/userinfo

4. Implementing OAuth2 Login

Now, let’s implement OAuth2 login in the application. This can be easily configured through Spring Security.

4.1 Security Configuration

Create a new Java class to configure the security settings.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login**", "/error**").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }
}

5. Retrieving User Profile

Once the user logs in, you can request user information from the OAuth2 server to retrieve the profile.
We will write a controller for this purpose.

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class UserProfileController {
    @GetMapping("/user")
    public String user(@AuthenticationPrincipal OAuth2User principal, Model model) {
        model.addAttribute("name", principal.getAttribute("name"));
        model.addAttribute("email", principal.getAttribute("email"));
        return "userProfile";
    }
}

6. Implementing Logout

The logout functionality is provided by Spring Security by default, and it can be easily implemented through configuration.
Add the logout URL and related settings as shown below.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login**", "/error**").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .and()
            .logout()
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }

7. Conclusion

In this tutorial, we explored a simple way to implement login and logout functionalities using OAuth2 with Spring Boot.
Using Spring Boot and OAuth2 allows for easy integration with external authentication systems, greatly enhancing application security and improving user experience.
Consider applying OAuth2 to your projects to provide safer and more convenient services!

8. Additional Resources

For more information, please refer to the official documentation and other resources.

• Spring Boot Official Documentation
• Spring Security Official Documentation
• OAuth 2.0 Official Documentation