Spring Boot OAuth2 Client
Configuring a Spring Boot backend as an OAuth2 Client. The idea is that a frontend application (e.g. an Angular UI) does not handle any of the OAuth2 flow itself. It simply has an active session with the backend via a session cookie (JSESSIONID).
Basic flow
The user opens the frontend unauthenticated.
FE calls some backend endpoints.
BE endpoints return 401 Unauthorized.
Frontend handles the 401 response and redirects the user to the specific authorization endpoint in the backend.
Backend redirects the user to the login server.
User logs in.
Login server redirects the user back to the BE callback endpoint with the authorization CODE.
BE exchanges the code for a token and fetches the user's privileges from the login server.
User is now authenticated and has a session with the backend.
Configuration
application.yaml
Trigger auth for testing: http://localhost:8045/backend/api/v1/oauth2/authorization/your-login
Spring Security
Minimal
A minimal starting configuration looks like this:
Logout
Spring Boot provides a logout endpoint. By default it requires a POST request protected by CSRF, so that a malicious third-party site cannot log a user out with a forged request.
To get this to work properly we need to configure CSRF in the security chain, otherwise we'll always get a 403 when trying to POST a logout request.
The logout endpoint is then located at: http://localhost:8045/backend/api/v1/logout
In order to test it with Postman we need to send the X-XSRF-TOKEN header, set to the value of the XSRF-TOKEN cookie that the backend issues.
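The security chain described above, written out as an added example (not the page's own configuration; class name, the "/logout" path and the registration id behind /oauth2/authorization/{registrationId} are assumptions, as is the use of CookieCsrfTokenRepository, whose defaults match the XSRF-TOKEN cookie and X-XSRF-TOKEN header named here):

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig {  // assumed class name

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Spring Security 6 defers loading the CSRF token until something reads it.
        // Setting the attribute name to null opts out of that deferral, so the
        // XSRF-TOKEN cookie is written on the first response and the frontend can read it.
        // (The plain handler sends the raw token; use the Xor handler plus a
        // cookie-rendering filter if BREACH protection is a concern.)
        CsrfTokenRequestAttributeHandler csrfHandler = new CsrfTokenRequestAttributeHandler();
        csrfHandler.setCsrfRequestAttributeName(null);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // API calls without a session get a plain 401 instead of a redirect,
            // so the frontend decides when to send the browser to
            // /oauth2/authorization/{registrationId}.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .oauth2Login(login -> login.defaultSuccessUrl("/", true))
            // Token lives in a non-HttpOnly XSRF-TOKEN cookie; clients echo it in the
            // X-XSRF-TOKEN header on every state-changing request, including logout.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(csrfHandler))
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                // SPA-friendly: no redirect, just 204 so the frontend can react itself.
                .logoutSuccessHandler((req, res, auth) ->
                    res.setStatus(HttpStatus.NO_CONTENT.value())));
        return http.build();
    }
}
```

A POST to /logout without the matching X-XSRF-TOKEN header is rejected with 403 by the CsrfFilter before the logout handler runs, which is the symptom the text describes.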
Debugging
Inspect raw JWT & userinfo attributes
The following methods are useful breakpoints to debug the OAuth2 flow and to inspect the raw JWT:
OAuth2LoginAuthenticationProvider.authenticate(..)
DefaultOAuth2UserService.loadUser(..)