For a long time I have wanted to integrate an OpenID Connect provider using Spring Security. The last time I tried, I felt it was very complicated and ended up writing my own library. Since Spring Security 5 has native support for an OAuth2 client and extends it to OpenID Connect, I wanted to see how easy the integration is now.
For this example we are going to build a simple app that redirects to Google when we try to access a protected endpoint.
Step 1:
Create a Spring Boot project from https://start.spring.io with the following Gradle dependencies:
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'com.fasterxml.jackson.module:jackson-module-kotlin'
    implementation 'org.jetbrains.kotlin:kotlin-reflect'
    implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'org.springframework.security:spring-security-test'
}
Step 2:
Create an endpoint that shows the current user's authentication data:
import org.springframework.http.ResponseEntity
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

@RestController
class HelloController {
    // Spring resolves the current Authentication as a controller argument;
    // after an OIDC login it is an OAuth2AuthenticationToken.
    @GetMapping("/me")
    fun hello(currentUser: OAuth2AuthenticationToken): ResponseEntity<OAuth2AuthenticationToken> {
        return ResponseEntity.ok(currentUser)
    }
}
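Returning the whole OAuth2AuthenticationToken is handy for a first look, but it serialises every ID token claim to the caller. The following is an added example, not code from the original post or its repository: it makes the "everything requires login" policy explicit in a Spring Security 5.1-style WebSecurityConfigurerAdapter and exposes only the claims the application actually needs, treating the email as an identity only when Google reports it as verified. The class names SecurityConfig, ClaimsController and CurrentUser and the path /me/claims are assumptions chosen for this example.

```kotlin
import org.springframework.http.HttpStatus
import org.springframework.http.ResponseEntity
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.core.annotation.AuthenticationPrincipal
import org.springframework.security.oauth2.core.oidc.user.OidcUser
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

// Assumed configuration (not from the original post). Spring Boot applies an
// equivalent default when the OAuth2 client starter is on the classpath, but
// stating the policy in code makes it explicit and reviewable.
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http.authorizeRequests()
                .anyRequest().authenticated()   // no anonymous access anywhere
            .and()
            .oauth2Login()                      // unauthenticated -> OIDC login flow
    }
}

// The minimal view of the user that leaves the server; tokens and at_hash stay inside.
data class CurrentUser(
    val subject: String,
    val email: String?,
    val name: String?,
    val issuer: String?,
    val authorities: List<String>
)

@RestController
class ClaimsController {
    // OidcUser is the principal Spring Security builds from the ID token
    // (plus the UserInfo endpoint when it is available).
    @GetMapping("/me/claims")
    fun claims(@AuthenticationPrincipal user: OidcUser): ResponseEntity<CurrentUser> {
        // Only trust the email as an identity when the provider verified it.
        if (user.emailVerified != true) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build()
        }
        val body = CurrentUser(
            subject = user.subject,
            email = user.email,
            name = user.fullName,
            issuer = user.issuer?.toString(),
            authorities = user.authorities.map { it.authority }
        )
        return ResponseEntity.ok(body)
    }
}
```

With this in place, http://localhost:8080/me still shows the full token for debugging, while /me/claims returns the stable subject identifier plus a handful of display claims, which is what a downstream application should key users on rather than the email address.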
Step 3:
Configure the OAuth2 client in application.yml. In Google's developer console, register the app's redirect URI as http://localhost:8080/login/oauth2/code/google (Spring Security's default redirect pattern is /login/oauth2/code/{registrationId}).
# @see https://console.developers.google.com/apis/ to create your client credentials
logging.level.org.springframework: INFO
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            provider: google
            client-id: <<your-client-id>>
            client-secret: <<your-client-secret>>
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            scope:
              - openid
              - email
              - profile
              - https://www.googleapis.com/auth/tasks.readonly
        provider:
          google:
            issuer-uri: https://accounts.google.com
Step 4:
Run the application, go to http://localhost:8080/me, complete the login process, and you will see this:
{
  "authorities": [
    {
      "authority": "ROLE_USER",
      "attributes": {
        "at_hash": "28AV0o6xKM8f3UQlljlGuw",
        "sub": "10080000000000000",
        "email_verified": true,
        "iss": "https://accounts.google.com",
        "given_name": "Syamala",
        "locale": "en",
        "picture": "https://lh6.googleusercontent.com/photo.jpg",
        "aud": [ "client-id" ],
        "azp": "client-id",
        "name": "Syamala Umamaheswaran",
        "exp": "2019-03-24T18:27:19Z",
        "family_name": "Umamaheswaran",
        "iat": "2019-03-24T17:27:19Z",
        "email": "xxxx@gmail.com"
      },
      "idToken": {...},
      "userInfo": null
    }
  ],
  "details": null,
  "authenticated": true,
  "principal": {},
  "authorizedClientRegistrationId": "google",
  "credentials": "",
  "name": "10080000000000000"
}
Mind Blown:
As much as it blows my mind that we can integrate with an OpenID Connect provider without writing any security code, I needed to know why this works so easily. The devil is in the details. Stay tuned for my next blog post, where I explain what happens behind the scenes, how to access a protected resource, and how to refresh tokens automatically.
Complete Source Code @ https://github.com/shyamz-22/oidc-spring-security-5
Original article: Spring boot + Spring Security 5 + OAuth2/OIDC Client – Basics