Last Updated on April 12th, 2023

Let’s assume that you want to provide access of your resources to a third party application. How will you ensure that the third party application will not misuse your resources? Once you complete going through this article, you will find a secure way to provide access to your resources. Also, you will learn ‘How to implement OAuth in Spring Boot Project?’ which is what all about. OAuth is a mechanism for providing access to resources in a very secure manner. But it is not related to authentication at all rather authorizations.

For example, You have a bunch of confidential pages stored at Google Drive and you want the document review team to review them and update you with review comments. You might be thinking the easiest solution to send them through email or any other way like file transfer technique etc. But this is not the correct way as I mentioned that these are confidential pages. Hence, we can’t send them through network at all due to security reasons. You have to find a way so that review team access them from Google Drive only. Additionally, the review team should get access to review them and send review comments to you accordingly. We will find all the way to make it possible in this article ‘How to implement OAuth in Spring Boot Project?’.

What can you expect from this article as a whole?

Once you complete going through this article, You will be able to answer following :

1) What is OAuth all about?

2) What places can we observe the use of OAuth in the internet?

3) What is an Access Token?

4) Additionally, How does an OAuth technique use Access Tokens to authorize a client?

5) What are the terminologies like Resource, Resource Owner, Resource Server, Authorization Server, Client etc. used in OAuth technique?

6) How does an OAuth concept work in real time?

7) Finally How to implement OAuth in Spring Boot Project to access Social media App’s resources?

8) Example of a Facebook authorization to a Spring Boot application using OAuth?

9) How to test implemented OAuth?

10)Also, Where can we use @EnableOAuth2Sso ?

What is OAuth ?

OAuth is a technique to authorize web applications, servers, devices, APIs etc. via access tokens rather than credentials. We can also call it as an open standard for authorization, but not an API or a service. Further with OAuth, you can log into third party websites with your Google, Facebook, Twitter, Microsoft accounts etc. without essentially providing your passwords. It’s also a safer and more secure way for people to give you access to their resource data. Hence, OAuth is a simple way to publish and interact with protected resource data. If you want to provide access of an API to 3rd party clients/applications, you should implement OAuth also.

Moreover OAuth is meant for a service to authorize another service on user’s behalf as a delegated access for services. It uses HTTPS for communication and Access token for authorization. OAuth is commonly used for Access Delegation. Like you can provide access of your resource to other application or website without providing your user id and password.

Where can we notice the use of OAuth technique?

In fact, we can observe the use of OAuth during the registration process of a user in a website. Likely many websites or applications nowadays provide the possibility of authenticating to another website or application via your social site account like Google/Facebook/Twitter/etc. Indeed It’s more helpful & convenient as user doesn’t have to further create another account and remember credentials. Instead, users can just use e.g. Google account to get access to various services. This is possible via OAuth.

What is an Access Token?

Access Token is a random String or digit generated by the authorization server. You might have used or seen someone to use a small digital device in the organization. In fact, this small device generates a token (like a random password) to get access client side working environment. Briefly, this device is nothing but a kind of access token generator. Also, it has a limited lifetime and a confidential nature.

In fact, this token is sent by the client (who wants to access resource) as a parameter or as a header in the request to the resource server. Its responsibility of authorization server to define the scope of an access token. The client application should provide the scope & limits it requires along with the request to the authorization server. Based on this parameter an authorization server limits the access rights of an application.

What are all about the terminologies like Resource, Resource owner, Resource Server, Authorization Server & a Client ?

While implementing the OAuth concept in an application, we must come across all these terminologies. Therefore, we must have a clear idea on what are these and how they operate with each other. So, first let’s talk about a use case to understand them one by one in a better way.

For example, let’s consider the aforementioned requirement. As you have a bunch of confidential pages stored at Google Drive and you want the document review team to review them and update them with review comments. Remember that you can’t send these confidential pages through network either by sending an email or by any other possible means. You have to use OAuth technique now.

Resource/Protected Resource

A Resource is something that is protected from the real world due to security reasons. We require OAuth technique to access a resource. Some people also call it as a Protected Resource. For example, The confidential pages stored at Google Drive are Resource as per our use case.

Resource owner

Resource Owner is the person, who owns the resource or has full access to it. Some people in the industry also call it User. As per our use case You are the resource owner.

Resource Server

Resource server is a server which holds/stores the resource. Sometime we also call it Resource Host. According to our case Google Drive is the resource server.

Client

A client is an application that needs access to the resource on behalf of its owner to provide the required services. In our use case an application/software which review team will use to review your documents is a Client. Briefly, we can also say it as a Document Review Service.

Authorization Server

Authorization Server is a server which provides Access Token to the client to access resources from the resource server. Generally it is coupled within the resource server or the resource server itself acts as an authorization server. But sometimes it exists as a separate entity. In both cases, it’s responsibility is same and works for resource server only.

How does OAuth concept work?

We will use aforementioned use case to understand the working flow of OAuth in detail. Further to illustrate it observe the flow diagram given below. Step Numbers in the description are matched with the step numbers given in the diagram simultaneously to understand it in a better way. Also, we have divided all the steps in two sub-headings to make it simpler as a whole.

Getting Access Token from the Authorization Server

1) The user is asking the client to access my resource from the resource server (Google Drive) and review the documents.

2) The client goes to the authorization server to get access of the resources on behalf of resource owners.

3) Authorization Sever will check if the resource owner wants client to access his/her resource. Also asks the resource owner what all are the resources you want client to access on your behalf.

4) Resource Owner replies Yes, I am the person who wants client to access some of my particular resources.

5) After getting confirmation from resource owner, the Authorization server sends an Authorization token to the client.

6) Then the client asks the Authorization server for an Access Token sending the same Authorization token along with its request.

7) Authorization Server provides Access Token to the client to access required resources.

Getting Access to resources from the Resource Sever

8) The client sends a request to resource Server with Access token provided by the Authorization server to access the resources of resource owner.

9) Resource Server validates the Access token provided by the client with Authorization Server

10) Authorization Server validates the Access token and sends confirmation to Resource Server

11) Consequently Resource Server provides access of resources to the client.

12) Finally, Client (Document Review Service) reviews the documents using its internal application/software and provides review comments to Resource Owner(user).

How to implement OAuth in Spring Boot Project?

After getting all the required knowledge of various terminologies it’s time to implement OAuth 2.0. Let’s implement it in Facebook. First of all, the OAuth client should create a Facebook application. In fact the Facebook application will contain the client id and a client secret which are prerequisite to make OAuth requests.

What Software/Technologies would you need?

♦STS (Spring Tool Suite) : Version-> 4.7.1.RELEASE
⇒Dependent Starters : Spring Security, Spring Web, Cloud OAuth2, Spring Boot DevTools
♦JDK8 or later versions (Extremely tested on JDK8, JDK11 and JDK14)

Step#1 : Create App in Facebook

1) Go to register as a facebook developer. You can follow the registration steps for Facebook developer.
2) Click on ‘My Apps’
3) Click on Create App & then select ‘Something Else’, then ‘continue’
4) Fill ‘App Display Name’
5) Click on ‘Create App’
6) Now Verify Captcha & click on ‘Submit’
7) Click on Settings, then click on ‘Basic’, You will find your app details at the right side.
8) Note down ‘App ID’ & ‘App Secret’.

If you face any issue in creating an app using the above steps, kindly follow steps to create an app.

Alternatively, you can go to the Meta for Developers website and click Get Started.

Step#2 : Create a Spring Boot Starter Project in STS(Spring Tool Suite)

While creating Starter Project select ‘Spring Security’, ‘Spring Web’, ‘Cloud OAuth2’ and ‘Spring Boot DevTools’ as starter project dependencies. Even If you don’t know how to create a Spring Boot Starter Project, kindly visit our separate article on How to create a Spring Boot Starter Project.

Step#3 : Apply @EnableOAuth2Sso at Starter class 

Your starter class of Spring Boot Project should be annotated with @EnableOAuth2Sso like below code:

package com.dev.spring.security.oauth;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;

@SpringBootApplication
@EnableOAuth2Sso
public class SpringBootOAuth {

	public static void main(String[] args) {
		SpringApplication.run(SpringBootOAuth.class, args);
	}

}

Step#3 : Create a Controller class as UserController.java

Create one controller class to get user details which will help to connect via OAuth. In addition, apply @RestController on top of it.

package com.dev.spring.security.oauth.controller;

import java.security.Principal;
import java.util.Map;

import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

	@GetMapping("/")
	public String getUserDetails(Principal principal) {
		
		OAuth2Authentication oAuth = (OAuth2Authentication) principal;
		boolean isAuthenticated = oAuth.isAuthenticated();
		
        Map<String, Object> details = (Map<String, Object>)oAuth.getUserAuthentication().getDetails();
        String username = (String)details.get("name");
        
        return "Username: " + username
        		+ "<br><br>" + 
        		"Is User Authenticated? : "+isAuthenticated;
		
	}
	

	@GetMapping("/user")
	public Principal showUser(Principal p) {
		System.out.println(p.getClass().getName());
		return p;
	}

}

Step#4 : Create application.yml file

Finally create application.yml in place of application.properties. Don’t forget to remove pre-existing application.properties otherwise Spring Boot App will read it by default.

#application.yml
--------------------------------------------------------------
server:
 port: 8081
spring:
 application:
  name: SpringBootOAuth
security:
  oauth2:
   client:
    clientId: Your App ID
    clientSecret: Your App Secret
    accessTokenUri: https://graph.facebook.com/oauth/access_token
    userAuthorizationUri: https://www.facebook.com/dialog/oauth
    tokenName: oauth_token
    authenticationScheme: query
    clientAuthenticationScheme: form
  resource:
   userInfoUri: https://graph.facebook.com/me

How to test implemented OAuth 2.0 in Spring Boot Project?

Step#1 : Select Project, right click on it, Run as > Spring Boot App
Step#2 : Open Browser and hit URL : http://localhost:8081/
Step#3 : You will be redirected to the Facebook page as shown below. Also observe the redirected URL of your browser which is something like https://www.facebook.com/dialog/oauth?client_id=****************&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Flogin&response_type=code&state=1Gepzv

♥ The above URL clearly indicates the magic of OAuth. 🙂

Step#4 : Click on ‘Continue as Your Name’
Step#5 : Finally you will see below page with Facebook User details.

Here, we are getting the user information of a facebook app even without logging into it. That’s the capability of OAuth. 🙄

Step#6 : Hit the URL http://localhost:8081/user , you will see all the details of user similar to JSON format.

Summary

After going through all the theoretical & examples part of ‘How to implement OAuth in Spring Boot Project?’, finally, we are able to implement OAuth security in a Spring Boot project. Of course, In this article we have thoroughly learned about the OAuth technique. We will include some more examples of authorizing Social media websites in the future and update the article accordingly. Similarly, we will expect from you to further extend the implementation of your project subsequently. If you wish to learn about JWT Authentication technique, you may visit our previous article. Also, If there is any update in the future, we will also update this article accordingly. In addition, feel free to provide your comments in below comments section.