{"id":22268096,"url":"https://github.com/curityio/spring-boot-oauth-client","last_synced_at":"2025-07-28T12:30:53.206Z","repository":{"id":74437594,"uuid":"254115377","full_name":"curityio/spring-boot-oauth-client","owner":"curityio","description":"Example Website Client using Spring Boot to implement OAuth 2.0 and OpenID Connect","archived":false,"fork":false,"pushed_at":"2024-08-21T08:22:03.000Z","size":54,"stargazers_count":11,"open_issues_count":0,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-21T09:43:50.783Z","etag":null,"topics":["code-example","oauth2","openid-connect","spring-boot","website"],"latest_commit_sha":null,"homepage":"https://curity.io/resources/learn/oidc-spring-boot/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-08T14:44:45.000Z","updated_at":"2024-08-21T08:22:07.000Z","dependencies_parsed_at":"2023-02-26T02:30:12.397Z","dependency_job_id":null,"html_url":"https://github.com/curityio/spring-boot-oauth-client","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fspring-boot-oauth-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fspring-boot-oauth-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fspring-boot-oauth-client/releases","manifests_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Fspring-boot-oauth-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/spring-boot-oauth-client/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227905532,"owners_count":17837906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-example","oauth2","openid-connect","spring-boot","website"],"created_at":"2024-12-03T11:11:06.071Z","updated_at":"2025-07-28T12:30:53.198Z","avatar_url":"https://github.com/curityio.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OAuth 2.0 Client with Spring Boot\n\n[![Quality](https://img.shields.io/badge/quality-demo-red)](https://curity.io/resources/code-examples/status/)\n[![Availability](https://img.shields.io/badge/availability-source-blue)](https://curity.io/resources/code-examples/status/)\n\nThis repository contains an example implementation that demonstrates how to use Spring Boot and Spring Security to create an OAuth 2.0 Client that authenticates users through the Curity Identity Server.\n\nThis example demonstrates two different ways for client authentication:\n\n1. Basic authentication with a client-id and a shared client secret\n2. 
JWT client assertion authentication (`private_key_jwt`) with a client-id and a keystore holding a key pair\n\nThe second option illustrates how to follow the client authentication recommendation of [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-2.4), the updated and consolidated version of OAuth 2.0: the client proves possession of a private key instead of sending a shared secret to the token endpoint.\n\n## Configure the Client\n\n### Using Basic Authentication\n\n* Create a client `demo-basic-client` with the code flow capability. \n* Register the following redirect URI for your client: `http://localhost:8080/login/oauth2/code/demo-basic-client`. In this case we assume that the application is hosted on `localhost`; adapt accordingly. OAuth 2.1 requires exact string matching of redirect URIs, so register the URI exactly as the application sends it, including scheme, host and port. \n \nThe redirect URI is the path of the application to which the Curity Identity Server redirects the browser after the user has authenticated. This is an endpoint that Spring Boot sets up; its last path segment is the registration id from `application.yml`.\n\n* Choose the authentication method `secret` and enter a secret. \n* Under **Authorization** add the scopes `openid` and `profile`.\n\n### Using Private Key JWT\nAssume there is a key pair that the client uses to create a self-signed JWT. The public key of the key pair needs to be uploaded to the Curity Identity Server.\n* In the **Facilities** menu, under **Keys and Cryptography** select **Signing**.\n* Create a new **Signature Verification Key**. \n* Enter a name.\n* Select `asymmetric` as type and upload the existing (public) key.\n\nNow, navigate to the token service profile to set up the client: \n\n* Create a client `demo-private-jwt-client` with the code flow capability. \n* Register the following redirect URI for your client: `http://localhost:8080/login/oauth2/code/demo-private-jwt-client`. In this case we assume that the application is hosted on `localhost`; adapt accordingly. \n \nThe redirect URI is the path of the application to which the Curity Identity Server redirects the browser after the user has authenticated. 
This is an endpoint that Spring Boot sets up.\n\n* Choose the authentication method `asymmetric-key` and select the signature verification key created above. This is the public key that corresponds to the private key with which the client signs the JWT it uses to authenticate itself.\n* Under **Authorization** add the scopes `openid` and `profile`.\n\n## Configure application.yml\nMake sure this matches the configuration on the server side. Update the client registration and provider to fit your settings. In particular, check the `client-id` and `client-secret` when using basic authentication. The secret below is a placeholder; keep the real one out of source control, for example by supplying it through an environment variable or another externalized property that Spring Boot binds over this value:\n\n```yaml\nspring:\n  security:\n    oauth2:\n      client:\n        registration:\n          demo-basic-client:\n            client-name: Login with the Curity Identity Server (Basic Client)\n            client-id: demo-basic-client\n            client-secret: Secr3t\n            authorization-grant-type: authorization_code\n            redirect-uri: \"{baseUrl}/login/oauth2/code/{registrationId}\"\n            scope: openid, profile\n            provider: idsvr\n```\n\nFor the client that uses a JWT client assertion for authentication, check the `client-id` and the `client.authentication.asymmetric-key` parameters. The latter are properties of this example application, not of Spring Security itself. \n\nPoint to a keystore that contains at least one private key and a corresponding certificate with the public key. \nProvide the password of the keystore and the alias of the key pair. \n\nThe certificate (that is, the public key) must be registered with the Curity Identity Server as a **Signature Verification Key**. 
See [Configure the Client](#configure-the-client).\n\n```yaml\nspring:\n  security:\n    oauth2:\n      client:\n        registration:\n          demo-private-jwt-client:\n            client-name: Login with the Curity Identity Server (Private JWT Client)\n            client-id: demo-private-jwt-client\n            client-authentication-method: private_key_jwt\n            authorization-grant-type: authorization_code\n            redirect-uri: \"{baseUrl}/login/oauth2/code/{registrationId}\"\n            scope: openid, profile\n            provider: idsvr\n\nclient:\n  authentication:\n    asymmetric-key:\n      key-store-file-name: demo-private-jwt-client.jks\n      key-store-password: changeit\n      key-store-alias: demo-client\n      key-store-type: jks\n```\n\nThe keystore password, like the client secret, is a placeholder to be supplied from outside source control in anything but a demo.\n\nDon't forget to point to the Curity Identity Server as well. Specify the issuer URI (by default, this is the anonymous endpoint of the Curity Identity Server). At startup Spring Boot appends `/.well-known/openid-configuration` to this URI, loads the OpenID Connect metadata from the server and refuses to start if the `issuer` in that metadata does not match the configured value, so use exactly the issuer the server advertises.\n\n```yaml\nspring:\n  security:\n    oauth2:\n      client:\n        provider:\n          idsvr:\n            issuer-uri: https://idsvr.example.com/oauth/v2/oauth-anonymous\n```\n\nSee [application.yml](src/main/resources/application.yml) for the complete configuration.\n\n## Run the application\nTo start the application run \n\n```bash\n./gradlew bootRun\n```\n\nOpen `http://localhost:8080` in your browser. Click on the link to log in. \nPick one of the two clients to fetch an access token and an ID token from the Curity Identity Server. \nAfter successful login the page displays the username and the name of the client used to integrate with the Curity Identity Server.\n\n### Configuring the Trust Store\n\nThe application must trust the HTTPS server certificate of the Curity Identity Server. Place the issuing CA certificate of the server certificate, all intermediate CA certificates and the root CA certificate in a trust store. 
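\n\nThe keystore configured in `application.yml` above is what the second authentication method signs with. As an added example, not code from this repository, the following class builds a `private_key_jwt` client assertion the way the Spring client must and then performs the checks the Curity Identity Server performs with the registered Signature Verification Key. Assumptions: the token endpoint `https://idsvr.example.com/oauth/v2/oauth-token` is invented for the example (the README only names the issuer; in practice the client reads the endpoint from the OpenID metadata); an ephemeral RSA key pair stands in for the entry `demo-client` in `demo-private-jwt-client.jks`; and the `json` and `claim` helpers are stand-ins for the JSON and JWS handling that a library such as Nimbus, which Spring Security uses, provides.\n\n```java\nimport java.nio.charset.StandardCharsets;\nimport java.security.KeyPair;\nimport java.security.KeyPairGenerator;\nimport java.security.PrivateKey;\nimport java.security.PublicKey;\nimport java.security.Signature;\nimport java.time.Instant;\nimport java.util.Base64;\nimport java.util.HashSet;\nimport java.util.Set;\nimport java.util.UUID;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\n// Added example, not code from this repository: a private_key_jwt client assertion (RFC 7523, OpenID Connect Core section 9).\npublic class ClientAssertionDemo {\n    static final String Q = String.valueOf('\"');\n    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();\n    static final Base64.Decoder DEC = Base64.getUrlDecoder();\n\n    // Minimal JSON object builder for flat string/number claims (values are not escaped; demo only).\n    static String json(Object... kv) {\n        StringBuilder sb = new StringBuilder(\"{\");\n        for (int i = 0; i < kv.length; i += 2) {\n            if (i > 0) sb.append(',');\n            sb.append(Q).append(kv[i]).append(Q).append(':');\n            Object v = kv[i + 1];\n            if (v instanceof Number) sb.append(v); else sb.append(Q).append(v).append(Q);\n        }\n        return sb.append('}').toString();\n    }\n\n    // Reads one flat claim back out of a JSON object; null when absent. Treats aud as a single string only.\n    static String claim(String jsonObject, String name) {\n        Matcher m = Pattern.compile(Q + name + Q + \":\" + Q + \"?([^\" + Q + \",}]*)\").matcher(jsonObject);\n        return m.find() ? m.group(1) : null;\n    }\n\n    // Client side: iss and sub are both the client_id, aud is the token endpoint, jti is unique per request, exp is a minute out.\n    static String buildClientAssertion(String clientId, String tokenEndpoint, PrivateKey key) throws Exception {\n        long now = Instant.now().getEpochSecond();\n        String header = json(\"alg\", \"RS256\", \"typ\", \"JWT\");\n        String payload = json(\"iss\", clientId, \"sub\", clientId, \"aud\", tokenEndpoint,\n                \"jti\", UUID.randomUUID().toString(), \"iat\", now, \"exp\", now + 60);\n        String signingInput = ENC.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + \".\"\n                + ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8));\n        Signature sig = Signature.getInstance(\"SHA256withRSA\");\n        sig.initSign(key);\n        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));\n        return signingInput + \".\" + ENC.encodeToString(sig.sign());\n    }\n\n    // Server side: verify with the registered Signature Verification Key, then check the claims; seenJti is the replay cache.\n    static void verifyClientAssertion(String assertion, String expectedClientId, String tokenEndpoint,\n            String issuer, PublicKey registeredKey, Set<String> seenJti) throws Exception {\n        String[] parts = assertion.split(\"[.]\");\n        if (parts.length != 3) throw new SecurityException(\"malformed JWT\");\n        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);\n        String payload = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);\n        // The algorithm is pinned to the one registered for the client: never accept none or an HMAC alg here.\n        if (!\"RS256\".equals(claim(header, \"alg\"))) throw new SecurityException(\"unexpected alg\");\n        Signature sig = Signature.getInstance(\"SHA256withRSA\");\n        sig.initVerify(registeredKey);\n        sig.update((parts[0] + \".\" + parts[1]).getBytes(StandardCharsets.US_ASCII));\n        if (!sig.verify(DEC.decode(parts[2]))) throw new SecurityException(\"bad signature\");\n        if (!expectedClientId.equals(claim(payload, \"iss\")) || !expectedClientId.equals(claim(payload, \"sub\")))\n            throw new SecurityException(\"iss and sub must equal the client_id\");\n        String aud = claim(payload, \"aud\");\n        if (!tokenEndpoint.equals(aud) && !issuer.equals(aud)) throw new SecurityException(\"aud mismatch\");\n        String expClaim = claim(payload, \"exp\"), iatClaim = claim(payload, \"iat\");\n        if (expClaim == null || iatClaim == null) throw new SecurityException(\"exp and iat are required\");\n        long now = Instant.now().getEpochSecond(), exp = Long.parseLong(expClaim), iat = Long.parseLong(iatClaim);\n        if (exp <= now) throw new SecurityException(\"expired\");\n        if (exp - iat > 300) throw new SecurityException(\"lifetime too long\"); // long-lived assertions stay replayable\n        String jti = claim(payload, \"jti\");\n        if (jti == null || !seenJti.add(jti)) throw new SecurityException(\"jti missing or replayed\");\n    }\n\n    public static void main(String[] args) throws Exception {\n        String clientId = \"demo-private-jwt-client\";\n        String issuer = \"https://idsvr.example.com/oauth/v2/oauth-anonymous\";\n        String tokenEndpoint = \"https://idsvr.example.com/oauth/v2/oauth-token\"; // assumed; read from the metadata in practice\n        // Ephemeral pair standing in for demo-private-jwt-client.jks; the real one is read with java.security.KeyStore\n        // (getKey for the private key, getCertificate for the public key, alias and password as in application.yml).\n        KeyPairGenerator gen = KeyPairGenerator.getInstance(\"RSA\");\n        gen.initialize(2048);\n        KeyPair pair = gen.generateKeyPair();\n        Set<String> seenJti = new HashSet<>();\n        String assertion = buildClientAssertion(clientId, tokenEndpoint, pair.getPrivate());\n        verifyClientAssertion(assertion, clientId, tokenEndpoint, issuer, pair.getPublic(), seenJti);\n        System.out.println(\"accepted: \" + assertion);\n        try {\n            verifyClientAssertion(assertion, clientId, tokenEndpoint, issuer, pair.getPublic(), seenJti);\n        } catch (SecurityException e) {\n            System.out.println(\"second use rejected: \" + e.getMessage());\n        }\n    }\n}\n```\n\nThe checks in `verifyClientAssertion` are the ones that matter in practice: the `alg` is pinned to what the client was registered with, `iss` and `sub` must both equal the `client_id`, `aud` must be the token endpoint (or the issuer identifier), the lifetime must be short, and the `jti` must not have been seen before, otherwise a captured assertion can be replayed until it expires. The token request then carries `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and `client_assertion=<jwt>` instead of a client secret.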
\n\nStart the application with the truststore using JVM arguments:\n\n```bash\n./gradlew bootRun -Djavax.net.ssl.trustStore=/path/to/localhost.truststore -Djavax.net.ssl.trustStorePassword=changeit\n```\n\n## Generate Key and Trust Stores\n\n### Key Store for Client Authentication\n\nWhen authenticating with `private_key_jwt`, you need a key pair with which the client signs the JWT it uses to authenticate. Use `keytool` to generate one:\n\n```bash\nkeytool -genkeypair -alias demo-client -keyalg RSA -keystore demo-private-jwt-client.jks -keysize 2048 -dname \"CN=Demo Client,O=Example\"\n```\n\nThe subject name of the certificate does not matter in this context. The keystore password you enter must match `key-store-password` in `application.yml`, and the alias is what identifies the key pair, so make sure to remember it. Note that `keytool` issues the certificate with a validity of 90 days unless you pass `-validity <days>`. Put the key store file in the `resources` folder and update the parameters in `application.yml` accordingly; anything in `resources` is packaged into the jar, so outside of a demo keep a keystore holding a private key out of the build.\n\nExport the certificate with the public key:\n\n```bash\nkeytool -exportcert -keystore demo-private-jwt-client.jks -alias demo-client -file demo-client.cer\n```\n\nUpload the certificate file to the Curity Identity Server as a **Signature Verification Key** in the **Facilities** -\u003e **Keys and Cryptography** -\u003e **Signing** section and configure the client with that key.\n\n### Trust Store for Server Certificates\n\nThis example assumes that the authorization server's endpoints are served over HTTPS. \nThe application must trust the server certificate presented by the endpoints it calls directly: the OpenID metadata, token, JWKS and userinfo endpoints. \nIn test systems the server certificate may not be trusted by default. \nTo set up the trust, add the trust chain of the server certificate to a trust store. \nGet hold of the certificate of the CA that issued the server certificate and all intermediate CA certificates up to the root CA (\"trust chain\"). \nThen use `keytool` to import the certificate(s) into a (new) truststore, giving each certificate its own alias, because `keytool` refuses to import into an alias that already exists:\n\n```bash\nkeytool -importcert -keystore localhost.truststore -alias issuing-ca -file issuing-ca-cert.pem\n```\n\nIf prompted, trust the certificates. 
\nIf the server certificate is self-signed, import only that certificate itself.\n\n## More Information\nMore information about OAuth 2.0, OpenID Connect and the Curity Identity Server can be found here:\n\n* [The Curity Identity Server](https://curity.io)\n* [OAuth 2.0](https://curity.io/resources/oauth/)\n* [OpenID Connect](https://curity.io/resources/openid-connect/)\n\nCheck out the tutorial that accompanies this repository:\n* [OIDC Client with Spring Security](https://curity.io/resources/tutorials/howtos/writing-clients/oidc-spring-boot/)\n\n## Licensing\n\nThis software is copyright (C) 2020 Curity AB. It is open source software that is licensed under the [Apache 2 license](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fspring-boot-oauth-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Fspring-boot-oauth-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Fspring-boot-oauth-client/lists"}