{"id":28208083,"url":"https://github.com/onewelcome/java-spring-oidc-example","last_synced_at":"2025-06-14T05:34:25.791Z","repository":{"id":38457726,"uuid":"145553643","full_name":"onewelcome/java-spring-oidc-example","owner":"onewelcome","description":null,"archived":true,"fork":false,"pushed_at":"2023-08-25T08:23:26.000Z","size":192,"stargazers_count":35,"open_issues_count":3,"forks_count":16,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-05-26T10:17:52.436Z","etag":null,"topics":["example"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/onewelcome.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2018-08-21T11:20:20.000Z","updated_at":"2024-08-27T15:31:13.000Z","dependencies_parsed_at":"2023-02-13T19:15:57.066Z","dependency_job_id":null,"html_url":"https://github.com/onewelcome/java-spring-oidc-example","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/onewelcome/java-spring-oidc-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onewelcome%2Fjava-spring-oidc-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onewelcome%2Fjava-spring-oidc-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onewelcome%2Fjava-spring-oidc-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onewelcome%2Fjava-spring-oidc-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/onewelcome","download_url":"https://codeload.github.com/onewelcome/java-spring-oidc-example/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/onewelcome%2Fjava-spring-oidc-example/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259404370,"owners_count":22852175,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["example"],"created_at":"2025-05-17T14:11:40.218Z","updated_at":"2025-06-12T05:31:40.443Z","avatar_url":"https://github.com/onewelcome.png","language":"Java","readme":"# Java Spring example\nThis example covers how to implement and configure a Java Spring project to work with Onegini's OpenID Connect Provider (OP). The example is based on the\nproject [spring-google-openidconnect](https://github.com/fromi/spring-google-openidconnect).\n\n## Clone and configure your IDE\nTo get the example up and running, first you'll need to clone it:\n\n`git clone https://github.com/Onegini/java-spring-oidc-example.git`\n\n### IntelliJ\n\nGo to `File -\u003e Open` and open the file `java-spring-oidc-example/pom.xml`, open it as a project.\n\nThe class `com.onegini.oidc.Application` should automatically be found and set up a run configuration for you so you can run it within IntelliJ.\n\n## Onegini Configuration\nYou'll need to properly setup your client using the Onegini Admin panel before you can begin testing.\nRefer to the [OpenID Connect documentation](https://docs.onegini.com/msp/6.0/token-server/topics/oidc/index.html). \n\nThe Web client must support the following scopes:\n  * openid\n  * profile\n  \nThe Onegini Token Server only redirects to preconfigured endpoints after login or logout. You must configure the following endpoints in the Onegini Token Server:\n  * Redirect URL: `http://localhost:8080/login`\n  * Post Logout Redirect URL: `http://localhost:8080/signout-callback-oidc`\n  \n### Configuring ID Token Encryption\nThe Onegini Token Server supports encryption of the ID token to provide confidentiality of the claims. It can be configured by providing a JWKS endpoint and \nchoosing an encryption method in [OpenID Connect configuration](https://docs.onegini.com/msp/6.0/token-server/topics/web-clients/web-client-configuration.html#enabling-openid-connect-capability):\n  * Encryption method: select one of encryption method that will be used to encrypt the ID Token.\n  * JWKS URI: An endpoint that returns a list of public keys for encryption purposes. In this example it is exposed at \n  `http://localhost:8080/.well-known/jwks.json`. These keys typically would be stored in your database and would not change frequently. This example generates \n  them each time the application is started.\n\n## Set up the application configuration\n\nModify `application.properties` in _/src/main/resources_ or use one of the mechanisms Spring Boot supports to [override property values](https://docs.spring.io/spring-boot/docs/current/reference/html/howto-properties-and-configuration.html).\nThe following properties must be set:\n\n  * onegini.oidc.clientId: the client identifier of the Web client that supports OpenID Connect\n  * onegini.oidc.clientSecret: the client secret of the Web client that supports OpenID Connect\n  * onegini.oidc.issuer: the base URL of the Token Server instance\n  \nOptional properties:  \n  * onegini.oidc.idTokenEncryptionEnabled: boolean for enabling ID token encryption. This should match the server side configuration\n\n___Example configuration___\n\n```\nonegini.oidc.clientId=openid-client\nonegini.oidc.clientSecret=secret\nonegini.oidc.issuer=http://localhost:7878/oauth\nonegini.oidc.idTokenEncryptionEnabled=true\n```\n\n## Run and test\nRun the example via the Run configuration in IntelliJ or via the command line: `mvn spring-boot:run`. The Token Server needs to be accessible to start this \napplication since it connects to the discovery endpoint during start up.\n\nGo to [http://localhost:8080](http://localhost:8080) \n\nYou should see a page with a link to a secured resource. When you click the link you wil be redirected to authenticate. If everything goes well, you will be \nreturned to a page where you see user information and the claims from the ID token. The user identifier is the value of the \"sub\" claim in the ID token.\n            \n## How it works\n\n### OAuth2Client\n[OAuth2Client.java](src/main/java/com/onegini/oidc/security/OAuth2Client.java) configures the OAuth flow for Spring Security. It uses discovery \nto find the endpoints used by the OAuth flow. By default the scopes \"openid\" and \"profile\" are requested.\n\n### OpenIdConnectAuthenticationFilter\n[OpenIdConnectAuthenticationFilter.java](src/main/java/com/onegini/oidc/security/OpenIdConnectAuthenticationFilter.java) is the filter used during\nauthentication. It obtains the ID token and creates the principal using some of the data.\n\nDepending on the scope and configuration used in your environment, the user data returned in the ID token will differ. Adjust the \n`OpenIDConnectAuthenticationFilter` class accordingly to match the correct fields.\nIn this example we use the `sub` and the `name` value, but you can use any value configured for your environment.\n\n### OpenIdTokenValidationWrapper\n[OpenIdTokenValidationWrapper.java](src/main/java/com/onegini/oidc/security/OpenIdTokenValidatorWrapper.java) validates the ID token. It validates\nits signature against the keys that are returned by the JWKS endpoint of the OP. It verifies that the claims are from the issuer, intended for the correct \naudience and that they have not expired.\n\n### UserInfo\nThe [UserInfo.java](src/main/java/com/onegini/oidc/model/UserInfo.java) is a POJO for user information. It is used as user principal in Spring \nSecurity.\n\n### TokenDetails\nThe [TokenDetails.java](src/main/java/com/onegini/oidc/model/TokenDetails.java) is a POJO for additional details about the token used during \nauthentication. In this project it contains the claims of the JWT.\n\n### Security configuration\nIn [SecurityConfiguration.java](src/main/java/com/onegini/oidc/security/SecurityConfiguration.java) we configure the Spring Security filters used \nto authenticate the user and authorize the controllers of our application.\n\n### SampleSecuredController\nThe [SampleSecuredController.java](src/main/java/com/onegini/oidc/SampleSecuredController.java) has a protected endpoint `/secured`. It populates\nthe modelMap for the template that shows the user information, ID token and the claims.\n\n### LogoutController\nThe [LogoutController.java](src/main/java/com/onegini/oidc/LogoutController.java) contains the logic to end the session. The user first comes to\nthe `/logout` endpoint. If the user was logged in via an ID token, they are redirected to the end session endpoint of the OP. The OP ends the session of the \nuser and redirects it back to `http://localhost:8080/signout-callback-oidc`. Then the user is logged out in Spring Security and redirected to the home page.\n\n## Encryption/Decryption\n\n### JweWellKnownJwksController\nThe [JweWellKnownJwksController.java](src/main/java/com/onegini/oidc/JweWellKnownJwksController.java) is responsible for returning the JWKS list (for encryption \npurposes). This is an example implementation defined by the [OpenID Connect Encryption spec](https://openid.net/specs/openid-connect-core-1_0.html#RotateEncKeys).\nThis example uses the `ECDH_ES` algorithm by default. You can swap to another asymmetric algorithm such as `RSA_OAEP_256` using the \n`ASYMMETRIC_ENCRYPTION_ALGORITHM` variable. The `MAX_AGE` variable defined in this class defines how long the Token Server will cache the response.\nThis should align with your key rotation strategy. It also validates that the key's encryption algorithm is supported by checking the supported algorithms \nexposed by the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) This example generates keys every time \nthe application is started and stores them in memory. In a production situation, keys should be persisted in some way and proper key rotation followed. See \n[JSON Web Key (JWK) RFC-7517](https://tools.ietf.org/html/rfc7517) for more information. This controller is only exposed when the property\n`onegini.oidc.idTokenEncryptionEnabled` is set to `true`. If your client is not configured for encryption, there is no need for this controller.\n\n### JweKeyGenerator\nThe [JweKeyGenerator.java](src/main/java/com/onegini/oidc/encryption/JweKeyGenerator.java) is responsible for key generation. It shows how to generate the RSA \nand EC keys. This could be used to help you generate keys to persist elsewhere.\n\n### JwkSetProvider\nThe [JwkSetProvider.java](src/main/java/com/onegini/oidc/encryption/JwkSetProvider.java) has a storage role for caching the encryption keys. In a production \nenvironment it should be modified to grab the keys from where they have been stored.\n\n### JweDecrypterService\nThe [JweDecrypterService.java](src/main/java/com/onegini/oidc/encryption/JweDecrypterService.java) does the decryption of the ID token. The `decrypt` \nmethod consumes the encrypted JWT and tries to decrypt it by finding the relevant key. It then passes that key with the encrypted JWT to `nimbusds-jose-jwt` \nlibrary which decrypts it and returns the Signed JWT.\n\n## Troubleshooting\n\nConnecting this Relying Party example with the Onegini Token Server requires configuration of both applications. This section describes some situations that may \ngo wrong. \n\n### Application fails to start\n\nThe RP can only start up when the Onegini Token Server is running. During the start up the RP tries to connect to the discovery endpoint of the\nOnegini Token Server.\n\n* Check that the Onegini Token Server is running\n* Check that the property `onegini.oidc.issuer` points to the base URL of that Onegini Token Server (e.g. http://localhost:7878/oauth)\n\n### 401 - Unauthorized during login\n\nThis means that the authentication has failed. \n\nYou may see this when the Relying Party has disabled ID Token encryption but the configuration in the Onegini Token Server has enabled it. When this is the \ncase, there are two solutions:\n* Enable ID Token encryption in the RP via the property `onegini.oidc.idTokenEncryptionEnabled=true` and restart the application\n* Disable ID Token encryption in the Onegini Token Server. Call the logout endpoint http://localhost:8080/logout before logging in again.\n\n### 500 - Internal server error during login\n\nAn error page is shown during login with a message \"Server did not return an Encrypted JWT but encryption was enabled. Check your server side configuration\".\n\nYou see this when the Relying Party has enabled ID Token encryption but the configuration in the Onegini Token Server has disabled it.\n\nThere are two solutions:\n* Disable ID Token encryption in the RP via the property `onegini.oidc.idTokenEncryptionEnabled=false` and restart the application\n* Enable ID Token encryption in the Onegini Token Server. Call the logout endpoint http://localhost:8080/logout before logging in again.\n\n### Confirmation page is shown after logout\n\nThere can be several reasons why this page is shown by the Onegini Token Server after logging out with the RP:\n* The POST logout redirect URL is not properly configured. Refer to the [Onegini Configuration](#onegini-configuration)\n* ID Token encryption is enabled","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fonewelcome%2Fjava-spring-oidc-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fonewelcome%2Fjava-spring-oidc-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fonewelcome%2Fjava-spring-oidc-example/lists"}