These two are often confused because OIDC is built on top of OAuth2.
The purpose of OAuth2 is authorization; it answers the question: can this app access data on my behalf? OpenID Connect adds identity on top of that and answers the question: who is the logged-in user?
Think of OAuth2 as a key to a room and OIDC as a passport that confirms your identity.
For a minimal example, we first add the dependencies to the pom.xml:
```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
</dependencies>
```
And a minimal security configuration in Spring Boot:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // landing page and /public stay reachable without a login
                .requestMatchers("/", "/public").permitAll()
                // everything else requires an authenticated user
                .anyRequest().authenticated()
            )
            // enables the OAuth2/OIDC login flow for every registration in application.yml
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```
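OIDC tells you who the user is, but only as reliably as the provider's own checks on that identity. A common hardening is to refuse logins whose `email_verified` claim is not `true`, so that an unverified address cannot be used to claim an account. The following is an added example, not code from the original post: it keeps the same authorization rules as the configuration above and plugs a custom `OidcUserService` into the login flow. It assumes Spring Boot 3 / Spring Security 6 as used throughout this post; the class name and the `email_not_verified` error code are my own choices.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class VerifiedEmailSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public").permitAll()
                .anyRequest().authenticated()
            )
            .oauth2Login(login -> login
                // only OIDC registrations (those with the openid scope) go through this service;
                // plain OAuth2 registrations such as Facebook use the default OAuth2UserService
                .userInfoEndpoint(userInfo -> userInfo
                    .oidcUserService(verifiedEmailOidcUserService())));
        return http.build();
    }

    @Bean
    public OAuth2UserService<OidcUserRequest, OidcUser> verifiedEmailOidcUserService() {
        // the default service already validated the ID token signature, issuer, audience
        // and nonce; we only add a policy check on the resulting claims
        OidcUserService delegate = new OidcUserService();
        return userRequest -> {
            OidcUser user = delegate.loadUser(userRequest);
            Boolean verified = user.getEmailVerified();   // standard claim, may be absent (null)
            if (verified == null || !verified) {
                // an unverified (or missing) email_verified claim ends the login with an error
                OAuth2Error error = new OAuth2Error(
                        "email_not_verified",
                        "Login requires an email address verified by the identity provider",
                        null);
                throw new OAuth2AuthenticationException(error, error.getDescription());
            }
            return user;
        };
    }
}
```

Use this class instead of `SecurityConfig`, not alongside it, since both define the filter chain. The rejected login lands on the default `/login?error` page; the same pattern works for any other claim-based policy, for example restricting the accepted `iss` values or requiring a specific `hd` (hosted domain) claim.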
OIDC providers (Google, Keycloak) inject OidcUser; plain OAuth2 providers (Facebook) inject OAuth2User.
```java
import java.util.Map;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    @GetMapping("/")
    public String home() {
        return "Welcome!";
    }

    // OIDC login (Google, Keycloak): the principal carries the ID token claims
    @GetMapping("/user")
    public Map<String, Object> oidcUser(@AuthenticationPrincipal OidcUser user) {
        // Map.of rejects null values, so this needs the profile and email scopes to be granted
        return Map.of(
            "name", user.getFullName(),
            "email", user.getEmail(),
            "claims", user.getClaims()
        );
    }

    // plain OAuth2 login (Facebook): only the attributes from the userinfo endpoint are available
    @GetMapping("/facebook")
    public Map<String, Object> oauth2User(@AuthenticationPrincipal OAuth2User user) {
        return Map.of("attributes", user.getAttributes());
    }
}
```
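The controller above needs one endpoint per principal type and breaks with a `NullPointerException` when a claim is missing. As an added example (not code from the original post), the single endpoint below works for every registration in the configuration: it reports which registration authenticated the user and, for OIDC, the identity facts that come from the validated ID token (issuer, subject, audience, expiry), while for a plain OAuth2 provider it can only hand back the provider's attributes. It assumes the same Spring Boot 3 / Spring Security 6 setup and Java 17 pattern-matching `instanceof`; the `/me` path and the field names in the response are my own choices.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MeController {

    @GetMapping("/me")
    public Map<String, Object> me(Authentication authentication) {
        // LinkedHashMap keeps insertion order and, unlike Map.of, tolerates null claim values
        Map<String, Object> out = new LinkedHashMap<>();

        if (!(authentication instanceof OAuth2AuthenticationToken token)) {
            out.put("authenticated", false);
            return out;
        }

        // which entry under spring.security.oauth2.client.registration was used (google, facebook, keycloak)
        out.put("registrationId", token.getAuthorizedClientRegistrationId());
        OAuth2User principal = token.getPrincipal();

        if (principal instanceof OidcUser oidc) {
            // OIDC: identity is taken from the signed ID token that Spring already validated
            OidcIdToken idToken = oidc.getIdToken();
            out.put("protocol", "OpenID Connect");
            out.put("issuer", idToken.getIssuer() == null ? null : idToken.getIssuer().toString());
            out.put("subject", idToken.getSubject());          // stable user id at this issuer
            out.put("audience", idToken.getAudience());        // must contain our client-id
            out.put("idTokenExpiresAt", idToken.getExpiresAt());
            out.put("name", oidc.getFullName());
            out.put("email", oidc.getEmail());
            out.put("emailVerified", oidc.getEmailVerified());  // null when the provider omits it
        } else {
            // plain OAuth2: no ID token, so "who is the user" rests entirely on the
            // provider's userinfo response and the configured user-name-attribute
            out.put("protocol", "OAuth2");
            out.put("name", principal.getName());
            out.put("attributes", principal.getAttributes());
        }
        return out;
    }
}
```

The `subject` + `issuer` pair is the value to key user accounts on; names and email addresses can change or be reused, and in the plain OAuth2 branch there is no token-backed identity at all, only what the provider's userinfo endpoint returned.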
And here the application.yaml config:
```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_GOOGLE_CLIENT_ID
            client-secret: YOUR_GOOGLE_SECRET
            scope: [openid, profile, email]   # openid triggers OIDC
          facebook:
            client-id: YOUR_FACEBOOK_APP_ID
            client-secret: YOUR_FACEBOOK_SECRET
            scope: [public_profile, email]    # no openid — plain OAuth2
          keycloak:
            client-id: spring-client
            client-secret: YOUR_KEYCLOAK_SECRET
            authorization-grant-type: authorization_code
            scope: [openid, profile, email]
        provider:
          keycloak:
            issuer-uri: http://localhost:8081/realms/demo
```
Before starting this application, we should start the Keycloak Docker container with `docker compose up`, using this compose file:
```yaml
# docker-compose.yml
version: '3.9'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.2
    container_name: local_keycloak
    command: start-dev            # development mode: HTTP, no production hardening
    environment:
      # Keycloak 26 deprecates these two names in favour of
      # KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD; both still work
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    ports:
      - "8081:8080"               # host 8081 -> container 8080, matches the issuer-uri above
```
Then open http://localhost:8081 and log in with admin / admin.
Keycloak setup checklist
- Create a Realm named demo
- Create a Client of type OpenID Connect with the ID spring-client
- Enable Client Authentication (required to generate a client secret)
- Set Valid Redirect URIs to http://localhost:8080/login/oauth2/code/keycloak
- Copy the secret from the Credentials tab into application.yml
- Create a test User under the Users tab so you can log in