In modern applications, securing APIs and web applications is a top priority. In this post, we’ll dive deep into how to implement OAuth2 Login and Resource Server with Spring Boot 3. You will learn how to:
- Secure your frontend using OAuth2 login
- Protect your backend APIs using the Resource Server setup
This implementation uses Spring Security 6 and Spring Boot 3, leveraging features like JWT decoding and user info endpoints.

📦 Project Setup
Use Spring Initializr or your favorite IDE to create a project with the following dependencies:
- Spring Web
- Spring Security
- OAuth2 Client
- OAuth2 Resource Server
Package structure:
```text
com.kscodes.springboot.security.oauth2
├── config
│   └── SecurityConfig.java
├── controller
│   └── UserController.java
└── application.properties
```
🔧 OAuth2 Login Configuration
We’ll first configure OAuth2 login for a simple frontend page.
SecurityConfig.java (Login)
```java
package com.kscodes.springboot.security.oauth2.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration   // without this the @Bean below is never registered
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public").permitAll()
                .anyRequest().authenticated()
            )
            // Enables the OAuth2/OIDC authorization-code login flow. The no-arg
            // oauth2Login() overload is deprecated since Spring Security 6.1.
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```
🛡️ Resource Server Configuration (JWT)
To enable resource server support, configure Spring Security to validate JWT tokens.
Modify SecurityConfig.java by adding a second filter chain:
```java
// Add to SecurityConfig.java. Two extra imports are needed:
//   org.springframework.core.annotation.Order
//   org.springframework.security.config.Customizer

@Bean
@Order(1)   // evaluated before the login chain, which has no @Order and so runs last
public SecurityFilterChain resourceServerSecurity(HttpSecurity http) throws Exception {
    http
        // Scope this chain to the API. Without a securityMatcher the login chain
        // already matches every request, and Spring Security 6 refuses to start
        // because this chain could never be reached.
        .securityMatcher("/api/**")
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/**").authenticated()
            .anyRequest().permitAll()
        )
        // Validate Bearer JWTs with the JwtDecoder built from issuer-uri.
        .oauth2ResourceServer(oauth2 -> oauth2
            .jwt(Customizer.withDefaults())   // jwt() without a Customizer is deprecated since 6.1
        );
    return http.build();
}
```
🧩 application.properties
```properties
# OAuth2 Login
spring.security.oauth2.client.registration.google.client-id=YOUR_GOOGLE_CLIENT_ID
spring.security.oauth2.client.registration.google.client-secret=YOUR_GOOGLE_CLIENT_SECRET
spring.security.oauth2.client.registration.google.scope=openid,email,profile

# JWT Resource Server
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://accounts.google.com
```
Note: From the issuer URI, Spring discovers the provider's signing keys and then checks each token's signature, issuer and expiry, so only tokens issued by that provider are accepted.
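The issuer-based decoder checks signature, `iss` and expiry but not `aud`, so a JWT the same provider issued to a different client would pass. The following bean, added here as an example and not part of the original post, replaces the auto-configured decoder with one that also requires your own client id in the audience. It assumes the two property names from application.properties above and a class name `JwtDecoderConfig` chosen for this example. With Google specifically, the access token is opaque; the JWT a client can present is the ID token, whose `aud` is the client id.

```java
package com.kscodes.springboot.security.oauth2.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Example configuration (hypothetical class name). Defining a JwtDecoder bean makes
// Spring Boot's issuer-uri auto-configuration back off, so this is the only decoder.
@Configuration
public class JwtDecoderConfig {

    @Bean
    JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer,
            @Value("${spring.security.oauth2.client.registration.google.client-id}") String clientId) {

        // OIDC discovery + JWKS download, exactly what issuer-uri auto-configuration does.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);

        // Default checks: signature (via JWKS), exp/nbf with clock skew, and iss == issuer.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);

        // Extra check: the token must have been minted for THIS client, not for any
        // other client registered at the same provider.
        OAuth2TokenValidator<Jwt> withAudience = jwt -> jwt.getAudience().contains(clientId)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "The required audience is missing", null));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }
}
```

A rejected token surfaces as a 401 with a `WWW-Authenticate: Bearer error="invalid_token"` header, the same path Spring uses for signature and expiry failures.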
👨‍💻 Controller Example
```java
package com.kscodes.springboot.security.oauth2.controller;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    @GetMapping("/api/user")
    public String getUser(Authentication authentication) {
        // /api/** is served by the resource-server chain, so the principal is a Jwt,
        // not an OidcUser; binding @AuthenticationPrincipal OidcUser here would be null.
        Object principal = authentication.getPrincipal();
        if (principal instanceof Jwt jwt) {
            return "Welcome, " + jwt.getClaimAsString("name");
        }
        if (principal instanceof OidcUser user) {   // session-based OIDC login
            return "Welcome, " + user.getFullName();
        }
        return "Welcome, " + authentication.getName();
    }

    @GetMapping("/public")
    public String publicEndpoint() {
        return "This is a public page.";
    }
}
```
🌐 How OAuth2 Login and Resource Server Work Together
- The OAuth2 Login flow authenticates the user and fetches user information from the provider (e.g., Google, GitHub).
- The Resource Server protects API endpoints using JWT tokens. When a client presents a Bearer token, the backend validates the JWT's signature and claims before serving the request; there is no session and no login redirect on this path.
This combination of OAuth2 Login and Resource Server with Spring Boot 3 gives you a scalable, secure architecture that separates concerns effectively.
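The cleanest way to see the two chains working side by side is a MockMvc test that exercises both entry points. The test below is an added example, not from the original post: it assumes spring-security-test and spring-boot-starter-test on the classpath, that `/api/user` answers "Welcome, " followed by the JWT's `name` claim, and uses placeholder client credentials. The mocked `JwtDecoder` only keeps the context from contacting Google at startup; `jwt()` populates the SecurityContext directly, so the decoder is never called.

```java
package com.kscodes.springboot.security.oauth2;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

// Example test (hypothetical class name). Placeholder credentials are constructed
// for the test; they never reach a real provider.
@SpringBootTest(properties = {
        "spring.security.oauth2.client.registration.google.client-id=test-client-id",
        "spring.security.oauth2.client.registration.google.client-secret=test-secret",
        "spring.security.oauth2.resourceserver.jwt.issuer-uri=https://accounts.google.com"
})
@AutoConfigureMockMvc
class SecurityChainsTest {

    @Autowired MockMvc mvc;

    // Stands in for the issuer-uri decoder so the context starts offline.
    @MockBean JwtDecoder jwtDecoder;

    @Test
    void publicEndpointIsOpen() throws Exception {
        mvc.perform(get("/public")).andExpect(status().isOk());
    }

    @Test
    void apiRejectsAnonymousWithoutRedirect() throws Exception {
        // Resource-server chain: no session, no login redirect, a bare 401 challenge.
        mvc.perform(get("/api/user"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().exists("WWW-Authenticate"));
    }

    @Test
    void apiAcceptsBearerJwt() throws Exception {
        mvc.perform(get("/api/user").with(jwt().jwt(j -> j.claim("name", "Test User"))))
           .andExpect(status().isOk())
           .andExpect(content().string("Welcome, Test User"));
    }

    @Test
    void browserPathRedirectsToLogin() throws Exception {
        // Login chain: an unauthenticated browser request is redirected to the provider login.
        mvc.perform(get("/anything")).andExpect(status().is3xxRedirection());
    }
}
```

If `apiRejectsAnonymousWithoutRedirect` comes back with a 302 instead of a 401, the `/api/**` request was handled by the login chain, which means the resource-server chain lacks its `securityMatcher` or its `@Order`.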
✅ Summary
In this post, we explored how to set up OAuth2 Login and Resource Server with Spring Boot 3 using com.kscodes.springboot.security.oauth2 as the package structure. You've learned to:
- Configure OAuth2 login for user authentication
- Protect API endpoints with a resource server and JWT
- Handle secure user data using Spring Security