In modern applications, securing APIs and web applications is a top priority. In this post, we'll walk through implementing OAuth2 Login and a Resource Server with Spring Boot 3. You will learn how to:
- Secure your frontend using OAuth2 login
- Protect your backend APIs with the Resource Server setup
This implementation uses Spring Security 6 and Spring Boot 3: the login chain completes the OpenID Connect flow and loads the user from the provider's user-info endpoint, and the API chain validates bearer JWTs with Spring's JWT decoder.

📦 Project Setup
Use Spring Initializr or your favorite IDE to create a project with the following dependencies:
- Spring Web
- Spring Security
- OAuth2 Client
- OAuth2 Resource Server
Package structure:
com.kscodes.springboot.security.oauth2
│
├── config
│ ├── SecurityConfig.java
│
├── controller
│ ├── UserController.java
│
└── application.properties
🔧 OAuth2 Login Configuration
We’ll first configure OAuth2 login for a simple frontend page.
SecurityConfig.java (Login)
The class must be annotated with @Configuration (otherwise the @Bean method is never picked up), and since Spring Security 6.1 the no-argument oauth2Login() is deprecated in favour of oauth2Login(Customizer.withDefaults()).
package com.kscodes.springboot.security.oauth2.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public").permitAll()
                .anyRequest().authenticated()
            )
            // Browser-facing pages: an anonymous request is redirected to the provider's login page
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
🛡️ Resource Server Configuration (JWT)
To enable resource server support, configure Spring Security to validate the JWT presented in the Authorization: Bearer header.
Modify SecurityConfig.java: add a second SecurityFilterChain bean next to the login chain. Two chains without a securityMatcher both match every request, and only the first one registered ever runs, so scope this chain to /api/** and give it higher precedence with @Order(1) (import org.springframework.core.annotation.Order). The login chain keeps its default, lowest precedence and handles everything else.
@Bean
@Order(1)
public SecurityFilterChain resourceServerSecurity(HttpSecurity http) throws Exception {
    http
        // Only API requests go through this chain; all other paths fall through to the login chain
        .securityMatcher("/api/**")
        .authorizeHttpRequests(auth -> auth
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            // Validate the bearer JWT against the issuer configured in application.properties
            .jwt(Customizer.withDefaults())
        );
    return http.build();
}
🧩 application.properties
# OAuth2 Login
spring.security.oauth2.client.registration.google.client-id=YOUR_GOOGLE_CLIENT_ID
spring.security.oauth2.client.registration.google.client-secret=YOUR_GOOGLE_CLIENT_SECRET
spring.security.oauth2.client.registration.google.scope=openid,email,profile
# JWT Resource Server
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://accounts.google.com
Note: Spring uses the issuer URI to fetch the provider's OpenID configuration and JWK Set, and the decoder it builds checks each bearer token's signature, expiry and iss claim against that issuer. It does not check the aud claim, so a token the same issuer signed for a different client is accepted too; set spring.security.oauth2.resourceserver.jwt.audiences=YOUR_GOOGLE_CLIENT_ID, or register a JwtDecoder with an audience validator, before going to production. Two further caveats: keep the client secret out of source control (a placeholder such as ${GOOGLE_CLIENT_SECRET}, resolved from the environment, works here), and remember that Google's access tokens are opaque strings rather than JWTs, so the bearer token your frontend sends to /api/** must be the ID token obtained by the login flow, or come from an authorization server that issues JWT access tokens.
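The following bean, added here as an example and not part of the original post, shows how the audience check is composed with Spring's default validators so that you can extend it with checks of your own. It assumes it is placed in SecurityConfig (Boot's auto-configured decoder backs off once you declare a JwtDecoder bean) and reads the expected audience from a hypothetical app.jwt.audience property; for Google ID tokens that value is your client ID.

```java
package com.kscodes.springboot.security.oauth2.config;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    /**
     * Builds the decoder from the issuer's OpenID configuration (signature keys come from its
     * JWK Set) and replaces the default validator chain with one that also requires the
     * expected audience. A token signed by the right issuer for another client is rejected.
     */
    @Bean
    public JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer,
            @Value("${app.jwt.audience}") String expectedAudience) { // app.jwt.audience is an assumed property

        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);

        // Default checks: signature already verified by the decoder; this adds exp/nbf and iss
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);

        // Additional check: the aud claim must contain our client identifier
        OAuth2TokenValidator<Jwt> audience = jwt -> jwt.getAudience().contains(expectedAudience)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(new OAuth2Error(
                        "invalid_token",
                        "The token was not issued for audience " + expectedAudience,
                        null));

        // All validators must pass; a failure surfaces as a 401 with the error description above
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }
}
```

The same composition works for any further claim you want to require (for example a tenant identifier); add another OAuth2TokenValidator to the DelegatingOAuth2TokenValidator rather than checking claims inside controllers.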
👨💻 Controller Example
Which principal type a handler receives depends on the chain that served it. Under the login chain the principal is an OidcUser backed by the ID token and user-info claims; under the resource server chain it is the validated Jwt, so a handler for /api/user must not expect an OidcUser (the argument would be null). The controller therefore exposes the OIDC example at /user and the bearer-token example at /api/user.
package com.kscodes.springboot.security.oauth2.controller;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class UserController {
    // Served by the login chain: the browser session established by OAuth2 login
    @GetMapping("/user")
    public String getUser(@AuthenticationPrincipal OidcUser user) {
        return "Welcome, " + user.getFullName();
    }
    // Served by the resource server chain: the principal is the decoded bearer JWT
    @GetMapping("/api/user")
    public String getApiUser(@AuthenticationPrincipal Jwt jwt) {
        return "Welcome, " + jwt.getClaimAsString("name") + " (" + jwt.getSubject() + ")";
    }
    @GetMapping("/public")
    public String publicEndpoint() {
        return "This is a public page.";
    }
}
🌐 How OAuth2 Login and Resource Server Work Together
- The OAuth2 Login flow authenticates the user against the provider (e.g., Google, GitHub), fetches the user's profile, and stores the result in a server-side session; an anonymous request to a protected page is redirected to the provider's login page.
- The Resource Server chain protects /api/** with bearer tokens. Every request must carry Authorization: Bearer <JWT>; the backend verifies the token's signature, expiry and issuer before the handler runs, and an anonymous request gets a 401 rather than a redirect.
Because the two chains are selected by path and never share state, the browser session cannot be used to call the API and a bearer token cannot open a page, which is the separation of concerns this combination of OAuth2 Login and Resource Server with Spring Boot 3 is meant to give you.
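The test below, added here as an example and not part of the original post, exercises exactly that split without contacting any provider. It assumes the two-chain configuration from this post (resource server chain scoped to /api/**, login chain for everything else), a controller that serves /user with an OidcUser and /api/user with a Jwt returning "Welcome, <name> (<sub>)", a spring-security-test dependency on the test classpath, and a @SpringBootApplication class in the base package; the class name is made up. @MockBean is the Boot 3.0 to 3.3 API; on Boot 3.4 or later use @MockitoBean instead.

```java
package com.kscodes.springboot.security.oauth2;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityChainsTest { // hypothetical test class

    @Autowired
    MockMvc mockMvc;

    // Stand-in for the real decoder so the context starts without reaching the issuer.
    // The jwt() post-processor injects an already-authenticated token, so decoding is not exercised.
    @MockBean
    JwtDecoder jwtDecoder;

    @Test
    void publicPageIsOpen() throws Exception {
        mockMvc.perform(get("/public"))
               .andExpect(status().isOk());
    }

    @Test
    void anonymousBrowserRequestIsRedirectedToProviderLogin() throws Exception {
        // Login chain: no session, so Spring redirects to the single registered provider
        mockMvc.perform(get("/user"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/oauth2/authorization/google"));
    }

    @Test
    void anonymousApiRequestGets401NotRedirect() throws Exception {
        // Resource server chain: missing bearer token is a 401, never a redirect
        mockMvc.perform(get("/api/user"))
               .andExpect(status().isUnauthorized());
    }

    @Test
    void apiAcceptsBearerJwt() throws Exception {
        // Constructed claims: subject and name as a Google ID token would carry them
        mockMvc.perform(get("/api/user")
                   .with(jwt().jwt(j -> j.subject("1234567890").claim("name", "Ada Lovelace"))))
               .andExpect(status().isOk())
               .andExpect(content().string("Welcome, Ada Lovelace (1234567890)"));
    }

    @Test
    void browserPageAcceptsOidcSession() throws Exception {
        // Simulated completed OAuth2 login with a constructed ID token
        mockMvc.perform(get("/user")
                   .with(oidcLogin().idToken(t -> t.claim("name", "Ada Lovelace"))))
               .andExpect(status().isOk())
               .andExpect(content().string("Welcome, Ada Lovelace"));
    }
}
```

If anonymousApiRequestGets401NotRedirect fails with a 302, the resource server chain is not being selected for /api/**: check that it carries @Order(1) and a securityMatcher, since without both the login chain wins for every request.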
✅ Summary
In this post, we explored how to set up OAuth2 Login and Resource Server with Spring Boot 3 using com.kscodes.springboot.security.oauth2 as the package structure. You’ve learned to:
- Configure OAuth2 login for user authentication
- Protect API endpoints with a resource server and JWT
- Handle secure user data using Spring Security