I really don’t want to keep too much of my users’ data in my database. Passwords, for example. What if I misconfigure an endpoint and they leak? What if my database provider leaks the DB and the hashing algorithm has become obsolete by then? Luckily, I can sidestep that issue entirely by enabling login via other providers, and the OAuth2 protocol is the way to go here. For a start, one provider is enough. I chose Google, as it is the one with the biggest market penetration. What did I have to do?
Google setup
First of all, I needed to create a new project in the Google API Console. In the OAuth consent screen section, I had to provide my e-mail address and the name of the application. Before deployment, Google also requires a couple of settings that are optional for now, such as the privacy policy URL; I will deal with those as soon as I deploy the application somewhere. In the Credentials section („Dane logowania” in the Polish console) I added a new OAuth client ID. This generates a client ID and a client secret, which are needed in the next step. At this point I also had to provide the authorised JavaScript origins and the authorised redirect URIs. As the application is only deployed locally for now, the only redirect URI points at my localhost (with Spring Boot’s @EnableOAuth2Sso defaults the callback path is /login, so for a local run on the default port that is http://localhost:8080/login, and the value registered here must match it exactly):
Spring Boot setup
Adding required dependencies
One of them (spring-boot-starter-security) was already in my project. I also needed the spring-security-oauth2 package, which provides the @EnableOAuth2Sso annotation.
Setting up OAuth properties
There is a set of properties that needs to be added to your application-[profilename].properties file. I wanted the public profile and e-mail address of my users, so that in future I can identify them by e-mail address, hence the „profile email” scope. You need to replace SAMPLE_CLIENT_ID and SAMPLE_CLIENT_SECRET with the values obtained from the Google API Console. You most likely do not want to commit those values to a public repository; read them from environment variables or keep the profile-specific properties file out of version control.
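As an added example (not the original post’s properties file), this is the set of properties @EnableOAuth2Sso reads for a Google login with spring-security-oauth2. The file name application-dev.properties, the environment variable names GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET, and the ${...} placeholders are assumptions; the Google endpoint URLs are Google’s published OAuth2/OpenID Connect endpoints.

```properties
# Added example: application-dev.properties (file name is an assumption).
# The ${...} placeholders resolve from the environment, so the client ID and
# secret never have to be written into a file that is committed.
security.oauth2.client.client-id=${GOOGLE_CLIENT_ID}
security.oauth2.client.client-secret=${GOOGLE_CLIENT_SECRET}

# Google's authorization and token endpoints
security.oauth2.client.user-authorization-uri=https://accounts.google.com/o/oauth2/v2/auth
security.oauth2.client.access-token-uri=https://www.googleapis.com/oauth2/v4/token

# "profile email": public profile plus the e-mail address (and email_verified flag)
security.oauth2.client.scope=profile email

# endpoint Spring calls with the access token to build the Principal
security.oauth2.resource.user-info-uri=https://www.googleapis.com/oauth2/v3/userinfo

# the callback path Google redirects back to; this is the default, shown so it
# can be matched against the authorised redirect URI in the Google API Console
security.oauth2.sso.login-path=/login
```

Start the application with the two environment variables exported; if either is missing, the placeholder fails to resolve at start-up rather than silently producing a broken login.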
Security configuration
With Spring there are several ways to provide the security configuration; the most popular are XML and Java-based configuration. I am using the latter here: index.html is left as a non-restricted page and everything else requires the user to log in. I expect this to change in future so that most of the assets are public. The most important part of this configuration is the @EnableOAuth2Sso annotation, which makes Spring Boot use the properties from the file above and sets up the default login endpoint (/login).
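An added example of that Java-based configuration (not the post’s own file; the class and package names are assumptions), written for Spring Boot 1.5 with spring-security-oauth2. It keeps the landing page public and protects everything else, as the post describes, and additionally leaves the /login callback and the /error page reachable without a session so that a failed login cannot bounce into another login redirect.

```java
// Added example; package and class names are assumptions.
package com.example.app.config;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso // reads security.oauth2.* and registers the OAuth2 callback filter on /login
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests()
                // public landing page; the OAuth callback and the error page are also
                // kept public so the login round-trip itself never triggers a redirect
                .antMatchers("/", "/index.html", "/login**", "/error**").permitAll()
                // everything else, including the REST endpoints, needs a logged-in user
                .anyRequest().authenticated()
            .and()
            // POST /logout invalidates the local session and returns to the landing page
            // (the default CSRF protection stays enabled, so the form needs the token)
            .logout()
                .logoutSuccessUrl("/")
                .permitAll();
    }
}
```

Note that logging out here only ends the application’s own session; the user stays signed in to Google, so the next click on the login link completes without a password prompt.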
Showing user data
I don’t have any real business logic in the application yet, so as an example I decided to create a REST endpoint that returns the logged-in user’s data. The endpoint requires authentication, as defined in the security configuration above.
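An added example of such an endpoint (not the post’s own code; the class, package and path /user are assumptions). With @EnableOAuth2Sso the injected Principal is an OAuth2Authentication, and its inner user authentication carries the Google userinfo response as a Map. Serialising the whole Principal would also expose the OAuth2AuthenticationDetails, which include the Google access token, so the endpoint below copies out only the attributes the application needs.

```java
// Added example; package, class name and the /user path are assumptions.
package com.example.app.web;

import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // Claims from Google's userinfo response that are safe to hand to the browser.
    // "sub" is Google's stable account identifier; "email" can change over time.
    private static final String[] EXPOSED = {
        "sub", "name", "given_name", "family_name", "email", "email_verified", "picture"
    };

    @GetMapping("/user")
    public Map<String, Object> user(Principal principal) {
        Map<String, Object> claims = userInfoClaims(principal);
        Map<String, Object> out = new LinkedHashMap<>();
        for (String key : EXPOSED) {
            if (claims.containsKey(key)) {
                out.put(key, claims.get(key));
            }
        }
        return out;
    }

    // Unwraps the userinfo Map that UserInfoTokenServices stores as the details
    // of the inner user authentication; empty for any other Principal type.
    @SuppressWarnings("unchecked")
    static Map<String, Object> userInfoClaims(Principal principal) {
        if (principal instanceof OAuth2Authentication) {
            Object details = ((OAuth2Authentication) principal).getUserAuthentication().getDetails();
            if (details instanceof Map) {
                return (Map<String, Object>) details;
            }
        }
        return Collections.emptyMap();
    }
}
```

When the user record is eventually persisted, key it on sub rather than on the e-mail address, and only trust the e-mail for identification when email_verified is true.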
Results
We have a nice index.html page with Bootstrap and Vue.js (I’ll write about this later), on which there is now a „Login with Google” link:
When we click on it, we are redirected to the Google login page.
After a successful login and granting all requested permissions, we are redirected to the user page. We see a lot of data, including several fields which, just in case, I won’t show in full 😉
As you can see, there is already some information about the logged-in user inside our Principal object, among it the first name, surname and e-mail address. We will likely save that data somewhere to keep a record of the user and display it on request.
All changes required for adding the login are also provided in this commit.