I really don’t want to keep too much of my users' data in my database. Say, passwords. What if I misconfigure an endpoint and they leak? What if my database provider leaks the DB and hashing algorithm becomes obsolete? Luckily, I can easily get rid of that issue with enabling login via other providers. OAuth2 protocol is a way to go in this case. For the beginning, one provider is enough. I chose Google as this is the one that has the biggest market penetration. What did I have to do?
Spring Boot setup
Adding required dependencies
One of them (spring-boot-security-starter) was already in my project. I needed also spring-security-oauth2 package.
Setting up OAuth properties
There is a set of properties that needs to be added to your application-[profilename].properties file. I wanted to get a public profile and e-mail of my users so in future I’ll be able to identify the users by their e-mail address, hence the „profile email” scope. You’ll need to replace SAMPLE_CLIENT_ID and SAMPLE_CLIENT_SECRET with values obtained from your Google API Console. You’re likely not to want to put that values into your public repositories.
With Spring there are several options for providing security configuration – most popular is either XML or Java code-based configuration. We’re using the second one here, leave index.html as a non-restricted page and everything else as requiring the user to log in. In future I expect it to change so that most of the assets is public. The most important part of this configuration is @EnableOAuth2Sso annotation which triggers using the properties from the file above and sets up default login endpoint.
Showing user data
I don’t have any real business logic in the application yet, so as an example I decided to create a REST endpoint that will return logged in user’s data. The endpoint will require authentication as defined in the above security configuration file.
We have a nice index.html page with Bootstrap and Vue.js (I’ll write about this later), on which there now is a „Login with Google” link:
When we click on it, we’re redirected to Google login page.
After successful login and giving all required permissions, we’re redirected to the user page. We see a lot of data and several fields which just in case I won’t show in full 😉
As you see, there is already some information about the logged in user inside our Principal object, among them a name, surname and e-mail address. We’ll likely save that data somewhere to keep information about our user and display them on request.
All changes that were required for adding login are also provided in this commit.