[JAVA] SSO with GitHub OAuth in Spring Boot 1.5.x environment

What I want to do

I want to implement single sign-on (SSO) with OAuth 2.0 in a Spring Boot 1.5.15 environment, using GitHub OAuth as the authorization server.

Environment

Spring Boot 1.5.15 + JDK 1.8 + Maven

About the technology used

Spring Security Web
https://spring.io/projects/spring-security

Provides a Security Filter Chain between the client and the web application. Each Filter performs filtering, such as denying access to unauthenticated users. The Security Filter Chain is managed by the FilterChainProxy.

To configure Spring Security, extend the default configuration class WebSecurityConfigurerAdapter and override the methods you need.

Official reference https://docs.spring.io/spring-security/site/docs/4.2.5.RELEASE/apidocs/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.html

SecurityConfig.java


import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration //Automatically load configuration class
@EnableWebSecurity //Enable Spring Security
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(WebSecurity web) throws Exception {
        //Describe the FilterChainProxy settings (≒ overall settings) in the WebSecurity method chain
        // ...
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //Describe the Filter Chain settings (≒ detailed settings) in the HttpSecurity method chain
        // ...
    }
}

To use user information in Thymeleaf, use thymeleaf-extras-springsecurity.
https://github.com/thymeleaf/thymeleaf-extras-springsecurity

OAuth 2.0
https://tools.ietf.org/html/rfc6749
https://openid-foundation-japan.github.io/rfc6749.ja.html

A framework for authorization (AuthZ). There are four roles in OAuth 2.0: **user**, **authorization server**, **resource server**, and **client**. The **user** authorizes the **client** to use the resources on the **resource server** through the **authorization server**.

The following article summarizes this in a very easy-to-understand way.
https://qiita.com/busyoumono99/items/1092fdc64d5a64d021d5

SSO with OAuth 2.0

In OAuth 2.0, authentication (AuthN) can be achieved by fetching the user's information from the resource server and checking it. For SSO with GitHub OAuth

It becomes.

To use this with Spring Security, use Spring Security OAuth. The resource settings are described under `security.oauth2.resource.*` in application.properties, and the client settings under `security.oauth2.client.*`.
https://spring.io/projects/spring-security-oauth

Implementation

The resource URI is /demo.

pom.xml#dependencies


	<dependencies>
		<!-- Web application -->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-thymeleaf</artifactId>
		</dependency>
		<!-- OAuth2.0 SSO -->
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security.oauth</groupId>
			<artifactId>spring-security-oauth2</artifactId>
		</dependency>
		<dependency>
			<groupId>org.thymeleaf.extras</groupId>
			<artifactId>thymeleaf-extras-springsecurity4</artifactId>
		</dependency>
		<!-- Lombok -->
		<dependency>
			<groupId>org.projectlombok</groupId>
			<artifactId>lombok</artifactId>
			<optional>true</optional>
		</dependency>
	</dependencies>

DemoApplication.java


import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class DemoApplication {
	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}
}

DemoController.java


import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class DemoController {
    @GetMapping("/")
    public String home() {
        return "home";
    }
}

home.html


<html xmlns:th="http://www.thymeleaf.org"
  xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
<head>
<meta charset="utf-8"/>
<title>Home</title>
</head>
<body>
  <h1>Hello, <span sec:authentication="name"></span></h1>
</body>
</html>

SecurityConfig.java


import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated(); //Login required to access all URIs
    }
}
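
With the rule above, any GitHub account that completes the OAuth flow counts as authenticated. The following is an added example, not part of the original article, showing one way to restrict sign-in to known accounts with Spring Boot 1.5's AuthoritiesExtractor; the class name GitHubAllowlistConfig and the environment variable DEMO__GITHUB_ALLOWED_IDS are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.authority.AuthorityUtils;

@Configuration
public class GitHubAllowlistConfig { // hypothetical class name

    // Assumption: numeric GitHub account ids allowed to sign in, given as a
    // comma-separated list in DEMO__GITHUB_ALLOWED_IDS (hypothetical variable name).
    private final Set<String> allowedIds = parse(System.getenv("DEMO__GITHUB_ALLOWED_IDS"));

    static Set<String> parse(String csv) {
        Set<String> ids = new HashSet<>();
        if (csv != null) {
            for (String part : csv.split(",")) {
                String id = part.trim();
                if (!id.isEmpty()) {
                    ids.add(id);
                }
            }
        }
        return ids; // an empty set admits nobody (fail closed)
    }

    // Spring Boot 1.5 hands the JSON returned by security.oauth2.resource.user-info-uri
    // to this bean as a Map and uses the returned list as the user's authorities.
    @Bean
    public AuthoritiesExtractor authoritiesExtractor() {
        return (Map<String, Object> userInfo) -> {
            // "id" is the numeric account id in GitHub's /user response; unlike
            // "login", it does not change when the account is renamed.
            Object id = userInfo.get("id");
            if (id == null || !allowedIds.contains(String.valueOf(id))) {
                // Rejecting here makes the SSO login fail before a session is authenticated.
                throw new BadCredentialsException("GitHub account is not on the allowlist");
            }
            return AuthorityUtils.createAuthorityList("ROLE_USER");
        };
    }
}
```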

application.properties


#Note: everything up to the line break is treated as part of the value

server.port=8080
server.context-path=/demo

#OAuth2 client (this application) settings

#Client credentials
security.oauth2.client.client-id=${DEMO__GITHUB_OAUTH_CLIENT_ID}
security.oauth2.client.client-secret=${DEMO__GITHUB_OAUTH_CLIENT_SECRET}
#Access token acquisition URI
security.oauth2.client.access-token-uri=https://github.com/login/oauth/access_token
#Authorization URI
security.oauth2.client.user-authorization-uri=https://github.com/login/oauth/authorize
#Client authentication scheme
security.oauth2.client.client-authentication-scheme=form

#OAuth2 resource server (GitHub) settings

#User information acquisition URI
security.oauth2.resource.user-info-uri=https://api.github.com/user
#Get user information from the user-info URI instead of the token-info URI
security.oauth2.resource.prefer-token-info=false

#Setting up SSO with OAuth2

#SSO login URL (redirect URI when not authenticated)
security.oauth2.sso.login-path=/login

Where I got stuck
