Spring Boot + Spring Security + OAuth2

In this tutorial we explain how to secure a Spring Boot application using OAuth2.

If you follow the steps in order, you’ll get a fully working secured application which authenticates user requests through Google API.


  • Eclipse IDE (neon release)
  • Maven 4
  • Java 1.8
  • Spring Boot 2.0.0

1- Create maven project

Open eclipse then create a new maven project and name it as SpringBootOAuth2.

At the end of this tutorial, we’ll get the following project structure:

Spring Boot OAuth2 Project

2- pom.xml

Configure Spring Security in the application through adding the following dependency:

After adding this dependency, you will not be able to access any page in the application without being authenticated through the traditional Spring login page.

In order to avoid the traditional Spring authentication and use external service authentication, we add support for OAuth2 as the following:

For now Spring Boot still doesn’t know which OAuth2 service you’re going to integrate with, so you’ll still see the traditional login page.

Now just define your application as a web app through adding the following dependencies:

We add “tomcat-embed-jasper” to be able to use JSP later on in the tutorial.

That’s it for pom.xml, this is the whole file for reference:

3- Create credentials for your webapp

The first thing to do before start integrating OAuth2 into your application is to setup and configure the application in the authority service which will authenticate your users, you could use several authority services like (Facebook, Twitter, Github … ) at the same time but for simplicity we choose to go with Google in this tutorial.

To configure your application in google, follow the below steps:

  • Open Google Console API
  • Click on “New Project” button at the top left of the page.
  • Set a name for your project then click “Create”.
  • Now your application is created, choose your application from the list of projects at the top toolbar, then choose “APIs & Services” -> “Credentials” from the left menu.
  • Click “Create Credentials” -> “OAuth Client Id” then choose your application type, in this tutorial we choose “Web Application”
  • Add your redirect URI under “Authorized redirect URIs” text box, this is the URL which google uses when redirecting back to your application after successful authentication.
  • Click on “Create”.

Now your application is setup and configured under Google and you should get “Client Id” and “Client Secret” which uniquely identifies your application.

4- application.properties

Now go back to your application and configure OAuth2 under application.properties:

Here we tell our application to redirect to Google authentication page whenever an unauthorized user tries to access the application, as you see we use the “Client Id” and “Client Secret” of our application that we generate from google in the previous step.

We also statically set the redirect URI to be used by Google through “preEstablishedRedirectUri” attribute, the value of this attribute should be defined under the “Authorized redirect URIs” list that we set in the previous step OR you’ll get “Error: redirect_uri_mismatch” on redirection.

P.S: if you don’t define “preEstablishedRedirectUri” attributeSpring Boot will automatically use “localhost:9090/login” as the redirect URI.

5- Create JSP pages

Our application consists of 2 JSP pages: index.jsp and home.jsp

We define index.jsp to be the root page of the application, anyone could access it without authentication. For simplicity purposes, our page acts as a login page and it just holds a “Login With Google” button which authenticates the user through Google API.

And we define home.jsp as the home page which any authorized user reaches after successful authentication with Google.

Both jsp files are defined under WEB-INF/jsp which we previously defined as a view resolver prefix under application.properties.

6- Override application security

By default, Spring Security doesn’t allow unauthorized users to open any page in the application without a redirection. In order to exclude our index.jsp page from authentication, we override WebSecurityConfigurerAdapter class as the following:

In the configure() method, we define specific URLs like (“/”, “/callback”, “/login**”, “/webjars/**”, “/error**”) to be excluded from Spring authentication through using permitAll() while telling Spring to authenticate any other URL through .antMatcher(“/**”) .authorizeRequests()

The use of @EnableOAuth2Sso is mandatory, this is the annotation which initializes and auto-configures OAuth2, you can use this annotation either in the Spring Boot initializer class or here in the configurer.

7- HomeController.java

Now we define our controller under com.programmer.gate as the following:

Here we define the root page of our application to be “index.jsp” and we also define the callback method which google redirects to after successful authentication, as you see our callback function would just redirect to “home.jsp”.

8- Application.java

The final step is to create the Spring Boot initializer, this is the entry point of our application. We define Application.java under com.programmer.gate.

9- Demo

This is what we get when accessing http:localhost:9090Login with google

And this is what we get after clicking on “Login With Google” or when accessing any other URL:Google Authorization

10- Source code

You can download the source code from this repository: spring-boot-oauth2


0 0 votes
Article Rating

Hussein Terek

Owner of programmergate.com, I have a passion for software engineering and everything related to Java environment.

Newest Most Voted
Inline Feedbacks
View all comments
augustine sung
augustine sung
2 years ago

Thanks Hussein.
It was really useful example.

Akash Singhal
Akash Singhal
2 years ago

Hi.. How to get gmail login user data client name, email, meaning full data using Like security.oauth2.client.

Satish Bhatia
Satish Bhatia
2 years ago

Thanks for your article. Its by far the cleanest solution I have found till date!!!

To make this work with AWS cognito, please would you be able to advise on the questions below?
callbackUrl=i have this
cognito.region=i have this
cognito.clientId=i have this
cognito.clientSecret=i have this
cognito.userPoolId=i have this
cognito.domain=i have this

Question: what are the correct values for use with cognito?

Question: where do i use the keys for decoding the JWT to get access to claims?

2 years ago

its displaying not found message

pooja dassani
pooja dassani
1 year ago

this is the only example which actually ran successfully thanks a ton

1 year ago

If I have to leave “/callback” unauthenticated, what stops me from entering “localhost:9090/callback” to gain access to the “home” page?