An OAuth2 Client can be used to fetch user details from the provider (if such features are
available) and then convert them into an Authentication token for Spring Security.
The Resource Server above support this via the user-info-uri property This is the basis
for a Single Sign On (SSO) protocol based on OAuth2, and Spring Boot makes it easy to
participate by providing an annotation @EnableOAuth2Sso. The Github client above can
protect all its resources and authenticate using the Github /user/ endpoint, by adding
that annotation and declaring where to find the endpoint (in addition to the
security.oauth2.client.* configuration already listed above):
application.yml.
security: oauth2: # ... resource: userInfoUri: https://api.github.com/user preferTokenInfo: false
Since all paths are secure by default, there is no “home” page that you can show to
unauthenticated users and invite them to login (by visiting the /login path, or the
path specified by security.oauth2.sso.login-path).
To customize the access rules or paths to protect, so you can add a “home” page for
instance, @EnableOAuth2Sso can be added to a WebSecurityConfigurerAdapter and the
annotation will cause it to be decorated and enhanced with the necessary pieces to get
the /login path working. For example, here we simply allow unauthenticated access
to the home page at "/" and keep the default for everything else:
@Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .mvcMatchers("/").permitAll() .anyRequest().authenticated(); } }
Also note that since all endpoints are secure by default, this includes any default error handling endpoints, for example, the endpoint "/error". This means that if there is some problem during Single Sign On that requires the application to redirect to the "/error" page, then this can cause an infinite redirect between the identity provider and the receiving application.
First, think carefully about making an endpoint insecure as you may find that the behavior is simply evidence of a different problem. However, this behavior can be addressed by configuring the application to permit "/error":
@Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/error").permitAll() .anyRequest().authenticated(); } }