Enabling SSO OAuth2 Authentication with Spring Boot 2 and WSO2 Identity Server

Daniel S. Blanco
4 min read · Oct 28, 2019


Spring Boot is an excellent framework that allows us to create Java applications with almost no effort. And WSO2 Identity Server is another excellent tool that allows us to manage identities and access rights, in which we can manage users from different sources, configure single sign-on easily or establish resource control.

Diving deeper, we are going to build a basic web application where we can log in with any user from the WSO2 IS user store. To do that, the first step is to create a service provider with OAuth2 as inbound authentication.

The inbound authentication is the WSO2 component that allows us to indicate how authenticated requests are managed. In this case, it will be based on OAuth2 authentication. When we create it, we’ll have to define the OpenID scopes, grant types, token expiration times, etc.

We also have to configure the callback URL. This is an important validation: WSO2 IS only redirects to the registered callback, which prevents third-party applications from using this same clientId/secret and redirecting the authorization response to another application. In our case, the callback will be the URL of our application with the ‘/login’ path. This path is defined by default by Spring.

Once we have it created, we can see and copy the clientId and clientSecret associated with our service provider. We will need to add these values to the security configuration of our Spring application.

As we know, Spring Boot has multiple libraries that help us create a new project with a default configuration. For our application, we will rely on the following ones:

  • spring-boot-starter-parent:2.2.0.RELEASE as parent project.
  • spring-boot-starter-web
  • spring-boot-starter-security
  • spring-boot-starter-thymeleaf
  • thymeleaf-extras-springsecurity5
  • spring-security-oauth2-autoconfigure:2.1.1.RELEASE

We’re going to create an application.yml file for the Spring configuration. In this file we have to put the configuration for our authentication server, WSO2 IS. For that we indicate the following values:

As you can see, we disable basic authentication and paste the clientId/secret values copied earlier from WSO2 IS. We also indicate the OpenID scope; this is the user info that the application will require and for which the Identity Server will ask the user for permission after the login.

If we want to change the default callback URL, we need to override the configuration property security.oauth2.sso.login-path.

The rest of the values are WSO2 IS specific, i.e. the URIs for requesting authorization, a new token or the user info, the name of the token, and how to authenticate with the clientId/secret.

Our application will have only two pages:

  • index.html: A public access page with a link to our profile page.
  • profile.html: A restricted page that we can only access once we have been authorized, and where the application will show our name from the user principal object.

Now we need to create the core of the application, for that we create the following classes:

  • Application: The main configuration class that contains the main method and a RequestContextListener to use the request scope outside the dispatcher servlet.
  • SecurityConfig: With the annotation @EnableOAuth2Sso and the configuration for the security access. We’ll require authorization for accessing all pages except the index and login paths.
  • WebConfig: With the annotation @EnableWebMvc and an implementation of WebMvcConfigurer for the MVC configuration.

With all of this, we’ll have our single sign-on with WSO2 IS, but we won’t yet get the user principal name correctly. To do that, we need to create a class that extracts the name of the user from the response of the userInfo call. We can do this by implementing PrincipalExtractor and registering the class in SecurityConfig through the @Bean annotation.
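The SecurityConfig and PrincipalExtractor described above, as an added example that is not the post's own code. It assumes the spring-security-oauth2-autoconfigure starter listed earlier, and the claim names it reads from the userinfo response (name, preferred_username, sub) are assumptions: which ones WSO2 IS returns depends on the requested scopes and the claim configuration of the service provider.

```java
// Added example (not the article's own code): SecurityConfig with @EnableOAuth2Sso plus a
// PrincipalExtractor that picks the display name out of the WSO2 IS userinfo response.
// The claim names are assumptions; only "sub" is mandatory in an OpenID Connect userinfo reply.
import java.util.Map;

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // index and the /login callback stay public; every other page needs an authenticated session
                .antMatchers("/", "/index.html", "/login**").permitAll()
                .anyRequest().authenticated();
    }

    @Bean
    public PrincipalExtractor wso2PrincipalExtractor() {
        return new Wso2PrincipalExtractor();
    }

    /** Extracts a human-readable name from the userinfo claims, failing closed when none is present. */
    static class Wso2PrincipalExtractor implements PrincipalExtractor {
        // Assumed claim names, tried in order of preference; "sub" is the OIDC-mandated fallback.
        private static final String[] NAME_CLAIMS = {"name", "preferred_username", "sub"};

        @Override
        public Object extractPrincipal(Map<String, Object> map) {
            for (String claim : NAME_CLAIMS) {
                Object value = map.get(claim);
                if (value instanceof String && !((String) value).isEmpty()) {
                    return value;
                }
            }
            // A userinfo reply without even "sub" means a misconfigured provider: do not log the user in
            // with a null principal, abort the callback instead.
            throw new IllegalStateException("userinfo response carries no usable name claim");
        }
    }
}
```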

Now, we can run the application and test it. After opening the index page and clicking on the link, we will be redirected to the WSO2 IS login page. On this page, we’ll have to enter the username and password of a valid user of the Identity Server.

Before signing in, we have to give permission for the OpenID scopes requested, and afterwards we will be redirected to the profile page in the application, where we can see our name.

Here you can see all the code.
