Add Authentication to Your Spring Boot App

Get Started with Spring + Okta

1. What is Okta

Okta is an Identity and Access Management platform. Okta manages the security of your users.

This means that you can offload authentication to Okta so you can focus on the business logic of what you're building.

Work through the following sections to quickly integrate authentication into your app. Feel free to skip any sections you already know about.

NOTE: Okta is much, much more than authentication, but this is the best place to start. There's a whole section on learning more below.

2. Create an Okta Account

New to Okta? Follow these instructions to get set up.

  1. Create A Free Account
  2. Fill out the form on the tab that opens up.
  3. Click the link you receive in your email to set a password.
  4. Come back here to continue...

3. Create an Okta App for Authentication

  1. Navigate to Applications and click Add Application
  2. Click Web and click Next
  3. Give it a Name and click Done
  4. Note the Client ID and Client Secret. You'll need them later.

NOTE: You just created an OpenID Connect App. Don't know what that is? Don't worry - you don't need to know yet. If you want to find out more now, check out this guide.

4. Build Okta into a Spring Boot App

  1. You'll be working with a Spring Boot sample from this GitHub repo.

  2. From your terminal, execute the following:

    git clone https://github.com/okta/samples-java-spring
    cd samples-java-spring/okta-hosted-login
    mvn -Dokta.oauth2.issuer=https://{yourOktaDomain}/oauth2/default \
    	-Dokta.oauth2.clientId={clientId} \
    	-Dokta.oauth2.clientSecret={clientSecret} \
    	spring-boot:run
    

    NOTE: Putting secrets on the command line should ONLY be done for examples. Do NOT do this in production.

  3. In your browser, navigate to: http://localhost:8080. Log in with the user you set up with Okta.
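
The note in step 2 warns against command-line secrets: process arguments are visible in the process list and are saved in shell history. As an added example (not part of the Okta sample), the bash functions below load the same three settings from a private file into the OKTA_OAUTH2_ISSUER, OKTA_OAUTH2_CLIENT_ID and OKTA_OAUTH2_CLIENT_SECRET environment variables, which the Okta Spring Boot Starter reads; the file path and the function names load_okta_env and run_sample are hypothetical.

```bash
# Added example: keep the Okta client secret out of argv and shell history.
# Function names and the settings-file path are hypothetical.

# load_okta_env FILE: read KEY=VALUE lines and export the OKTA_OAUTH2_* values.
load_okta_env() {
    local file=$1 perms key value
    # Start clean so a stale value cannot mask a key missing from the file.
    unset OKTA_OAUTH2_ISSUER OKTA_OAUTH2_CLIENT_ID OKTA_OAUTH2_CLIENT_SECRET
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Refuse files that group or others can read or write (GNU stat, then BSD stat).
    perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $perms in
        600|400) ;;
        *) echo "refusing $file: mode $perms, expected 600" >&2; return 1 ;;
    esac

    # Everything after the first '=' is the value, so values may contain '='.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case $key in
            OKTA_OAUTH2_ISSUER|OKTA_OAUTH2_CLIENT_ID|OKTA_OAUTH2_CLIENT_SECRET)
                export "$key=$value" ;;
            ''|'#'*) ;;   # blank line or comment
            *) echo "ignoring unknown key: $key" >&2 ;;
        esac
    done < "$file"

    # All three settings must be present, and the issuer must be an https URL.
    [ -n "${OKTA_OAUTH2_CLIENT_ID:-}" ] && [ -n "${OKTA_OAUTH2_CLIENT_SECRET:-}" ] \
        || { echo "client id or secret missing in $file" >&2; return 1; }
    case ${OKTA_OAUTH2_ISSUER:-} in
        https://*) ;;
        *) echo "issuer must be an https:// URL" >&2; return 1 ;;
    esac
}

# run_sample: start the sample with no -Dokta.* flags; the settings come from
# the environment exported above.
run_sample() {
    mvn spring-boot:run
}

# Typical use from samples-java-spring/okta-hosted-login:
#   load_okta_env "$HOME/.config/okta/hosted-login.env" && run_sample
```

Create the settings file with mode 600 before use; the loader rejects anything more permissive.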

5. A Look at the Spring Boot Code

Here's a snippet from the Spring Security configuration:

@Configuration
static class WebConfig extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
			// allow anonymous access to the root page
			.antMatchers("/").permitAll()

			// all other requests
			.anyRequest().authenticated()

			// set logout URL
			.and().logout().logoutSuccessUrl("/")

			// enable OAuth2/OIDC
			.and().oauth2Client()
			.and().oauth2Login();
	}
}

This is standard Spring Security configuration. Because of the deep integration the Okta Spring Boot Starter has with Spring Security, there is nothing Okta-specific here.

Here's a snippet from the home.html template:

...
<div th:if="${#authorization.expression('isAuthenticated()')}" class="text container">
	<p>Welcome home, <span th:text="${#authentication.principal.attributes['name']}">Joe Coder</span>!</p>
	...
</div>
...

This uses regular SpEL constructs to (a) detect whether a user is authenticated and (b) if so, show the user's name.

Learn More About Okta