I’ve only touched on the tip of the iceberg regarding the capabilities of Spring Boot and Spring Security. You can use them to build and secure microservices too!

If you’ve never heard of JHipster before, you should download the free JHipster Mini-Book from InfoQ! It’s a book I wrote to help you get started with hip technologies today: Angular, Bootstrap and Spring Boot. The 5.0 version was just released.

To use these annotations in your app, you’ll need to add a "groups" claim to your ID token. Log in to your Okta account, navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .* . Note that a .* filter puts every group the user belongs to into the ID token; once you know which groups your app actually checks, tighten the regex so only those are exposed.

Spring Security ships with a number of nifty annotations that allow you to control access to methods. You can use @Secured, @RolesAllowed, and @PreAuthorize, to name a few. To enable method-level security, you just need to add the following annotation to a configuration class.
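The following Spring CLI script is an added example for this post, not its helloOIDC.groovy, and ties the two pieces above together: it enables method security and maps the "groups" claim from the Okta ID token onto Spring Security authorities so that @PreAuthorize can check group membership. It assumes an application.yml next to the script (the three properties in the header comment, with your own Okta domain, client ID and client secret filled in), a client registration named "okta" matching the /login/oauth2/code/okta redirect URI, and an Okta group called "Admin"; all of those names are assumptions, not something the post specifies.

```groovy
// helloGroups.groovy: an added example for this post, not its helloOIDC.groovy.
// Run with: spring run helloGroups.groovy
// Assumes an application.yml beside the script containing (placeholders are yours to fill):
//   spring.security.oauth2.client.provider.okta.issuer-uri: https://{yourOktaDomain}/oauth2/default
//   spring.security.oauth2.client.registration.okta.client-id: {clientId}
//   spring.security.oauth2.client.registration.okta.client-secret: {clientSecret}
// The registration id "okta" matches the /login/oauth2/code/okta redirect URI used in the post.
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.core.authority.mapper.GrantedAuthoritiesMapper
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

import java.security.Principal

// Spring CLI resolves the starter's group and version from Spring Boot's dependency management.
@Grab('spring-boot-starter-oauth2-client')
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)   // turns on @PreAuthorize / @PostAuthorize
class MethodSecurityConfig {

    // Spring Security 5.1's OAuth 2.0 login looks for a GrantedAuthoritiesMapper bean and
    // runs it over the authorities it builds from the ID token (ROLE_USER plus SCOPE_* entries).
    // This one adds each value of the "groups" claim as an authority of the same name.
    @Bean
    GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return { authorities ->
            Set<GrantedAuthority> mapped = new HashSet<GrantedAuthority>(authorities)
            authorities.each { authority ->
                if (authority instanceof OidcUserAuthority) {
                    // getClaimAsStringList returns null when the claim is absent, e.g. if the
                    // Okta claim was added to the access token instead of the ID token.
                    List<String> groups = authority.idToken.getClaimAsStringList('groups') ?: []
                    groups.each { String group -> mapped.add(new SimpleGrantedAuthority(group)) }
                }
            }
            return mapped
        } as GrantedAuthoritiesMapper
    }
}

@RestController
class HelloController {

    // Principal.getName() is the ID token's sub claim, as in the post's helloOIDC.groovy.
    @GetMapping('/')
    String home(Principal user) {
        "Hello ${user.name}"
    }

    // "Admin" is an assumed Okta group name; a logged-in user who isn't a member gets a 403.
    @PreAuthorize("hasAuthority('Admin')")
    @GetMapping('/admin')
    String admin(Principal user) {
        "Hello admin ${user.name}"
    }
}
```

The authorities are copied into a new set rather than mutated in place, so the ROLE_USER and SCOPE_* authorities Spring Security already granted survive the mapping. Because the Okta filter regex decides which groups land in the claim, the set of authorities a user gets here is only as tight as that regex.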

Run this file using spring run helloOIDC.groovy and try to access http://localhost:8080. You’ll be redirected to Okta to log in, or, if you’re already logged in, shown Hello followed by your sub claim.

Log in to your Okta Developer account and navigate to Applications > Add Application. Click Web and click Next. Give the app a name you’ll remember, and specify http://localhost:8080/login/oauth2/code/okta as a Login redirect URI. Click Done. The result should look something like the screenshot below.

Register for a forever-free developer account, and when you’re done, come on back so you can learn more about how to secure your Spring Boot app!

OIDC requires an identity provider (or IdP). There are many well-known providers such as Google, Twitter, and Facebook, but those services don’t let you manage your users the way you would in Active Directory. Okta allows this, and you can use Okta’s API for OIDC.

Using the same username and password for all your users is silly. Since friends don’t let friends write authentication, I’ll show you how to use Okta for auth with just a few lines of code.

Open your browser to http://localhost:8080 and you’ll be greeted with a login form. Enter user for the username and copy/paste the generated password from your terminal. If you copied and pasted the password successfully, you’ll see Hello World in your browser.

The @Grab annotation invokes Grape to download dependencies. Because Spring Security is on the classpath, its default security rules will be used. That is, protect everything, allow a single user with the username user, and generate a random password for that user on startup (it’s printed in the terminal).

You can create a Spring Boot application quickly with the Spring CLI. It allows you to write Groovy scripts that get rid of the boilerplate Java and build file configuration. Refer to the project’s documentation for installation instructions. To install Spring CLI, I recommend using SDKMAN!:

Another new feature that looks interesting is Elasticsearch REST client support. I integrated Spring Data Jest into JHipster, so this development intrigues me, especially its description: as an alternative option to Jest, auto-configurations for RestClient and RestHighLevelClient are provided, with configurable options from the spring.elasticsearch.rest.* namespace.

Before I dive into showing you how to add authentication to a Spring Boot app with OIDC, let’s take a look at what’s new and noteworthy in this release.

For those that aren’t aware, OIDC is just a thin layer on top of OAuth 2.0 that provides the user’s identity in an ID token. Spring Security automatically translates this token into a Java Principal so you can easily retrieve a user’s information using dependency injection. In addition to an ID token, OIDC adds:

Spring Boot 2.1 was recently released, eight months after the huge launch of Spring Boot 2.0. What excites me most about Spring Boot 2.1 is its improved performance and the OpenID Connect (OIDC) support from Spring Security 5.1. The combination of Spring Boot and Spring Security has provided excellent OAuth 2.0 support for years, and making OIDC a first-class citizen simplifies its configuration quite a bit.

Matt Raible is a well-known figure in the Java community and has been building web applications for most of his adult life. For over 20 years, he has helped developers learn and adopt open source frameworks and use them effectively. He's a web developer, Java Champion, and Developer Advocate at Okta. Matt has been a speaker at many conferences worldwide, including Devoxx Belgium, Devoxx France, Jfokus, and Devnexus. He is the author of The JHipster Mini-Book, Spring Live, and contributed to Pro JSP. He is a frequent contributor to open source and a member of the JHipster development team. You can find him online at raibledesigns.com.