Build and Secure Microservices with Spring Boot 2.0 and OAuth 2.0

avatar-matt_raible.jpg Matt Raible

Spring Boot has experienced massive adoption over the last several years. For Spring users, it offers a breath of fresh air, where they don’t have to worry about how things are configured if they’re comfortable with defaults. The Spring Boot ecosystem is filled with a wealth of what they call starters. Starters are bundles of dependencies that autoconfigure themselves to work as a developer might expect.

Spring Boot allows you to create standalone web apps, CLIs, batch processes, and microservices. When you get into microservices, you’ll find that Spring Cloud helps autoconfigure the tools you want in your microservices architecture.

As we all know by now, pretty much every application depends upon a secure identity management system. For most developers who are getting started with new Spring Boot 2.0 apps, there’s a decision to be made between rolling your own authentication and authorization system or plugging in a service like Okta. Before we dive into our Spring Boot 2.0 application, I want to tell you a bit about Okta, and why I think it’s an excellent solution for all Java developers.

What is Okta?

In short, we make identity management a lot easier, more secure, and more scalable than what you’re probably used to. Okta is a cloud service that allows developers to create, edit, and securely store user accounts and user account data, and connect them with one or multiple applications. Our API enables you to:

Are you sold? Register for a forever-free developer account, and when you’re done, come on back so we can learn more about building secure microservices in Spring Boot 2.0!

Get Started with Spring Boot 2.0 for Your Microservices Architecture

To help celebrate this new release, I took the time to update a few of our blog posts to use 2.0. The first one I updated was Build a Basic CRUD App with Angular 5.0 and Spring Boot 2.0.

The other two I updated show you how to build and secure microservices with OAuth 2.0.

If you’re using Spring Boot 1.x, I encourage you to try Spring Boot 2.x. The three posts I mentioned above show you it’s possible to use with our Angular SDK, and our Sign-In Widget. In fact, each blog post has a link to its GitHub repo, which has a README that explains what you need to do to get started.

It’s not too hard, so I’ll break it down for you:

  1. Create a Web application in Okta with your developer account.
  2. Update a file or two to use your client ID/secret instead of mine, or set environment variables that match Spring Security’s property names.
  3. Run the apps and rejoice!

If a picture is worth a thousand words, a video is worth 1.8 million words. For this reason, I created a screencast showing how to build a microservices architecture for microbrews with Spring Boot.

I also created a screencast that shows how to secure this architecture with OAuth 2.0 and Okta.

What About Spring WebFlux?

One of the most significant additions in Spring Boot 2.0 is a new reactive web framework called Spring WebFlux. WebFlux allows you to create non-blocking web apps that perform better with high load. For proof, see Reactive vs. Synchronous Performance Test with Spring Boot 2.0.

All of the examples above are written with Spring MVC, not WebFlux. This was primarily because I believe Spring MVC is the right choice for most developers that are just starting out. It’s also because Spring Security’s OAuth support didn’t work with Spring WebFlux. That is, until last week!

Josh Long and I had a fun time demoing this functionality at the SpringOne Tour in Denver just a few days ago.

Spring WebFlux + OAuth 2.0 + Okta

I did some experimenting with the latest bits from Spring Security’s GitHub repo and was able to make an example work with Okta. I found that the configuration for WebFlux + OAuth 2.0 largely resembles Spring Security’s OIDC support. In fact, the configuration properties names are the same.

You can read more about the Spring Security 5.1.0.M1 release, or follow the steps below to use it in your Spring WebFlux application.

Here’s what you need in your application.yml:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: {yourClientId}
            client-secret: {yourClientSecret}
        provider:
          okta:
            authorization-uri: https://{yourOktaDomain}.com/oauth2/v1/authorize
            token-uri: https://{yourOktaDomain}.com/oauth2/v1/token
            user-info-uri: https://{yourOktaDomain}.com/oauth2/v1/userinfo
            jwk-set-uri: https://{yourOktaDomain}.com/oauth2/v1/keys

You’ll need to modify your pom.xml to add dependencies and upgrade Spring Security.

<properties>
    ...
    <spring-security.version>5.1.0.M1</spring-security.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring-security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
        <version>${spring-security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>${spring-security.version}</version>
    </dependency>
    ...
</dependencies>

<repositories>
    <repository>
        <id>spring-milestone</id>
        <name>Spring Milestone Repository</name>
        <url>http://repo.spring.io/milestone</url>
    </repository>
</repositories>

You’ll also need to copy the auto-configuration classes into your project, along with the spring.factories file that configures them. GitHub’s SVN support makes this possible with the following commands.

svn export https://github.com/spring-projects/spring-security/trunk/samples/boot/oauth2login-webflux/src/main/java/org src/main/java/org
svn export https://github.com/spring-projects/spring-security/trunk/samples/boot/oauth2login-webflux/src/main/resources/META-INF src/main/resources/META-INF

This step will not be necessary once Spring Security 5.1.0 is GA.

Learn More About Spring Boot and Microservices

We have several tutorials on this blog about how to develop applications with Spring Boot, and how to secure microservices. Not much has changed if you’re using Spring MVC. I encourage you to check out the following posts to learn how to use OAuth 2.0’s client credentials flow, as well as how to test your Spring Boot apps.

I hope you have a bootiful experience with Spring Boot 2.0. If you have any questions, please hit me up on Twitter or leave a comment below. If you want to get notified when new blog posts are published here, please follow @oktadev.