How to Enable OpenID Connect in Spring Boot 3: Full Configuration Guide

This guide walks you through configuring Spring Boot 3 with Spring Security OAuth2 Authorization Server to enable OpenID Connect, covering bean setup, client registration, token retrieval, user info customization, and accessing the OpenID configuration endpoint, complete with code examples and essential notes.

Spring Full-Stack Practical Cases

Environment: Spring Boot 3 + Spring Security OAuth2 Authorization Server 1.1.0

1. Configuration

@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    // Enable OpenID Connect 1.0
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(Customizer.withDefaults());
    return http.build();
}

With OIDC enabled, configure the scopes for each registered client; a client that needs an id_token must have the openid scope.

@Bean
public RegisteredClientRepository registeredClientRepository(){
    RegisteredClient packClient = RegisteredClient
        .withId("pack001")
        .clientId("123123")
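        // {noop} stores the secret in plain text (NoOpPasswordEncoder); suitable for a local demo only
        .clientSecret("{noop}666666")
        // Support both HTTP Basic and POST-body client authentication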
        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
        .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
        .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
        .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
        .redirectUri("http://localhost:8080/index.html")
        .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
        .scope("openid")
        .build();
    return new InMemoryRegisteredClientRepository(packClient);
}

2. Obtain id_token and user information

2.1 Access authorization endpoint (must include scope=openid):

http://localhost:9000/oauth2/v1/authorize?client_id=123123&response_type=code&redirect_uri=http://localhost:8080/index.html&scope=openid

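2.2 Exchange the authorization code for tokens. After login, the redirect URL contains the authorization code. Use the code to request the token; the token endpoint accepts POST requests only, and the parameters are shown here as a query string: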

http://localhost:9000/oauth2/v1/token?grant_type=authorization_code&code=...&redirect_uri=http://localhost:8080/index.html&client_id=123123&client_secret=666666
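
The request above carries client_secret in the URL, where it ends up in access logs and proxy logs. The following is an added example, not code from the original article: it performs the same exchange with the JDK HTTP client, authenticating with client_secret_basic (which the registered client allows) and sending the grant parameters in the form body. The class name and the CLIENT_SECRET environment variable are assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
/** Added example: exchanges an authorization code with the secret kept out of the URL. */
public class TokenExchange {
    // Endpoint and redirect URI are the demo values used on this page.
    static final String TOKEN_ENDPOINT = "http://localhost:9000/oauth2/v1/token";
    static final String REDIRECT_URI = "http://localhost:8080/index.html";

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Grant parameters only; no client_id or client_secret in the body or the URL.
    static String formBody(String code) {
        return "grant_type=authorization_code"
            + "&code=" + enc(code)
            + "&redirect_uri=" + enc(REDIRECT_URI);
    }

    // client_secret_basic: form-encode id and secret, then Base64 the "id:secret" pair.
    static String basicAuth(String clientId, String clientSecret) {
        String pair = enc(clientId) + ":" + enc(clientSecret);
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    static String exchange(String code, String clientId, String clientSecret) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
            .header("Authorization", basicAuth(clientId, clientSecret))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(formBody(code)))
            .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
            .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("Token request failed: HTTP " + response.statusCode());
        }
        return response.body(); // JSON with access_token and, for scope=openid, id_token
    }

    public static void main(String[] args) throws Exception {
        // args[0] is the code from the redirect; CLIENT_SECRET is a hypothetical variable name.
        System.out.println(exchange(args[0], "123123", System.getenv("CLIENT_SECRET")));
    }
}
```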

2.3 Retrieve user info:

http://localhost:9000/userinfo

The default response contains the "sub" claim as the user identifier.

2.4 Customize user info by configuring the OIDC userInfoEndpoint:

OAuth2AuthorizationServerConfigurer serverConfigurer = http.getConfigurer(OAuth2AuthorizationServerConfigurer.class);
serverConfigurer.oidc(oidcConfigurer -> {
    oidcConfigurer.userInfoEndpoint(oidcUserInfoEndpointConfigurer -> {
        oidcUserInfoEndpointConfigurer.userInfoMapper(context -> {
            Authentication auth = context.getAuthentication();
            OAuth2AccessToken accessToken = context.getAccessToken();
            Map<String, Object> claims = new HashMap<>();
            claims.put("token_info", accessToken);
            claims.put("user_info", auth);
            return new OidcUserInfo(claims);
        });
    });
});
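
The mapper above returns the whole access token object and the Authentication object to whoever calls /userinfo. The following is an added example, not code from the original article: a mapper that returns sub plus only the claims permitted by the access token's scopes. The class name and the attributesByUser lookup are hypothetical; the scope-to-claim table is a trimmed version of the standard OIDC mapping.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;

/** Added example: returns only the claims the access token's scopes allow. */
public class ScopedUserInfoMapper implements Function<OidcUserInfoAuthenticationContext, OidcUserInfo> {

    // Standard OIDC scope-to-claim mapping, trimmed for brevity.
    private static final Map<String, List<String>> CLAIMS_BY_SCOPE = Map.of(
        OidcScopes.PROFILE, List.of("name", "preferred_username", "locale"),
        OidcScopes.EMAIL, List.of("email", "email_verified"),
        OidcScopes.PHONE, List.of("phone_number", "phone_number_verified"));

    // Hypothetical lookup: user name -> stored attributes (for example a database-backed service).
    private final Function<String, Map<String, Object>> attributesByUser;

    public ScopedUserInfoMapper(Function<String, Map<String, Object>> attributesByUser) {
        this.attributesByUser = attributesByUser;
    }

    @Override
    public OidcUserInfo apply(OidcUserInfoAuthenticationContext context) {
        String subject = context.getAuthorization().getPrincipalName();
        Set<String> scopes = context.getAccessToken().getScopes();
        Map<String, Object> stored = attributesByUser.apply(subject);

        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("sub", subject); // always present; must match the ID token's sub
        CLAIMS_BY_SCOPE.forEach((scope, names) -> {
            if (scopes.contains(scope)) {
                names.stream().filter(name -> stored.get(name) != null)
                     .forEach(name -> claims.put(name, stored.get(name)));
            }
        });
        // The access token value and the Authentication object are deliberately left out.
        return new OidcUserInfo(claims);
    }
}
```

Register it with `oidcUserInfoEndpointConfigurer.userInfoMapper(new ScopedUserInfoMapper(lookup))`. For the client registered in section 1, which has only the openid scope, the response contains just sub.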

2.5 View OpenID configuration:

http://localhost:9000/.well-known/openid-configuration

Client applications can fetch this configuration when the issuer-uri is set. Example client registration in application.yml:

spring:
  security:
    oauth2:
      client:
        registration:
          pack002:
            provider: pack
            client-id: pack002
            client-secret: 888888
            client-authentication-method: client_secret_post
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            scope:
              - openid
        provider:
          pack:
            issuer-uri: http://localhost:9000

Spring Boot automatically creates a ClientRegistrationRepository based on the issuer-uri, pulling the OpenID configuration at startup.

Additional code snippets show how the repository and client registration are built.
