Mastering OAuth2 SSO with SpringBoot: A Step‑by‑Step Guide
This article explains the principles of Single Sign‑On using OAuth2.0, illustrates the flow with a real‑world analogy, and provides a complete SpringBoot implementation for both the authorization server and client, including role‑based permission control and microservice integration.
What is Single Sign‑On (SSO)
Multi‑point login
Traditional systems require separate credentials for each site; authentication verifies identity, while authorization verifies access rights.
Single Sign‑On
SSO allows a user to log in once to a central authentication server and access multiple sites without re‑authentication.
OAuth2 Authentication and Authorization Flow
Real‑world analogy
Illustrates the flow with a client (File Bureau), a resource owner (citizen), and an authorization server (police station): client‑id, user authentication, authorization code issuance, token exchange, and resource access.
First access to Bureau A
Step‑by‑step redirects, user login form, credential verification, issuance of an authorization code, token acquisition, and resource request.
First access to Bureau B
Previously obtained token allows direct access without repeating the full flow.
Subsequent access to Bureau A
All steps are bypassed because the token is already valid.
HTTP redirect principle
When a server cannot handle a request itself, it responds with a redirect that sends the browser to another URI; the OAuth2 SSO flow is built from such redirects between the client and the authorization server.
SSO workflow summary
Summarizes the OAuth2 flow using the earlier analogy.
OAuth2 grant types
Authorization Code – server‑side applications.
Implicit – mobile or web apps running on the user device.
Resource Owner Password Credentials – trusted applications.
Client Credentials – machine‑to‑machine API access.
Implementing Authentication/Authorization with Spring Boot
Authorization Server
Dependency (pom.xml):
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>

application.properties:
server.port=8110

Java configuration includes @EnableAuthorizationServer, client details (client‑id "webapp", secret "secret", grant type "authorization_code", scope "user_info", token validity 3600 seconds) and HTTP security settings.
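An added example, not the article's own code, of the authorization‑server configuration described above, written against the spring-security-oauth2 API that spring-cloud-starter-oauth2 brings in. The client‑id, secret, grant type, scope and 3600‑second validity are the article's values; the in‑memory client store, the BCrypt encoder and the registered redirect URI http://localhost:8080/login are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Added example, not the article's code. Runs in the server the article puts on port 8110.
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumption: BCrypt for the stored client secret. Spring Security 5 rejects
    // unprefixed plaintext secrets, so the hashed form is what goes into the store.
    private final PasswordEncoder secretEncoder = new BCryptPasswordEncoder();

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()                                  // assumption: in-memory client store
            .withClient("webapp")                           // client-id from the article
            .secret(secretEncoder.encode("secret"))         // secret "secret", hashed at rest
            .authorizedGrantTypes("authorization_code")     // the only grant this client may use
            .scopes("user_info")                            // scope the client may request
            // Registered callback allow-list: the authorize endpoint refuses any
            // redirect_uri that does not match an entry here, so an authorization
            // code is only ever delivered to the client's own callback. Assumed URI.
            .redirectUris("http://localhost:8080/login")
            .accessTokenValiditySeconds(3600);              // one-hour tokens, as in the article
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .passwordEncoder(secretEncoder)                 // secret check uses the same encoder
            .checkTokenAccess("isAuthenticated()");         // /oauth/check_token requires client auth
    }
}
```

The client's user-info-uri, http://localhost:8110/oauth/user, is not one of the framework's built‑in endpoints, so the authorization server must also expose it (a controller returning the authenticated Principal with its USER/ADMIN/ROOT authorities) and protect it with bearer‑token authentication, for example via @EnableResourceServer.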
Client Application
Same Maven dependency.
application.properties:
server.port=8080
security.oauth2.client.client-id=webapp
security.oauth2.client.client-secret=secret
security.oauth2.client.access-token-uri=http://localhost:8110/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:8110/oauth/authorize
security.oauth2.resource.user-info-uri=http://localhost:8110/oauth/user

Web security configuration permits "/" and "/login" and requires authentication for other endpoints.
Controller provides mappings for index, welcome, and role‑based APIs (USER, ADMIN, ROOT) using @PreAuthorize.
Role‑Based Permission Control
Define roles (USER, ADMIN, ROOT) in the authorization server.
Annotate controller methods with @PreAuthorize to restrict access.
Integrated Usage
Permission Control Scheme
Basic tables for users, roles, client‑ids, and tokens.
Application in Microservice Architecture
Authorization Server and Resource Server run as independent services; an API gateway can handle the login flow, allowing internal services to rely on token validation without direct redirects.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn