Understanding Single Sign-On (SSO) with OAuth2.0 and Spring Boot Implementation
This article explains the principles and workflow of Single Sign-On (SSO) using OAuth2.0, illustrates the process with a real‑life scenario, compares multi‑point and single‑point login, and provides a complete Spring Boot example for building an authorization server, client, and role‑based access control in micro‑service architectures.
Single Sign‑On (SSO) is a popular login method for multi‑domain enterprise sites. The article first distinguishes traditional multi‑point login, where each site maintains its own user database, from SSO, where multiple sites share a common authentication and authorization server.
It introduces the key concepts of authentication (verifying identity) and authorization (verifying access rights) and uses a vivid life‑scenario analogy involving a citizen (resource owner), archive bureaus (clients), and a police station (authorization server) to illustrate the OAuth2.0 flow.
The step‑by‑step scenario describes how the citizen is sent through HTTP redirects to the authorization server, is shown an authentication form, submits credentials, is redirected back with an authorization code that the client then exchanges (server to server, with its own client secret) for an access token, and finally accesses protected resources at other sites without logging in again, demonstrating the OAuth2 Authorization Code grant type.
The article also explains the principle of HTTP redirection, comparing it to being directed to different government windows, and outlines the four grant types defined in RFC 6749: Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials. Of these, only Authorization Code (for user-facing clients) and Client Credentials (for service-to-service calls) are still recommended; the OAuth 2.0 Security Best Current Practice deprecates the Implicit and Password grants because they either expose tokens in the browser or hand the user's password to the client.
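The flow the article walks through in prose, written out as an added example with both sides of the exchange and the checks each side performs. This is a self-contained Python simulation, not code from the article or from Spring; Spring's filters do the same work (redirect-URI resolution on the server, state verification in the client's callback filter), and spelling it out shows what the framework is doing for you. The "webapp"/"secret" client and the "admin"/"admin123" user come from the article; the second site "reports" on port 8081 with secret "other", the /login callback paths and the attacker URL http://evil.example/cb are constructed for the demo.

```python
import secrets
import time
import urllib.parse
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60  # authorization codes are short-lived and single-use

@dataclass
class RegisteredClient:
    client_id: str
    client_secret: str
    redirect_uris: set  # exact-match allow-list; never prefix- or wildcard-matched

@dataclass
class AuthorizationServer:
    clients: dict                                 # client_id -> RegisteredClient
    users: dict                                   # username -> password (demo only)
    sessions: dict = field(default_factory=dict)  # browser cookie -> username
    codes: dict = field(default_factory=dict)     # code -> (client_id, redirect_uri, user, expiry)
    tokens: dict = field(default_factory=dict)    # access token -> username

    def login(self, username, password):
        """Authentication: identity is proven once; the session cookie is what SSO reuses."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def authorize(self, cookie, client_id, redirect_uri, state):
        """/oauth/authorize: needs a live session; returns the redirect that carries the code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise ValueError("unregistered redirect_uri")  # else the code goes to whoever chose the URI
        if cookie not in self.sessions:
            raise PermissionError("login required")  # a real server shows the login form here
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, self.sessions[cookie], time.time() + CODE_TTL_SECONDS)
        return f"{redirect_uri}?code={code}&state={state}"  # state is echoed back unchanged

    def token(self, client_id, client_secret, code, redirect_uri):
        """/oauth/token: back-channel exchange, authenticated with the client secret."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: the code is consumed on first use
        # entry = (client_id, redirect_uri, user, expiry); the code is bound to the request that produced it
        if entry is None or entry[:2] != (client_id, redirect_uri) or time.time() > entry[3]:
            raise PermissionError("code unknown, already used, bound to another client/redirect_uri, or expired")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[2]
        return token

class Client:
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.srv, self.client_id, self.secret, self.redirect_uri = server, client_id, client_secret, redirect_uri
        self.pending_state = None

    def start_login(self, cookie):
        self.pending_state = secrets.token_urlsafe(16)  # per attempt, kept in the user's session at the client
        return self.srv.authorize(cookie, self.client_id, self.redirect_uri, self.pending_state)

    def callback(self, redirect_url):
        base, _, query = redirect_url.partition("?")
        params = dict(urllib.parse.parse_qsl(query))
        if base != self.redirect_uri or params.get("state") != self.pending_state:
            raise PermissionError("state mismatch: this callback was not triggered by our request")
        self.pending_state = None
        return self.srv.token(self.client_id, self.secret, params["code"], self.redirect_uri)

def _rejected(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo():
    """One login, two sites, then three classic mistakes (True = rejected by the checks above)."""
    srv = AuthorizationServer(
        clients={"webapp": RegisteredClient("webapp", "secret", {"http://localhost:8080/login"}),
                 "reports": RegisteredClient("reports", "other", {"http://localhost:8081/login"})},
        users={"admin": "admin123"})
    web = Client(srv, "webapp", "secret", "http://localhost:8080/login")
    rep = Client(srv, "reports", "other", "http://localhost:8081/login")
    cookie = srv.login("admin", "admin123")            # the only time a password is typed
    url = web.start_login(cookie)
    code = dict(urllib.parse.parse_qsl(url.partition("?")[2]))["code"]
    web_token = web.callback(url)                      # first site: code exchanged for a token
    rep_token = rep.callback(rep.start_login(cookie))  # second site: session exists, no new login
    web.start_login(cookie)                            # the client now expects a different state
    return {
        "webapp_user": srv.tokens[web_token],   # what a resource server resolves the token to
        "reports_user": srv.tokens[rep_token],
        "open_redirect": _rejected(ValueError, srv.authorize, cookie, "webapp", "http://evil.example/cb", "s"),
        "code_replay": _rejected(PermissionError, srv.token, "webapp", "secret", code, web.redirect_uri),
        "forged_state": _rejected(PermissionError, web.callback, f"{web.redirect_uri}?code=x&state=forged"),
    }
```

Calling demo() returns both principals as "admin" and all three rejections as True. The three checks are the ones that most often go missing in hand-rolled servers and clients: exact matching of redirect_uri against a registered list (otherwise the code leaks through an open redirect), single-use codes bound to the client and redirect_uri that requested them, and a per-attempt state value verified on the callback so a victim cannot be logged into an attacker's account with an injected code.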
For practical implementation, a complete Spring Boot example is provided. The necessary Maven dependency is:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>

This starter pulls in the Spring Security OAuth 2.x project, which reached end of life in 2022; the classes below compile only against it, and new projects should use the OAuth2 client and resource-server support built into Spring Security, or Spring Authorization Server. The authorization server configuration includes application.properties (e.g., server.port=8110) and Java classes annotated with @EnableResourceServer, @EnableAuthorizationServer, and security settings that define a client (id "webapp", secret "secret") with the authorization-code grant type.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class Oauth2AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("webapp")
                // Spring Security 5 (Spring Boot 2) routes secrets through DelegatingPasswordEncoder;
                // the {noop} prefix marks a plain-text secret. Without a prefix every client
                // authentication at /oauth/token fails with "There is no PasswordEncoder mapped for the id null".
                .secret("{noop}secret")
                // The grant type identifier is "authorization_code" with an underscore.
                .authorizedGrantTypes("authorization_code")
                // Register the client's callback so the server can refuse any other redirect_uri.
                // Assumed value: the default @EnableOAuth2Sso login path of the client on port 8080.
                .redirectUris("http://localhost:8080/login")
                .scopes("user_info")
                .autoApprove(true)
                .accessTokenValiditySeconds(3600);
    }
}
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class Oauth2WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This filter chain covers only the login page and the authorize/logout endpoints,
        // all of which require an authenticated user; the login form itself stays reachable.
        http.requestMatchers()
                .antMatchers("/login", "/oauth/authorize", "/oauth/logout")
                .and().authorizeRequests().anyRequest().authenticated()
                .and().formLogin().permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo-only in-memory user; {noop} marks the password as unencoded for Spring Security 5.
        // roles("ADMIN") grants the authority "ROLE_ADMIN", which matters for the @PreAuthorize expressions later.
        auth.inMemoryAuthentication().withUser("admin").password("{noop}admin123").roles("ADMIN");
    }
}

The client application (e.g., a web site) also includes the same Maven dependency, its own application.properties (e.g., server.port=8080 plus the security.oauth2.client.* and security.oauth2.resource.* properties that @EnableOAuth2Sso reads: client id and secret, the authorization and token endpoint URLs, and the user-info URL, all pointing at the authorization server on port 8110), and a security configuration that enables SSO with @EnableOAuth2Sso and protects endpoints.
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso
public class Oauth2WebsecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // "/" and "/login" are public; "/login" is also the callback the authorization server
        // redirects to with the code. Any other URL triggers the redirect to the server on port 8110.
        http.antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated();
    }
}
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller  // returns view names, so a plain @Controller rather than @RestController
public class Oauth2ClientController {
    @GetMapping("/")
    public ModelAndView index() { return new ModelAndView("index"); }      // public landing page

    @GetMapping("/welcome")
    public ModelAndView welcome() { return new ModelAndView("welcome"); }  // protected; first visit redirects to the server
}

Role-based access control is demonstrated using Spring Security annotations such as @PreAuthorize("hasAuthority('ADMIN')") on REST endpoints, allowing fine-grained permission management. Two details decide whether such an annotation actually does anything: method security must be switched on with @EnableGlobalMethodSecurity(prePostEnabled = true) on a configuration class, and the expression must match the authority string that was granted. Because the server above uses roles("ADMIN"), the granted authority is ROLE_ADMIN, so hasRole('ADMIN') or hasAuthority('ROLE_ADMIN') is required; hasAuthority('ADMIN') would deny the admin user. In the SSO client the authorities also have to arrive from somewhere: Spring Boot's default extractor takes them from an "authorities" field in the user-info response and otherwise assigns only ROLE_USER.
Finally, the article discusses how the authorization server and resource server can be deployed as independent micro‑services behind an API gateway, enabling seamless SSO across a distributed system.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Architecture Digest
Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.