Docs

Docs

OAuth2 Authentication

Vaadin and Spring Security configuration for OAuth2 Authentication.

Vaadin applications can be configured to authenticate users using an existing account at an OAuth 2.0 Provider (e.g., GitHub) or at an OpenID Connect 1.0 Provider (e.g., Google).

This page focuses on how to configure a Spring Boot project to integrate OAuth2 authentication in Vaadin. It assumes you’re familiar with setting up Spring Security with Vaadin. For detailed information about Spring Security and OAuth2, consult the Spring documentation.

Application Configuration

To start, add the spring-security-oauth2-client dependency to your project. When using Spring Boot, use the following starter:

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

Next, add the OAuth2 provider settings to the application’s configuration file. The following example configuration integrates a Keycloak OAuth2 provider. To setup a test environment, refer to the Keycloak Integration in Vaadin SSO Kit documentation.

spring.security.oauth2.client.registration.keycloak.provider=keycloak
spring.security.oauth2.client.registration.keycloak.client-id=my-client-id
spring.security.oauth2.client.registration.keycloak.client-secret=<<client secret>>
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid,profile

spring.security.oauth2.client.provider.keycloak.issuer-uri=http://keyclok.local:8180/realms/my-app

For integration with other OAuth2 providers, refer to the Spring Security documentation.

Enable OAuth2 Login in Vaadin

To enable OAuth2 login in a Vaadin application, extend the VaadinWebSecurity class and configure the login page and post-logout redirect URI using the setOAuth2LoginPage method.

Besides the HttpSecurity instance, there are two method parameters:

  • Login Page: The URI capable of initiating the authentication request. Usually, it’s /oauth2/authorization/{registrationId}, where registrationId refers to the client registered in the application configuration file.

  • Post Logout Redirect URI: The location where the user is redirected after logout.

The post logout redirect URI can be expressed as a relative or absolute URI, or as a template. The supported URI template variables are {baseScheme}, {baseHost}, {basePort}, {basePath}, and {baseUrl} — which is the same as {baseScheme}://{baseHost}{basePort}{basePath}.

@Configuration
class SecurityConfiguration extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        setOAuth2LoginPage(http,
            "/oauth2/authorization/keycloak", 1
            "{baseUrl}/session-ended"         2
        );
    }
}

  1. Login page for initiating OAuth2 login with the Keycloak client.

  2. Post logout redirect URI uses a template to resolve dynamically the URL.

The setOAuth2LoginPage(HttpSecurity, String) method is a shortcut that defaults the post-logout redirect URL to {baseUrl}.

EF8F6AC3-BE67-4BE2-9A78-C371C1D4B9FD