This code sample demonstrates how to implement authentication with Auth0 by Okta in a Spring MVC web application using Spring Security and the Okta Spring Boot Starter. This Java code sample implements the following security tasks:
- How to add user login, sign-up, and logout to Spring MVC Applications.
- How to use Spring Security and the Okta Spring Boot Starter to protect Spring MVC application routes.
- How to make API calls from Spring MVC to request data from a protected API.
- How to get user profile information to personalize an Spring MVC user interface.
Spring MVC Code Sample Specs
This code sample uses the following main tooling versions:
- Spring Boot
v3.1.3 - Java
v17+ - Okta Spring Boot Starter
v3.0.5
This application was tested using JRE or JDK v17+ and Gradle Wrapper v7.5, which is included.
Quick Auth0 Set Up
First and foremost, if you haven't already, sign up for an Auth0 account to connect your web application with the Auth0 Identity Platform.
Next, you'll connect your web application with Auth0. You'll need to create an application registration in the Auth0 Dashboard and get three configuration values: the Auth0 Domain, the Auth0 Client ID, and the Auth0 Client Secret. You'll also need to define an Auth0 Audience value within your project to practice making secure calls to an external API.
Get the Auth0 domain and client ID
-
Open the Applications section of the Auth0 Dashboard.
-
Click on the Create Application button and fill out the form with the following values:
Hello World Client
- Click on the Create button.
An Auth0 Application page loads up.
As such, click on the "Settings" tab of your Auth0 Application page, locate the "Application URIs" section, and fill in the following values:
http://localhost:4040/login/oauth2/code/okta
http://localhost:4040
Scroll down and click the "Save Changes" button.
Next, locate the "Basic Information" section.
When you enter a value in the input fields present on this page, any code snippet that uses such value updates to reflect it. Using the input fields makes it easy to copy and paste code as you follow along.
As such, enter the "Domain" and "Client ID" values in the following fields to set up your web application in the next section:
Set Up and Run the Spring MVC Code Sample
Start by cloning the project into your local machine:
git clone https://github.com/auth0-developer-hub/web-app_spring_java_hello-world.git
Make the project directory your current working directory:
cd web-app_spring_java_hello-world
Then, check out the basic-authentication branch, which holds all the Spring MVC code related to implementing basic user authentication with Auth0:
git checkout basic-authentication
Install the Spring MVC project dependencies using Gradle:
./gradlew dependencies --write-locks
Create a .env file under the root project directory:
touch .env
Populate the .env with the following environment variables:
PORT=4040OKTA_OAUTH2_ISSUER=https://AUTH0-DOMAIN/OKTA_OAUTH2_CLIENT_ID=AUTH0-CLIENT-IDOKTA_OAUTH2_CLIENT_SECRET=AUTH0-CLIENT-SECRET
Get the Auth0 Client Secret
Head back to the "Settings" tab of your Auth0 application page in the Auth0 Dashboard to get the value for OKTA_OAUTH2_CLIENT_SECRET.
Locate the "Client Secret" field, copy its value, and paste it as the OKTA_OAUTH2_CLIENT_SECRET environment value in the .env file.
Run the Spring MVC Code Sample
Execute the following command to run the Spring MVC web application:
./gradlew bootRun
This Spring MVC code sample offers a functional application with views and services to hydrate the user interface. It is important to notice that the service implemented in the basic-authentication branch simulates the external API by placing the responses directly on the code.
Later, you'll integrate this Spring MVC web application with a real API server using any of the "Auth0 Hello World" API code samples with the backend technology of your choice.
Optional: Enable hot swapping
Spring Boot supports hot swapping. The spring-boot-devtools module includes support for restarting your application automatically as your project code changes.
You have two options to use Spring Boot hot swapping:
Use Spring Tools
You can install Spring Tools in your project. Then, whenever you run the Spring server from your IDE, hot swapping will be enabled.
Spring Tools will handle watching project files, recompiling, and restarting the server as you make code changes in your project.
Using the Gradle Wrapper
You can run the Gradle Wrapper in a terminal application as follows:
- Open a terminal window to watch and compile the Spring Boot project:
./gradlew compileJava -t
- Open a second terminal window to start the server:
./gradlew bootRun
Running those Gradle tasks in parallel enables Spring Boot hot swapping. The server will automatically restart when you make code changes in your project.
Use the Spring MVC Sample Application
You can now visit http://localhost:4040/ to access the application.
When you click on the "Log In" button, Spring MVC takes you to the Auth0 Universal Login page. Your users can log in to your application through a page hosted by Auth0, which provides them with a secure, standards-based login experience that you can customize with your own branding and various authentication methods, such as logging in with a username and password or with a social provider like Facebook or Google.
Once you log in, visit the protected "Profile" page to see all the user profile information that Auth0 securely shares with your application using ID tokens:
You can test that the protected Spring MVC routes require users to log in before accessing them. Click on the "Log Out" button and try to access the Profile page, Protected page, or the Admin page:
If everything is working as expected, Spring MVC redirects you to log in with Auth0.
Connect the Spring MVC Code Sample with an API Server
Before you can practice requesting protected resources from an external API server using access tokens, you need to set up and configure an API with Auth0. You can pair this Spring MVC code sample with any of our "Hello World" API server code samples.
Set up a Hello World API server
Pick an API code sample in your preferred backend framework and language from the list below and follow the instructions on the code sample page to set it up. Once you complete the sample API server set up, please return to this Spring MVC code sample page to learn how to integrate that API server with your Spring MVC web application.
While setting up the API server code sample, you created an Auth0 Audience value. Store that value in the following field so that you can use it throughout the instructions present in this section easily:
Set up the Spring MVC client application
If you haven't cloned the repository already, start by cloning the Spring MVC project into your local machine:
git clone https://github.com/auth0-developer-hub/web-app_spring_java_hello-world.git
Make the project directory your current working directory:
cd web-app_spring_java_hello-world
Then, check out the basic-authentication-with-api-integration branch:
git checkout basic-authentication-with-api-integration
Install the Spring MVC project dependencies using Gradle:
./gradlew dependencies --write-locks
Now, either create or update the .env file under the Spring MVC project directory with the following:
PORT=4040OKTA_OAUTH2_ISSUER=https://AUTH0-DOMAIN/OKTA_OAUTH2_CLIENT_ID=AUTH0-CLIENT-IDOKTA_OAUTH2_CLIENT_SECRET=AUTH0-CLIENT-SECRETOKTA_OAUTH2_AUDIENCE=AUTH0-AUDIENCEAPI_SERVER_URL=http://localhost:6060
This time around, you include the API_SERVER_URL and OKTA_OAUTH2_AUDIENCE values.
The API_SERVER_URL is the URL where your sample API server listens for requests. In production, you'll change this value to the URL of your live server.
The OKTA_OAUTH2_AUDIENCE is an identifier that represents the compatible Hello World API you just registered in your Auth0 tenant. This identifier is also known as the Auth0 audience. Your Spring MVC web application must provide this value to the Auth0 authorization server in order to get a valid access token to make authenticated requests to the compatible external API.
If you haven't started the Spring MVC web application yet, execute this command to run it:
./gradlew bootRun
Now your Spring MVC is all set up to request protected data from the "Hello World" API server of your choice. Ensure that your API server is running and visit the Admin page of your Spring MVC web application:
Verify that this page is displaying the relevant messages from the API.
This basic-authentication-with-api-integration branch of the code sample repository demonstrates "how to request protected data from an API using access tokens in Spring MVC".