Secure your SPA with Spring Boot and OAuth

Secure your SPA with Spring Boot and OAuth

Learn how to build a simple SPA client app with a little bit of JQuery, a backend service with Spring Boot, and secure it all with OpenID Connect.

Meenu Juneja

I am successfully receiving token. But I am getting error insufficient scope “email” for /mod request.
{“error”:“insufficient_scope”,“error_description”:“Insufficient scope for this resource”,“scope”:“email”}
What should I change in above tutorial. Any guidelines?

Amjed Hamasha

Thanks for the awesome article, but I still have a dilemma when it comes to accessing a resource that has no owner. If there’s no user to login and authorise the call, then we’re stuck with Client Credentials as a grant type and oauth flow, which mandates exchanging the client Id and secret with the access token, but the client in this case is an SPA which can’t keep a secret! I’ve been looking for a while but everyone is assuming there’s always a resource owner who can login and authorise the call.

Brian Demers

Can you describe the scenario a bit more? I’m not sure I’m following.

You have a client SPA app that has an access token. And another app, a Resource Server? Your SPA app makes a request to the Resource Server with an access token?

Eduardo Leon

Hi good day.

Currently I’m working an implementation of @EnableResourceServer, Okta and validate the token, but our applications is working on spring core and spring mvc, all the examples I have been checking are made with spring boot, my question is how the configuration of the EnableResourceServer is done correctly, and how the configuration properties are set


Thanks in advance

Matt Raible

Hello Eduardo,

You should be able to use any of the techniques I describe in Build a Java REST API with Java EE and OIDC for a Spring MVC app. I’d recommend trying it with Spring Security.

Eduardo Leon

Thanks It helped me a lot the filter option


mattraible I do not agree