Secure your SPA with Spring Boot and OAuth
Learn how to build a simple SPA client app with a little bit of jQuery, a backend service with Spring Boot, and secure it all with OpenID Connect.
Meenu Juneja
I am successfully receiving a token, but I am getting an insufficient scope “email” error for the /mod request.
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"email"}
What should I change in the above tutorial? Any guidelines?
Amjed Hamasha
Thanks for the awesome article, but I still have a dilemma when it comes to accessing a resource that has no owner. If there’s no user to log in and authorise the call, then we’re stuck with Client Credentials as a grant type and OAuth flow, which mandates exchanging the client ID and secret for the access token, but the client in this case is an SPA, which can’t keep a secret! I’ve been looking for a while, but everyone is assuming there’s always a resource owner who can log in and authorise the call.
Brian Demers
Can you describe the scenario a bit more? I’m not sure I’m following.
You have a client SPA app that has an access token. And another app, a Resource Server? Your SPA app makes a request to the Resource Server with an access token?
Eduardo Leon
Hi, good day.
Currently I’m working on an implementation of @EnableResourceServer with Okta, validating the token, but our application is running on Spring Core and Spring MVC, and all the examples I have been checking are made with Spring Boot. My question is how the configuration of EnableResourceServer is done correctly, and how the configuration properties are set:
security:
  oauth2:
    resource:
      userInfoUri: https://dev-551515.oktapreview.com/oauth2/default/v1/userinfo
Thanks in advance.
Matt Raible
Hello Eduardo,
You should be able to use any of the techniques I describe in Build a Java REST API with Java EE and OIDC for a Spring MVC app. I’d recommend trying it with Spring Security.
Eduardo Leon
Thanks, the filter option helped me a lot.
disqus_iBrZiZukYs
mattraible I do not agree