An example Spring Boot project that sets up Google OAuth login with a Next.JS 15 app.

Many Spring Boot OAuth examples stop once the app runs on localhost, often without a working logout. This example aims to avoid that mistake and provide a production-ready Spring Boot + Google OAuth app.
Important files:

- `backend/src/main/java/com/example/springboot/config/SecurityConfig.java`
  - The main Spring Security configuration
- `backend/src/main/resources/application-postgres.properties`
  - Configures Spring and the database connection
- `backend/src/main/java/com/example/springboot/auth/Oauth2LoginSuccessHandler.java`
  - Overrides the built-in login success handler
- `backend/src/main/java/com/example/springboot/auth/Oauth2LogoutSuccessHandler.java`
  - Overrides the built-in logout success handler
Google Cloud Console (<https://console.cloud.google.com>):

- Create a new OAuth client ID under "Login Data" (Credentials)
- Add `http://localhost:8080/login/oauth2/code/google` to "Authorized redirect URIs"
  - This is the backend route that Spring Security creates to handle the Google OAuth login redirect
- Retrieve the Google client ID and client secret
- Add both as ENV vars to your Spring Boot application
- Set up a local Postgres database
  - You can use the provided `backend/docker-compose.yml` file
- Add the other required ENV vars according to `backend/.env.example`
  - The Spring profile `postgres` loads the application properties from `backend/src/main/resources/application-postgres.properties`
  - There are some important settings in that file:
    - `server.servlet.session.cookie.domain=${COOKIE_DOMAIN:example.com}`: crucial if your backend and frontend do not share the same domain
      - e.g. `backend.example.com` and `frontend.example.com`
      - Assuming you have a wildcard SSL cert for `example.com`, set `example.com` as `COOKIE_DOMAIN` here
    - `server.servlet.session.cookie.same-site=lax`: the Google login redirect will not work with `same-site=strict` and a wildcard domain
    - The following settings are required when running the Spring Boot application behind a reverse proxy such as nginx. If they are not set, Spring Boot's internal `getProtocol()` returns `http` instead of `https` during the login flow, which fails Google's requirement that the OAuth redirect URI start with `https`:

      ```properties
      server.forward-headers-strategy=framework
      server.tomcat.redirect-context-root=false
      server.tomcat.remoteip.host-header=X-Forwarded-Host
      server.tomcat.remoteip.internal-proxies=
      server.tomcat.remoteip.protocol-header-https-value=https
      ```

      `server.tomcat.remoteip.internal-proxies=` is intentionally left empty.
- Start your frontend: `cd frontend`, then `npm run dev`
- Start your Spring Boot app
  - via your IDE, or build and run the jar: `java -jar backend/build/libs/spring-boot-google-oauth-nextjs-example-0.0.1-SNAPSHOT.jar`
- Visit `http://localhost:3000`
  - Your frontend will fail to load when the backend is not available, since `frontend/middleware.ts` tries to fetch the current user on every page: `const isAuth = await verifySession();`
- Click Login
  - Follow the Google login prompts
  - Observe the intermediate redirect to your backend and the immediate redirect back to your frontend
  - A `JSESSIONID` cookie will be available now
    - This can be an 'anonymous' session token if the login fails, so don't get confused ;-)
  - Send this session cookie along with any backend fetch to authorize your request
- Click Logout
  - Spring Boot will clear your backend session
  - The `JSESSIONID` cookie will have been deleted
  - You should be redirected to `/`
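A sketch of the session check that the middleware and the credentialed backend fetches above rely on, as an added example; it is not the project's `frontend/middleware.ts` or its `verifySession()`. It assumes the backend runs at `http://localhost:8080`, that `GET /me` answers 200 with the user for a logged-in session and 401 or 403 for an anonymous one, and it takes an injectable `fetch` so the flow can be exercised offline against a constructed fake backend. Unlike the project's middleware as described above, it treats an unreachable backend as "not authenticated" instead of failing the page.

```typescript
// Added example: a session check in the style of frontend/middleware.ts plus a
// credentialed fetch helper. Not the project's code; the /me contract, the
// backend URL and the injectable fetch are assumptions.

export type SessionReason = "ok" | "unauthenticated" | "unexpected-status" | "backend-unreachable";

export interface SessionCheck {
  authenticated: boolean;
  user: unknown;
  reason: SessionReason;
}

// Minimal shapes so the example does not depend on DOM or Node fetch typings.
export interface MinimalResponse {
  status: number;
  json(): Promise<unknown>;
}
export interface MinimalInit {
  headers?: Record<string, string>;
  credentials?: "include" | "same-origin" | "omit";
  cache?: "no-store";
  redirect?: "manual";
}
export type FetchLike = (url: string, init?: MinimalInit) => Promise<MinimalResponse>;

// Use the runtime's fetch when one exists (browser, Node 18+), otherwise undefined.
const globalFetch = (globalThis as unknown as { fetch?: FetchLike }).fetch;

/** Map the backend's status code to a verdict; kept synchronous so it is easy to test. */
export function classifyStatus(status: number): SessionReason {
  if (status === 200) return "ok";
  if (status === 401 || status === 403) return "unauthenticated";
  return "unexpected-status";
}

/**
 * Server-side session check: forward the incoming request's Cookie header
 * (which carries JSESSIONID) to the backend's /me endpoint and interpret the answer.
 * A JSESSIONID for an anonymous session yields 401 from the backend, not a user.
 */
export async function verifySession(
  cookieHeader: string | null,
  backendBaseUrl = "http://localhost:8080",
  fetchImpl: FetchLike | undefined = globalFetch,
): Promise<SessionCheck> {
  if (!fetchImpl) return { authenticated: false, user: null, reason: "backend-unreachable" };
  try {
    const res = await fetchImpl(`${backendBaseUrl}/me`, {
      headers: cookieHeader ? { cookie: cookieHeader } : {},
      cache: "no-store",  // never reuse a cached verdict for a different cookie
      redirect: "manual", // do not follow a login redirect from a server-side check
    });
    const reason = classifyStatus(res.status);
    if (reason === "ok") return { authenticated: true, user: await res.json(), reason };
    return { authenticated: false, user: null, reason };
  } catch {
    // Backend down: report it as unauthenticated instead of failing the whole page.
    return { authenticated: false, user: null, reason: "backend-unreachable" };
  }
}

/** Middleware decision: null means "let the request through", otherwise the redirect target. */
export function routeFor(pathname: string, check: SessionCheck): string | null {
  const publicPaths = ["/", "/login"]; // assumption: these pages need no session
  if (publicPaths.includes(pathname)) return null;
  return check.authenticated ? null : "/login";
}

/** Browser-side fetch to the backend; credentials: "include" attaches the JSESSIONID cookie cross-origin. */
export function fetchWithSession(
  url: string,
  init: MinimalInit = {},
  fetchImpl: FetchLike | undefined = globalFetch,
): Promise<MinimalResponse> {
  if (!fetchImpl) throw new Error("no fetch implementation available");
  return fetchImpl(url, { ...init, credentials: "include" });
}

/** Constructed fake backend for offline use: one valid session id, every other cookie is anonymous. */
export function fakeBackend(validSessionId: string): FetchLike {
  return async (url, init) => {
    const cookies = (init?.headers?.cookie ?? "").split(";").map((c) => c.trim());
    const loggedIn = url.endsWith("/me") && cookies.includes(`JSESSIONID=${validSessionId}`);
    return {
      status: loggedIn ? 200 : 401,
      json: async () => (loggedIn ? { name: "Example User" } : null),
    };
  };
}
```

`credentials: "include"` only helps if the backend's CORS response carries `Access-Control-Allow-Credentials: true` together with an explicit `Access-Control-Allow-Origin` (a `*` origin is rejected by browsers for credentialed requests); with the cookie domain set to `example.com` as above, `frontend.example.com` and `backend.example.com` share the cookie, so `same-site=lax` is enough for these calls.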
The backend provides a `me` GET endpoint (`backend/src/main/java/com/example/springboot/controller/AuthController.java`) that returns the authenticated user of the current request.
I cannot get CSRF / XSRF tokens to work. So it is disabled via the Spring Security config (`.csrf(AbstractHttpConfigurer::disable)`), not ideal but not a complete roadblock. If you know how to get this to work with Spring Boot 3.x and e.g. Next.JS, please contact me :)