An example Spring Boot project that sets up Google OAuth login with a Next.JS 15 app.
Many Spring Boot OAuth examples stop once the app runs on localhost, often without a working logout. This example aims to avoid that mistake and provide a production-ready Spring Boot + Google OAuth app.
Important files:
- `backend/src/main/java/com/example/springboot/config/SecurityConfig.java` - the main Spring Security configuration
- `backend/src/main/resources/application-postgres.properties` - configures Spring and the database connection
- `backend/src/main/java/com/example/springboot/auth/Oauth2LoginSuccessHandler.java` - overrides the built-in login success handler
- `backend/src/main/java/com/example/springboot/auth/Oauth2LogoutSuccessHandler.java` - overrides the built-in logout success handler
Google Cloud Console (https://console.cloud.google.com):
- Create a new OAuth client ID under "Login Data" (Credentials)
- Add `http://localhost:8080/login/oauth2/code/google` to "Authorized Redirect URIs". This is the backend route Spring creates to handle the redirect from the Google OAuth login.
- Retrieve the Google Client ID and Client Secret
- Add both as environment variables to your Spring Boot application
- Set up a local Postgres database. You can use the provided `backend/docker-compose.yml` file.
- Add the other required environment variables according to `backend/.env.example`.
- The Spring profile `postgres` loads `backend/src/main/resources/application-postgres.properties`. There are some important settings here:
  - `server.servlet.session.cookie.domain=${COOKIE_DOMAIN:example.com}`
    - Crucial if your backend and frontend do not share the same host, e.g. `backend.example.com` and `frontend.example.com`
    - Assuming you have a wildcard SSL cert for `example.com`, set `COOKIE_DOMAIN` to `example.com` here
  - `server.servlet.session.cookie.same-site=lax`
    - The Google login redirect will not work with `same-site=strict` and a wildcard domain
    - Because CSRF protection is disabled in this project (see below), `lax` also matters defensively: the browser will not attach the session cookie to cross-site POST requests, so keep state-changing endpoints off GET
  - The following settings are required when running the Spring Boot application behind a reverse proxy such as nginx. If they are not set, Spring Boot's internal `getProtocol()` returns `http` instead of `https` during the login flow, which fails Google's requirement that the redirect URI starts with `https`:

    ```properties
    server.forward-headers-strategy=framework
    server.tomcat.redirect-context-root=false
    server.tomcat.remoteip.host-header=X-Forwarded-Host
    server.tomcat.remoteip.internal-proxies=
    server.tomcat.remoteip.protocol-header-https-value=https
    ```

    `server.tomcat.remoteip.internal-proxies` is intentionally empty. Your reverse proxy must set `X-Forwarded-Proto` and `X-Forwarded-Host` itself and overwrite any values a client sends: the application cannot tell whether a forwarded header came from the proxy or from the caller, and with the `framework` strategy Spring's `ForwardedHeaderFilter` applies them regardless of the source address.
Start the frontend:

```shell
cd frontend
npm run dev
```

- Start your Spring Boot app via your IDE, or build and run the jar: `java -jar backend/build/libs/spring-boot-google-oauth-nextjs-example-0.0.1-SNAPSHOT.jar`
- Visit http://localhost:3000
  - Your frontend will fail to load when the backend is not available, since `frontend/middleware.ts` tries to fetch the current user on every page (`const isAuth = await verifySession();`)
- Click Login and follow the Google login prompts
- Observe the intermediate redirect to your backend and the immediate redirect back to your frontend
- A JSESSIONID cookie will be available now
  - These can be 'anonymous' tokens if the login fails, don't get confused ;-)
  - Pass this cookie along with any backend fetch to authorize your request
- Click logout
  - Spring Boot will clear your backend session
  - The JSESSIONID cookie will have been deleted
  - You should be redirected to `/`
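The logout step above, as an added example of how such a handler can be written (this is not the project's own `Oauth2LogoutSuccessHandler`); `FRONTEND_URL` is an assumed environment variable and the session cookie path is assumed to be `/`:

```java
package com.example.springboot.auth;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class Oauth2LogoutSuccessHandler implements LogoutSuccessHandler {
    // Same value the session cookie was issued with (COOKIE_DOMAIN in the properties above).
    @Value("${server.servlet.session.cookie.domain:}")
    private String cookieDomain;

    // Assumed environment variable: where the browser lands after logout.
    @Value("${FRONTEND_URL:http://localhost:3000}")
    private String frontendUrl;

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException {
        // Spring Security's default logout handlers normally invalidate the session already;
        // this is a defensive repeat in case the handler chain was customised.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Browsers identify a cookie by (name, domain, path). A Set-Cookie without the
        // Domain attribute would create a second host-only cookie instead of removing the
        // wildcard-domain one, so the expiring cookie must repeat Domain and Path exactly
        // (Path is assumed to be "/", the default for an app served at the context root).
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setPath("/");
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        if (cookieDomain != null && !cookieDomain.isBlank()) {
            expired.setDomain(cookieDomain);
        }
        response.addCookie(expired);
        // Back to the frontend root, as described above.
        response.sendRedirect(frontendUrl + "/");
    }
}
```

Register it with `.logout(logout -> logout.logoutSuccessHandler(handler))` in the security configuration; if the cookie is issued with a different name or path, the expiring cookie must match those values too.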
The backend provides a `me` GET endpoint (`backend/src/main/java/com/example/springboot/controller/AuthController.java`) that returns yourself, i.e. the authenticated user from the current request.
I cannot get CSRF / XSRF tokens to work. So it is disabled via the Spring Security config (`.csrf(AbstractHttpConfigurer::disable)`), not ideal but not a complete roadblock. If you know how to get this to work with Spring Boot 3.x and e.g. Next.JS, please contact me :)