What is OAuth2/OIDC, and how does Spring Boot support acting as a client or resource server?

9 minadvancedoauth2oidcresource-server

Quick Answer

OAuth2 is an authorization delegation framework letting a user grant a third-party application limited access to their resources on another service, without sharing their actual password with that third party, via short-lived access tokens issued by an authorization server. OIDC (OpenID Connect) is an identity layer built on top of OAuth2, adding a standardized ID token that proves who the user actually is, not just what they're authorized to access. Spring Boot supports both roles: as an OAuth2 Client (spring-boot-starter-oauth2-client) to let users log in via an external provider like Google or Okta, and as a Resource Server (spring-boot-starter-oauth2-resource-server) to validate incoming bearer access tokens issued by an external authorization server.

Detailed Answer

OAuth2 is an authorization delegation framework: it lets a user grant a third-party application limited, scoped access to their data on another service (e.g., "let this app read your Google Calendar"), without ever handing that third-party application the user's actual Google password. Instead, the user authenticates directly with the trusted service (the authorization server), which then issues a short-lived, scope-limited access token the third-party app can present on the user's behalf.

OIDC (OpenID Connect) builds an identity/authentication layer on top of OAuth2's authorization mechanics — OAuth2 alone doesn't actually standardize "who is this user," only "what are they authorizing access to." OIDC adds a standardized ID token (itself a signed JWT) containing verified identity claims (user ID, email, name), which is what actually enables "Sign in with Google/Okta/etc." style authentication flows, rather than just delegated API access.

Spring Boot supports two distinct roles in this ecosystem, each with its own starter:

1. OAuth2/OIDC Client (spring-boot-starter-oauth2-client) — your application lets users log in via an external identity provider:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: ${GOOGLE_CLIENT_ID}
            client-secret: ${GOOGLE_CLIENT_SECRET}
            scope: openid, profile, email
http.oauth2Login(Customizer.withDefaults()); // "Sign in with Google" style flow, handled largely by Spring Security

2. OAuth2 Resource Server (spring-boot-starter-oauth2-resource-server) — your application accepts and validates access tokens issued by an external authorization server, protecting its own API endpoints:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://your-auth-server.com/
http.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
// Spring Security automatically fetches the issuer's public signing keys and validates incoming Bearer tokens

How these two roles typically fit together in a real system: a frontend or mobile app authenticates a user via an identity provider (getting back tokens), then calls your backend API with the resulting access token attached as a Bearer header; your backend, configured as a resource server, validates that token's signature/expiration/issuer/audience against the authorization server's published metadata, without needing to independently manage user credentials at all — a large part of the appeal of OAuth2/OIDC is that individual backend services never need to handle raw passwords or implement their own login/identity logic from scratch.

Related Resources