Java (Spring Boot)

Quickly and easily add authentication to your Spring Boot application.

Prerequisites

This guide assumes you’ve already set up your application in the Kenni developer portal (see Create an Application).
This guide also assumes you’ve already scaffolded a Spring Boot application; the examples use Java. The most important part of setting up your application is including the org.springframework.boot:spring-boot-starter-oauth2-client dependency.

Register Kenni as your application’s OAuth provider

Add the following to your application.yml file:
```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          kenni-client:
            client-id: "some-client-id"
            client-secret: some-client-secret
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid, national_id
            provider: kenni
            require-proof-key: true
            require-authorization-consent: false
        provider:
          kenni:
            issuer-uri: https://idp.kenni.is/some-issuer
```
💡 All required values in this section can be found in the overview tab of your application in the Kenni Developer Portal.
Replace {baseUrl} with the base URL your application is running under.
Replace the issuer in issuer-uri with the name of your issuer. This can be copied from the overview tab of your application, and will look something like: https://idp.kenni.is/your-domain.
Replace scope in the authorization params with the identity claims you wish to receive from Kenni. All available identity claims are listed in the overview tab.
If you want access_tokens to be issued as JWTs, include an API scope next to your identity scopes. For more information regarding API scopes, see Authorizing API scopes.
Replace the client-id and client-secret values with the appropriate values.

Register the SecurityFilterChain bean

The exact implementation of your SecurityFilterChain will depend on the routes you are protecting, but a good starting point looks something like this:
```java
// Declare this bean in a @Configuration class.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, ClientRegistrationRepository repo) throws Exception {
    // Resolver for the default /oauth2/authorization/{registrationId} endpoint,
    // customized to add PKCE parameters to every authorization request.
    var base_uri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
    var resolver = new DefaultOAuth2AuthorizationRequestResolver(repo, base_uri);
    resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());

    http.authorizeHttpRequests((authorizeRequests) -> authorizeRequests
            // Matchers are evaluated in order: /authed/** first, then the catch-all.
            .requestMatchers("/authed/**").authenticated()
            .requestMatchers("/**").permitAll())
        .oauth2Login((login) -> login.authorizationEndpoint(
            authorizationEndpointConfig -> authorizationEndpointConfig.authorizationRequestResolver(resolver)));

    return http.build();
}
```
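In this example, all routes under /authed will require authentication, and everything else will allow anonymous access. Because the final matcher permits every other path, any route you later add outside /authed is public unless you add a matcher for it.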

Accessing tokens in controllers

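Both the ID Token and the Access Token can be read in Spring controllers: the ID Token from the AuthenticationPrincipal and the Access Token from the registered OAuth2AuthorizedClient.
The following snippet would retrieve tokens in the /authed/user route:
```java
// Resolves to /authed/user when the controller class is mapped to /authed (assumed here).
@GetMapping("/user")
public String index(Model model,
                    @AuthenticationPrincipal OidcUser oidcUser,
                    @RegisteredOAuth2AuthorizedClient("kenni-client") OAuth2AuthorizedClient authorizedClient) {
    // ID Token of the signed-in user.
    model.addAttribute("idToken", oidcUser.getIdToken().getTokenValue());
    // Access Token issued for the kenni-client registration.
    model.addAttribute("accessToken", authorizedClient.getAccessToken().getTokenValue());
    return "user";
}
```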
The example above is for demonstration purposes only; we do not recommend adding the Access Token to the view model, since doing so exposes it to the rendered page.

View complete integration

Visit our GitHub repository for a complete Spring Boot integration sample.