Build a Spring Boot App With Secure Server-to-Server Communication via OAuth 2.0

Build a Spring Boot App With Secure Server-to-Server Communication via OAuth 2.0

How to build a Spring Boot App for server-to-server communication via the OAuth 2.0 Client Credentials Grant type.

Most OAuth 2.0 guides are focused around the context of a user, i.e. logging in to an application using Google, Github, Okta, etc. While this can be useful, these guides ignore server-to-server communication where there is no user and you only have one service connecting to another. Thankfully, Okta is here to lend a hand with this area of application security.

The OAuth 2.0 Client Credentials Grant type is exclusively used for scenarios in which no user exists (CRON jobs, scheduled tasks, other data workloads, etc.). This flow is less showy than other OAuth flows as there is no end user or browser. However, this is far easier to understand than the more complicated, user-centric OAuth 2.0 grant types. In this tutorial, we'll walk through the OAuth 2.0 Client Credentials Grant type and how you can deploy it for secure server-to-server communication in Spring Boot.

OAuth 2.0 Client Credentials Grant

The goal of the Client Credentials Grant is to allow two machines to communicate securely. In this grant type, you have a client (think of this as your application) making API requests to another service (this is your resource server).

To help illustrate why this flow is important, let’s take a step back and talk about what we did before OAuth 2.0.

NOTE: If you’re an OAuth pro, you can skip ahead to the code examples below or check out this example on GitHub.

Before OAuth 2.0, the way developers handled server-to-server authentication was with HTTP Basic Auth. Essentially, this boiled down to a developer that would send over a server’s unique username and password (often referred to as an ID and secret) on each request. The API service would then validate this username and password on every request by connecting to a user store (database, LDAP, etc.) in order to validate the credentials.

This approach has a few drawbacks and exposure points:

  • Each application in the diagram above handles the username and password.
  • A second username and password might be needed to connect to the user store.
  • The same username and password is used for each request.

There are various ways to help mitigate these risks, but that’s out of scope in this post.

The OAuth 2.0 Client Credentials Grant was created to help solve the problems that originated with HTTP Basic Auth. While the client still uses a username and password (called the clientid and clientsecret), instead of sending them directly to the API service on each request, they are instead exchanged for a token via an authorization server.

The authorization server returns a temporary access token (which is used until it expires). The client then uses this access token when communicating with the resource server, which means that your client’s most sensitive data (the ID and secret) are only shared over the network once every expiration period, dramatically reducing the likelihood of compromise. Once the resource server receives the incoming request with the access token, it will then validate the token with by talking to the authorization server.

I’ll talk about a couple of ways to reduce the number of network calls further at the end of this post, but, first, onto an example!

Let’s Build an OAuth 2.0 Client Credentials App!

Enough talk, let’s do something! I’m going to show you how to implement the Client Credentials Grant type with Spring using two applications: a client and server. The server will have a single endpoint which returns a “message of the day.” The client will be a simple command line application; you could easily replace this with a backend web application, CRON job, or any other backend script.

Set Up Your Authorization Server

To keep things simple, you’ll use Okta to create an OAuth 2.0 authorization server. This will handle all of the Client Credentials Grant stuff mentioned above. Do you need to use Okta? Not at all! You can use any OAuth 2.0 compatible server that you want. But, because our service is free and simple to use, it speeds up this process.

If you don’t already have a free developer account, head over to and click Sign Up. When that’s complete, you’ll have two pieces of information, your Okta base URL, which looks something like:, and an email with instructions on how to activate your account.

After activating your account, while you are still in the Okta Developer Console, you then need to create an application and a custom OAuth scope. The application will give you a client ID and secret, while the custom scope will restrict your access token to this example.

Click the Applications menu item, then Add Application.  Next, select Service -> Next. You will then change the name to whatever you want (I’m going to use “My MOD App”). Next, click Done.

You will need the Client ID and Client secret values for the next steps.

Then, create a custom scope for your application.

From the menu bar, select API -> Authorization Servers. Remember the Issuer URI value; you will need this for the following steps. Edit the authorization server by clicking on the edit pencil, then click Scopes -> Add Scope. Fill out the name field with custom_mod and press Create.

Now, onto the fun stuff!

Create a Resource Server

This resource server (aka: API service) is going to be overly simple and consist of a single /mod endpoint. Now, create a new project using the Spring Initializer on the command line:

curl  \
  -d artifactId=creds-example-server \
  -d dependencies=security,web \
  -d language=java \
  -d type=maven-project \
  -d baseDir=creds-example-server \
| tar -xzvf -

change into the new directory

cd creds-example-server

You will also need to manually add one more dependency to your pom.xml:


NOTE: I also renamed the DemoApplication to ServerApplication , because we are going to create another application shortly.

Next, update the ServerApplication to include the @EnableResourceServer annotation and add a simple REST controller:

public class ServerApplication {

public static void main(String[] args) {, args);

 * Allows for @PreAuthorize annotation processing.
@EnableGlobalMethodSecurity(prePostEnabled = true)
protected static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();

public class MessageOfTheDayController {
    public String getMessageOfTheDay(Principal principal) {
        return "The message of the day is boring for user: " + principal.getName();


Now it is time to configure the application! I renamed my file to application.yml and updated it to include:

      clientId: {client-id-from-above}
      clientSecret: {client-secret-from-above}
      tokenInfoUri: {issuer-uri-from-above}/v1/introspect

That’s it! Just a few lines of code and a couple lines of config! Spring Boot will automatically handle the validation of the access tokens — all you need to do now is worry about is your code!

Next, start it up and leave it running:

./mvn spring-boot:run

You can try to access http://localhost:8080/mod , if you want. It will respond with HTTP 401 UNAUTHORIZED.

Create the OAuth 2.0 Client

Next, you’re going to create a simple command-line client (you could easily duplicate this logic in any type of application).

Next, open up a new terminal window and create a second application with the Spring Initializer:

-d artifactId=creds-example-client
-d dependencies=security
-d language=java
-d type=maven-project
-d baseDir=creds-example-client
| tar -xzvf -

change into the new directory

cd creds-example-client

This will follow the same instructions as before — add in the Spring OAuth 2.0 library as a dependency in your pom.xml:


This time, I’ll start by defining the configuration

(again I renamed to application.yml):

  baseUrl: http://localhost:8080
      grantType: client_credentials
      clientId: {client-id-from-above}
      clientSecret: {client-secret-from-above}
      accessTokenUri: {issuer-uri-from-above}/v1/token
      scope: custom_mod

I’ve namespaced the configuration under example since you could be connecting to multiple servers.

I configured a few properties:

  • baseUrl is the base URL of our example server
  • grantType defines the grant type for the connection
  • clientId and clientSecret are the same as above
  • accessTokenUri defines the URI used to get an access token
  • scope is the custom scope we created above

Last up is our ClientApplication (renamed from DemoApplication):

public class ClientApplication implements CommandLineRunner {
    private final Logger logger = LoggerFactory.getLogger(ClientApplication.class);
    @Value("#{ @environment['example.baseUrl'] }")
    private String serverBaseUrl;
    public static void main(String[] args) {, args);
    protected ClientCredentialsResourceDetails oAuthDetails() {
        return new ClientCredentialsResourceDetails();
    protected RestTemplate restTemplate() {
        return new OAuth2RestTemplate(oAuthDetails());
    public void run(String... args) {"MOD: {}", restTemplate().getForObject(serverBaseUrl + "/mod", String.class));

There are a few items that I want to touch on:

  • The CommandLineRunner interface adds a run method, which is called automatically after initialization. The application exits after leaving this method.
  • I created an ClientCredentialsResourceDetails bean, which is bound to my configuration properties: example.oauth2.client . 
  • I used an OAuth2RestTemplate in place of a standard RestTemplate . This automatically manages all of the OAuth 2.0 access token exchange and sets the Authentication: Bearer header value. Basically, it handles all of the OAuth detail so you don’t need to worry about any of them!

Next, run the application with ./mvnw spring-boot:run and you should see a console output similar to:

2018-03-20 12:56:10.058  INFO 15833 --- [main] c.e.c.ClientApplication: MOD: The message of the day is boring for user: 0oabcd12yz2EpHuis75s3

The client has successfully communicated with the server! Not bad, right? In just a few lines of code, you were able to get an OAuth 2.0 authorization server setup and configured, as well as create two Spring apps (one client and one server) that can now communicate securely using the OAuth 2.0 Client Credentials Grant type!

NOTE: if you see a 401 or 500 exception, double check that your application.yml config files contain the correct information.

Extra Credit: Reduce the Number of Calls to the Authorization Server

The second sequence diagram above seems more complicated than the first, even when factoring in the reuse of an access token. Access tokens are opaque. There is no spec behind them, and the format is left to the implementation of the authorization server.

At Okta, we use signed JWTs, which means you can validate them locally, instead of making an additional request from the API service to the authorization server on each request.

We have helper libraries in a few different languages and a Spring Boot starter that will handle the local validation for you.

Thanks for reading! If you liked this post, share it with all of your programming buddies!

Originally published on

spring-boot java web-development

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Productive Web Development in Java with IntelliJ IDEA, Spring Boot and Vaadin

We cover tips and tricks to help you become a more productive web app developer. We build a small web app using Vaadin's Java API and Spring Boot. We show you how to set up IntelliJ IDEA to automatically reload your app and browser as you develop and cover our favorite shortcuts and hacks for productive and enjoyable web app development in Java.

Hire Web Developer

Looking for an attractive & user-friendly web developer?, a leading web, and mobile app development company, offers web developers for hire through flexible engagement models. You can **[Hire Web...

Top 10 Advanced Java and Spring Boot Courses for Full-Stack Java Developers

These are best online courses to learn Spring Boot, Advanced Java, Docker, React, Microservices, DEvops, and Angular to become full stack Java developer.

How to Install OpenJDK 11 on CentOS 8

What is OpenJDK? OpenJDk or Open Java Development Kit is a free, open-source framework of the Java Platform, Standard Edition (or Java SE).

Java Spring Boot First App

Step by Step to your First Spring App