":servlet:spring-boot:java:oauth2:login"

servlet/spring-boot/java/oauth2/login/README.adoc

@@ -0,0 +1,321 @@
+= OAuth 2.0 Login Sample
+
+This guide provides instructions on setting up the sample application with OAuth 2.0 Login using an OAuth 2.0 Provider or OpenID Connect 1.0 Provider.
+The sample application uses Spring Boot 2.0.0.M6 and the `spring-security-oauth2-client` module which is new in Spring Security 5.0.
+
+The following sections provide detailed steps for setting up OAuth 2.0 Login for these Providers:
+
+* <<google-login, Google>>
+* <<github-login, GitHub>>
+* <<facebook-login, Facebook>>
+* <<okta-login, Okta>>
+
+[[google-login]]
+== Login with Google
+
+This section shows how to configure the sample application using Google as the Authentication Provider and covers the following topics:
+
+* <<google-initial-setup,Initial setup>>
+* <<google-redirect-uri,Setting the redirect URI>>
+* <<google-application-config,Configure application.yml>>
+* <<google-boot-application,Boot up the application>>
+
+[[google-initial-setup]]
+=== Initial setup
+
+To use Google's OAuth 2.0 authentication system for login, you must set up a project in the Google API Console to obtain OAuth 2.0 credentials.
+
+NOTE: https://developers.google.com/identity/protocols/OpenIDConnect[Google's OAuth 2.0 implementation] for authentication conforms to the
+ https://openid.net/connect/[OpenID Connect 1.0] specification and is https://openid.net/certification/[OpenID Certified].
+
+Follow the instructions on the https://developers.google.com/identity/protocols/OpenIDConnect[OpenID Connect] page, starting in the section, "Setting up OAuth 2.0".
+
+After completing the "Obtain OAuth 2.0 credentials" instructions, you should have a new OAuth Client with credentials consisting of a Client ID and a Client Secret.
+
+[[google-redirect-uri]]
+=== Setting the redirect URI
+
+The redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Google
+and have granted access to the OAuth Client _(created in the previous step)_ on the Consent page.
+
+In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect URIs* field is set to `http://localhost:8080/login/oauth2/code/google`.
+
+TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`.
+ The *_registrationId_* is a unique identifier for the `ClientRegistration`.
+
+IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured.
+Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`.
+
+[[google-application-config]]
+=== Configure application.yml
+
+Now that you have a new OAuth Client with Google, you need to configure the application to use the OAuth Client for the _authentication flow_. To do so:
+
+. Go to `application.yml` and set the following configuration:
++
+[source,yaml]
+----
+spring:
+  security:
+    oauth2:
+      client:
+        registration:	<1>
+          google:		<2>
+            client-id: google-client-id
+            client-secret: google-client-secret
+----
++
+.OAuth Client properties
+====
+<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties.
+<2> Following the base property prefix is the ID for the `ClientRegistration`, such as google.
+====
+
+. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier.
+
+[[google-boot-application]]
+=== Boot up the application
+
+Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`.
+You are then redirected to the default _auto-generated_ login page, which displays a link for Google.
+
+Click on the Google link, and you are then redirected to Google for authentication.
+
+After authenticating with your Google account credentials, the next page presented to you is the Consent screen.
+The Consent screen asks you to either allow or deny access to the OAuth Client you created earlier.
+Click *Allow* to authorize the OAuth Client to access your email address and basic profile information.
+
+At this point, the OAuth Client retrieves your email address and basic profile information
+from the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session.
+
+[[github-login]]
+== Login with GitHub
+
+This section shows how to configure the sample application using GitHub as the Authentication Provider and covers the following topics:
+
+* <<github-register-application,Register OAuth application>>
+* <<github-application-config,Configure application.yml>>
+* <<github-boot-application,Boot up the application>>
+
+[[github-register-application]]
+=== Register OAuth application
+
+To use GitHub's OAuth 2.0 authentication system for login, you must https://github.com/settings/applications/new[Register a new OAuth application].
+
+When registering the OAuth application, ensure the *Authorization callback URL* is set to `http://localhost:8080/login/oauth2/code/github`.
+
+The Authorization callback URL (redirect URI) is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with GitHub
+and have granted access to the OAuth application on the _Authorize application_ page.
+
+TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`.
+ The *_registrationId_* is a unique identifier for the `ClientRegistration`.
+
+IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured.
+Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`.
+
+[[github-application-config]]
+=== Configure application.yml
+
+Now that you have a new OAuth application with GitHub, you need to configure the application to use the OAuth application for the _authentication flow_. To do so:
+
+. Go to `application.yml` and set the following configuration:
++
+[source,yaml]
+----
+spring:
+  security:
+    oauth2:
+      client:
+        registration:	<1>
+          github:		<2>
+            client-id: github-client-id
+            client-secret: github-client-secret
+----
++
+.OAuth Client properties
+====
+<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties.
+<2> Following the base property prefix is the ID for the `ClientRegistration`, such as github.
+====
+
+. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier.
+
+[[github-boot-application]]
+=== Boot up the application
+
+Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`.
+You are then redirected to the default _auto-generated_ login page, which displays a link for GitHub.
+
+Click on the GitHub link, and you are then redirected to GitHub for authentication.
+
+After authenticating with your GitHub credentials, the next page presented to you is "Authorize application".
+This page will ask you to *Authorize* the application you created in the previous step.
+Click _Authorize application_ to allow the OAuth application to access your personal user data information.
+
+At this point, the OAuth Client retrieves your personal user information
+from the UserInfo Endpoint and establishes an authenticated session.
+
+[TIP]
+For detailed information returned from the UserInfo Endpoint, see the API documentation
+for https://developer.github.com/v3/users/#get-the-authenticated-user["Get the authenticated user"].
+
+[[facebook-login]]
+== Login with Facebook
+
+This section shows how to configure the sample application using Facebook as the Authentication Provider and covers the following topics:
+
+* <<facebook-register-application,Add a New App>>
+* <<facebook-application-config,Configure application.yml>>
+* <<facebook-boot-application,Boot up the application>>
+
+[[facebook-register-application]]
+=== Add a New App
+
+To use Facebook's OAuth 2.0 authentication system for login, you must first https://developers.facebook.com/apps[Add a New App].
+
+Select "Create a New App" and then the "Create a New App ID" page is presented. Enter the Display Name, Contact Email, Category and then click "Create App ID".
+
+NOTE: The selection for the _Category_ field is not relevant but it's a required field - select "Local".
+
+The next page presented is "Product Setup". Click the "Get Started" button for the *Facebook Login* product.
+In the left sidebar, under _Products -> Facebook Login_, select _Settings_.
+
+For the field *Valid OAuth redirect URIs*, enter `http://localhost:8080/login/oauth2/code/facebook` then click _Save Changes_.
+
+The OAuth redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Facebook
+and have granted access to the application on the _Authorize application_ page.
+
+TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`.
+ The *_registrationId_* is a unique identifier for the `ClientRegistration`.
+
+IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured.
+Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`.
+
+[[facebook-application-config]]
+=== Configure application.yml
+
+Now that you have created a new application with Facebook, you need to configure the sample application to use the application for the _authentication flow_. To do so:
+
+. Go to `application.yml` and set the following configuration:
++
+[source,yaml]
+----
+spring:
+  security:
+    oauth2:
+      client:
+        registration:	<1>
+          facebook:		<2>
+            client-id: facebook-client-id
+            client-secret: facebook-client-secret
+----
++
+.OAuth Client properties
+====
+<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties.
+<2> Following the base property prefix is the ID for the `ClientRegistration`, such as facebook.
+====
+
+. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier.
+
+[[facebook-boot-application]]
+=== Boot up the application
+
+Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`.
+You are then redirected to the default _auto-generated_ login page, which displays a link for Facebook.
+
+Click on the Facebook link, and you are then redirected to Facebook for authentication.
+
+After authenticating with your Facebook credentials, the next page presented to you is "Authorize application".
+This page will ask you to *Authorize* the application you created in the previous step.
+Click _Authorize application_ to allow the OAuth application to access your _public profile_ and _email address_ information.
+
+At this point, the OAuth Client retrieves your personal user information
+from the UserInfo Endpoint and establishes an authenticated session.
+
+[[okta-login]]
+== Login with Okta
+
+This section shows how to configure the sample application using Okta as the Authentication Provider and covers the following topics:
+
+* <<okta-register-application,Add Application>>
+* <<okta-assign-application-people,Assign Application to People>>
+* <<okta-application-config,Configure application.yml>>
+* <<okta-boot-application,Boot up the application>>
+
+[[okta-register-application]]
+=== Add Application
+
+To use Okta's OAuth 2.0 authentication system for login, you must first https://www.okta.com/developer/signup[create a developer account].
+
+Sign in to your account sub-domain and navigate to _Applications -> Applications_ and then select the "Add Application" button.
+From the "Add Application" page, select the "Create New App" button and enter the following:
+
+* *Platform:* Web
+* *Sign on method:* OpenID Connect
+
+Select the _Create_ button.
+On the "General Settings" page, enter the Application Name (for example, "Spring Security Okta Login") and then select the _Next_ button.
+On the "Configure OpenID Connect" page, enter `http://localhost:8080/login/oauth2/code/okta` for the field *Redirect URIs* and then select _Finish_.
+
+The redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Okta
+and have granted access to the application on the _Authorize application_ page.
+
+TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`.
+ The *_registrationId_* is a unique identifier for the `ClientRegistration`.
+
+IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured.
+Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`.
+
+[[okta-assign-application-people]]
+=== Assign Application to People
+
+From the "General" tab of the application, select the "Assignments" tab and then select the _Assign_ button.
+Select _Assign to People_ and assign your account to the application. Then select the _Save and Go Back_ button.
+
+[[okta-application-config]]
+=== Configure application.yml
+
+Now that you have created a new application with Okta, you need to configure the sample application to use the application for the _authentication flow_. To do so:
+
+. Go to `application.yml` and set the following configuration:
++
+[source,yaml]
+----
+spring:
+  security:
+    oauth2:
+      client:
+        registration:	<1>
+          okta:		<2>
+            client-id: okta-client-id
+            client-secret: okta-client-secret
+        provider:	<3>
+          okta:
+            authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
+            token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
+            user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
+            user-name-attribute: sub
+            jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys
+----
++
+.OAuth Client properties
+====
+<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties.
+<2> Following the base property prefix is the ID for the `ClientRegistration`, such as okta.
+<3> `spring.security.oauth2.client.provider` is the base property prefix for OAuth Provider properties.
+====
+
+. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier.
+As well, replace `https://your-subdomain.oktapreview.com` in `authorization-uri`, `token-uri`, `user-info-uri` and `jwk-set-uri` with the sub-domain assigned to your account during the registration process.
+
+[[okta-boot-application]]
+=== Boot up the application
+
+Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`.
+You are then redirected to the default _auto-generated_ login page, which displays a link for Okta.
+
+Click on the Okta link, and you are then redirected to Okta for authentication.
+
+After authenticating with your Okta account credentials, the OAuth Client retrieves your email address and basic profile information
+from the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session.

servlet/spring-boot/java/oauth2/login/build.gradle

@@ -0,0 +1,27 @@
+plugins {
+	id 'org.springframework.boot' version '2.2.6.RELEASE'
+	id 'io.spring.dependency-management' version '1.0.9.RELEASE'
+	id "nebula.integtest" version "7.0.9"
+	id 'java'
+}
+
+repositories {
+	mavenCentral()
+	maven { url "https://repo.spring.io/snapshot" }
+}
+
+dependencies {
+	implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5'
+
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
+
+	integTestImplementation 'net.sourceforge.htmlunit:htmlunit'
+}
+
+tasks.withType(Test).configureEach {
+	useJUnitPlatform()
+}

servlet/spring-boot/java/oauth2/login/gradle.properties

@@ -0,0 +1 @@
+spring-security.version=5.4.0.BUILD-SNAPSHOT

servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.5.1-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

servlet/spring-boot/java/oauth2/login/gradlew

@@ -0,0 +1,185 @@
+#!/usr/bin/env sh
+
+#
+# Copyright 2015 the original author or authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+##############################################################################
+##
+##  Gradle start up script for UN*X
+##
+##############################################################################
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+        PRG="$link"
+    else
+        PRG=`dirname "$PRG"`"/$link"
+    fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME="`pwd -P`"
+cd "$SAVED" >/dev/null
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn () {
+    echo "$*"
+}
+
+die () {
+    echo
+    echo "$*"
+    echo
+    exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+nonstop=false
+case "`uname`" in
+  CYGWIN* )
+    cygwin=true
+    ;;
+  Darwin* )
+    darwin=true
+    ;;
+  MINGW* )
+    msys=true
+    ;;
+  NONSTOP* )
+    nonstop=true
+    ;;
+esac
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+        # IBM's JDK on AIX uses strange locations for the executables
+        JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+        JAVACMD="$JAVA_HOME/bin/java"
+    fi
+    if [ ! -x "$JAVACMD" ] ; then
+        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+    fi
+else
+    JAVACMD="java"
+    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+    MAX_FD_LIMIT=`ulimit -H -n`
+    if [ $? -eq 0 ] ; then
+        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+            MAX_FD="$MAX_FD_LIMIT"
+        fi
+        ulimit -n $MAX_FD
+        if [ $? -ne 0 ] ; then
+            warn "Could not set maximum file descriptor limit: $MAX_FD"
+        fi
+    else
+        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+    fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
+    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+    
+    JAVACMD=`cygpath --unix "$JAVACMD"`
+
+    # We build the pattern for arguments to be converted via cygpath
+    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+    SEP=""
+    for dir in $ROOTDIRSRAW ; do
+        ROOTDIRS="$ROOTDIRS$SEP$dir"
+        SEP="|"
+    done
+    OURCYGPATTERN="(^($ROOTDIRS))"
+    # Add a user-defined pattern to the cygpath arguments
+    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+    fi
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    i=0
+    for arg in "$@" ; do
+        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
+
+        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
+            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+        else
+            eval `echo args$i`="\"$arg\""
+        fi
+        i=`expr $i + 1`
+    done
+    case $i in
+        0) set -- ;;
+        1) set -- "$args0" ;;
+        2) set -- "$args0" "$args1" ;;
+        3) set -- "$args0" "$args1" "$args2" ;;
+        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+    esac
+fi
+
+# Escape application args
+save () {
+    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+    echo " "
+}
+APP_ARGS=`save "$@"`
+
+# Collect all arguments for the java command, following the shell quoting and substitution rules
+eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+
+exec "$JAVACMD" "$@"

servlet/spring-boot/java/oauth2/login/gradlew.bat

@@ -0,0 +1,104 @@
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem      https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+
+@if "%DEBUG%" == "" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%" == "" set DIRNAME=.
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if "%ERRORLEVEL%" == "0" goto init
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto init
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:init
+@rem Get command-line arguments, handling Windows variants
+
+if not "%OS%" == "Windows_NT" goto win9xME_args
+
+:win9xME_args
+@rem Slurp the command line arguments.
+set CMD_LINE_ARGS=
+set _SKIP=2
+
+:win9xME_args_slurp
+if "x%~1" == "x" goto execute
+
+set CMD_LINE_ARGS=%*
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+
+:end
+@rem End local scope for the variables with windows NT shell
+if "%ERRORLEVEL%"=="0" goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
+exit /b 1
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

servlet/spring-boot/java/oauth2/login/settings.gradle

@@ -0,0 +1 @@
+

servlet/spring-boot/java/oauth2/login/src/integTest/java/sample/OAuth2LoginApplicationTests.java

@@ -0,0 +1,381 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import java.net.URI;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebResponse;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlAnchor;
+import com.gargoylesoftware.htmlunit.html.HtmlElement;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oauth2Login;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+
+/**
+ * Integration tests for the OAuth 2.0 client filters
+ * {@link OAuth2AuthorizationRequestRedirectFilter} and
+ * {@link OAuth2LoginAuthenticationFilter}. These filters work together to realize OAuth
+ * 2.0 Login leveraging the Authorization Code Grant flow.
+ *
+ * @author Joe Grandja
+ * @since 5.0
+ */
+@SpringBootTest(classes = { OAuth2LoginApplication.class, OAuth2LoginApplicationTests.SecurityTestConfig.class })
+@AutoConfigureMockMvc
+public class OAuth2LoginApplicationTests {
+
+	private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization";
+
+	private static final String AUTHORIZE_BASE_URL = "http://localhost:8080/login/oauth2/code";
+
+	@Autowired
+	private WebClient webClient;
+
+	@Autowired
+	private MockMvc mvc;
+
+	@Autowired
+	private ClientRegistrationRepository clientRegistrationRepository;
+
+	@BeforeEach
+	void setup() {
+		this.webClient.getCookieManager().clearCookies();
+	}
+
+	@Test
+	void requestIndexPageWhenNotAuthenticatedThenDisplayLoginPage() throws Exception {
+		HtmlPage page = this.webClient.getPage("/");
+		this.assertLoginPage(page);
+	}
+
+	@Test
+	void requestOtherPageWhenNotAuthenticatedThenDisplayLoginPage() throws Exception {
+		HtmlPage page = this.webClient.getPage("/other-page");
+		this.assertLoginPage(page);
+	}
+
+	@Test
+	void requestAuthorizeGitHubClientWhenLinkClickedThenStatusRedirectForAuthorization() throws Exception {
+		HtmlPage page = this.webClient.getPage("/");
+
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+
+		HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration);
+		assertThat(clientAnchorElement).isNotNull();
+
+		WebResponse response = this.followLinkDisableRedirects(clientAnchorElement);
+
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.MOVED_PERMANENTLY.value());
+
+		String authorizeRedirectUri = response.getResponseHeaderValue("Location");
+		assertThat(authorizeRedirectUri).isNotNull();
+
+		UriComponents uriComponents = UriComponentsBuilder.fromUri(URI.create(authorizeRedirectUri)).build();
+
+		String requestUri = uriComponents.getScheme() + "://" + uriComponents.getHost() + uriComponents.getPath();
+		assertThat(requestUri).isEqualTo(clientRegistration.getProviderDetails().getAuthorizationUri());
+
+		Map<String, String> params = uriComponents.getQueryParams().toSingleValueMap();
+
+		assertThat(params.get(OAuth2ParameterNames.RESPONSE_TYPE))
+				.isEqualTo(OAuth2AuthorizationResponseType.CODE.getValue());
+		assertThat(params.get(OAuth2ParameterNames.CLIENT_ID)).isEqualTo(clientRegistration.getClientId());
+		String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId();
+		assertThat(URLDecoder.decode(params.get(OAuth2ParameterNames.REDIRECT_URI), "UTF-8")).isEqualTo(redirectUri);
+		assertThat(URLDecoder.decode(params.get(OAuth2ParameterNames.SCOPE), "UTF-8"))
+				.isEqualTo(clientRegistration.getScopes().stream().collect(Collectors.joining(" ")));
+		assertThat(params.get(OAuth2ParameterNames.STATE)).isNotNull();
+	}
+
+	@Test
+	void requestAuthorizeClientWhenInvalidClientThenStatusInternalServerError() throws Exception {
+		HtmlPage page = this.webClient.getPage("/");
+
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google");
+
+		HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration);
+		assertThat(clientAnchorElement).isNotNull();
+		clientAnchorElement.setAttribute("href", clientAnchorElement.getHrefAttribute() + "-invalid");
+
+		WebResponse response = null;
+		try {
+			clientAnchorElement.click();
+		}
+		catch (FailingHttpStatusCodeException ex) {
+			response = ex.getResponse();
+		}
+
+		assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR.value());
+	}
+
+	@Test
+	void requestAuthorizationCodeGrantWhenValidAuthorizationResponseThenDisplayIndexPage() throws Exception {
+		HtmlPage page = this.webClient.getPage("/");
+
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+
+		HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration);
+		assertThat(clientAnchorElement).isNotNull();
+
+		WebResponse response = this.followLinkDisableRedirects(clientAnchorElement);
+
+		UriComponents authorizeRequestUriComponents = UriComponentsBuilder
+				.fromUri(URI.create(response.getResponseHeaderValue("Location"))).build();
+
+		Map<String, String> params = authorizeRequestUriComponents.getQueryParams().toSingleValueMap();
+		String code = "auth-code";
+		String state = URLDecoder.decode(params.get(OAuth2ParameterNames.STATE), "UTF-8");
+		String redirectUri = URLDecoder.decode(params.get(OAuth2ParameterNames.REDIRECT_URI), "UTF-8");
+
+		String authorizationResponseUri = UriComponentsBuilder.fromHttpUrl(redirectUri)
+				.queryParam(OAuth2ParameterNames.CODE, code).queryParam(OAuth2ParameterNames.STATE, state).build()
+				.encode().toUriString();
+
+		page = this.webClient.getPage(new URL(authorizationResponseUri));
+		this.assertIndexPage(page);
+	}
+
+	@Test
+	void requestAuthorizationCodeGrantWhenNoMatchingAuthorizationRequestThenDisplayLoginPageWithError()
+			throws Exception {
+		HtmlPage page = this.webClient.getPage("/");
+		URL loginPageUrl = page.getBaseURL();
+		URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error");
+
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google");
+
+		String code = "auth-code";
+		String state = "state";
+		String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId();
+
+		String authorizationResponseUri = UriComponentsBuilder.fromHttpUrl(redirectUri)
+				.queryParam(OAuth2ParameterNames.CODE, code).queryParam(OAuth2ParameterNames.STATE, state).build()
+				.encode().toUriString();
+
+		// Clear session cookie will ensure the 'session-saved'
+		// Authorization Request (from previous request) is not found
+		this.webClient.getCookieManager().clearCookies();
+
+		page = this.webClient.getPage(new URL(authorizationResponseUri));
+		assertThat(page.getBaseURL()).isEqualTo(loginErrorPageUrl);
+
+		HtmlElement errorElement = page.getBody().getFirstByXPath("div");
+		assertThat(errorElement).isNotNull();
+		assertThat(errorElement.asText()).contains("authorization_request_not_found");
+	}
+
+	@Test
+	void requestAuthorizationCodeGrantWhenInvalidStateParamThenDisplayLoginPageWithError() throws Exception {
+		HtmlPage page = this.webClient.getPage("/");
+		URL loginPageUrl = page.getBaseURL();
+		URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error");
+
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google");
+
+		HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration);
+		assertThat(clientAnchorElement).isNotNull();
+		this.followLinkDisableRedirects(clientAnchorElement);
+
+		String code = "auth-code";
+		String state = "invalid-state";
+		String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId();
+
+		String authorizationResponseUri = UriComponentsBuilder.fromHttpUrl(redirectUri)
+				.queryParam(OAuth2ParameterNames.CODE, code).queryParam(OAuth2ParameterNames.STATE, state).build()
+				.encode().toUriString();
+
+		page = this.webClient.getPage(new URL(authorizationResponseUri));
+		assertThat(page.getBaseURL()).isEqualTo(loginErrorPageUrl);
+
+		HtmlElement errorElement = page.getBody().getFirstByXPath("div");
+		assertThat(errorElement).isNotNull();
+		assertThat(errorElement.asText()).contains("authorization_request_not_found");
+	}
+
+	@Test
+	void requestWhenMockOAuth2LoginThenIndex() throws Exception {
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+		this.mvc.perform(get("/").with(oauth2Login().clientRegistration(clientRegistration)))
+				.andExpect(model().attribute("userName", "user")).andExpect(model().attribute("clientName", "GitHub"))
+				.andExpect(model().attribute("userAttributes", Collections.singletonMap("sub", "user")));
+	}
+
+	private void assertLoginPage(HtmlPage page) {
+		assertThat(page.getTitleText()).isEqualTo("Please sign in");
+
+		int expectedClients = 4;
+
+		List<HtmlAnchor> clientAnchorElements = page.getAnchors();
+		assertThat(clientAnchorElements.size()).isEqualTo(expectedClients);
+
+		ClientRegistration googleClientRegistration = this.clientRegistrationRepository.findByRegistrationId("google");
+		ClientRegistration githubClientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+		ClientRegistration facebookClientRegistration = this.clientRegistrationRepository
+				.findByRegistrationId("facebook");
+		ClientRegistration oktaClientRegistration = this.clientRegistrationRepository.findByRegistrationId("okta");
+
+		String baseAuthorizeUri = AUTHORIZATION_BASE_URI + "/";
+		String googleClientAuthorizeUri = baseAuthorizeUri + googleClientRegistration.getRegistrationId();
+		String githubClientAuthorizeUri = baseAuthorizeUri + githubClientRegistration.getRegistrationId();
+		String facebookClientAuthorizeUri = baseAuthorizeUri + facebookClientRegistration.getRegistrationId();
+		String oktaClientAuthorizeUri = baseAuthorizeUri + oktaClientRegistration.getRegistrationId();
+
+		for (int i = 0; i < expectedClients; i++) {
+			assertThat(clientAnchorElements.get(i).getAttribute("href")).isIn(googleClientAuthorizeUri,
+					githubClientAuthorizeUri, facebookClientAuthorizeUri, oktaClientAuthorizeUri);
+			assertThat(clientAnchorElements.get(i).asText()).isIn(googleClientRegistration.getClientName(),
+					githubClientRegistration.getClientName(), facebookClientRegistration.getClientName(),
+					oktaClientRegistration.getClientName());
+		}
+	}
+
+	private void assertIndexPage(HtmlPage page) {
+		assertThat(page.getTitleText()).isEqualTo("Spring Security - OAuth 2.0 Login");
+
+		DomNodeList<HtmlElement> divElements = page.getBody().getElementsByTagName("div");
+		assertThat(divElements.get(1).asText()).contains("User: joeg@springsecurity.io");
+		assertThat(divElements.get(4).asText()).contains("You are successfully logged in joeg@springsecurity.io");
+	}
+
+	private HtmlAnchor getClientAnchorElement(HtmlPage page, ClientRegistration clientRegistration) {
+		Optional<HtmlAnchor> clientAnchorElement = page.getAnchors().stream()
+				.filter((e) -> e.asText().equals(clientRegistration.getClientName())).findFirst();
+
+		return (clientAnchorElement.orElse(null));
+	}
+
+	private WebResponse followLinkDisableRedirects(HtmlAnchor anchorElement) throws Exception {
+		WebResponse response = null;
+		try {
+			// Disable the automatic redirection (which will trigger
+			// an exception) so that we can capture the response
+			this.webClient.getOptions().setRedirectEnabled(false);
+			anchorElement.click();
+		}
+		catch (FailingHttpStatusCodeException ex) {
+			response = ex.getResponse();
+			this.webClient.getOptions().setRedirectEnabled(true);
+		}
+		return response;
+	}
+
+	@EnableWebSecurity
+	public static class SecurityTestConfig extends WebSecurityConfigurerAdapter {
+
+		// @formatter:off
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.authorizeRequests((requests) -> requests
+					.anyRequest().authenticated()
+				)
+				.oauth2Login((oauth2) -> oauth2
+					.tokenEndpoint((tokens) -> tokens
+						.accessTokenResponseClient(this.mockAccessTokenResponseClient())
+					)
+					.userInfoEndpoint((userInfo) -> userInfo
+						.userService(this.mockUserService())
+					)
+				);
+		}
+		// @formatter:on
+
+		private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> mockAccessTokenResponseClient() {
+			OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken("access-token-1234")
+					.tokenType(OAuth2AccessToken.TokenType.BEARER).expiresIn(60 * 1000).build();
+
+			OAuth2AccessTokenResponseClient tokenResponseClient = mock(OAuth2AccessTokenResponseClient.class);
+			when(tokenResponseClient.getTokenResponse(any())).thenReturn(accessTokenResponse);
+			return tokenResponseClient;
+		}
+
+		private OAuth2UserService<OAuth2UserRequest, OAuth2User> mockUserService() {
+			Map<String, Object> attributes = new HashMap<>();
+			attributes.put("id", "joeg");
+			attributes.put("first-name", "Joe");
+			attributes.put("last-name", "Grandja");
+			attributes.put("email", "joeg@springsecurity.io");
+
+			GrantedAuthority authority = new OAuth2UserAuthority(attributes);
+			Set<GrantedAuthority> authorities = new HashSet<>();
+			authorities.add(authority);
+
+			DefaultOAuth2User user = new DefaultOAuth2User(authorities, attributes, "email");
+
+			OAuth2UserService userService = mock(OAuth2UserService.class);
+			when(userService.loadUser(any())).thenReturn(user);
+			return userService;
+		}
+
+		@Bean
+		OAuth2AuthorizedClientRepository authorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
+
+	}
+
+}

servlet/spring-boot/java/oauth2/login/src/main/java/sample/OAuth2LoginApplication.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * OAuth2 Log In application.
+ *
+ * @author Joe Grandja
+ */
+@SpringBootApplication
+public class OAuth2LoginApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(OAuth2LoginApplication.class, args);
+	}
+
+}

servlet/spring-boot/java/oauth2/login/src/main/java/sample/web/OAuth2LoginController.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample.web;
+
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+
+/**
+ * OAuth2 Log in controller.
+ *
+ * @author Joe Grandja
+ * @author Rob Winch
+ */
+@Controller
+public class OAuth2LoginController {
+
+	@GetMapping("/")
+	public String index(Model model, @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient,
+			@AuthenticationPrincipal OAuth2User oauth2User) {
+		model.addAttribute("userName", oauth2User.getName());
+		model.addAttribute("clientName", authorizedClient.getClientRegistration().getClientName());
+		model.addAttribute("userAttributes", oauth2User.getAttributes());
+		return "index";
+	}
+
+}

servlet/spring-boot/java/oauth2/login/src/main/resources/application.yml

@@ -0,0 +1,35 @@
+server:
+  port: 8080
+
+logging:
+  level:
+    root: INFO
+    org.springframework.web: INFO
+    org.springframework.security: INFO
+#    org.springframework.boot.autoconfigure: DEBUG
+
+spring:
+  thymeleaf:
+    cache: false
+  security:
+    oauth2:
+      client:
+        registration:
+          google:
+            client-id: your-app-client-id
+            client-secret: your-app-client-secret
+          github:
+            client-id: your-app-client-id
+            client-secret: your-app-client-secret
+          facebook:
+            client-id: your-app-client-id
+            client-secret: your-app-client-secret
+          okta:
+            client-id: your-app-client-id
+            client-secret: your-app-client-secret
+        provider:
+          okta:
+            authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
+            token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
+            user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
+            jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys

servlet/spring-boot/java/oauth2/login/src/main/resources/templates/index.html

@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
+<head>
+	<title>Spring Security - OAuth 2.0 Login</title>
+	<meta charset="utf-8" />
+</head>
+<body>
+<div style="float: right" th:fragment="logout" sec:authorize="isAuthenticated()">
+	<div style="float:left">
+		<span style="font-weight:bold">User: </span><span sec:authentication="name"></span>
+	</div>
+	<div style="float:none">&nbsp;</div>
+	<div style="float:right">
+		<form action="#" th:action="@{/logout}" method="post">
+			<input type="submit" value="Logout" />
+		</form>
+	</div>
+</div>
+<h1>OAuth 2.0 Login with Spring Security</h1>
+<div>
+	You are successfully logged in <span style="font-weight:bold" th:text="${userName}"></span>
+	via the OAuth 2.0 Client <span style="font-weight:bold" th:text="${clientName}"></span>
+</div>
+<div>&nbsp;</div>
+<div>
+	<span style="font-weight:bold">User Attributes:</span>
+	<ul>
+		<li th:each="userAttribute : ${userAttributes}">
+			<span style="font-weight:bold" th:text="${userAttribute.key}"></span>: <span th:text="${userAttribute.value}"></span>
+		</li>
+	</ul>
+</div>
+</body>
+</html>

servlet/spring-boot/java/oauth2/login/src/test/java/sample/web/OAuth2LoginControllerTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.web;
+
+import java.util.Collections;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oauth2Login;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+
+/**
+ * Tests for {@link OAuth2LoginController}
+ *
+ * @author Josh Cummings
+ */
+@WebMvcTest(OAuth2LoginController.class)
+public class OAuth2LoginControllerTests {
+
+	@Autowired
+	MockMvc mvc;
+
+	@MockBean
+	ClientRegistrationRepository clientRegistrationRepository;
+
+	@Test
+	void rootWhenAuthenticatedReturnsUserAndClient() throws Exception {
+		// @formatter:off
+		this.mvc.perform(get("/").with(oauth2Login()))
+			.andExpect(model().attribute("userName", "user"))
+			.andExpect(model().attribute("clientName", "test"))
+			.andExpect(model().attribute("userAttributes", Collections.singletonMap("sub", "user")));
+		// @formatter:on
+	}
+
+	@Test
+	void rootWhenOverridingClientRegistrationReturnsAccordingly() throws Exception {
+		// @formatter:off
+		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test")
+			.authorizationGrantType(AuthorizationGrantType.PASSWORD)
+			.clientId("my-client-id")
+			.clientName("my-client-name")
+			.tokenUri("https://token-uri.example.org")
+			.build();
+
+		this.mvc.perform(get("/").with(oauth2Login()
+			.clientRegistration(clientRegistration)
+			.attributes((a) -> a.put("sub", "spring-security"))))
+			.andExpect(model().attribute("userName", "spring-security"))
+			.andExpect(model().attribute("clientName", "my-client-name"))
+			.andExpect(model().attribute("userAttributes", Collections.singletonMap("sub", "spring-security")));
+		// @formatter:on
+	}
+
+	@TestConfiguration
+	static class AuthorizedClient {
+
+		@Bean
+		OAuth2AuthorizedClientRepository authorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
+
+	}
+
+}

settings.gradle

@@ -29,4 +29,5 @@ include ":reactive:webflux:kotlin:hello-security"
 include ":servlet:spring-boot:java:hello"
 include ":servlet:spring-boot:java:hello-security"
 include ":servlet:spring-boot:java:hello-security-explicit"
+include ":servlet:spring-boot:java:oauth2:login"
 include ":servlet:spring-boot:kotlin:hello-security"