This example contains two Spring Boot apps (api and web) which use the ZITADEL SaaS identity provider as OpenID Provider.
- The web app uses the internal OAuth2 access token (an opaque token) issued by ZITADEL to access the api.
- The api acts as an OAuth2 resource server.
The example demonstrates:
- OpenID Connect based login
- Logout support via the OpenID Connect end session endpoint
- Access token relay from the web app to the api
- Opaque reference tokens and token introspection
To run the example you need to configure the applications in ZITADEL and provide the generated properties. Please check out the full guides (web and api) on this example as well.
The Spring Boot app api is configured as an API in ZITADEL and uses the Spring Security Resource Server support.
Base URL: http://localhost:18090
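As an added example (not the project's own code), the following is the kind of Spring Security configuration the api would carry to act as a resource server in opaque-token mode. It assumes the Spring Security 6 lambda DSL and the `spring.security.oauth2.resourceserver.opaquetoken.*` properties listed in this README; the class names, the package and the `/api/greeting` endpoint are hypothetical.

```java
// Added example (not the project's own code): explicit resource-server security
// configuration for the "api" app. Assumes Spring Security 6 and the
// spring.security.oauth2.resourceserver.opaquetoken.* properties shown in this README.
package example.api;

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // every request must present a bearer token that introspection reports as active
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // a resource server keeps no HTTP session: the token is checked on each request
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // opaque-token mode: Spring Boot builds the introspector from the
            // opaquetoken.introspection-uri / client-id / client-secret properties,
            // so the api never parses the token itself; ZITADEL is asked each time
            .oauth2ResourceServer(rs -> rs.opaqueToken(Customizer.withDefaults()));
        return http.build();
    }
}

// Hypothetical endpoint (the path "/api/greeting" is assumed) that returns what the
// introspection response said about the caller.
@RestController
class GreetingController {

    @GetMapping("/api/greeting")
    Map<String, Object> greeting(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {
        // the principal's attributes are the claims of ZITADEL's introspection response;
        // getName() resolves to the "sub" claim
        return Map.of(
            "subject", principal.getName(),
            "scope", String.valueOf(principal.getAttributes().get("scope")),
            "expiresAt", String.valueOf(principal.getAttributes().get("exp")));
    }
}
```

With the three `opaquetoken.*` properties set, Spring Boot auto-configures the introspector, so the only decision left in code is that the api is stateless and that every route requires an active token; a token that introspection reports as inactive or that cannot be introspected is rejected with 401 before the controller runs.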
The Spring Boot app web is configured as a confidential Web App and OpenID Connect client in ZITADEL and uses the Spring Security OAuth2 client library for authentication.
Base URL: http://localhost:18080/webapp
Redirect URI: http://localhost:18080/webapp/login/oauth2/code/zitadel
Post Logout URL: http://localhost:18080/webapp
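As an added example (not the project's own code), the following shows how the three client-side features listed above fit together in one Spring Security configuration for the web app: OpenID Connect login through the redirect URI above, logout through ZITADEL's end session endpoint, and relaying the user's access token to the api. It assumes the Spring Security 6 lambda DSL, that the web app calls the api with a `WebClient` (so `spring-webflux` is on the classpath), and the registration id `zitadel` from the JVM properties in this README; the class names, the package and the `/api/greeting` path on the api are hypothetical.

```java
// Added example (not the project's own code): OIDC login, OIDC logout and access
// token relay for the "web" app. Assumes Spring Security 6, a WebClient-based call
// to the api, and the registration id "zitadel" used by this README's properties.
package example.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain webFilterChain(HttpSecurity http,
                                       ClientRegistrationRepository registrations) throws Exception {
        // RP-initiated logout: after the local session is invalidated the browser is sent to
        // ZITADEL's end_session_endpoint, which Spring reads from the issuer's discovery document
        OidcClientInitiatedLogoutSuccessHandler oidcLogout =
            new OidcClientInitiatedLogoutSuccessHandler(registrations);
        // "{baseUrl}" resolves to http://localhost:18080/webapp, the Post Logout URL above
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}");

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // OIDC login; the callback is /login/oauth2/code/zitadel, the Redirect URI above
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessHandler(oidcLogout));
        return http.build();
    }

    @Bean
    WebClient apiClient(ClientRegistrationRepository registrations,
                        OAuth2AuthorizedClientRepository authorizedClients) {
        // Access token relay: this filter function adds "Authorization: Bearer <token>" with
        // the logged-in user's ZITADEL access token to every request made through the client
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
            new ServletOAuth2AuthorizedClientExchangeFilterFunction(registrations, authorizedClients);
        // reuse the client the user authenticated with instead of naming a registration per call
        oauth2.setDefaultOAuth2AuthorizedClient(true);
        return WebClient.builder()
            .baseUrl("http://localhost:18090")   // the api's Base URL from this README
            .apply(oauth2.oauth2Configuration())
            .build();
    }
}

// Hypothetical controller: calls the api on behalf of the logged-in user.
@RestController
class ApiRelayController {

    private final WebClient apiClient;

    ApiRelayController(WebClient apiClient) {
        this.apiClient = apiClient;
    }

    @GetMapping("/call-api")
    String callApi() {
        // no manual header handling: the bearer token is attached by the WebClient filter
        return apiClient.get().uri("/api/greeting").retrieve().bodyToMono(String.class).block();
    }
}
```

This block keeps Spring Security's default CSRF protection, so logout is a POST carrying the CSRF token, whereas the README notes that the example itself disables CSRF for simplicity. The opaque token never needs to be parsed by the web app; it is stored by Spring's `OAuth2AuthorizedClientRepository` after login and only forwarded to the api, where introspection decides whether it is still valid.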
Build both applications:
```shell
mvn clean package -DskipTests
```
The api application requires the following JVM properties to be configured:
```shell
# Run the api application in one terminal
java \
  -Dspring.security.oauth2.resourceserver.opaquetoken.introspection-uri=<see configuration above> \
  -Dspring.security.oauth2.resourceserver.opaquetoken.client-id=<see configuration above> \
  -Dspring.security.oauth2.resourceserver.opaquetoken.client-secret=<see configuration above> \
  -jar api/target/api-0.0.2-SNAPSHOT.jar
```
The web application requires the following JVM properties to be configured:
```shell
# Run the web application in another terminal
java \
  -Dspring.security.oauth2.client.provider.zitadel.issuer-uri=<see configuration above> \
  -Dspring.security.oauth2.client.registration.zitadel.client-id=<see configuration above> \
  -jar web/target/web-0.0.2-SNAPSHOT.jar
```
Open your browser and navigate to http://localhost:18080/webapp/
- This example uses opaque reference tokens as access tokens; the api validates them by calling ZITADEL's token introspection endpoint rather than by parsing them locally.
- For the sake of simplicity CSRF protection and https are disabled.
- Note: in order to allow `http://` redirect URIs you need to enable development mode in the respective client configuration in ZITADEL.