OpenGate/ Docs

Spring Boot Integration

On this page

OAuth2 Resource Server

Protect your Spring Boot API by validating JWTs issued by OpenGate.

Dependencies:

build.gradle.ktskotlin
dependencies {
  implementation("org.springframework.boot:spring-boot-starter-security")
  implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
}

Configuration:

application.ymlyaml
spring:
security:
  oauth2:
    resourceserver:
      jwt:
        jwk-set-uri: http://localhost:8080/realms/master/protocol/openid-connect/certs

Security Config:

SecurityConfig.javajava
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  return http
    .csrf(csrf -> csrf.disable())
    .sessionManagement(s -> s.sessionCreationPolicy(STATELESS))
    .authorizeHttpRequests(auth -> auth
      .requestMatchers("/actuator/health").permitAll()
      .anyRequest().authenticated()
    )
    .oauth2ResourceServer(oauth2 -> oauth2
      .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthConverter()))
    )
    .build();
}

@Bean
public JwtAuthenticationConverter jwtAuthConverter() {
  var rolesConverter = new JwtGrantedAuthoritiesConverter();
  rolesConverter.setAuthoritiesClaimName("roles");   // OpenGate uses "roles" claim
  rolesConverter.setAuthorityPrefix("ROLE_");

  var converter = new JwtAuthenticationConverter();
  converter.setJwtGrantedAuthoritiesConverter(rolesConverter);
  return converter;
}
}

roles claim

OpenGate embeds roles in the roles JWT claim (not scope or realm_access). The JwtAuthenticationConverter above maps them to Spring Security GrantedAuthority objects.

Client Credentials

For service-to-service calls, use the client credentials grant:

application.ymlyaml
spring:
security:
  oauth2:
    client:
      registration:
        opengate:
          client-id: my-backend-service
          client-secret: ${OPENGATE_CLIENT_SECRET}
          authorization-grant-type: client_credentials
          scope: openid
      provider:
        opengate:
          token-uri: http://localhost:8080/realms/master/protocol/openid-connect/token

Role-Based Authorization

ProductController.javajava
@RestController
@RequestMapping("/api/products")
public class ProductController {

@GetMapping
@PreAuthorize("hasRole('VIEWER')")        // ROLE_VIEWER in JWT
public Page<Product> list(Pageable pageable) { ... }

@PostMapping
@PreAuthorize("hasRole('EDITOR')")
public Product create(@Valid @RequestBody ProductDto dto) { ... }

@DeleteMapping("/{id}")
@PreAuthorize("hasRole('ADMIN')")
public void delete(@PathVariable UUID id) { ... }

// Access JWT claims directly
@GetMapping("/me")
public UserInfo me(@AuthenticationPrincipal Jwt jwt) {
  return new UserInfo(
    jwt.getSubject(),
    jwt.getClaimAsString("email"),
    jwt.getClaimAsStringList("roles")
  );
}
}

WebClient with OAuth2

Make outbound calls to OpenGate-protected APIs using reactive WebClient with automatic token injection:

OpenGateWebClient.javajava
@Configuration
public class WebClientConfig {

@Bean
public WebClient openGateWebClient(
    ReactiveOAuth2AuthorizedClientManager manager) {

  var filter = new ServerOAuth2AuthorizedClientExchangeFilterFunction(manager);
  filter.setDefaultClientRegistrationId("opengate");

  return WebClient.builder()
    .baseUrl("http://localhost:8080")
    .filter(filter)
    .build();
}
}

// Usage
@Service
public class UserApiClient {
private final WebClient client;

public Mono<UserResponse> getUser(String userId) {
  return client.get()
    .uri("/api/users/{id}", userId)
    .retrieve()
    .bodyToMono(UserResponse.class);
}
}