I tried Google Sign-In with Spring Boot + Spring Security REST API

I made it possible to log in to the REST API server created with Spring Boot with Google Sign-In, so I will write down what I did.

The version of Spring Boot I'm using is 1.5.7. Most of what you're doing below may be possible with @ EnableOAuth2Sso, but that's not interesting, or that's it.

Preparation (REST API for authentication)

Before supporting Google Sign-In, change the default behavior of Spring Security to a REST feeling.

Reference site: http://www.baeldung.com/securing-a-restful-web-service-with-spring-security

Entry point

In a standard web application, if you access a secure resource in an unauthenticated state, it will automatically prompt you to authenticate, but since the REST service explicitly authenticates, in such a case, simply press 401. It will be returned.


public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

  public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");

Returns 200 instead of 301 on successful login

By default, when login is successful, 301 is returned and the screen is guided to the screen after login, but in REST, 200 is simply returned. Create a ʻAuthenticationSuccessHandler that does not redirect by referring to the SavedRequestAwareAuthenticationSuccessHandler`.


public class RestSavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

  private RequestCache requestCache = new HttpSessionRequestCache();

  public void onAuthenticationSuccess(HttpServletRequest request,
                                      HttpServletResponse response, Authentication authentication) {
    SavedRequest savedRequest = requestCache.getRequest(request, response);

    if (savedRequest == null) {
    String targetUrlParameter = getTargetUrlParameter();
    if (isAlwaysUseDefaultTargetUrl()
      || (targetUrlParameter != null && StringUtils.hasText(request
      .getParameter(targetUrlParameter)))) {
      requestCache.removeRequest(request, response);


Returns 401 instead of 302 on login failure

Similarly, if login fails, simply return 401. You can use Spring's SimpleUrlAuthenticationFailureHandler as it is.

Just return 200 when logging out

Similarly, when logging out, it does not redirect and only returns 200. You can also use Spring's SimpleUrlLogoutSuccessHandler here.

SecurityConfig Create a Configuration in the state so far.


public class SecurityConfig extends WebSecurityConfigurerAdapter {

  private RestAuthenticationEntryPoint authenticationEntryPoint;

  private RestSavedRequestAwareAuthenticationSuccessHandler authenticationSuccessHandler;

  private SimpleUrlAuthenticationFailureHandler authenticationFailureHandler;

  private SimpleUrlLogoutSuccessHandler logoutSuccessHandler;

  protected void configure(HttpSecurity http) throws Exception {

  public SimpleUrlAuthenticationFailureHandler simpleUrlAuthenticationFailureHandler() {
    return new SimpleUrlAuthenticationFailureHandler();

  public SimpleUrlLogoutSuccessHandler simpleUrlLogoutSuccessHandler() {
    return new SimpleUrlLogoutSuccessHandler();

Implement Google Sign-In

Finally the main subject. Coco and Coco -auth) as a reference. From the web application (front side), ʻid_token that can be obtained at sign-in is implemented to POST to / loginwithx-www-form-urlencoded. The parameter name is google_id_token`.

Fix SecurityConfig

Make the formLogin () part of the created SecurityConfig # configure (HttpSecurity http) as follows.



I just added passwordParameter ("google_id_token"). You will now receive ʻid_token` as the password for authentication with your default username and password.

Implemented ʻAuthenticationProvider`

Now that you've received ʻid_token`, all you have to do is implement authentication.


public class GoogleIdAuthenticationProvider implements AuthenticationProvider {

  private final String clientId = "XXX.apps.googleusercontent.com";

  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String tokenString = (String) authentication.getCredentials();
    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(UrlFetchTransport.getDefaultInstance(), JacksonFactory.getDefaultInstance())
    GoogleIdToken idToken;
    try {
      idToken = verifier.verify(tokenString);
      if (idToken == null) {
        throw new BadCredentialsException("Failed to verify token");
    } catch (GeneralSecurityException|IOException e) {
      throw new AuthenticationServiceException("Failed to verify token", e);

    GoogleIdToken.Payload payload = idToken.getPayload();
    String userId = payload.getSubject();
    String name = (String) payload.get("name");
    GoogleUser user = new GoogleUser(userId, name);
    List<GrantedAuthority> authorities = singletonList(new SimpleGrantedAuthority("ROLE_USER"));
    return new UsernamePasswordAuthenticationToken(user, tokenString, authorities);

  public boolean supports(Class<?> authentication) {
    return UsernamePasswordAuthenticationToken.class.equals(authentication);

If you want to limit to a specific domain, you can do so by checking payload.getHostedDomain ().

The GoogleUser class is as follows.


public class GoogleUser implements UserDetails {

  private String userId;

  private String username;

  public Collection<? extends GrantedAuthority> getAuthorities() {
    return null;

  public String getPassword() {
    return null;

  public boolean isAccountNonExpired() {
    return false;

  public boolean isAccountNonLocked() {
    return false;

  public boolean isCredentialsNonExpired() {
    return false;

  public boolean isEnabled() {
    return false;

You are now ready for Google Sign-In.

