Faking OAuth2 Single Sign-on in Spring

Last updated: June 23, 2025

Reviewed by: Saajan Nagendra
Partner – Orkes – NPI EA (cat=Spring)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

Partner – Orkes – NPI EA (tag=Microservices)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

eBook – Guide Spring Cloud – NPI EA (cat=Spring Cloud)
announcement - icon

Let's get started with a Microservice Architecture with Spring Cloud:

>> Join Pro and download the eBook

eBook – Mockito – NPI EA (tag = Mockito)
announcement - icon

Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.

Get started with mocking and improve your application tests using our Mockito guide:

Download the eBook

eBook – Java Concurrency – NPI EA (cat=Java Concurrency)
announcement - icon

Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.

Get started with understanding multi-threaded applications with our Java Concurrency guide:

>> Download the eBook

eBook – Reactive – NPI EA (cat=Reactive)
announcement - icon

Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:

>> Join Pro and download the eBook

eBook – Java Streams – NPI EA (cat=Java Streams)
announcement - icon

Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.

But these can also be overused and fall into some common pitfalls.

To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:

>> Join Pro and download the eBook

eBook – Jackson – NPI EA (cat=Jackson)
announcement - icon

Do JSON right with Jackson

Download the E-book

eBook – HTTP Client – NPI EA (cat=Http Client-Side)
announcement - icon

Get the most out of the Apache HTTP Client

Download the E-book

eBook – Maven – NPI EA (cat = Maven)
announcement - icon

Get Started with Apache Maven:

Download the E-book

eBook – Persistence – NPI EA (cat=Persistence)
announcement - icon

Working on getting your persistence layer right with Spring?

Explore the eBook

eBook – RwS – NPI EA (cat=Spring MVC)
announcement - icon

Building a REST API with Spring?

Download the E-book

Course – LS – NPI EA (cat=Jackson)
announcement - icon

Get started with Spring and Spring Boot, through the Learn Spring course:

>> LEARN SPRING
Course – RWSB – NPI EA (cat=REST)
announcement - icon

Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:

>> The New “REST With Spring Boot”

Course – LSS – NPI EA (cat=Spring Security)
announcement - icon

Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.

I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.

You can explore the course here:

>> Learn Spring Security

Partner – LambdaTest – NPI EA (cat=Testing)
announcement - icon

Browser testing is essential if you have a website or web applications that users interact with. Manual testing can be very helpful to an extent, but given the multiple browsers available, not to mention versions and operating system, testing everything manually becomes time-consuming and repetitive.

To help automate this process, Selenium is a popular choice for developers, as an open-source tool with a large and active community. What's more, we can further scale our automation testing by running on theLambdaTest cloud-based testing platform.

Read more through our step-by-step tutorial on how to set up Selenium tests with Java and run them on LambdaTest:

>> Automated Browser Testing With Selenium

Partner – Orkes – NPI EA (cat=Java)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

Course – LSD – NPI EA (tag=Spring Data JPA)
announcement - icon

Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.

Get started with Spring Data JPA through the guided reference course:

>> CHECK OUT THE COURSE

Partner – Moderne – NPI EA (cat=Spring Boot)
announcement - icon

Refactor Java code safely — and automatically — with OpenRewrite.

Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.

Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.

Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.

Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:

>> LEARN SPRING SECURITY

1. Overview

We often need to implement OAuth2 Single Sign-on in applications. With it, users logged in once can enjoy accessing other apps without logging in again and again. Typically, it has an authorization server that manages the authentication part, and this is usually third-party.

Testing in such a situation becomes difficult. To overcome this, we need to mock the authorization server. In this tutorial, we’ll learn two ways to mock and bypass the OAuth2 SSO in Spring apps.

First, we’ll create a simple Spring Boot application with OAuth2 SSO enabled with Keycloak as the authorization server. Then, we’ll learn two ways to fake OAuth2 SSO using test cases.

2. OAuth2 in Spring App

In this section, we’ll create a small and simple Spring Boot application with OAuth2 SSO where the authorization server will be Keycloak. We’ll keep this section brief as our main goal here is to learn how to fake OAuth2 SSO.

Let’s create a Spring Boot app with the following dependencies from start.spring.io:

Now, let’s create the REST endpoint resource and this would be protected. No one can access these without being authenticated:

@GetMapping("/")
public String get() {
    return "Login Success";
}

This API simply returns a message Login Success. Now, let’s learn how to secure the application with OAuth2 configuration.

2.1. Configuring OAuth2

Now, let’s learn about configuring the application with OAuth2 settings.

First of all, let’s create a class that handles security and OAuth2-related configurations:

@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
          .authorizeHttpRequests(a ->
              a.requestMatchers(
                new AntPathRequestMatcher("/login"),
                new AntPathRequestMatcher("/oauth2/**"),
                new AntPathRequestMatcher("/openid-connect"),
                new AntPathRequestMatcher("/error"),
                new AntPathRequestMatcher("/css/**"),
                new AntPathRequestMatcher("/js/**"),
                new AntPathRequestMatcher("/images/**"),
                new AntPathRequestMatcher("/assets/**"))
              .permitAll()
              .anyRequest().authenticated())
              .oauth2Login(customizer -> customizer.successHandler(successHandler()))
              .build();
    }

    public AuthenticationSuccessHandler successHandler() {
        SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl("/");
        return handler;
    }
}

Here, we configure the SecurityFilterChain bean to authenticate every request except some endpoints like login, oauth2, error, etc. The login type is OAuth2.  The successHandler() ensures that after successful login, it’ll redirect flow to a REST endpoint of the application returning a message Login Success. 

Now, let’s add some properties related to OAuth2 and the authorization server in application.yaml file. The authorization server is called provider in the application.yaml file:

spring:
    security:
        oauth2:
            client:
                registration:
                    keycloak:
                        client-id: my-client
                        scope: openid,profile,email
                        authorization-grant-type: authorization_code
                        redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
                provider:
                     keycloak:
                         issuer-uri: http://localhost:8787/realms/my-realm

Here, we configure our Spring Boot app for the authorization server. We register a Keycloak client, my-client, with scopes for openid, profile, and email, enabling OpenID Connect-based authentication. The configuration sets the authorization-grant-type to authorization-code.

It dynamically constructs the redirect-URI using placeholders, enabling the application to handle the OAuth2 callback correctly after authentication. The issuer-uri under provider points to the Keycloak realm my-realm, which is essential for discovering Keycloak’s OAuth2 endpoints.

We can configure Keycloak as an authorization server by following this documentation. We just have to match client-id and issuer-url while configuring Keycloak. Although this isn’t required for tests, we can play with it and try to access the API and see authentication in action.

3. Faking the OAuth2 SSO

In this section, we’ll learn two ways to fake OAuth2 SSO. One way is to bypass the authentication altogether, and the second way is to mock the authorization server. In both scenarios, we don’t need to run Keycloak while running our test cases.

3.1. Bypassing Authentication With MockMvc

To bypass the authentication, we need a dummy provider that can be registered as a client by the OAuth2AuthorizedClientService bean. To do that, let’s create a test configuration for this dummy provider:

@TestConfiguration
public class NoOAuth2Config {
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration registration = ClientRegistration
          .withRegistrationId("dummy")
          .clientId("test-client")
          .clientSecret("test-secret")
          .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
          .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
          .authorizationUri("http://localhost/fake-auth")
          .tokenUri("http://localhost/fake-token")
          .userInfoUri("http://localhost/fake-userinfo")
          .userNameAttributeName("sub")
          .clientName("Dummy Client")
          .build();
        return new InMemoryClientRegistrationRepository(registration);
    }

    @Bean
    public OAuth2AuthorizedClientService authorizedClientService(
      ClientRegistrationRepository clientRegistrationRepository) {
        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
    }
}

The above test configuration creates a client and registers it with the OAuth2AuthorizedClientService. If we look carefully at clientRegistrationRepository(), it has all the properties Spring needs to register clients. We can verify with the properties in the application.yaml file from earlier.

Now, let’s write the test case:

@Import(NoOAuth2Config.class)
@ActiveProfiles("test")
@AutoConfigureMockMvc
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.MOCK)
class FakingOauth2SsoIntegrationTest {
    @Autowired
    MockMvc mockMvc;

    @Test
    void whenBypssingTheOAuthWithSpringConfig_thenItShouldBeAbleToLogin() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.get("/")
          .with(oauth2Login()))
          .andExpect(status().isOk());
    }
}

Here, we auto-configure MockMvc and import the NoOAuthConfig configuration class in this Spring Boot test.

The oauth2login() is part of SecurityMockMvcRequestPostProcessors and establishes a SecurityContext that has an OAuth2AuthenticationToken for the Authentication, an OAuth2User as the principal, and an OAuth2AuthorizedClient in the session. This is how we bypass the authentication.

3.2. Fake an OAuth2 SSO Service With WireMock

To mock the authorization server, we’ll use WireMock:

<dependency>
    <groupId>com.github.tomakehurst</groupId>
    <artifactId>wiremock-jre8-standalone</artifactId>
    <version>2.35.1</version>
    <scope>test</scope>
</dependency>

The latest version of WireMock is available in the Maven Repository.

Now, let’s add the following configuration in the application-test.yaml file, which is similar to the main application.yaml file content:

spring:
    security:
        oauth2:
            client:
                registration:
                    wiremock:
                        client-id: my-client
                        client-secret: my-secret
                        redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
                        authorization-grant-type: authorization_code
                        scope: openid
                        provider: wiremock
                provider:
                    wiremock:
                        issuer-uri: http://localhost:8787/realms/my-realm

To mock the authorization server, we’ll mock one API  /.well-known/openid-configuration, a JSON file that an OpenID Connect provider serves over HTTPS at a well-known URL, providing all the configuration details a client needs to integrate with it. It allows client applications (like web or mobile apps) to automatically discover auth endpoints, token endpoints, supported features, public keys, scopes, claims, etc.

Let’s add the code to mock the endpoint in the authorization server:

static WireMockServer wireMockServer;

@BeforeAll
static void setup() {
    wireMockServer = new WireMockServer(8787);
    configureFor(8787);
    wireMockServer.start();

    stubFor(get(urlEqualTo("/realms/my-realm/.well-known/openid-configuration"))
      .willReturn(aResponse()
      .withHeader("Content-Type", "application/json")
      .withBody("""
            {
                "issuer": "http://localhost:8787/realms/my-realm",
                "authorization_endpoint": "http://localhost:8787/realms/my-realm/oauth/authorize",
                "token_endpoint": "http://localhost:8787/realms/my-realm/oauth/token",
                "userinfo_endpoint": "http://localhost:8787/realms/my-realm/userinfo",
                "jwks_uri": "http://localhost:8787/realms/my-realm/.well-known/jwks.json",
                "response_types_supported": [
                    "code",
                    "token",
                    "id_token",
                    "code token",
                    "code id_token",
                    "token id_token",
                    "code token id_token",
                    "none"
                ],
                "subject_types_supported": [
                    "public"
                ],
                "id_token_signing_alg_values_supported": [
                    "RS256"
                ],
                "scopes_supported": [
                    "openid",
                    "email",
                    "profile"
                ]
            }
        """)));
}

@AfterAll
static void tearDown() {
    wireMockServer.stop();
}

Here, we set up a WireMock server to mock Keycloak for testing OAuth2 login flows. It runs on port 8787 and define a stub to intercept requests to /.well-known/openid-configuration under the my-realm realm. The stub returns a mock JSON response that mimics a real Keycloak configuration, including endpoints for authorization, token exchange, and user info.

This setup makes the application believe it’s interacting with a real Keycloak server during tests. Finally, the tearDown() stops the WireMock server after all tests are complete.

Now, let’s write the test case:

@Test
void whenAuthServerIsMocked_thenItShouldBeAbleToLogin() throws Exception {
    mockMvc.perform(MockMvcRequestBuilders.get("/")
      .with(oauth2Login()))
      .andExpect(status().isOk());
}

4. Conclusion

In this article, we learned how to set up a basic OAuth2 Single Sign-On (SSO) using Keycloak as the authorization server. We then explored how to simulate authentication when writing test cases.

In the first approach, we bypassed authentication using Spring Security configurations alone. In the second approach, we used the WireMock API to mock the authorization server without running an actual auth server.

The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.
Baeldung Pro – NPI EA (cat = Baeldung)
announcement - icon

Baeldung Pro comes with both absolutely No-Ads as well as finally with Dark Mode, for a clean learning experience:

>> Explore a clean Baeldung

Once the early-adopter seats are all used, the price will go up and stay at $33/year.

Partner – Orkes – NPI EA (cat = Spring)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

Partner – Orkes – NPI EA (tag = Microservices)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

eBook – HTTP Client – NPI EA (cat=HTTP Client-Side)
announcement - icon

The Apache HTTP Client is a very robust library, suitable for both simple and advanced use cases when testing HTTP endpoints. Check out our guide covering basic request and response handling, as well as security, cookies, timeouts, and more:

>> Download the eBook

eBook – Java Concurrency – NPI EA (cat=Java Concurrency)
announcement - icon

Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.

Get started with understanding multi-threaded applications with our Java Concurrency guide:

>> Download the eBook

eBook – Java Streams – NPI EA (cat=Java Streams)
announcement - icon

Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.

But these can also be overused and fall into some common pitfalls.

To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:

>> Join Pro and download the eBook

eBook – Persistence – NPI EA (cat=Persistence)
announcement - icon

Working on getting your persistence layer right with Spring?

Explore the eBook

Course – LS – NPI EA (cat=REST)

announcement - icon

Get started with Spring Boot and with core Spring, through the Learn Spring course:

>> CHECK OUT THE COURSE

Partner – Moderne – NPI EA (tag=Refactoring)
announcement - icon

Modern Java teams move fast — but codebases don’t always keep up. Frameworks change, dependencies drift, and tech debt builds until it starts to drag on delivery. OpenRewrite was built to fix that: an open-source refactoring engine that automates repetitive code changes while keeping developer intent intact.

The monthly training series, led by the creators and maintainers of OpenRewrite at Moderne, walks through real-world migrations and modernization patterns. Whether you’re new to recipes or ready to write your own, you’ll learn practical ways to refactor safely and at scale.

If you’ve ever wished refactoring felt as natural — and as fast — as writing code, this is a good place to start.

Course – LSS – NPI (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE

eBook Jackson – NPI EA – 3 (cat = Jackson)
Do JSON right with Jackson - book cover
Do JSON right with Jackson - icon
Do JSON right with Jackson
Download the E-book
2 Comments
Oldest
Newest
Inline Feedbacks
View all comments