A comprehensive Spring Boot-based Identity Provider (IdP) that supports email/password authentication with mandatory email verification and LinkedIn OAuth integration. The system issues JWT access tokens and refresh tokens signed with a private key.
Experience the UnityID authentication system with our interactive widget demo:
- Unity Auth Widget Demo: Complete authentication integration showcase
- Live Demo: https://storage.googleapis.com/unity-auth-widget/index.html
- Widget CSS: https://storage.googleapis.com/unity-auth-widget/unity-auth-widget.css
- Widget JS: https://storage.googleapis.com/unity-auth-widget/unity-auth-widget.js
- Features: Email/password registration, LinkedIn OAuth, JWT token management, real-time status updates
1. Run the UnityID backend:

```bash
mvn spring-boot:run
```

2. Try the interactive widget demo:
   - Open: https://storage.googleapis.com/unity-auth-widget/index.html
   - Test email/password registration and login
   - Try LinkedIn OAuth integration
   - See real-time authentication status updates

3. Access the applications:
   - Unity Auth Widget Demo: https://storage.googleapis.com/unity-auth-widget/index.html (Primary Demo)
   - UnityID Backend API: http://localhost:8080
The Unity Auth Widget demo provides the quickest way to experience UnityID's authentication capabilities with an interactive, real-time interface that showcases all authentication methods and token management.
- Email + Password: Traditional authentication with mandatory email verification
- LinkedIn OAuth: Social login integration with LinkedIn
- JWT Tokens: Secure access and refresh token system
- Email Verification: Mandatory email verification for local registrations
- JWT access tokens signed with RS256 (RSA signature over SHA-256, asymmetric key cryptography)
- JWT refresh tokens signed with HMAC-SHA256 (symmetric key cryptography)
- Public key distribution via JWKS endpoint for token verification
- Refresh token rotation for enhanced security
- Password encryption using BCrypt
- CORS support for frontend integration
- Role-based access control (USER, ADMIN)
Register:

```http
POST /api/auth/register
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "securePassword123",
  "firstName": "John",
  "lastName": "Doe"
}
```

Login:

```http
POST /api/auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "securePassword123"
}
```

Verify email:

```http
GET /api/auth/verify-email?token=<verification-token>
```

Resend verification email:

```http
POST /api/auth/resend-verification?email=user@example.com
```

Refresh tokens:

```http
POST /api/auth/refresh
Content-Type: application/json

{
  "refreshToken": "<refresh-token>"
}
```

Logout:

```http
POST /api/auth/logout
Content-Type: application/json

{
  "refreshToken": "<refresh-token>"
}
```

Validate token:

```http
GET /api/auth/validate-token
Authorization: Bearer <access-token>
```

JWKS:

```http
GET /.well-known/jwks.json
```

Alternative endpoint:

```http
GET /api/auth/jwks
```
Returns the public keys used to verify JWT tokens. This endpoint is used by external applications to validate tokens issued by UnityID.
Current user:

```http
GET /api/user/me
Authorization: Bearer <access-token>
```

User profile:

```http
GET /api/user/profile/{userId}
Authorization: Bearer <access-token>
```

LinkedIn login (starts the OAuth2 authorization flow):

```http
GET /oauth2/authorization/linkedin
```
The application uses environment variables for configuration. Copy .env.example to .env and update the values:

```bash
cp .env.example .env
```

Application Configuration:
- APP_NAME: Application name (default: UnityID)
- SERVER_PORT: Server port (default: 5900)

Database Configuration:
- DATABASE_URL: Database connection URL
- DATABASE_USERNAME: Database username
- DATABASE_PASSWORD: Database password

JWT Configuration:
- JWT_SECRET: Secret key for JWT signing (use a strong, random key in production)
- JWT_ACCESS_TOKEN_EXPIRATION: Access token expiration time in milliseconds
- JWT_REFRESH_TOKEN_EXPIRATION: Refresh token expiration time in milliseconds

Email Configuration:
- EMAIL_HOST: SMTP server host
- EMAIL_PORT: SMTP server port
- EMAIL_USERNAME: Email username
- EMAIL_PASSWORD: Email password (use an app password for Gmail)
- EMAIL_FROM: From email address
- EMAIL_VERIFICATION_URL: Email verification URL

LinkedIn OAuth Configuration:
- LINKEDIN_CLIENT_ID: LinkedIn OAuth client ID
- LINKEDIN_CLIENT_SECRET: LinkedIn OAuth client secret
- LINKEDIN_REDIRECT_URI: OAuth redirect URI

Application URLs:
- FRONTEND_URL: Frontend application URL

Logging Configuration:
- LOG_LEVEL_APP: Application log level
- LOG_LEVEL_SECURITY: Security log level
- LOG_LEVEL_OAUTH2: OAuth2 log level

For a complete list of all available environment variables, see the .env.example file.

Key configuration properties in application.properties (the JWT secret shown is a development placeholder; see the production notes below). Note that a `.properties` file has no inline comments, so the durations are annotated on their own lines:

```properties
# JWT Configuration
app.jwt.secret=mySecretKey123456789012345678901234567890123456789012345678901234567890
# 15 minutes
app.jwt.access-token-expiration=900000
# 24 hours
app.jwt.refresh-token-expiration=86400000

# Email Configuration
spring.mail.host=smtp.gmail.com
spring.mail.port=587
spring.mail.username=${EMAIL_USERNAME}
spring.mail.password=${EMAIL_PASSWORD}

# LinkedIn OAuth Configuration
spring.security.oauth2.client.registration.linkedin.client-id=${LINKEDIN_CLIENT_ID}
spring.security.oauth2.client.registration.linkedin.client-secret=${LINKEDIN_CLIENT_SECRET}
```

Prerequisites:
- Java 24 or higher
- Maven 3.6+
- Gmail account with App Password (for email verification)
- LinkedIn Developer Account (for OAuth)

1. Clone the repository:

```bash
git clone <repository-url>
cd UnityID
```

2. Configure environment variables:

```bash
# Copy the example environment file
cp .env.example .env
# Edit the .env file with your actual values
# Or export them directly:
export EMAIL_USERNAME=your-email@gmail.com
export EMAIL_PASSWORD=your-app-password
export LINKEDIN_CLIENT_ID=your-linkedin-client-id
export LINKEDIN_CLIENT_SECRET=your-linkedin-client-secret
export JWT_SECRET=your-super-secret-jwt-key-here
```

3. Run the application:

```bash
mvn spring-boot:run
```

4. Access the application:
   - Unity Auth Widget Demo: https://storage.googleapis.com/unity-auth-widget/index.html
   - API: http://localhost:8080
   - H2 Console: http://localhost:8080/h2-console
     - JDBC URL: jdbc:h2:mem:unityid
     - Username: sa
     - Password: password
For production deployment, consider:
- Database: Replace H2 with a production database (PostgreSQL, MySQL)
- JWT Secret: Use a strong, randomly generated secret
- HTTPS: Enable SSL/TLS encryption
- Environment Variables: Use secure secret management
- Logging: Configure appropriate logging levels
Access token claims:

```json
{
  "sub": "user@example.com",
  "userId": 1,
  "email": "user@example.com",
  "firstName": "John",
  "lastName": "Doe",
  "emailVerified": true,
  "provider": "LOCAL",
  "roles": ["ROLE_USER"],
  "iat": 1640995200,
  "exp": 1640996100
}
```

Refresh token claims:

```json
{
  "sub": "user@example.com",
  "userId": 1,
  "type": "refresh",
  "iat": 1640995200,
  "exp": 1641081600
}
```

All API endpoints return standardized error responses:

```json
{
  "success": false,
  "message": "Error description",
  "error": "Detailed error message",
  "data": null
}
```

- Token Storage: Store tokens securely on the client side
- HTTPS: Always use HTTPS in production
- Token Expiration: Access tokens expire in 15 minutes by default
- Refresh Token Rotation: Refresh tokens are rotated on each use
- Email Verification: Email verification is mandatory for local registrations
- Password Policy: Implement strong password requirements
```text
src/main/java/com/IA/UnityID/
├── config/      # Configuration classes
├── controller/  # REST controllers
├── dto/         # Data Transfer Objects
├── entity/      # JPA entities
├── exception/   # Exception handlers
├── repository/  # Data repositories
├── security/    # Security components
└── service/     # Business logic services
```
To add a new OAuth provider:
- Create a new `OAuth2UserInfo` implementation
- Update `OAuth2UserInfoFactory`
- Add provider configuration in `application.properties`
- Update the `AuthProvider` enum in the User entity
Run the test suite:

```bash
mvn test
```

- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Submit a pull request
This project is licensed under the MIT License.