<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tharvesh Muhaideen A</title>
    <description>The latest articles on DEV Community by Tharvesh Muhaideen A (@tharvesh_muhaideen).</description>
    <link>https://dev.to/tharvesh_muhaideen</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4028220%2F31454851-2bec-498e-8609-e01dfb967e06.gif</url>
      <title>DEV Community: Tharvesh Muhaideen A</title>
      <link>https://dev.to/tharvesh_muhaideen</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/tharvesh_muhaideen"/>
    <language>en</language>
    <item>
      <title>I built a full IAM system in Spring Boot — here's what broke when I put it on the internet</title>
      <dc:creator>Tharvesh Muhaideen A</dc:creator>
      <pubDate>Wed, 15 Jul 2026 05:11:18 +0000</pubDate>
      <link>https://dev.to/tharvbytes/i-built-a-full-iam-system-in-spring-boot-heres-what-broke-when-i-put-it-on-the-internet-3n8l</link>
      <guid>https://dev.to/tharvbytes/i-built-a-full-iam-system-in-spring-boot-heres-what-broke-when-i-put-it-on-the-internet-3n8l</guid>
      <description>&lt;h2&gt;
  
  
  What I built
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;identityCore&lt;/strong&gt; is a self-hosted Identity &amp;amp; Access Management (IAM) service — the kind of thing you'd normally reach for Auth0, Keycloak, or Cognito for, built from the ground up in Spring Boot to actually understand how the pieces fit together.&lt;/p&gt;

&lt;p&gt;Stack: &lt;code&gt;Spring Boot 3.3.5&lt;/code&gt;, &lt;code&gt;Spring Security 6.3.4&lt;/code&gt;, &lt;code&gt;Spring Data JPA&lt;/code&gt;, &lt;code&gt;PostgreSQL&lt;/code&gt; (prod) / &lt;code&gt;H2&lt;/code&gt; (dev), &lt;code&gt;Thymeleaf&lt;/code&gt;, &lt;code&gt;HikariCP&lt;/code&gt;, &lt;code&gt;BCrypt&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The feature set
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Three login paths, one identity model&lt;/strong&gt;: form login, Google (OIDC), GitHub (OAuth2) — all resolving to the same &lt;code&gt;UserEntity&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RBAC as data, not constants&lt;/strong&gt;: &lt;code&gt;RoleEntity&lt;/code&gt; and &lt;code&gt;PermissionEntity&lt;/code&gt; are real JPA entities, editable through an admin UI, not &lt;code&gt;@PreAuthorize("hasRole('ADMIN')")&lt;/code&gt; scattered everywhere with no single source of truth&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;REST + MVC in the same app&lt;/strong&gt;: &lt;code&gt;AuthApiController&lt;/code&gt; / &lt;code&gt;UserApiController&lt;/code&gt; return a consistent &lt;code&gt;ApiResponse&amp;lt;T&amp;gt;&lt;/code&gt; wrapper, while &lt;code&gt;DashboardController&lt;/code&gt; / &lt;code&gt;ProfileController&lt;/code&gt; / &lt;code&gt;RoleController&lt;/code&gt; serve Thymeleaf views&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;One exception handler to rule them all&lt;/strong&gt;: &lt;code&gt;GlobalExceptionHandler&lt;/code&gt; catches &lt;code&gt;ApplicationException&lt;/code&gt;, &lt;code&gt;ValidationException&lt;/code&gt;, &lt;code&gt;ResourceNotFoundException&lt;/code&gt;, &lt;code&gt;AuthenticationException&lt;/code&gt; and maps each to the right HTTP status — no leaking stack traces, no inconsistent error shapes across endpoints&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Why two OAuth2 user services, not one
&lt;/h2&gt;

&lt;p&gt;This is the part most tutorials skip. Google and GitHub are &lt;strong&gt;not the same protocol&lt;/strong&gt; even though Spring Security's &lt;code&gt;oauth2Login()&lt;/code&gt; makes them feel identical:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;oauth2Login&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;oauth&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;oauth&lt;/span&gt;
    &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;userInfoEndpoint&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;userInfo&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;userInfo&lt;/span&gt;
        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;userService&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;customOAuth2UserService&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;     &lt;span class="c1"&gt;// handles GitHub (plain OAuth2)&lt;/span&gt;
        &lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;oidcUserService&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="n"&gt;customOidcUserService&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;    &lt;span class="c1"&gt;// handles Google (OIDC)&lt;/span&gt;
    &lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;GitHub&lt;/strong&gt; returns an opaque &lt;code&gt;access_token&lt;/code&gt; — no identity claims baked in. You have to call &lt;code&gt;GET /user&lt;/code&gt; afterward, and if the user's email is private, that field comes back &lt;code&gt;null&lt;/code&gt;. My &lt;code&gt;CustomOAuth2UserService&lt;/code&gt; explicitly calls &lt;code&gt;/user/emails&lt;/code&gt; to get a real, verified address instead of faking one.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google&lt;/strong&gt; returns an &lt;code&gt;id_token&lt;/code&gt; — a signed JWT with &lt;code&gt;email&lt;/code&gt;, &lt;code&gt;email_verified&lt;/code&gt;, and &lt;code&gt;name&lt;/code&gt; already inside it. &lt;code&gt;CustomOidcUserService&lt;/code&gt; reads it directly, no extra network round-trip.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Both funnel into one shared &lt;code&gt;OAuth2UserProvisioner&lt;/code&gt; that does the actual find-or-create against the DB — so the "is this a new user" logic exists in exactly one place, regardless of which provider they came from.&lt;/p&gt;

&lt;h2&gt;
  
  
  The bug that only showed up in production
&lt;/h2&gt;

&lt;p&gt;Everything passed locally. The moment I pointed my own domain at the app through a tunnel (TLS terminated at the edge, plain HTTP to the app on port 8080), OAuth2 login died with &lt;code&gt;redirect_uri_mismatch&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Root cause: Spring Security builds the OAuth2 redirect URI from what it thinks the incoming request's scheme was. Behind a tunnel/reverse proxy, the app only ever sees the internal &lt;code&gt;http://localhost:8080&lt;/code&gt; hop — so it built &lt;code&gt;http://yourdomain.com/login/oauth2/code/google&lt;/code&gt; while Google had &lt;code&gt;https://yourdomain.com/...&lt;/code&gt; registered. Same code, same config, silently broken by &lt;em&gt;where&lt;/em&gt; it was running.&lt;/p&gt;

&lt;p&gt;Fix — one line:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight properties"&gt;&lt;code&gt;&lt;span class="py"&gt;server.forward-headers-strategy&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="s"&gt;framework&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This tells Spring to trust the &lt;code&gt;X-Forwarded-Proto&lt;/code&gt; / &lt;code&gt;X-Forwarded-Host&lt;/code&gt; headers the tunnel already sends, and rebuild URLs with the correct scheme. No proxy config needed on my end — most tunnels send these headers by default.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lessons
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;OAuth2 ≠ OIDC.&lt;/strong&gt; OAuth2 is authorization (what you can access). OIDC adds a purpose-built identity layer (&lt;code&gt;id_token&lt;/code&gt;) on top of it for authentication (who you are). Treating them identically works right up until it doesn't.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A working demo and a working deployment are different problems.&lt;/strong&gt; The exact same &lt;code&gt;SecurityConfig&lt;/code&gt; behaves differently depending on what's between the client and your app.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Centralize provisioning.&lt;/strong&gt; Two auth paths, one user-creation function — not two copies of "does this user exist" logic that can drift apart.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Repo (branch with the OAuth2 work): &lt;code&gt;github.com/Tharvesh2026/identityCore_J25&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Happy to go deeper on the RBAC design or the exception-handling setup if there's interest.&lt;/p&gt;

</description>
      <category>springboot</category>
      <category>java</category>
      <category>oauth</category>
      <category>security</category>
    </item>
  </channel>
</rss>
