What I Learned Integrating OAuth 2.0 Social Login with Spring Boot

Spring Security does a lot of things out of the box.

  • Most of OAuth 2.0 Login can be turned on with a handful of configuration properties.

Third-party OAuth 2.0 providers make it easy to integrate

  • They provide a way to configure the client ID and client secret needed by Spring Security.
  • You can store this information in GitHub Actions Secrets so that it’s not checked into your codebase. (See the bike-tracker repo for an example.)
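The two points above (a handful of properties turns on OAuth 2.0 Login, and the client ID/secret should never be committed) can be shown in one Spring Boot configuration class. This is an added example, not code from the bike-tracker repo or from the post: it assumes Spring Boot 3 / Spring Security 6, a GitHub OAuth app, and that `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` are exported as environment variables by the deployment (for example mapped from GitHub Actions Secrets). The same registration could be written purely as properties (`spring.security.oauth2.client.registration.github.client-id=${GITHUB_CLIENT_ID}` and `...client-secret=${GITHUB_CLIENT_SECRET}`); the Java form is used here so the fail-fast check on missing secrets is visible.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not the post's or the bike-tracker repo's code).
 * Social login against GitHub with credentials read from the environment.
 */
@Configuration
@EnableWebSecurity
public class SocialLoginConfig {

    // Assumption: the CI/CD pipeline injects these from its secret store
    // (e.g. GitHub Actions Secrets) so nothing sensitive lives in the repo.
    private static final String CLIENT_ID_ENV = "GITHUB_CLIENT_ID";
    private static final String CLIENT_SECRET_ENV = "GITHUB_CLIENT_SECRET";

    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        // CommonOAuth2Provider pre-fills GitHub's authorization, token and
        // user-info endpoints; only the app-specific credentials are supplied here.
        ClientRegistration github = CommonOAuth2Provider.GITHUB
                .getBuilder("github")
                .clientId(requireEnv(CLIENT_ID_ENV))
                .clientSecret(requireEnv(CLIENT_SECRET_ENV))
                .build();
        return new InMemoryClientRegistrationRepository(github);
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            // Enables the /oauth2/authorization/{registrationId} entry point and
            // the /login/oauth2/code/{registrationId} callback with defaults.
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    // Fail at startup rather than at first login if a secret was not injected,
    // which also makes a misconfigured deployment impossible to miss.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }
}
```

The redirect URI registered with the provider must match Spring's default callback pattern (`{baseUrl}/login/oauth2/code/github`), otherwise the provider will reject the authorization request before any of this code runs.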

Keep tenancy simple

  • Part of the project involved an internal custom OAuth provider, which I was responsible for integrating with another internal product. A mistake I made at first was to require a per-tenant configuration. From a security point of view this was a very secure model, because it enforced tenant isolation: a provider OAuth integration would be created inside the customer’s tenant, and then the downstream
  • The per-tenant configuration could be paired with a username lookup to ensure the user was in the same tenant. However, it was tedious to configure, because the OAuth integration had to be set up inside the customer tenant and had to match the OAuth configuration in the other product. In the future I would use a shared OAuth configuration that could serve multiple tenants.
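A shared OAuth configuration does not have to give up the tenant check: the username-to-tenant lookup described above can be enforced when the user is loaded, so one client registration serves every tenant while an account from tenant A still cannot sign in to tenant B. This is an added example, not code from the internal product the post describes. `TenantDirectory` and the `Supplier<String>` for the tenant the login was started in are hypothetical; the in-memory directory at the bottom is constructed sample data.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;

import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.user.OAuth2User;

/** Hypothetical lookup: which tenant does a username belong to? */
interface TenantDirectory {
    Optional<String> tenantOf(String username);
}

/**
 * Added example (not the post's internal product code).
 * Wraps Spring's default user-info call and rejects the login when the
 * authenticated username is not a member of the tenant the login was started for.
 * Wire it with:
 *   http.oauth2Login(o -> o.userInfoEndpoint(u -> u.userService(tenantScopedUserService)));
 */
public class TenantScopedOAuth2UserService
        implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {

    private final OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate;
    private final TenantDirectory directory;
    // Assumption: resolved from a trusted source such as the host name the login
    // started on and held in the session, never from a user-supplied parameter.
    private final Supplier<String> currentTenant;

    public TenantScopedOAuth2UserService(TenantDirectory directory, Supplier<String> currentTenant) {
        this(new DefaultOAuth2UserService(), directory, currentTenant);
    }

    TenantScopedOAuth2UserService(OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate,
                                  TenantDirectory directory, Supplier<String> currentTenant) {
        this.delegate = delegate;
        this.directory = directory;
        this.currentTenant = currentTenant;
    }

    @Override
    public OAuth2User loadUser(OAuth2UserRequest request) throws OAuth2AuthenticationException {
        // The provider has already authenticated the user; getName() is the
        // configured user-name attribute of the shared registration.
        OAuth2User user = delegate.loadUser(request);
        String username = user.getName();
        String expected = currentTenant.get();
        Optional<String> actual = directory.tenantOf(username);

        if (actual.isEmpty() || !actual.get().equals(expected)) {
            // One generic error for "unknown user" and "wrong tenant" so the response
            // does not reveal which tenant an account belongs to.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("invalid_tenant",
                            "Account is not a member of this tenant", null));
        }
        return user;
    }

    /** Constructed sample directory for local experimentation. */
    static TenantDirectory sampleDirectory() {
        Map<String, String> users = Map.of(
                "alice", "tenant-a",
                "bob", "tenant-b");
        return username -> Optional.ofNullable(users.get(username));
    }
}
```

Because the tenant decision is made after the provider's user-info call succeeds, the provider-side configuration stays identical for every tenant; only the directory (and whatever resolves the current tenant) carries tenant-specific state. Failed checks surface as `OAuth2AuthenticationException`, which the login filter turns into the standard failure redirect, so they can be logged and alerted on like any other failed login.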
