Building a Java Spring Boot Passkey Login
In this blog post, we’ll be walking through the process of building a sample application with passkey authentication using Java Spring Boot. To make passkeys work, we use Corbado’s passkey-first web component that automatically connects to a passkeys backend.
2. Java Spring Boot passkey project prerequisites
3. Repository structure for Java Spring Boot passkey project
4. Set up your Corbado account and project
5. Create Java Spring Boot passkeys app
6.1. Embed the passkey authentication webcomponent
6.2. Add controller endpoint for passkeys login page
7.2. Get data from Corbado session
8. Start using passkeys with our Java Spring Boot implementation
In this blog post, we’ll be walking through the process of building a sample application with passkey authentication using Java Spring Boot. To make passkeys work, we use Corbado’s passkey-first web component that automatically connects to a passkeys backend.
If you want to see the finished code, please have a look at our sample application GitHub repository.
The result looks as follows:
This tutorial assumes basic familiarity with HTML and Java Spring Boot. Let’s dive in!
A Java Spring Boot project contains many files, but the only ones important for us are in the /complete/src/main folder. The templates are located under /resources/templates while the FrontendController.java as well as its JsonReader.java helper class are located in a separate folder.
Visit the Corbado developer panel to sign up and create your account (you’ll see passkey sign-up in action here!).
In the appearing project wizard, select “Web app” as type of app and afterwards select “No existing users” as we’re building a new app from scratch. Moreover, providing some details regarding your frontend and backend tech stack as well as the main goal you want to achieve with Corbado helps us to customize and smoothen your developer experience.
Next, we navigate to Settings > General > URLs and set the Application URL, Redirect URL and Relying Party ID to the following values (We will host our app on port 8080):
- ApplicationURL: Provide the URL where you embedded the web component, http://localhost:8080
- RedirectURL: Provide the URL your app should redirect to after successful authentication and which gets sent a short-term session cookie, here: http://localhost:8080/profile
- RelyingParty ID: Provide the domain (no protocol, no port and no path) where passkeys should be bound to, here: localhost
To initialize our project, we clone Spring’s starter repository with
In the /complete/src/main/java/com/example/springboot folder, you will find the HelloController.java. We rename it to FrontendController.java and use it to serve plain HTML files when a user requests a certain path.
We will need the Corbado project ID in the next steps, so we’ll add it as an environment variable. For this, we create an application.properties file under /complete/src/main/resources and paste our Corbado project ID:
Under /complete/src/main/resources/templates create an index.html file with the content below. This will be our login page. It includes a script from Corbado which we need in the next steps.
We now place the Corbado web component (<corbado-auth/>) in the login page template which will handle all means of authentication (e.g. fallbacks, user detection, passkey management):
To make it work we modify the "index" endpoint in our FrontendController.java to render our login page template. The Corbado project ID is taken from the environment variables and is inserted into the template upon rendering.
After successful authentication, the Corbado web component redirects the user to the provided Redirect URL (https://localhost:8080/profile). This page displays information about the user and provides a button to log out. In the “templates” folder add a file “profile.html” with the following content:
Next create a profile() method with annotation inside the FrontendController.java:
We now need to obtain the user information we want to display in the profile.html template.
Before wecan use information embedded in the session, we need to verify that the session is valid. We therefore take the cbo_short_session cookie (the session) and verify its signature using the public key from Corbado. Next, we also verify that the issuer is correct, as shown below.
Note: For all JWT operations, we use the Nimbus JOSE + JWT dependency which comes with utilities for Object Signing and JSON Web Tokens (JWT).
Finally, we can extract the information stored in the JWT claims. These are afterwards used when rendering the template. Our profile() method then looks like this:
To start our application we head into the /complete directory of our app and execute
When visiting http://localhost:8080 you should see the following screen:
After successful sign up / login, you see the profile page:
This tutorial showed how easy it is to add passwordless authentication with passkeys to a Java Spring Boot app using Corbado. Besides the passkey-first authentication, Corbado provides simple session management, that we used for retrieval of user data in our backend. If you want to read more about the data you can retrieve in your backend , please check out our documentation here or if you want to add Corbado to your existing app with existing users, please see our documentation here.
Enjoyed this read?
Stay up to date with the latest news, strategies and insights about passkeys sent straight to your inbox!
.png)
