Documentation versions (currently viewingVaadin 24)

Getting Started

Step-by-step guide on how to use SSO Kit in a Hilla application.
Instructions for Hilla
This page guides you in getting started with SSO Kit and Hilla. See the guide for getting stated with SSO Kit and Vaadin Flow.

SSO Kit builds upon Spring Boot and Spring Security. It comes with a starter and client side modules for configuring the security settings needed to authenticate with an identity provider.

Create a Hilla Application

You can create a Hilla application without authentication by entering the following from the command-line:

npx @hilla/cli init <your-project-name>


Once you’ve created a Hilla application, you can begin securing it by installing and configuring SSO Kit on the backend. The following section shows how to block unauthorized users from using a button in an application. You can install and update SSO Kit by adding it as a dependency to your application in the pom.xml file.

Add SSO Kit Dependency

Add the sso-kit-starter module to the pom.xml file of a Vaadin application like so:

Version Number
See the SSO Kit releases page for the latest version, or a different version of the sso-kit-starter dependency.

Configure Endpoints

For Hilla to be able to parse and generate endpoints from an application and from SSO Kit dependency for your frontend, you have to add a configuration to the Hilla Maven plugin with your application and SSO Kit dependency package names like this:

            <!-- Add this configuration. -->
            <!-- ... -->

Configure SSO Provider in Spring

Next, you need to set some configuration properties to connect SSO Kit to an OpenID Connect provider. These properties can be added to your file where you give the provider URL and the client registration details, such as credentials and scope.

Provider definition is configured within the namespace where you give a key to identify your provider, such as keycloak. You can use the same key to register the client for that provider within the namespace, where you specify client credentials and the requested scope.

The scope is a list of keywords to request the provider for a specific set of information, such as user profile, email, and roles. The following is an example of the properties to set to enable a Keycloak instance to perform authentication:,openid,email,roles
# Customize the following property values for your Keycloak configuration:

Single Sign-On

SSO Kit provides the SingleSignOnConfiguration auto-configuration class to set up Hilla and Spring to allow single sign-on with external identity providers.

Customized Security Configuration
If you need a customized security configuration, you can disable this auto-configuration class by adding its fully-qualified name to the spring.autoconfigure.exclude property and define your own configuration class.

The following configuration enables login for the identity providers defined in the application configuration. It instructs the application to accept requests for the login route. It can be configured by setting the hilla.sso.login-route property, which defaults to /login.

To redirect users automatically to the provider login form, you can set this property to /oauth2/authorization/{provider-key}, where {provider-key} is the key used to configure the provider in file.

Custom Login Page
Some providers support a custom theme for their login pages. Learn more about this in Theming.

Secure the Application

A Hilla application includes frontend code and backend endpoints. Both of them can and should benefit from authentication protection.

Protect Example Endpoint

Hilla allows fine-grained authorization on endpoints and endpoint methods. You can use annotations like @PermitAll or @RolesAllowed(…​) to declare who can access what.

To try this feature, replace the @AnonymousAllowed annotation in with @PermitAll. When you do this, unauthenticated users won’t be able to access all endpoint methods. You could also apply the same annotation at the method level for more fine-grained control.

Start the application using the mvnw command. Then try the application in the browser. It should work correctly, except that when you click on the Say Hello button, nothing happens. This is because the endpoint is no longer accessible without authentication.


Once the backend is secure, you can begin extending authentication features to the frontend. The following section shows how to display user information (e.g., a name), on secured views and enable users to log in and out.

Install SSO Kit Client Dependency

npm install --save @hilla/sso-kit-client-react

This dependency contains the SsoProvider provider and the useSsoContext hook which are needed in the later steps.

Add SSO Provider

The SsoProvider provides the single sign-on context to the application. Import the SsoProvider and pass the RouterProvider as a parameter to it in the App.tsx file.

import { SsoProvider } from "@hilla/sso-kit-client-react";

return (
    <RouterProvider router={router}/>

Add Log-In & Log-Out Buttons

As an example, add two buttons to the drawer footer — one to sign in, and another to sign out. Use the imported useSsoContext hook to get the authenticated state and to add the login and logout functions to the buttons.

import { Button } from '@vaadin/react-components/Button.js';
import { useSsoContext } from "@hilla/sso-kit-client-react";

// Get the authenticated state, the login and logout functions in the MenuOnLeftLayout function.
const {authenticated, login, logout} = useSsoContext();

// Replace the `footer` in the returned element.
<footer slot="drawer">
    ? <Button onClick={logout}>Sign out</Button>
    : <Button onClick={login}>Sign in</Button>

Add Access Control

You can protect your views by verifying that each authentication has happened before loading the view.

Custom Redirect Path
You can define a custom redirect path in the protectRoutes function on which to redirect users that are not authenticated. The default value is the predefined /ssologin path, which redirects the user to the provider’s login page.

In the frontend/routes.tsx file, enrich the ViewRouteObject type with AccessProps type to be able to protect a view and add the requireAuthentication parameter to a view:

import { AccessProps, protectRoutes } from "@hilla/sso-kit-client-react";

// Enrich the ViewRouteObject type with AccessProps.
export type ViewRouteObject = (IndexViewRouteObject | NonIndexViewRouteObject) & AccessProps;

// Add requireAuthentication to the About View.
  path: '/about',
  // ...
  requireAuthentication: true,

// Protect the views which require authentication.
export const routes: readonly ViewRouteObject[] = protectRoutes([
  // ...

Filter the menu excluding unauthorized views by amending the view filter in MainLayout.tsx:

// Gather the hasAccess function and add filter to the routes that checks for authentication.
const { hasAccess } = useSsoContext();

const menuRoutes = (routes[0]?.children || [])
  .filter((route) => route.path && route.handle && route.handle.icon && route.handle.title)
  .filter(hasAccess) as readonly MenuRoute[];

Now the About item in the menu appears only when authenticated.

Show User Information

The SSO Kit Client provides the User class which contains information about the authenticated user. You can get the user information by using the useSsoContext hook.

Since the About page is now protected, it’s a perfect place to show some information about the current user:

import { useSsoContext } from "@hilla/sso-kit-client-react";

// Gather the user from the SSO context.
const { user } = useSsoContext();

// Add some output in the return.
<p>Username: {user?.preferredUsername}</p>
<p>Full name: {user?.fullName}</p>
<p>Email: {user?.email}</p>

Single Sign-Off

SSO Kit provides two methods for logging out the user. They’re defined by the OpenID Connect specification like so:

RP-Initiated Logout

RP-initiated logout (i.e., Relaying Party, the application) enables the user to logout from the application itself, ensuring the connected provider session is terminated.

Back-Channel Logout

Back-Channel Logout is a feature that enables the provider to close user sessions from outside the application. For example, from the provider’s user dashboard or from another application.

Enable the Feature

To enable the feature in an application, you need to set the hilla.sso.back-channel-logout property to true. You would do that like you see here:


The client should then be configured on the provider’s dashboard to send logout requests to a specific application URL: /logout/back-channel/{registration-key}, where {registration-key} is the provider key.

Modify the Frontend

As an example, show a dialog when the user is logged out from outside the application.

The useSsoContext hook provided by the SSO Kit Client handles the back-channel logout and receives an event if logout happens. To get notified about a logout event, register a callback using the onBackChannelLogout function and store the logged out state:

import { ConfirmDialog } from '@vaadin/react-components/ConfirmDialog.js';
import { useEffect } from 'react';
import { useSignal } from "@vaadin/hilla-react-signals";
import { useSsoContext } from "@hilla/sso-kit-client-react";

const { onBackChannelLogout } = useSsoContext();

// Store the logged out state.
const loggedOut = useSignal(false);
// Subscribe to the back-channel logout event and set logged out state to true on the event.
useEffect(() => {
  onBackChannelLogout(() => {
    loggedOut.value = true;
}, []);

// Add the confirm dialog to the AppLayout.
<ConfirmDialog header='Logged out' cancelButtonVisible
<p>You have been logged out. Do you want to log in again?</p>

You can trigger a logout externally with the provider tools. For Keycloak, you can sign out a session from the administration console or visit the page