If I have this in my application.properties:
security.oauth2.resource.user-info-uri=https://www.googleapis.com/userinfo/v2/me
security.oauth2.client.client-id=clientid.apps.googleusercontent.com
security.oauth2.client.client-secret=client-secret
security.oauth2.client.user-authorization-uri=https://accounts.google.com/o/oauth2/v2/auth
security.oauth2.client.access-token-uri=https://oauth2.googleapis.com/token
security.oauth2.client.scope=openid
I have a security configurer, controller, etc. It works great. When I try to use an endpoint, I can log in at Google and then I get back the response from my Spring Boot app.
My question is: if someone asks me, "Are you sure that this project is using OIDC?"
How do I answer? How can I prove that it does (to someone who works in IT but is not a master of OAuth2/OpenID Connect)?
Have a look at some resources that explain what is OAuth and what are its differences from OpenID Connect, for example something like here: https://curity.io/resources/webinars/course-getting-started-with-oauth-and-openid-connect
It's good to know how they differ - OAuth and OIDC. In short - if you use OAuth flows to receive ID Tokens from an Authorization Server (which in OIDC is called an OpenID Provider), then you're using OIDC. If you only get access tokens, then you're using only OAuth, without OIDC. ID tokens are JWTs which provide your application with information about the authenticated user - this is what OIDC is about: telling your application who the user is. OAuth is a way of authorizing the user - with an access token you might not know who the user is, but you can access an API with the access token and perform some actions on behalf of the user.
If you want to prove that you're using OIDC in your app, try to dig into the user's data and print the email they used to log in to Google - this will be proof that you have access to information about the authenticated user, which you got from Google in an ID token.
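As an added example (not code from the question or the answer above), here is a small Python check that turns the answer's rule into something you can run against a captured token endpoint response: if the response carries only an `access_token` it is plain OAuth2; if it carries an `id_token` whose `iss`, `aud`, `sub` and `exp` claims are consistent with the provider and the client id from the question, it is OIDC, and the `email` claim is the proof to show. The issuer value and the token-building helper are assumptions for this example, and the helper produces an unsigned token with a placeholder signature, so the check deliberately skips signature verification (a real client must verify against the provider's JWKS).

```python
import base64
import json
import time

# Constructed values for this example; the client id mirrors the one in the question.
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_CLIENT_ID = "clientid.apps.googleusercontent.com"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature).
    NOT signature-verified: a real client must validate it against the provider's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token_response(resp: dict, now=None) -> dict:
    """Classify a token endpoint response as 'OAuth2 only', 'OIDC' or 'INVALID'.
    OIDC is in use only if an id_token is present and its core claims
    (iss, sub, aud, exp) match the configured provider and our client id."""
    now = time.time() if now is None else now
    if "id_token" not in resp:
        return {"verdict": "OAuth2 only", "user": None,
                "reason": "access_token only, no id_token in token response"}
    claims = decode_jwt_payload(resp["id_token"])
    missing = [c for c in ("iss", "sub", "aud", "exp") if c not in claims]
    if missing:
        return {"verdict": "INVALID", "user": None, "reason": f"missing claims {missing}"}
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if claims["iss"] != EXPECTED_ISSUER or EXPECTED_CLIENT_ID not in aud:
        return {"verdict": "INVALID", "user": None, "reason": "wrong issuer or audience"}
    if claims["exp"] <= now:
        return {"verdict": "INVALID", "user": None, "reason": "id_token expired"}
    # sub is the stable user identifier; email is the human-readable proof to show.
    return {"verdict": "OIDC", "user": {"sub": claims["sub"], "email": claims.get("email")},
            "reason": "id_token present with consistent iss/aud/exp"}


def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed ID token with a placeholder signature (example input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Feed it the JSON your app receives from the token endpoint: an `access_token`-only body yields "OAuth2 only", while a body with a well-formed `id_token` yields "OIDC" together with the `sub` and `email` you can show as evidence.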