How to do rest authentication with Spring Social?
I have implemented Spring Social + Spring Security as outlined in the Spring Security examples (and with Spring Security Java config). I reported a couple of problems at the time (see https://jira.springsource.org/browse/SEC-2204); all of those are resolved and my security works fine.

However, I want to change my security implementation and use RESTful authentication. Spring OAuth/OAuth2 (http://projects.spring.io/spring-security-oauth/) solves this problem, but I cannot see how Spring Social will fit into that picture. Although behind the scenes Spring Social talks to Facebook/Twitter with OAuth, I don't think Spring Social's signup form and other characteristics are built for a RESTful API.

Any examples or ideas will definitely help.

Update on this post: (4/6/2014)

  • I have built a (PHP) site that consumes my API.
  • This PHP site (let's call it the client site), uses Facebook PHP SDK to register its own users. This is a completely separate way of gathering its own members.
  • However, once users are registered, the client site passes username, email, password, first name, and last name along with its client_id and client_secret, using OAuth2 grant type client_credentials for authentication.
  • This passed-in user data creates a user record on the main system! (main application)
  • After this, each time the client site calls the main system via OAuth2 grant type password, sending client_id, client_secret, username and password, it gets an "Authentication token" and is able to communicate with the main site with this token.

Seems like a long way to go but solves the problem of keeping the user record on the main system. I'm curious if there are other ways to do this? Please advise.

Helgahelge answered 17/11, 2013 at 17:4 Comment(4)
Have you looked at this example? github.com/joshlong/the-spring-rest-stack – Menfolk
See https://mcmap.net/q/297231/-integrate-spring-security-oauth2-and-spring-social – Minute
Possible duplicate of Spring Social Authentication Filter for Stateless REST Endpoints which use Facebook Token for authentication – Fotheringhay
geowarin.github.io/social-login-with-spring.html – This could help you very much – Ifill
So you want to use OAuth2 in your application, and you want to use the password flow. You can use the Spring Security oauth2-resource-server project to implement a resource server. In your resource server you can use the ResourceOwnerPasswordResourceDetails to provide the client_id, client_secret, username and password. The OAuth2RestTemplate can be used to call the resource server.

Hullabaloo answered 4/11, 2022 at 17:41 Comment(0)
Spring-social was deprecated in 2019. In the case that was exposed in the question (long before this deprecation), the easiest solution is using an authorization-server capable of federating "social" identities out of the box. Keycloak is a free "on premise" sample and Auth0 a SaaS one (with free tier). Just search for "OIDC authorization-server" in your favorite search engine and pick the one best matching your needs.

REST APIs are then configured as resource-servers using spring-boot-starter-oauth2-resource-server. Samples there.

Regelation answered 2/12, 2022 at 15:37 Comment(0)
Wow, lots of good information already provided by others, but the Spring Docs provide a sample config YAML file to authenticate with Google and Okta, see link below (apologies if already provided).

https://docs.spring.io/spring-security/reference/5.8/reactive/oauth2/login/core.html#webflux-oauth2-login-common-oauth2-provider
Configuring Custom Provider Properties
There are some OAuth 2.0 Providers that support multi-tenancy, which results in different protocol endpoints for each tenant (or sub-domain).

For example, an OAuth Client registered with Okta is assigned to a specific sub-domain and has its own protocol endpoints.

For these cases, Spring Boot 2.x provides the following base property for configuring custom provider properties: spring.security.oauth2.client.provider.[providerId].

The following listing shows an example:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
        provider:
          okta: 
            authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
            token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
            user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys

The base property (spring.security.oauth2.client.provider.okta) allows for custom configuration of protocol endpoint locations.

Chorion answered 4/12, 2022 at 20:54 Comment(0)
