Rest, Spring own OAuth2 server + OAuth2 providers like Facebook, Google, Yahoo

About

Asked 9/4, 2015 at 19:51 Answered 11/1, 2017 at 7:40

spring spring-security oauth-2.0 spring-social spring-security-oauth2

In Spring Boot application I have secured my Spring MVC REST endpoints with Spring Security and Spring OAuth2. I have own Authorization\Resource servers so in order to comunicate with our API, client(AngularJS) needs to obtain acessToken from my API Authorization Server.

Everything works fine but for authentication/authorization on my API, user needs to create his account and provide us with his username/password.

I'd like to simplify this process and would like to propose user to authenticate on my API via Google/Facebook/Twitter oAuth providers.

Right now I have no clear understanding how it must work.. For example one of my ideas - Facebook will issue own accessToken and pass it back to my API. Based on this accessToken my API will issue own accessToken and pass it back to client application(AngularJS). Or should I pass Facebook accessToken directly to client app ?

What is the correct architecture for the described case ? How should it work ?

Maybe there is some example that demonstrates this architecture based on Spring framework ?

Steam answered 9/4, 2015 at 19:51 Comment(0)

If you want to delegate authentication to an external provider you can use the OAuth2ClientAuthenticationProcessingFilter, or the convenience annotations and external configuration provided in Spring Cloud Security. Example (from the Spring Cloud Security home page):

Aplication.java:

@SpringBootApplication
@EnableOAuth2Sso
public class Application {
   ...
}

application.yml:

spring:
  oauth2:
    client:
      clientId: bd1c0a783ccdd1c9b9e4
      clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
      accessTokenUri: https://github.com/login/oauth/access_token
      userAuthorizationUri: https://github.com/login/oauth/authorize
      clientAuthenticationScheme: form
    resource:
      userInfoUri: https://api.github.com/user
      preferTokenInfo: false

That works with github if your app is running on port 8080 (I believe). Similar configuration works with facebook, cloud foundry, google and other OAuth2 providers.

Spider answered 17/4, 2015 at 9:47 Comment(15)

thanks for your answer. It looks awesome, I will try this solutinon today from my home machine ! One question - will it work together with my own OAuth2 AuthServer implemented via Spring OAuth ? – Steam 17/4, 2015 at 12:26

It should work with any oauth2 provider. But don't set the clientAuthenticationScheme for a Spring provider (it's switched off in the server by default). – Spider 17/4, 2015 at 12:28

Thanks, I mean that I already have my own OAuth2 Server inside of this application(This OAuth2 server is a part of this application). And in additional to this method of authentication I'd like to add external oauth2 providers. So, will it work in this case ? – Steam 17/4, 2015 at 12:36

Your auth server wants to consume these authentications. It's not acting as an OAuth2 server for the purpose of the @EnableOAuth2Sso. So, yes, I don't see why it wouldn't work. – Spider 17/4, 2015 at 16:0

could you please take a look on my other similar question ? #29734805 Thanks ! – Steam 21/4, 2015 at 7:2

The main question is how my own OAuth2 server can consume these authentications. Right now he rejects SocialAuthenticationToken in OAuth2AuthenticationProcessingFilter.doFilter method by invocation of SecurityContextHolder.clearContext(); I think I need to find a way how to manually create OAuth2Authentication and put it into security context SignInAdapter.signIn method in order to pass validation by my own OAuth2 server.. – Steam 21/4, 2015 at 19:4

@Steam i am trying to do similar thing for last few days, but cannot find any good enough resource. have you done it already? can u give some sample code examples? I mean for integrating 3rd pary oauth providers like fb google with your own oauth provider? – Cryo 24/6, 2016 at 15:9

@BurhanUddin Sorry, No luck with own OAuth2 server + 3rdparty OAuth2 providers. I have re-implemented my authentication/authorization with own JWT + 3rdparty OAuth2 providers – Steam 24/6, 2016 at 18:14

its weird! i have been dying googling for last few weeks, seems like no one on internet have managed to done it before! i searched for almost all other platforms rails, play, asp.net no luck at all :( – Cryo 25/6, 2016 at 5:42

@BurhanUddin do you have any news about this ? – Steam 15/9, 2016 at 12:18

no bro, i wasted a lot of time in it, than realized it is better to find an alternative solution to save precious time, i moved to jwt. – Cryo 18/9, 2016 at 8:59

@Steam Hello! Still no info on internet. Need to ask: you're saying you've done this with "JWT + 3rdparty OAuth2 providers". It's precise what I am looking for, can you give me a hand with authentication/authorization flow?.. I have my own auth server(JWT tokens) and want to add SSO from Facebook. I don't have any idea how to force my resource server to accept different kinds of tokens. I think about excluding res server from interaction with social platforms and make my custom auth server exchange Facebook token for custom JWT to access resources(similar for your idea in the question) – Autarch 11/1, 2017 at 0:0

Hi @maret, In case of own OAuth2 or OAuth2 + JWT tokens please take a look into the following question #32314321 especially answer provided by rbarriuso. You have to provide your own SocialAuthenticationSuccessHandler and send a redirect with own oauth2Token after successfull authorization with any 3rdparty OAuth2 providers. I hope this will help you. – Steam 11/1, 2017 at 4:24

@Autarch in other words the main idea of this solution is to issue your own JWT token and provide it to user after his successful authentication with the 3rdparty OAuth2 providers. – Steam 11/1, 2017 at 7:37

@Steam thanks, I understand the main idea. Just confused about implementation. This example you've gave me link to uses Spring Social, but I'm not sure if I want to involve it, cause I already have Spring OAuth2... And this solution coupled with Resource server, but I want to delegate all auth flow to my auth server. I'm going to to explore how to adapt it to my needs... – Autarch 11/1, 2017 at 18:30

In case of own OAuth2 or OAuth2 + JWT tokens please take a look into the following question Integrate Spring Security OAuth2 and Spring Social especially answer provided by @rbarriuso. You have to provide your own SocialAuthenticationSuccessHandler and send a redirect with own oauth2Token after successful authorization with any 3rdparty OAuth2 providers.

In other words the main idea of this technology agnostic solution is to issue your own access token and provide it to user after his successful authentication with the 3rdparty OAuth2 providers.

Steam answered 11/1, 2017 at 7:40 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags