3

I'm working on spring-security-oauth2-1.0.3.RELEASE, trying to set up an oauth client to get user authenticated with google.

I spent quit a while on this and still don't find much good article explaining very clearly.

What I'm doing is to put an OAuth2ClientAuthenticationProcessingFilter into the filter chain like this:

<http xmlns="http://www.springframework.org/schema/security"
    use-expressions="true" pattern="/oauth.html" auto-config="true">
    <sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />
    <custom-filter ref="oauth2ClientFilter" position="CAS_FILTER" />
    <sec:custom-filter ref="googleAuthFilter" after="CAS_FILTER" />
</http>

A custom-filter: googleAuthFilter is there to protect my URL.

Reading the source code of OAuth2ClientAuthenticationProcessingFilter, it requires a reference to

  1. an OAuth2RestOperations (rest template) which refers to an Oauth server resource (information about google)
  2. ResourceServerTokenServices (from Spring-security-oauth libary provider packages).

Now I'm confused. Spring-security-oauth is divided into 2 parts: client and provider.

Since I'm just setting up an Oauth client, why do I need to have a reference of a class from Oauth provider packages?

Also, How should I set up the ResourceServerTokenServices? Now I'm trying to use the defualt implementaiton. Because DefaultTokenServices again requires reference to

  1. TokenStore
  2. ClientDetailsService
  3. TokenEnhancer

So far I tried all the default implementations:

  • TokenStore: InMemoryTokenStore
  • ClientDetailsService: InMemoryClientDetailsService
  • TokenEnhancer: TokenEnhancerChain

and it seems not to work...

Thanks!

bolei
  • 156
  • 5
  • 13

2 Answers2

2

I thought I might write something. But the version you are using is very old, recent version of Spring Security OAuth2 is very easy to use and have applied wide - many document. Let's make some search :D

http://jhasaket.blogspot.com/2014/09/securing-spring-mvc-application-using.html

Thanh Nguyen Van
  • 1,923
  • 1
  • 18
  • 18
0

Check out the Spring "Social Client" tutorial,

https://spring.io/guides/tutorials/spring-boot-oauth2/#_social_login_github

That tutorial had info for Facebook & Gist. The one piece I couldn't figure out - the userInfo URL - I finally discovered not on Google but in the .YML file data shown here:

http://www.techforumist.com/google-oauth2-login-in-spring-boot-and-angularjs/

Copied locally (in the spirit of the SO practice of giving more than a URL :-)):

oauth2:
    client:
      clientId: <Client ID from google developer console>
      clientSecret: <Client Secret from google developer console>
      accessTokenUri: https://www.googleapis.com/oauth2/v4/token
      userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
      clientAuthenticationScheme: form
      scope:
        - openid
        - email
        - profile
    resource:
      userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      preferTokenInfo: true

Hope this helps you (took me a while to find all that)!

P.S. I have an application that successfully authenticates against Google using Spring Boot OAuth2 security - don't give up hope! What I currently lack is a way to unpack the data I get back to determine the user's Google email address for whitelisting - see SO link below:

How to get google user email to whitelist users when authenticating using Spring Boot OAuth2 against Google

rich p
  • 1,005
  • 9
  • 16