67

I have implemented Spring Social + Spring Security as outlined in the Spring Security examples (and with Spring Security Java config). I reported a couple of problems at the time (see https://jira.springsource.org/browse/SEC-2204); all of those are resolved and my security works fine.

However, I want to change my security implementation and use RESTful authentication. Spring OAuth/OAuth2 (http://projects.spring.io/spring-security-oauth/) solves this problem, but I cannot see how Spring Social will fit into that picture. Although behind the scenes Spring Social talks to Facebook/Twitter with OAuth, I don't think Spring Social's signup form and other characteristics are built for a RESTful API.

Any examples or ideas will definitely help.

Update on this post: (4/6/2014)

  • I have built a (PHP) site that consumes my API.
  • This PHP site (let's call it the client site), uses Facebook PHP SDK to register its own users. This is a completely separate way of gathering its own members.
  • However, once users are registered, the client site passes username, email, password, first name, and last name data along with its client_id and client secret, using OAuth2 grant type client_credentials authentication.
  • This passed-in user data creates a user record on the main system! (main application)
  • After this, each time the client site calls the main system via OAuth2 grant type password and sends client_id, client_secret, username and password, it gets an "Authentication token" and is able to communicate with the main site with this token.

Seems like a long way to go but solves the problem of keeping the user record on the main system. I'm curious if there are other ways to do this? Please advise.

starball
aug70co
  • 6
    Have you looked at this example? https://github.com/joshlong/the-spring-rest-stack – void Apr 10 '14 at 18:27
  • 1
    See http://stackoverflow.com/a/33963286/2050333 – rbarriuso Nov 27 '15 at 18:49
  • 2
    Possible duplicate of [Spring Social Authentication Filter for Stateless REST Endpoints which use Facebook Token for authentication](https://stackoverflow.com/questions/35911723/spring-social-authentication-filter-for-stateless-rest-endpoints-which-use-faceb) – Alberto Anderick Jr May 23 '17 at 14:34
  • 1
    https://geowarin.github.io/social-login-with-spring.html-- This could help you very much – Shashi Dk Feb 16 '18 at 10:08

3 Answers

2

So you want to use OAuth2 in your application, and you want to use the password flow. You can use the Spring Security oauth2-resource-server project to implement a resource server. In your resource server you can use the ResourceOwnerPasswordResourceDetails to provide the client_id, client_secret, username and password. The OAuth2RestTemplate can be used to call the resource server.

Spacewink
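The flow in the question's update (client_credentials grant to register a user, then password grant to obtain a user token) and the password-flow answer above describe the same exchange. The following added example, which is not code from the question, the answers or Spring Security OAuth, models both sides of that exchange in memory: a constructed "main system" that plays the authorization server (token endpoint) and the resource server (user creation and a profile endpoint), with client secrets and passwords stored as salted PBKDF2 digests and the failure modes (bad client secret, bad password, client-only token used where a user token is required) answered the way a token endpoint would. Client id, usernames and endpoints are made up for the example.

```python
"""Constructed in-memory model of the two-grant flow; not Spring Security OAuth code."""
import hashlib
import hmac
import os
import secrets
import time


class Credential:
    """Salted PBKDF2 digest so client secrets and user passwords are never stored in clear."""

    def __init__(self, secret: str):
        self.salt = os.urandom(16)
        self.digest = self._derive(secret, self.salt)

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def verify(self, secret: str) -> bool:
        return hmac.compare_digest(self.digest, self._derive(secret, self.salt))


class MainSystem:
    """Authorization server plus resource server of the question's 'main system' (constructed)."""

    def __init__(self):
        self.clients = {}  # client_id -> (Credential, allowed grant types)
        self.users = {}    # username -> profile dict plus Credential
        self.tokens = {}   # access token -> {client_id, sub, exp}

    def register_client(self, client_id, client_secret, grant_types):
        self.clients[client_id] = (Credential(client_secret), frozenset(grant_types))

    # Authorization server: POST /oauth/token. Returns (status, body) like the HTTP endpoint.
    def token(self, form: dict):
        entry = self.clients.get(form.get("client_id"))
        if entry is None or not entry[0].verify(form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant not in entry[1]:
            return 400, {"error": "unauthorized_client"}
        if grant == "client_credentials":
            subject = None  # token acts for the client itself, no user behind it
        elif grant == "password":
            user = self.users.get(form.get("username"))
            # Same error for unknown user and wrong password, so usernames are not enumerable.
            if user is None or not user["credential"].verify(form.get("password", "")):
                return 400, {"error": "invalid_grant"}
            subject = form["username"]
        else:
            return 400, {"error": "unsupported_grant_type"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": form["client_id"], "sub": subject,
                                     "exp": time.time() + 3600}
        return 200, {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}

    def _bearer(self, headers: dict):
        """Resolve the Authorization header to a live token record, or None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        t = self.tokens.get(auth[len("Bearer "):])
        return None if t is None or t["exp"] < time.time() else t

    # Resource server: POST /users, allowed only with a client_credentials token.
    def create_user(self, headers: dict, body: dict):
        t = self._bearer(headers)
        if t is None:
            return 401, {"error": "invalid_token"}
        if t["sub"] is not None:
            return 403, {"error": "insufficient_scope"}  # a user token may not create users
        if body["username"] in self.users:
            return 409, {"error": "user_exists"}
        self.users[body["username"]] = {
            "email": body["email"], "first_name": body["first_name"],
            "last_name": body["last_name"], "registered_by": t["client_id"],
            "credential": Credential(body["password"]),
        }
        return 201, {"username": body["username"]}

    # Resource server: GET /me, allowed only with a password-grant (user) token.
    def me(self, headers: dict):
        t = self._bearer(headers)
        if t is None or t["sub"] is None:
            return 401, {"error": "invalid_token"}
        profile = {k: v for k, v in self.users[t["sub"]].items() if k != "credential"}
        return 200, {"username": t["sub"], **profile}


def run_flow():
    """Plays both grants end to end; returns the status codes seen and the final profile."""
    main = MainSystem()
    main.register_client("php-site", "php-site-secret", ["client_credentials", "password"])
    client = {"client_id": "php-site", "client_secret": "php-site-secret"}
    # Step 1: the client site authenticates as itself and creates the user record.
    s1, client_tok = main.token({"grant_type": "client_credentials", **client})
    s2, _ = main.create_user({"Authorization": "Bearer " + client_tok["access_token"]},
                             {"username": "alice", "email": "alice@example.test", "password": "pw1",
                              "first_name": "Alice", "last_name": "Example"})
    # Step 2: later calls exchange the user's own credentials for a user token.
    s3, user_tok = main.token({"grant_type": "password", "username": "alice", "password": "pw1", **client})
    s4, me = main.me({"Authorization": "Bearer " + user_tok["access_token"]})
    # Failure modes: wrong client secret, wrong password, client token used on a user endpoint.
    s5, _ = main.token({"grant_type": "password", "username": "alice", "password": "pw1",
                        "client_id": "php-site", "client_secret": "wrong"})
    s6, _ = main.token({"grant_type": "password", "username": "alice", "password": "bad", **client})
    s7, _ = main.me({"Authorization": "Bearer " + client_tok["access_token"]})
    return [s1, s2, s3, s4, s5, s6, s7], me
```

Running `run_flow()` yields the status sequence 200, 201, 200, 200 for the happy path and 401, 400, 401 for the three failure cases. The point worth noticing for a real deployment is the separation the subject field gives: a token obtained with client_credentials carries no user and is the only kind accepted for creating users, while the password-grant token carries the user and is the only kind accepted on user-scoped endpoints.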
0

Spring-social was deprecated in 2019. In the case that was exposed in the question (long before this deprecation), the easiest solution is using an authorization-server capable of federating "social" identities out of the box. Keycloak is a free "on premise" sample and Auth0 a SaaS one (with free tier). Just search for "OIDC authorization-server" in your favorite search engine and pick the one best matching your needs.

REST APIs are then configured as resource-servers using spring-boot-starter-oauth2-resource-server. Samples there.

ch4mp
0

Wow, lots of good information already provided by others, but the Spring docs provide a sample config YAML file to authenticate with Google and Okta; see the link below (apologies if already provided).

https://docs.spring.io/spring-security/reference/5.8/reactive/oauth2/login/core.html#webflux-oauth2-login-common-oauth2-provider
Configuring Custom Provider Properties
There are some OAuth 2.0 Providers that support multi-tenancy, which results in different protocol endpoints for each tenant (or sub-domain).

For example, an OAuth Client registered with Okta is assigned to a specific sub-domain and has its own protocol endpoints.

For these cases, Spring Boot 2.x provides the following base property for configuring custom provider properties: spring.security.oauth2.client.provider.[providerId].

The following listing shows an example:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
        provider:
          okta:
            authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
            token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
            user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys

The base property (spring.security.oauth2.client.provider.okta) allows for custom configuration of protocol endpoint locations.

MZM