
In a Spring Boot application I have secured my Spring MVC REST endpoints with Spring Security and Spring OAuth2. I have my own Authorization/Resource servers, so in order to communicate with our API, the client (AngularJS) needs to obtain an accessToken from my API Authorization Server.

Everything works fine, but for authentication/authorization on my API, the user needs to create an account and provide us with a username/password.

I'd like to simplify this process and would like to offer the user the option to authenticate on my API via the Google/Facebook/Twitter OAuth providers.

Right now I have no clear understanding of how it must work. For example, one of my ideas: Facebook will issue its own accessToken and pass it back to my API. Based on this accessToken my API will issue its own accessToken and pass it back to the client application (AngularJS). Or should I pass the Facebook accessToken directly to the client app?

What is the correct architecture for the described case? How should it work?

Maybe there is some example that demonstrates this architecture based on the Spring framework?


2 Answers

If you want to delegate authentication to an external provider you can use the OAuth2ClientAuthenticationProcessingFilter, or the convenience annotations and external configuration provided in Spring Cloud Security. Example (from the Spring Cloud Security home page):

Application.java:

@SpringBootApplication
@EnableOAuth2Sso
public class Application {
   ...
}

application.yml:

spring:
  oauth2:
    client:
      clientId: bd1c0a783ccdd1c9b9e4
      clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
      accessTokenUri: https://github.com/login/oauth/access_token
      userAuthorizationUri: https://github.com/login/oauth/authorize
      clientAuthenticationScheme: form
    resource:
      userInfoUri: https://api.github.com/user
      preferTokenInfo: false

That works with GitHub if your app is running on port 8080 (I believe). Similar configuration works with Facebook, Cloud Foundry, Google and other OAuth2 providers.

  • Thanks for your answer. It looks awesome, I will try this solution today from my home machine! One question: will it work together with my own OAuth2 AuthServer implemented via Spring OAuth? – alexanoid Apr 17 '15 at 12:26
  • It should work with any OAuth2 provider. But don't set the `clientAuthenticationScheme` for a Spring provider (it's switched off in the server by default). – Dave Syer Apr 17 '15 at 12:28
  • Thanks, I mean that I already have my own OAuth2 Server inside this application (this OAuth2 server is a part of this application). And in addition to this method of authentication I'd like to add external OAuth2 providers. So, will it work in this case? – alexanoid Apr 17 '15 at 12:36
  • Your auth server wants to consume these authentications. It's not acting as an OAuth2 server for the purpose of the `@EnableOAuth2Sso`. So, yes, I don't see why it wouldn't work. – Dave Syer Apr 17 '15 at 16:00
  • Could you please take a look at my other similar question? http://stackoverflow.com/questions/29734305/own-spring-oauth2-server-together-with-3rdparty-oauth-providers Thanks! – alexanoid Apr 21 '15 at 07:02
  • The main question is how my own OAuth2 server can consume these authentications. Right now it rejects the SocialAuthenticationToken in the OAuth2AuthenticationProcessingFilter.doFilter method by invoking SecurityContextHolder.clearContext(); I think I need to find a way to manually create an OAuth2Authentication and put it into the security context in the SignInAdapter.signIn method in order to pass validation by my own OAuth2 server. – alexanoid Apr 21 '15 at 19:04
  • @alexanoid I am trying to do a similar thing for the last few days, but cannot find any good enough resource. Have you done it already? Can you give some sample code examples? I mean for integrating 3rd party OAuth providers like FB/Google with your own OAuth provider? – Burhan Uddin Jun 24 '16 at 15:09
  • @BurhanUddin Sorry, no luck with own OAuth2 server + 3rd-party OAuth2 providers. I have re-implemented my authentication/authorization with own JWT + 3rd-party OAuth2 providers. – alexanoid Jun 24 '16 at 18:14
  • It's weird! I have been dying googling for the last few weeks, seems like no one on the internet has managed to do it before! I searched for almost all other platforms (Rails, Play, ASP.NET), no luck at all :( – Burhan Uddin Jun 25 '16 at 05:42
  • @BurhanUddin do you have any news about this? – alexanoid Sep 15 '16 at 12:18
  • No bro, I wasted a lot of time on it, then realized it is better to find an alternative solution to save precious time; I moved to JWT. – Burhan Uddin Sep 18 '16 at 08:59
  • @alexanoid Hello! Still no info on the internet. Need to ask: you're saying you've done this with "JWT + 3rdparty OAuth2 providers". It's precisely what I am looking for, can you give me a hand with the authentication/authorization flow? I have my own auth server (JWT tokens) and want to add SSO from Facebook. I don't have any idea how to force my resource server to accept different kinds of tokens. I'm thinking about excluding the resource server from interaction with social platforms and making my custom auth server exchange the Facebook token for a custom JWT to access resources (similar to your idea in the question). – maret Jan 11 '17 at 00:00
  • Hi @maret, in case of own OAuth2 or OAuth2 + JWT tokens please take a look at the following question http://stackoverflow.com/questions/32313821/integrate-spring-security-oauth2-and-spring-social especially the answer provided by rbarriuso. You have to provide your own SocialAuthenticationSuccessHandler and send a redirect with your own oauth2Token after successful authorization with any 3rd-party OAuth2 provider. I hope this will help you. – alexanoid Jan 11 '17 at 04:24
  • @maret in other words the main idea of this solution is to issue your own JWT token and provide it to the user after his successful authentication with the 3rd-party OAuth2 providers. – alexanoid Jan 11 '17 at 07:37
  • @alexanoid thanks, I understand the main idea. Just confused about the implementation. The example you gave me the link to uses Spring Social, but I'm not sure if I want to involve it, because I already have Spring OAuth2... And this solution is coupled with the Resource server, but I want to delegate the whole auth flow to my auth server. I'm going to explore how to adapt it to my needs... – maret Jan 11 '17 at 18:30

In case of own OAuth2 or OAuth2 + JWT tokens please take a look at the following question, Integrate Spring Security OAuth2 and Spring Social, especially the answer provided by @rbarriuso. You have to provide your own SocialAuthenticationSuccessHandler and send a redirect with your own oauth2Token after successful authorization with any 3rd-party OAuth2 provider.

In other words, the main idea of this technology-agnostic solution is to issue your own access token and provide it to the user after his successful authentication with the 3rd-party OAuth2 providers.

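As an added example of the approach in this answer (not code from the answer, from Spring, or from the linked question): a Spring Security success handler that runs once the third-party provider has authenticated the user, mints the application's own short-lived JWT and hands only that token to the AngularJS client via a redirect, so the provider's access token never reaches the browser. It assumes the jjwt library (io.jsonwebtoken); the signing key, issuer and the client route /#/login-callback are placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

/**
 * Invoked after the external OAuth2 provider (Facebook, Google, ...) has authenticated the user.
 * The client only ever sees a token issued by this application, never the provider's token.
 */
public class OwnTokenIssuingSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Placeholder: load the key from configuration/secret storage; never hard-code a real one.
    private static final byte[] SIGNING_KEY =
            "REPLACE-WITH-A-LONG-RANDOM-SECRET".getBytes(StandardCharsets.UTF_8);
    private static final long TOKEN_TTL_MILLIS = 15 * 60 * 1000L; // short-lived access token

    // Hypothetical SPA route that reads the token from the URL fragment.
    private static final String CLIENT_CALLBACK = "/#/login-callback";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        String token = issueToken(authentication);
        // Everything after '#' is a fragment: the browser does not send it to the server on the
        // next request, so the token stays out of access logs and Referer headers.
        getRedirectStrategy().sendRedirect(request, response, CLIENT_CALLBACK + "?token=" + token);
    }

    /** Mints the application's own JWT for the local user mapped from the provider login. */
    String issueToken(Authentication authentication) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(authentication.getName())   // local user id, not the provider's token
                .setIssuer("my-api")                     // placeholder issuer
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + TOKEN_TTL_MILLIS))
                .signWith(SignatureAlgorithm.HS256, SIGNING_KEY)
                .compact();
    }
}
```

Register the handler on whichever authentication filter handles the provider callback (with Spring Social, `SocialAuthenticationFilter.setAuthenticationSuccessHandler(...)`); the resource server then only needs to validate tokens signed with this application's key.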