I am trying to build a Vaadin/Spring application that would allow the users to log in either using a username/password that I store in a DB (this part I got covered with a CustomAuthenticatorProvider), or by clicking a button that would be "Login in with your Twitch account" and that would perform the auth using oauth2 on Twitch.
For this part, I am not able to find any solution...do I have to create another CustomAuthenticatorProvider? Is there a way to use the built-in oauth2 from Spring?
Can anyone help?
Thanks!
You can use the Spring Security OAuth 2.0 client with a Vaadin app. Here's a link to a tutorial with a demo app.
Related
I have a Rest API developed with Spring Boot and neo4j as a database. There is no Frontend in the Spring Boot App. It only serves as a Backend. The Frontend is developed in Flutter.
In my app, the end user has to sign up and login with theis user credentials. The user management is currently handled with Spring Security and JWT, generating and storing the tokens with AuthenticationProvider, UserDetailsService and so on.
Now, we are migrating our whole infrastructure to Microsoft Azure. We already managed to get the DB, the Backend (as the Spring Boot App) and the Frontend there.
The question now is whether it makes sense to migrate the User Management to Azure Active Directory. Is this the right use case for that, or is Azure Active Directory actually there for other use cases?
Also, I want to use my Login and Signup Forms built with Flutter. I only found solutions so far where you get redirected to this Microsoft Login Form. I want to signup/login directly from my Flutter App, and then use the token for my requests in the Spring Boot App.
Does this even make sense? If yes, how can I realize that? I was searching for hours but I didn't find any proper solutions.
If you use AAD you will have to use the OAuth redirect based Microsoft login experience. There is no way around that.
If you can't think of any way you or your users will benefit by migrating to AAD, then there's no reason to do that. You're doing a bunch of work, and incurring risk, for no real benefit.
I am working on a project to implement spring boot authorization server using federated login google and Facebook.
I have successfully login using google and Facebook, and store user information in database also, it works fine for me.
Now I am facing an issue, In this project after login using Facebook/google I need to get a jwt token with user information in that token.so that I can use that token in other microservices.
I don't know how to get that .
Any help appreciated.
Thank You
I'm implementing a web application using Spring Boot and I wanna know is there any best practice to leverage Spring Security in the following security model.
End-Users will register into the service via an SMS OTP service (providing their mobile number). once they have validated the OTP code, their user gets created (using their mobile number as username).
Upon successful OTP registration, I want the user to be able to use the service (on the same device through which the OTP registration performed before) without the need to re-confirm his identity again (Same functionality we can see in native mobile apps such as Whatsaap, Instagram or Telegram)
I appreciate any ideas or instructions on this subject.
The Answer is to use Spring Security using the "remember me" feature.
Here, there is a thorough tutorial about that
I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
Hallo i am new to oAuth and i created a rest connection to Magento with that example
http://devdocs.magento.com/guides/m1x/api/rest/introduction.html
the php script is working and i can connect to magento. But i have to enter the admin credentials and after that i have to click the Authorize button.
now my "magento rest project" is triggered by a database. so i was searching the last hours how do i get the accesstoken without really clicking on the button? is there something like that for cli or is it even possible?
thank you very much for helping me to understand it.
cheers pat
It would be possible if they supported the client credential grant, or kind of possible if they supported refresh tokens. Unfortunately, they don't support either.
For the authorization code grant that you are implementing, an authorization decision is made by asking the user if they are willing to allow your client to access their data (to protect the user's privacy). This is mentioned in the Magento docs as well.
The built in Magento REST Api functionality doesn't support grant types other than authorization code grant.
I managed to use a customized oAuth2 library (https://bshaffer.github.io) (customizing the class so that it's compatible with the Zend Framework that magento is based on). It will let you choose your own grant type (in your case, Client Credential Grant).
The downside is that I had to re-create all the REST API endpoints. The upside is that it's not that hard, at least not harder than creating a custom endpoint using Magento's built in REST API functionality.