I try to achieve the following behavior with Spring Boot:
When a user wants to log in to my site he can choose from multiple OAuth2 serves (for example Google, Facebook, GitHub, etc...).
He selects an option (for example google) and logs in with google OAth2.
Then my site takes the e-mail address from OAuth2 and loads the user from a database to use as Principal.
So I basically want the Principal to always be the same (read from database) and do not depend on which OAuth2 server the user uses to log in.
To achieve the behavior, you're looking for, I would suggest you take a look at PrincipalExtractor, here's a blog post about it.
Related
I work for a large company (50K+). Some orgs within the company use OKTA for auth on their servers.
I have a valid user login (via OKTA) for the servers, and can log in through a browser without any issues, but want to access this site programatically.
How can I log into these websites using my OKTA credentials?
I've found this doc: https://developer.okta.com/docs/reference/api/oidc/#authorize
that details how to use an OKTA endpoint, but it requires some info that I do not have. Namely, nonce, state, and client_id. I have no clue how to get this info.
I've found another endpoint that allows a similar login method, but only requires username and password (I forget the doc that referenced this):
https://<company>.okta.com/api/v1/authn
I am able to successfully authenticate with OKTA using this endpoint, and receive a session_token. Can I take this session_token and apply it to my arbitrary webpage somehow? I can not find any documentation that says so.
At first glance it appears that many of the API endpoints for OKTA require intimate knowledge of the hosted application (and/or are not meant to be accessed programmatically).
Is it possible to log into an arbitrary webpage that uses OKTA for authentication, with only knowledge that an end user would have (username/password/optional MFA)?
Hi not sure you found the answer yet. from your descriptions i think yours is web app, which is supposed to use authentication code flow. else, you can ask your web developers what authentication flow they use and follow the auth process accordingly.
you need to retrieve id token & access token for authentication.
I have implemented a Spring Boot application with AngularJS frontend. Have also setup users along with their permissions. Right now I am able to login with any of these users and is working well with Spring security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, where in I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me in getting rid of maintaining passwords of these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist you request an email address and try to match it with an existing legacy account.
If you do not get a email adress for any reason (not acceping the authorization request for example) you could show a popup box asking for the email adress explaining why you need it.
You then locate the legacy user and merge it adding the facebook/google ID to look it up in the future.
If no user is found with the email adress you either refuse the user or create a new account.
you should be able to do all of this by implementing your own AuthenticationProvider
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/
In a Spring MVC mobile web application i have a requirement to post a custom messgage to social networking sites (Facebbok, linkedIN, Twitter, Google Plus).
ie If the user purchase a product he can share a predefined message "I purchased the product #134" like that.
First i thought of using simple javascript for sharing but it behaves differently in different mobiles and alse not able to post the predefined message. Another option i found is using spring-social.
Can any body suggest me any alternatives or best method to achieve this.
Any help will be appreciated.
It sounds like your question is "Can Spring Social be used to post custom messages to a user's feed? Or can someone suggest alternatives?"
Addressing the first part of that question, yes Spring Social can do this. The specifics of which vary slightly from social API to social API, but in general you'd inject the API binding into the controller where you handle the purchase of a product and at purchase time use that API binding to post the message.
The gotcha, however, is that the user must authorize your application to post stuff. You can't just arbitrarily post messages to any API without the user's permission. Therefore, prior to that purchase being completed, your app will need to obtain a connection (a Spring Social concept that captures that permission and an access token that represents the permission) by redirecting the user to the FB/Twitter/LinkedIn/etc to prompt the user for permission. Spring Social's ConnectController exists to handle that redirect and to obtain the connection for you.
If you've not already had a look, look at https://github.com/spring-projects/spring-social-samples where I have a handful of examples for Spring Social. Most notably, spring-social-showcase-boot is a new example that takes advantage of Spring Boot's simplified programming model to enable Spring Social to work with Facebook, Twitter, and LinkedIn.
I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.
I am kind of new when it comes to fetching users data from social networks,
i need to extend my application and develop some kindof users data collector module
which in generally will be responsible for fetching data on my application users from social networks.
lets assume i have a user X which sign into my application with his facebook account.
can i fetch data on user X from facebook social graph only when he logged into ( my application/ facebook / both/ when ever i want )?
i was reading a beat on spring social framework, at first look it seems exactly the framework i need for my module.
the thing is that in all the examples i saw that each time fetching is required the user should manually allow it or it might be every time he logged into the application , also when looking at the code i think i saw that for each user a service provider
should be created, all the examples implies that spring social is not ment for background daemon which will fetch users data with minimal users attention.
does spring social can answer my requirements?
there are other java open source options?
You can use Spring Social to access a social network on a user's behalf as long as you have a valid OAuth authentication token for that user. It's up to the provider (e.g. Facebook, Twitter, etc.) to dictate how long the tokens remain valid and how you can get new valid tokens. You'll have to read the provider's documentation to determine if the kind of background access you want is allowed by the provider. If it is allowed by the provider, than you ought to be able to use Spring Social to perform the operations you want to perform.
One example is Facebook. Facebook used to let you ask for a permission called "offline_access" which would result in your application receiving an authentication token for the user that would never expire (or at least wouldn't expire for a long time). They are deprecating this, though. For more information about Facebook specifically check this thread on the Spring Social forums:
http://forum.springsource.org/showthread.php?123685-Facebook-offline_access