Our current user registration process is using Spring Boot, Spring Security ,Spring Security OAuth 2 and a React front end user interface.
We have a create user API which you pass a username, password, user contact details etc and it returns you the user profile object as well as the OAuth token. Once the user has registered, they are logged into the application automatically.
What we want to do is to send the user an activation code to their email/phone at the end of the registration process and they need to enter this code to complete their registration.
I see there is an Spring Security enabled flag. I can create the profile and set this to false. Once the user enters the correct code, I can set this to true. My only query is would I have to get the user to login again to get the oauth token?
I prefer not to use an activation email link as I don't want to open up new browser windows.
Any advice would be most welcome.
Related
In my Spring Boot I'd like to have both social login and signup with user and password.
Let's say the user signs-up via Google. After some time, he forgets that he signed-in via Google and tried to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user to register twice?
Is there an article or something that explains a similar login/registration flow?
you can save all the users(OAuth or signup) in the user table. you can maintain a column by which you will be able to identify them if a user is signed in via OAuth or email. then if a user tries to signup via the same email you can show a message. or you can design your signup process using multiple steps. at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the url, if she previously logged in using some oath provider then she will be automatically logged in otherwise she needs to set her password.
So we are building an application which has to support two ways of creating a new account.
user creates an account with a email and password combination
user adds an Authorization header with a JWT token from a trusted third party. This JWT is verified and contains the necessary information such as email to create a user in our system.
Creating a user this way works fine. However, I am not sure how to deal with the subsequent authentication. The current system uses session-based authentication.
Question: A user that created an account with the JWT should also be able to login without a password. I can think of two way to achieve this:
Validate the JWT and manually start a session. But how can I start a session manually without a password?
Add a filter to the Spring Security Chain that checks whether a JWT is present. If so it adds the user the the security context. If no JWT is present it requires the user provide a valid email, password combination. Any resources on how two do this conditional chaining?
Any hint for an advantage or disadvantage for the two methods is appreciated.
I want to implement Apple's touchId/FaceId for my app.
Currently the app has Login screen, where the user enters the userId and password. I submit the userId and password to the back end server(located at let's say https://example.com/Login?username=abc&password=xyz#123(just an example)). The backend server returns me authentication cookies. This cookies I use to access the rest of the rest api services
I am reading a number of articles which tells about how you can use Apple's touch Id with https://developer.apple.com/documentation/localauthentication framework.
It displays the generic pop up asking the use the touch Id, and returns true if the touch Id authentication is successful.
My question comes up here. If I use the touch Id and the authentication is successful. How do I proceed? Basically, I would need the authentication cookies to access the rest apis.
One flow I am assuming is.
When the user enables the touchId/faceId in settings page of my app, I store the usercredentials in the keychain.
Once the user is logged out, and the user uses touch Id and authentication is successful, I access the keychain, retrieve the password for the user, call the api https://example.com/Login?username=abc&password=xyz#123 get the authentication cookies and use them for accessing the rest of the web apis.
Is my assumption correct? Or there is a better way of implementing it?
Any examples or references would be great.
Thanks.
I have implemented a Spring Boot application with AngularJS frontend. Have also setup users along with their permissions. Right now I am able to login with any of these users and is working well with Spring security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, where in I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me in getting rid of maintaining passwords of these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist you request an email address and try to match it with an existing legacy account.
If you do not get a email adress for any reason (not acceping the authorization request for example) you could show a popup box asking for the email adress explaining why you need it.
You then locate the legacy user and merge it adding the facebook/google ID to look it up in the future.
If no user is found with the email adress you either refuse the user or create a new account.
you should be able to do all of this by implementing your own AuthenticationProvider
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/
I am looking forward to integrate logging in users using Facebook's authentication. I have my app protected by OpenAM and the users are already registered there. I have my own login page and would not like to move this to OpenAM and retain it in my app. As of now, I am using REST calls to authenticate users in OpenAM. Now, I want to integrate login using Facebook. My idea of implementation is as following:
User logs in using original credentials and is authenticated in
OpenAM.
User is asked to associate his/her Facebook account with the
OpenAM account.
User authenticates his/her Facebook account
(https://www.facebook.com/dialog/oauth?app_id={app-id-as-created-in-fb-developers-console}&redirect_uri={my-rest-service}).
This will return the code and that can be used to recheck against
Facebook to ensure that the user was authenticated against my app
and this is not a hacker intervention
(http://graph.facebook.com/debug_token?%20input_token={code-returned-from-facebook}&access_token={my-app's-access-token}.
The response will contain the app ID that can be verified against my
App's ID. On success, I shall call OpenAM to associate the user in
OpenAM with his/her Facebook credentials (Not sure what all to use
here.)
Next, whenever the user wants to login, he/she can use Facebook
login where in the redirect URL would be my REST service and the
code returned from Facebook can be rechecked from Facebook and then
OpenAM will be called to authenticate.
My queries:
I am not sure if this approach is feasible.
How do I pair an existing user in OpenAM with the Facebook account?
How do I authenticate the user in OpenAM after Facebook login, with
the userID?
Is the Facebook userID (numeric,returned from Facebook graph in JSON
response), unique and permanent?
I would also want to give the users an option to de-associate the
existing Facebook account and associate a new one-how do I do this?
Apologies for asking too many questions, but I am new to OpenAM and OAuth and keen on following the approach I have mentioned above.
Thank you.
As an aside, it will probably be much easier in the future if you delegate all of the login to OpenAM, and let it deal with local login and social. This will make it really easy to add more social providers.
If you want to keep your current architecture, you can create a new authentication chain in OpenAM that just has social (facebook) login. You should be able to redirect the user to that chain. Once the social login process is complete, you can have OpenAM redirect back to your application page.
To link local and social login you are going to have to offer some kind of account claiming in your application. After they do a social login you could ask them to link their local account by providing the username and password. You can call OpenAM's REST API to validate the credentials.
This kind of linking can be confusing for users - so sometimes it is better to treat them as separate accounts, or have a migration process for the user to migrate to social only.