I'm new to Spring Social and I'm writing a Spring MVC application which users should use for, let's say, tweet, follow/unfollow users. So far I can do everything I want with my own credentials (stored in a property file) using the TwitterTemplate.
I need the application to do the same on behalf of other users (authenticating them when registering in my application).
You probably want to look at this part of Spring Social reference document as an entry point. I have experienced it with facebook and linked in and it works pretty well to store connections credentials in a database.
You also want to make sure I guess that you do not use the ProviderSignInController highlighted in some of the code samples which is designed for using the social provider as an authentication infrastructure for a web application but a ConnectController which has proved to be efficient in offline access cases. See section 4 of the spring social reference documentation.
Related
I'm just wrapping my head on Oauth2. I have a Spring boot app with its own users and roles system handled by Spring Security 5. Internally I use email to identify users, I want people who registered with their gmail addresses to be able to log in through Oauth2. Or, more generally, how do I make one of my users log in to my app using Oauth2? If you need code or more information just ask. Thanks in advance.
As far as I understood your question, you are looking for a general approach to authenticate users for using your Spring Boot application with the help of OAuth2 protocol.
In your case you will probably use Google as an authentication provider and your application as resource server, according to the OAuth2 standard wording. First at all to answer your general question, there are different ways of using OAuth2 to authenticate users. A good starting points are these links:
https://www.rfc-editor.org/rfc/rfc6749
https://auth0.com
To find the proper way of implementing OAuth2 for your usecase I recommend using this decision tree: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
For starting to implement OAuth2 in Spring Boot you can use several Spring Security projects with further documentation:
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html#boot-features-security-oauth2
https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
I am building a Spring Boot application with Vaadin as front end. The application uses a third party library to authenticate the user with his identity card via SAML.
After this authentication the user is redirected back to my service and I can fetch the authentication result and optional attributes.
My question is, how can I implement the protection of specific Vaadin views within my application based on the authentication via the user's ID card and how do I set the user as authenticated appropriately?
I am new to Spring Security and the majority of its examples shows authentication via a login form with username and password which does not fit in this case.
You can find two approaches to secure your Spring Vaadin Application with either filter based (so only Spring Security) security, or a hybrid approach in this Github repository: https://github.com/peholmst/SpringSecurityDemo
You can also find blogposts about both approaches here:
Filter Based Security
Hybrid Approach
For you especially the Filter based approach could be interesting. You could implement a Filter checking the token (or whatever) you get from your login server and then allow/deny certain pages on your server for certain roles.
i have my web app builded with Angular 4/5 and Spring Boot. Now i want to add user-accounts to my app and there i have some problems. I would like have my Auth serwer (in Spring Boot) and also i want use providers like Facebook and Google. There is my first question, when user will choose Facebook to auth, then how my resource server will know who is asking for resource. When i use my own Auth serwer i am doing it like this:
#GetMapping("/user/name")
public ResponseEntity<String>(Principle principle) {
return new ResponseEntity<String>(principle.getName(), HttpStatus.OK);
}
and this is working, but how to get user username when user is using Facebook or Google auth?
My second questions is how to properly handle expire Tokens time in Angular 4.
My third and last questions. Some resources from my server will be availible for
not logged user(annonymous) so how can i protect my resources to prevent other's than my clients using my API?
If you have some advices or examples, please help!
Don't worry about the rude comment on your question, Single Sign-On (SSO) can be pretty complicated.
If your using Facebook and Google as optional SSO providers then what you have to realize is that those providers are going to give you some sort of unique identifier along side the user information when you request it.
Spring Security and the corresponding Spring Boot auto configuration has some pretty good support for linking SSO user information to a Principal. Ill add some good references below to help understand Springs solution for this. I'm going to assume Spring Boot 2 and Spring Security 5 since your versions aren't listed.
Spring Boot 2 OAuth2.0 Client Configuration
Spring Security 5 Custom OIDC User Service
[VIDEO] Next Generation OAuth Support with Spring Security 5.0 - Joe Grandja
You can also look into Spring Social if your looking to do more than just SSO.
I've read about Oauth2 few days before, it has entities like Client, Resource Owner, Resource Server, Authorization Server and i understood the explanations too. but i don't understand the grant type's completely still i got confusion on following types. Oauth2 has 4 different grant types like,
Authorization code
Implict
Resource Owner Password Credentials
Client Credentials
please, give me some real time examples for the above types to differentiate the implementation. I need to know that what are the types of grant implementation spring security oauth2 has and full flow for spring oauth2 with security.
I have gone through some example implemented with oauth2 with spring mvc, spring security. but it's confusing me i don't get clear picture of the api implementation.
I'm looking for good Oauth2 flow and document with Spring mvc and Spring security. please help me.
In terms of understanding the flows and the differences between them, this presentation is the best resource I found online. After this, if you read the OAuth2 spec description, it'll be much easier to follow.
Unfortunately, in terms of code samples, there isn't good Spring Security OAuth2 sample code out there (the Sparklr and Tonr examples are okay but not super clear). Best resource there is to look at unit tests in Spring Security OAuth2 code on github.
One question I want to ask is - are you looking to create your own OAuth2 Provider or do you just want to connect to Facebook, Google, etc as OAuth2 client. If it's the second part, I would suggest skipping Spring Security OAuth2 and instead look at Spring Social project.
Edit:
For creating an OAuth2 Provider, check out this code by Dave Syer (he is the lead of Spring Security OAuth project) . It shows how you can create an OAuth2 Provider and Resource Server in 20 lines of code. This is the easiest way to create Spring Security OAuth code.
https://github.com/dsyer/sparklr-boot
It uses Spring Boot and Spring Security OAuth projects. Of course, you'll have to understand Spring Security, JavaConfig configuration and the OAuth2 protocol properly to understand how all of this works.
Authorization Code is redirection based flow, in most application when we login via Facebook or google we use this grant type.
Implicit is used mostly in mobile or single page application, Client confidentiality is not guaranteed here. This also has a redirect flow similar to Authorization Code. This does not support refresh token.
Password Grant Type is used when client application and resource owner belong to same application, this is goin to be case when your application is end to end working. Here we are sharing username and password. unlike the above two where we authenticate via Facebook or google.
Client Credentials: its a way to access it own service. like one microservice to access another microservice.
I also got into OAuth2 using spring last month.
I've read most of the OAuth2 spec and used the samples from the spring-security source, which are wonderful. That way I got a running application which I could use to play with and view it's sources next the the specs.
I have a RESTful API built with Spring 3.1, using Spring Security as well. I have a web application, also a Spring 3.1 MVC application. I am planning to have mobile clients accessing my REST API. So my API is the central place to authenticate, get data served from, etc.. It all makes sense so far.
Now what I cannot wrap my head around is how to add Spring Social in an easy and smart way. How did you do it? Did you maybe only move the ConnectionRepository to the API? Or did you have the API do it all? I want to prevent double-authorization for each client-technology by all means (preventing double-authorization meaning userA connects to facebook in the webapp, and then starts using our mobile client and should NOT be asked to connect to facebook again just b/c userA is using a different client).
Thanks for sharing your thoughts!
The solution we use it to secure our rest-webservices using spring security, with a cookie based remember me service. This uses well documented traditional spring-security techniques.
We then plugged in spring-social to our system, which then simply logs in the user as normal using spring secruity. The social api looks up the, for example, facebook id in your db table, if it finds existing connection logs the user in using their account on your system (and can redirect to sign up page etc).
I suggest breaking down the question into more specific areas.