I am new to spring-social framework and trying to implement the login functionality for my portal using spring-social.
I read the documentation but i am still a little confused. Both controllers are used to establish a connection with the service provider? Is there any advantage of using ProviderSigninController over ConnectController or vice versa? What are the advantages?
The difference is in the results:
After using ConnectController you will have an OAuth2 access token to interact with a provider on behalf of a user.
After using ProviderSigninController you will have the same things + user will be signed into your application using local account (linked to OAuth credentials). If corresponding local account does not exists before this step then it may be created too.
So for example if you want 'Sign in with Twitter' button then ProviderSigninController better fit your needs.
Related
I'm implementing a web application using Spring Boot and I wanna know is there any best practice to leverage Spring Security in the following security model.
End-Users will register into the service via an SMS OTP service (providing their mobile number). once they have validated the OTP code, their user gets created (using their mobile number as username).
Upon successful OTP registration, I want the user to be able to use the service (on the same device through which the OTP registration performed before) without the need to re-confirm his identity again (Same functionality we can see in native mobile apps such as Whatsaap, Instagram or Telegram)
I appreciate any ideas or instructions on this subject.
The Answer is to use Spring Security using the "remember me" feature.
Here, there is a thorough tutorial about that
We have our own existing we portal in ASP.NET MVC, now our one of the customer do not want to use our portal as separate tool, instead they want to consume our feature via WEB API and consume it on their side.
Now I want to implement authentication and authorization in web API, I did google to find my question's answer, but didn't get it.
I am confused in below points.
Is it best choice to OWIN the default implementation which Microsoft provide? or some custom implementation?
What are the advantage and disadvantage to use OWIN in terms of security?
When to Use JWT (Json Web token) and OWIN?
Or any other implementation which help to create more secured web API?
Looking for all expert's valuable to input to help me to decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to login. Logging in uses a separate mvc project (our STS) which handles all user authentication. When our login and password is posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an asp.net application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, i was helped very much using these series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but i am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs
I am building WebAPI on OWIN that needs authorization. I implemented OAuth 2.0 and I am really happy with it. For now, there is a grant_type "password" authentication implemented and now I need a way to use external authentication systems, i.e. Facebook, Google, etc.
The scenario I am trying to figure out is this:
iOS/Android app authorizes user with Facebook using native libraries and get Facebook access_key
I should get that access_key to my OAuth OWIN backend
Test the access key with Facebook API
Get user_id
Then map the user_id with a user in my system
Issue Identity Token for that particular user
Am I conceptually right and if so, how should I implement this in OAuth pipeline?
That is how I would do it. To implement it, you will need the Microsoft.Owin.Security.Facebook nuget package.
Here is a nice article that explains how to use the package.
http://blogs.msdn.com/b/webdev/archive/2013/10/16/get-more-information-from-social-providers-used-in-the-vs-2013-project-templates.aspx?PageIndex=2
Basically, in your owin startup class, you add a call to app.UseFacebookAuthentication();
Then get the IPrincipal from HttpContext and configure it.
I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.
I'm converting an existing Google Apps Marketplace app to support OAuth2.
I understand the use of access keys to identify the user account but how can this be used to link a user to a 'company' or 'domain'?
Our app supports having multiple user logins under one business account - we need to be able to identify what company a user belongs to using OAuth2. How can this be done? (we're using C#).
Is there an additional user API that needs to be called after initial authentication, if so, which one? (we're using C#).