I'm using Spring Social to connect user application account to a social account (Facebook and/or Twitter).
It turns out that it is possible that two different user accounts connect to the same social account.
Example:
User1 in my webapp connects with Facebook account #1
User2 in my webapp connects with Facebook account #1
This is possible now. Looks like this happens inside Spring Social.
After that, sign-in with social account is not possible for both accounts.
I would like to avoid connecting same social account to different webapp users at a point when User2 tries to connect. Any hint how can I do that is appreciated!
An answer to this question is providede here.
Code example here.
In short, ConnectInterceptor must be used for ConnectController to check for existing connection and remove currently creating connection if its a duplicate.
If you are using default connection controller provided by spring social, after getting the user token/secret it stores in database. To store in database spring-social uses :
org.springframework.social.connect.jdbc.JdbcConnectionRepository
org.springframework.social.connect.jdbc.JdbcUsersConnectionRepository
Before storing into database you can validate the items and provide your own logic.
Hope this helps!
Related
I am trying to make a mobile app in React-Native and Server in Spring-Boot which have a OAuth2 implemented API endpoints.
My question is how can I integrate Social Logins into my React-Native app which in save a user in my user table. apart from Social login I am using naive register/login flow which require username/password to provide access token from OAuth2 Server. How can I do the same with Just Social Login without prompting user any password or other extra information.
any general solution for this will help regardless of tech I am using.
Thanks
Usually when using social networks to login/sign up you'll get a token returned in your app which you can send via your REST API and on your backend it can then retrieve the users information from the social platform used depending on the granted scopes(e-mail, username, etc...) and store the retrieved values in the database.
Thats basically how it works in general, but if you want to have more information you probably still need to share some more info about your tech used.
Hopefully that helped you out ;)
I have implemented a Spring Boot application with AngularJS frontend. Have also setup users along with their permissions. Right now I am able to login with any of these users and is working well with Spring security. I would like to turn this traditional login flow into a Facebook/Google OAuth login flow, where in I want the users to use their Facebook/Google account to log in and they will be mapped to their internal users automatically. This will help me in getting rid of maintaining passwords of these users.
I found many articles talking about setting up OAuth with Spring Boot and how can Facebook/Google login be integrated with a Spring Boot application. But I am having difficulty in finding an article which talks about linking a Facebook/Google user with internal users.
How should I go about this?
Look for a user with the associated facebook/google userID.
If that user does not exist you request an email address and try to match it with an existing legacy account.
If you do not get a email adress for any reason (not acceping the authorization request for example) you could show a popup box asking for the email adress explaining why you need it.
You then locate the legacy user and merge it adding the facebook/google ID to look it up in the future.
If no user is found with the email adress you either refuse the user or create a new account.
you should be able to do all of this by implementing your own AuthenticationProvider
Before you can fetch a user’s data from Facebook, you must specify your application’s ID and secret by setting the spring.social.facebook.appId and spring.social.facebook.appSecret properties. You can set these via any means supported by Spring Boot, including setting them in an application.properties file:
spring.social.facebook.appId=233668646673605
spring.social.facebook.appSecret=33b17e044ee6a4fa383f46ec6e28ea1d
For reference you can follow this article: https://spring.io/guides/gs/accessing-facebook/
My goal is to create a single click registration / sign on for my site using social media that's painfree yet secured using oauth and SocialAuthenticationFilter.
Ideally you'd be able to login to the same account with either twitter / Facebook etc (without first connecting them to a user account).
An example I'm working from is the Spring Social Showcase found on git, it's fantastic but it still requires an intermediary 'sign up' step.
I can't figure out a way of making a secure account using only the info from Facebook login using aouth and I'd prefer it if a user didn't have to sign up and connect as per the example.
So, is there a secure way of doing this or am I misunderstanding something?
Thanks
Using OAuth / OIDC is the right way to go.
In order to automatically match the logins from different social login providers, you have to rely on the email address as the primary user identifier.
Once relying on the email address, you may automatically register new users inside your internal DB.
However users may want to change their email address. This may complicate the processes significantly, depending on what options you want to support.
In my application I use Spring Boot Social and have two kind of urls, for example
/connect/twitter
and
/signin/twitter
Both of them work pretty similar.. what differences between these urls and which one should I use in order to authenticate\authorize user via social networks ?
The /signin/twitter link should be used if you want to support a user logging in to your application with their twitter credentials.
The /connect/twitter link should be used if you have user authentication in the app and you just want users to connect their accounts (for example, a logged in user wants to connect their twitter account so they can see their followers etc)
See the following docs for reference:
The "connect framework"
Sign in with service provider
I am kind of new when it comes to fetching users data from social networks,
i need to extend my application and develop some kindof users data collector module
which in generally will be responsible for fetching data on my application users from social networks.
lets assume i have a user X which sign into my application with his facebook account.
can i fetch data on user X from facebook social graph only when he logged into ( my application/ facebook / both/ when ever i want )?
i was reading a beat on spring social framework, at first look it seems exactly the framework i need for my module.
the thing is that in all the examples i saw that each time fetching is required the user should manually allow it or it might be every time he logged into the application , also when looking at the code i think i saw that for each user a service provider
should be created, all the examples implies that spring social is not ment for background daemon which will fetch users data with minimal users attention.
does spring social can answer my requirements?
there are other java open source options?
You can use Spring Social to access a social network on a user's behalf as long as you have a valid OAuth authentication token for that user. It's up to the provider (e.g. Facebook, Twitter, etc.) to dictate how long the tokens remain valid and how you can get new valid tokens. You'll have to read the provider's documentation to determine if the kind of background access you want is allowed by the provider. If it is allowed by the provider, than you ought to be able to use Spring Social to perform the operations you want to perform.
One example is Facebook. Facebook used to let you ask for a permission called "offline_access" which would result in your application receiving an authentication token for the user that would never expire (or at least wouldn't expire for a long time). They are deprecating this, though. For more information about Facebook specifically check this thread on the Spring Social forums:
http://forum.springsource.org/showthread.php?123685-Facebook-offline_access