Aim: Authenticate into Google DialogFlow from my spring boot app and perform api calls to it without any credentials and OAuth.
Currently I can communicate with dialogFlow from my spring boot app by providing client credentials and access token. But that's just for a particular user right? I wish to make it dynamic.
My Aim: Just like we get a login like screen to login via facebook, google etc, I wish to have dialogFlow login and then perform API calls without the need to provide access token explicitly.
Related
I am implementing OAuth2 (Keycloak) for our application. Our Application is combined of multiple Microservices (Rest APIs) and also there is an UI which calls the APIs. We have a API Gateway (Zuul) where we want to implement the Spring Boot OAuth2 with Keycloak.
After checking on the internet I can see there are 2 options while implementing OAuth2 (Keycloak) in Spring Boot.
I can redirect the user to Keycloak Login page when the user is not authenticated. Once the User is authenticated with Keycloak, then the user can access the APIs with the access token which it will get from the Keycloak Auth server.
Instead of Keycloak Login page, I can have my Own Login Page in UI and once the user submits their username & password, the details come to my API Gateway (Spring Boot code - Zuul) and with the given username & password, I can get a access token from Keycloak with their (keycloak) Token Creation POST API and send back the Access Token to the user in the Response Header along with the HOME Page and user will able to use that token for further API calls until the token gets expired.
Which option is better to use? Login with Redirect to Keycloak Login page to get the access token or Calling Keycloak POST API for token creation from Spring Boot App?
For user authentication, use authorization code flow => first option.
First option is safer: your app is never aware of user password and, as so, can't leak it.
First option is also more future proof: if the number of clients increases and authentication requirements evolves (multi factor authentication for instance), then this is handled once on the authorization-server. Same for user registration.
If you are connected about the look and feel, refer to Keycloak doc. You'll find how to provide your own style and even template.
Last, use an OIDC client library on your client to ease authorization-code flow on your client: spring-boot-starter-oauth2-client if it's a Spring app serving content with Thymeleaf, JSF, etc. Or a lib like what angular-auth-oidc-client is to Angular (search an equivalent for your own framework)
I'm developing a backend server for my applications. Actually, I'm using Keycloak as Identity Provider exploiting the OpenID Connect protocol. The frontend redirects users to Keycloak Login Page, so a token is returned to it. The frontend makes an authentication request to the backend using the returned token. Backend asks the IDP to validate the token and retrieve user info and roles.
Then I want to generate a JWT from the backend in order to easily authenticate the frontend requests.
Is this architecture fine? Or am I missing something important? Can I implement this architecture using Spring Security? Where can I learn more about it?
Thanks for any advice and support.
We have a Spring Boot web app which uses JWT based authentication/authorisation.
Now, we want to add OAuth2 support so that users can login using their Google account.
That would be easy to do using Spring Security.
However, the requirement is a bit different.
If the user wants to use the Google login functionality, he first needs to link their Google account. Basically login into our application using his/her credentials, and on their profile page link their Google account.
The flow would be something like the following:
Click the “Link Google account” button on user’s profile which redirects them to Google
In Google choose the account you want
Google returns with a code. After that, make a request to our backend, on an authenticated endpoint e.g. POST /users/{userId}/accounts which will receive the token returned by Google
In the backend, verify this token by making a request to Google
If all is good, link user’s account with Google by updating the db accordingly
My question is, for step 4, what is the best practice for that? How can I use all the stuff that Spring Security is offering to achieve this?
Thank you in advance,
You have the authorization code and you exchange for access token all over https and all in backend.
There is no need to validate access token ( I don’t think spring security even does this part for integration with google ) at your end.
This should be done by google when you request its resource.
I want to create an application that will download all my photos in Google Photos. I thought it should be easy with the API available.
This should be an CLI application that will run periodically from cron.
But when I looked at the Google Photos API, they use OAuth2.
The sample shows the usage of FixedCredentials:
PhotosLibrarySettings settings =
PhotosLibrarySettings.newBuilder()
.setCredentialsProvider(
FixedCredentialsProvider.create(/* Add credentials here. */))
.build();
The problem is the part where the /* Add credentials here. */ is. How can I provide my user credentials there? There are numerous classes that implement Credentials but none of them look like ones that would allow me to automate retrieval in a CLI application.
The only thing I get from Google is the client_id and client_token for my app, but how to turn that into an access/refresh token so I can use it without my interaction?
I really hope I don't need to launch a web browser to download my photos.
The Google Photos Library API only accepts OAuth User Credentials. This means that users are required to complete the Google OAuth Flow, which means browser based Authorization.
Note: The Library API does not support service accounts. Your
application must use the other OAuth 2.0 flows available such as OAuth
2.0 for web server applications or OAuth 2.0 for mobile and desktop apps.
Your application must use OAuth 2.0 to authorize requests. No other
authorization protocols are supported. If your application uses Google
Sign-In, some aspects of authorization are handled for you.
This links details these requirements:
Authentication and authorization scopes
I am working on a mobile app that has a back end server providing a RESTful API but need to get security setup. We will be using only Facebook login from the front end side my question is how do I go about securing the RESTful API this way?
I have read a lot about how Spring Security works and the different authentication methods but all of them seem to deal with a username/password combination. Is there a way I can provide the mobile app an access token based on successful authentication through facebook from the front end?