We have a Spring Boot web app which uses JWT based authentication/authorisation.
Now, we want to add OAuth2 support so that users can login using their Google account.
That would be easy to do using Spring Security.
However, the requirement is a bit different.
If the user wants to use the Google login functionality, they first need to link their Google account. Basically, they log in to our application using their own credentials and, on their profile page, link their Google account.
The flow would be something like the following:
1. Click the “Link Google account” button on the user’s profile, which redirects them to Google
2. In Google, choose the account you want
3. Google returns with a code. After that, make a request to our backend, on an authenticated endpoint, e.g. POST /users/{userId}/accounts, which will receive the token returned by Google
4. In the backend, verify this token by making a request to Google
5. If all is good, link the user’s account with Google by updating the DB accordingly
My question is: for step 4, what is the best practice? How can I use everything that Spring Security is offering to achieve this?
Thank you in advance,
You have the authorization code and you exchange it for an access token, all over HTTPS and all in the backend.
There is no need to validate the access token (I don’t think Spring Security even does this part for the integration with Google) at your end.
This should be done by Google when you request its resource.
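The server-side exchange described in the answer, written out as an added example for the authenticated linking endpoint from the question (example code, not from the original post). It uses the google-api-client library to redeem the code and to verify the resulting ID token, and links the account by the token's `sub` claim. `UserRepository`, `LinkStateStore`, the constants and the assumption that the app's JWT subject is the numeric user id are all hypothetical.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

/** Hypothetical persistence; your JPA repository would take its place. */
interface UserRepository {
    boolean existsByGoogleSubject(String googleSubject);
    void linkGoogleSubject(long userId, String googleSubject);
}

/** Hypothetical one-time `state` store: a value issued per user before redirecting to Google, usable once. */
interface LinkStateStore {
    boolean consume(long userId, String state);
}

@RestController
public class LinkGoogleAccountController {
    // Hypothetical configuration; inject from application.properties in a real app.
    private static final String CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com";
    private static final String CLIENT_SECRET = "YOUR_CLIENT_SECRET";
    private static final String REDIRECT_URI = "https://app.example.com/link/google/callback";

    private final NetHttpTransport transport = new NetHttpTransport();
    private final GsonFactory jsonFactory = GsonFactory.getDefaultInstance();
    private final UserRepository users;
    private final LinkStateStore linkStates;

    public LinkGoogleAccountController(UserRepository users, LinkStateStore linkStates) {
        this.users = users;
        this.linkStates = linkStates;
    }

    /** Body the frontend posts after Google redirected back with ?code=...&state=... */
    public record LinkRequest(String code, String state) {}

    @PostMapping("/users/{userId}/accounts")
    public ResponseEntity<Void> linkGoogle(@PathVariable long userId,
                                           @RequestBody LinkRequest body,
                                           Authentication auth)
            throws IOException, GeneralSecurityException {
        // 1. A user may only link accounts to their own profile (assumes JWT subject == user id).
        if (!String.valueOf(userId).equals(auth.getName())) {
            throw new AccessDeniedException("cannot link accounts for another user");
        }
        // 2. The callback must belong to a link flow this user started. Without this check an
        //    attacker can make a victim link the attacker's Google account to the victim's profile.
        if (!linkStates.consume(userId, body.state())) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
        }
        // 3. Redeem the one-time code server-to-server; the client secret never reaches the browser.
        GoogleTokenResponse tokens = new GoogleAuthorizationCodeTokenRequest(
                transport, jsonFactory, CLIENT_ID, CLIENT_SECRET, body.code(), REDIRECT_URI)
                .execute();
        // 4. Verify the ID token (signature against Google's published keys, issuer, audience, expiry).
        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
                .setAudience(Collections.singletonList(CLIENT_ID))
                .build();
        GoogleIdToken idToken = verifier.verify(tokens.getIdToken());
        if (idToken == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // 5. Link by the stable `sub` claim, not by e-mail (e-mails can change or be reassigned).
        String googleSubject = idToken.getPayload().getSubject();
        if (users.existsByGoogleSubject(googleSubject)) {
            return ResponseEntity.status(HttpStatus.CONFLICT).build(); // already linked to another user
        }
        users.linkGoogleSubject(userId, googleSubject);
        return ResponseEntity.noContent().build();
    }
}
```

The `state` check is what makes this an account-linking endpoint rather than a generic login callback: the code Google hands back proves only that *some* Google account consented, so the backend must separately tie the callback to the session that started the flow.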
I want to implement DocuSign JWT grant authentication. I went through the examples provided by DocuSign and I am able to run the application perfectly. But I need to implement DocuSign in my application, which provides RESTful APIs using Spring Boot, and the DocuSign login should happen without an explicit login. In the given example, it asks for an explicit login as shown in the image.
What setting do I need to change in the example, or is there any sample example where I can give the account details inside the code so that it is authenticated automatically and, using the JWT grant, generates an access token? Using FeignClient, can I call this API? https://account-d.docusign.com/oauth/auth?response_type=YOUR_RESPONSE_TYPE&scope=YOUR_REQUESTED_SCOPES&client_id=YOUR_INTEGRATION_KEY&state=YOUR_CUSTOM_STATE&redirect_uri=YOUR_REDIRECT_URI
What you are missing here is logging in to be able to provide user consent, which can be done through any of the ways mentioned here.
Update:
Replying to the comment regarding an example: not sure if you are using the SDK or directly calling the API, but here are both:
1- If you are using the SDK, you should be able to go through the JWT authentication process using this guide.
2- If you are calling the API directly, you can follow this guide. Start with step number 2 if you already have the consent.
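The direct-API variant of the answer, as an added example that is not part of the original post or of DocuSign's SDK: build the JWT assertion yourself, post it to the token endpoint, and fall back to printing the one-time consent URL when DocuSign reports `consent_required`. It uses Nimbus JOSE+JWT, `java.net.http` and Jackson. The integration key, impersonated user GUID and redirect URI are placeholders, and the example assumes the RSA private key from the DocuSign admin console has been converted to PKCS#8.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Date;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class DocuSignJwtGrant {
    // Developer (demo) environment; production uses account.docusign.com.
    private static final String OAUTH_HOST = "account-d.docusign.com";
    // "impersonation" is what lets the JWT grant act on behalf of the user without a login.
    private static final String SCOPES = "signature impersonation";

    private final String integrationKey;     // the OAuth client_id
    private final String impersonatedUserId; // API Username (GUID) of the user to act as
    private final RSAPrivateKey privateKey;
    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();

    public DocuSignJwtGrant(String integrationKey, String impersonatedUserId, String pkcs8Pem)
            throws Exception {
        this.integrationKey = integrationKey;
        this.impersonatedUserId = impersonatedUserId;
        // Assumes a PKCS#8 PEM, e.g. from: openssl pkcs8 -topk8 -nocrypt -in private.key -out private.pk8
        byte[] der = Base64.getMimeDecoder().decode(pkcs8Pem
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", ""));
        this.privateKey = (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** One-time URL the user must open once to grant consent; afterwards no login is needed. */
    public String consentUrl(String redirectUri) {
        return "https://" + OAUTH_HOST + "/oauth/auth?response_type=code"
                + "&scope=" + URLEncoder.encode(SCOPES, StandardCharsets.UTF_8)
                + "&client_id=" + integrationKey
                + "&redirect_uri=" + URLEncoder.encode(redirectUri, StandardCharsets.UTF_8);
    }

    /** The assertion: iss = integration key, sub = user to impersonate, aud = auth host, RS256. */
    String buildAssertion() throws Exception {
        long nowSec = System.currentTimeMillis() / 1000;
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(integrationKey)
                .subject(impersonatedUserId)
                .audience(OAUTH_HOST)
                .issueTime(new Date(nowSec * 1000))
                .expirationTime(new Date((nowSec + 3600) * 1000)) // DocuSign documents a one-hour maximum
                .claim("scope", SCOPES)
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(privateKey));
        return jwt.serialize();
    }

    /** Exchanges the assertion for an access token; no browser, no interactive login. */
    public String getAccessToken(String redirectUriForConsent) throws Exception {
        String form = "grant_type=" + URLEncoder.encode(
                "urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
                + "&assertion=" + buildAssertion();
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://" + OAUTH_HOST + "/oauth/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() == 400 && resp.body().contains("consent_required")) {
            // The only interactive step: done once per user, then never again for this integration key.
            throw new IllegalStateException("user has not granted consent; open " + consentUrl(redirectUriForConsent));
        }
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("token request failed: " + resp.statusCode() + " " + resp.body());
        }
        return json.readTree(resp.body()).get("access_token").asText();
    }
}
```

Because the private key alone is enough to mint tokens for every user who has consented, keep it out of source control and load it from a secret store; the "explicit login" the question mentions is not needed at runtime, only the one-time consent.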
I have implemented Google login functionality in my Spring project, which works like this: a user logs in with a Google account and the details of the user are saved into the database. But I have a requirement to auto-login a Google account user who previously logged in with the account, and I don't know how to do that.
One way to do that (I think) is to save a cookie, but after that how does a user log in using that cookie?
I am using Spring Security OAuth2 for Google sign-in. After searching I found that OpenID is used to auto-login. But I don't know how to apply and implement it.
Look into refresh tokens. Once the user has been inactive for 2 hours (the default), their token expires. They can obtain a new one if they have a refresh token, which you can store on your side when you authorize that user.
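The refresh-token setup the answer points at, as an added example for a Spring Security OAuth2 client (Spring Security 6 API; example code, not from the original post). Google only returns a refresh token when the authorization request carries `access_type=offline`, so the first class customizes the request; the second obtains a current access token for a user and lets Spring's `RefreshTokenOAuth2AuthorizedClientProvider` use the stored refresh token when the old one has expired. The registration id `google` and the class names are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
public class GoogleOfflineAccessConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository registrations)
            throws Exception {
        DefaultOAuth2AuthorizationRequestResolver resolver = new DefaultOAuth2AuthorizationRequestResolver(
                registrations, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        // access_type=offline asks Google for a refresh token; prompt=consent makes Google
        // issue one even if this user consented earlier (otherwise it is omitted on re-login).
        resolver.setAuthorizationRequestCustomizer(builder -> builder.additionalParameters(params -> {
            params.put("access_type", "offline");
            params.put("prompt", "consent");
        }));
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2Login(o -> o.authorizationEndpoint(e -> e.authorizationRequestResolver(resolver)));
        return http.build();
    }

    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                          OAuth2AuthorizedClientRepository authorizedClients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken() // exchange the stored refresh token when the access token has expired
                .build();
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}

@Service
class GoogleTokenService {
    private final OAuth2AuthorizedClientManager manager;

    GoogleTokenService(OAuth2AuthorizedClientManager manager) { this.manager = manager; }

    /** Returns a live Google access token for this user, refreshing transparently if needed. */
    public OAuth2AccessToken accessTokenFor(Authentication user) {
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                .withClientRegistrationId("google")
                .principal(user)
                .build();
        OAuth2AuthorizedClient client = manager.authorize(request);
        if (client == null) {
            throw new IllegalStateException("user has not authorized Google or refresh failed");
        }
        return client.getAccessToken();
    }
}
```

With the default `OAuth2AuthorizedClientRepository` the refresh token lives in the HTTP session and is gone when the session is; to keep it "on your side" as the answer suggests, store authorized clients with `JdbcOAuth2AuthorizedClientService` instead, and treat that table as holding long-lived credentials (encrypt at rest, restrict access).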
I want to create an application that will download all my photos in Google Photos. I thought it should be easy with the API available.
This should be a CLI application that will run periodically from cron.
But when I looked at the Google Photos API, they use OAuth2.
The sample shows the usage of FixedCredentials:
PhotosLibrarySettings settings =
PhotosLibrarySettings.newBuilder()
.setCredentialsProvider(
FixedCredentialsProvider.create(/* Add credentials here. */))
.build();
The problem is the part where the /* Add credentials here. */ is. How can I provide my user credentials there? There are numerous classes that implement Credentials but none of them look like ones that would allow me to automate retrieval in a CLI application.
The only thing I get from Google is the client_id and client_token for my app, but how do I turn that into an access/refresh token so I can use it without my interaction?
I really hope I don't need to launch a web browser to download my photos.
The Google Photos Library API only accepts OAuth User Credentials. This means that users are required to complete the Google OAuth Flow, which means browser based Authorization.
Note: The Library API does not support service accounts. Your application must use the other OAuth 2.0 flows available such as OAuth 2.0 for web server applications or OAuth 2.0 for mobile and desktop apps.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
This link details these requirements:
Authentication and authorization scopes
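How the "mobile and desktop apps" flow the answer refers to fits a cron job, as an added example that is not part of the original post: the first run opens a browser once, the refresh token is persisted with `FileDataStoreFactory`, and every later run (from cron, with no browser) builds `UserCredentials` from that stored refresh token and hands them to the `FixedCredentialsProvider` slot the question asks about. It uses google-api-client with the Jetty `LocalServerReceiver` and the Photos Library Java client; the file paths, port and the read-only scope are assumptions.

```java
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.store.FileDataStoreFactory;
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.UserCredentials;
import com.google.photos.library.v1.PhotosLibraryClient;
import com.google.photos.library.v1.PhotosLibrarySettings;
import com.google.photos.types.proto.MediaItem;

public class PhotosBackup {
    private static final List<String> SCOPES =
            List.of("https://www.googleapis.com/auth/photoslibrary.readonly");
    // Assumed locations: the OAuth client JSON for a "Desktop app" client from the Cloud console,
    // and a directory (owner-only permissions) where the refresh token is kept between runs.
    private static final String CLIENT_SECRETS =
            System.getProperty("user.home") + "/.photos-backup/client_secret.json";
    private static final File TOKEN_DIR =
            new File(System.getProperty("user.home"), ".photos-backup/tokens");

    static UserCredentials authorize() throws IOException, GeneralSecurityException {
        GsonFactory json = GsonFactory.getDefaultInstance();
        GoogleClientSecrets secrets = GoogleClientSecrets.load(json, new FileReader(CLIENT_SECRETS));
        GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
                GoogleNetHttpTransport.newTrustedTransport(), json, secrets, SCOPES)
                .setDataStoreFactory(new FileDataStoreFactory(TOKEN_DIR)) // persists the refresh token
                .setAccessType("offline")                                 // ask Google for one
                .build();
        // First run: opens the browser and receives the redirect on localhost:8888.
        // Later runs: authorize() finds the stored credential and returns without any browser.
        LocalServerReceiver receiver = new LocalServerReceiver.Builder().setPort(8888).build();
        Credential credential = new AuthorizationCodeInstalledApp(flow, receiver).authorize("user");
        return UserCredentials.newBuilder()
                .setClientId(secrets.getDetails().getClientId())
                .setClientSecret(secrets.getDetails().getClientSecret())
                .setRefreshToken(credential.getRefreshToken())
                .build();
    }

    public static void main(String[] args) throws Exception {
        PhotosLibrarySettings settings = PhotosLibrarySettings.newBuilder()
                .setCredentialsProvider(FixedCredentialsProvider.create(authorize()))
                .build();
        try (PhotosLibraryClient client = PhotosLibraryClient.initialize(settings)) {
            for (MediaItem item : client.listMediaItems().iterateAll()) {
                // Base URLs are short-lived; appending "=d" yields the original bytes for download.
                System.out.println(item.getFilename() + " " + item.getBaseUrl() + "=d");
            }
        }
    }
}
```

Run it once interactively on the machine that will host the cron job; after that the token directory is the only credential the job needs, so protect it like a password (it grants read access to the whole library until revoked in the Google account settings).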
I am starting a new project, using a JavaScript-based UI as the frontend and Google Cloud Endpoints backed by Google Datastore for data storage.
I don't need to use any of the Google services for user login etc. In other words, I will have my own table to store the username, password and other profile info.
So, the questions are:
1. How will my service-based frontend hold the session?
2. How will it understand which user account the requests are for, in order to return user-specific data?
Also, to start with, I have so far created an endpoint which basically returns true or false when passed a username (just to mimic a valid user or not).
The question is: do I really need to configure any security to invoke this API from the JavaScript client I have?
Even if you want to use custom usernames and passwords, you'll need more than just a process to send and retrieve this data from your endpoint.
Consider using something that's there already. E.g. webapp2 has a basic auth module which allows you to have your own database with usernames and passwords but already has many required security measures in place.
A tutorial I've used to implement this in the past: https://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
So the basic answer is that Google Cloud Endpoints is best suited for applications which use Google accounts as the authentication mechanism.
So if you are using Cloud Endpoints and want to have a custom authentication mechanism, you have to create your own.
How will my service based frontend will hold the session?
Upon successful authentication (by any form either user credentials, third party social login etc), you need to setup session for that user eg; by using session cookies.
How will it understand that requests are going for which user account to return user specific data?
Cloud Endpoints cannot tell that, so you have to write a custom filter or interceptor to check whether a valid session or cookie exists and either reject or continue the request.
To pass the currently authenticated user who is requesting the API, you need to inject the user information somehow (using DI, request properties, etc.) into the API endpoints, so that you can process the request accordingly.
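The "custom filter that checks the session cookie and injects the user" from the answer, as an added example using the `Authenticator` hook of Endpoints Frameworks for Java (example code, not from the original post). Endpoints calls every `Authenticator` listed on the `@Api` before the method and passes whatever `User` it returns as the method's `User` parameter, `null` meaning unauthenticated. The cookie name, the in-memory `SessionStore` (a stand-in for a Datastore session kind) and the endpoint are assumptions; the three classes belong in separate files.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Authenticator;
import com.google.api.server.spi.response.UnauthorizedException;

/** Stand-in for a Datastore "Session" kind: random session id -> (user id, expiry). */
class SessionStore {
    record Session(String userId, Instant expiresAt) {}
    static final Map<String, Session> SESSIONS = new ConcurrentHashMap<>();

    /** Returns the session only if it exists and has not expired. */
    static Session lookup(String sessionId) {
        Session s = SESSIONS.get(sessionId);
        if (s == null || s.expiresAt().isBefore(Instant.now())) {
            return null;
        }
        return s;
    }
}

/** Runs before every method of the @Api that lists it. Must be public with a no-arg constructor. */
public class SessionCookieAuthenticator implements Authenticator {
    static final String COOKIE_NAME = "SID"; // set after login as HttpOnly; Secure

    @Override
    public User authenticate(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                SessionStore.Session s = SessionStore.lookup(c.getValue());
                // The User object is what Endpoints injects into the endpoint method below.
                return s == null ? null : new User(s.userId(), null);
            }
        }
        return null;
    }
}

@Api(name = "profile", version = "v1", authenticators = {SessionCookieAuthenticator.class})
public class ProfileEndpoint {
    public static class Profile {
        private final String userId;
        public Profile(String userId) { this.userId = userId; }
        public String getUserId() { return userId; }
    }

    @ApiMethod(name = "me", httpMethod = ApiMethod.HttpMethod.GET, path = "me")
    public Profile me(User user) throws UnauthorizedException {
        if (user == null) {
            throw new UnauthorizedException("login required"); // becomes an HTTP 401
        }
        // Every data lookup keys off user.getId(), never off a user id sent by the client.
        return new Profile(user.getId());
    }
}
```

Two things follow from authenticating with a cookie: the JavaScript client has to send it (for example `fetch(url, { credentials: "include" })` when the UI is served from another origin, which also requires `SameSite=None; Secure` on the cookie), and a cookie-authenticated API is exposed to cross-site request forgery, so state-changing methods should additionally require a custom header or token that a cross-site form cannot supply.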
I would like to secure our REST API with a user token.
1. The user does an initial request to the API to obtain an access token (they must provide their own credentials: login and password)
2. The service finds the user by the provided credentials
3. If a user is found, the service creates a unique token with an expiration time and returns it to the user (the token expiration could be defined as now() + 15 minutes; is that enough? What is a standard expiration time for such tokens?)
4. The user must provide this token in all their requests, OR asks for a new token when it is expiring and the API processes the original request
I would like to ask you: is there native support in the Spring framework for such an authentication flow? I'd be happy with a simple example or a URL to the Spring docs. If so, what do I need to use? I have studied the Spring docs and read many tutorials, and it seems there is support for everything; I need to know what is best for my issue.
For token-based authorisation to resources, one framework that will inevitably come up is OAuth.
OAuth will help you achieve exactly the workflow that you desire, e.g. that a user can authenticate and then be given a token to access a defined set of resources via an API. It is however fairly heavyweight, and it is definitely worth taking the time to understand how it works and whether it exactly fits the picture of your requirements.
The "official" site is here. There are two versions of OAuth, so again this will help you to understand which is the right one for you.
As for Spring Security integration, there is a Spring Security OAuth project. The documentation for this is pretty good, both at the level of how the integration works with Spring Security and in terms of helping you understand whether OAuth is the right solution for your project.
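If the full OAuth stack the answer recommends is more than the four-step flow in the question needs, the flow itself can be implemented on plain Spring Security with a custom filter. The following is an added example (not from the original post; Spring Boot 3 / Spring Security 6 API assumed) that issues random opaque tokens with the 15-minute expiry from the question, stores only a hash of each token, and validates the `Authorization: Bearer` header on every request. The in-memory map stands in for a database table, and `/auth/token` is an assumed login endpoint.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Issues and validates opaque bearer tokens. The store holds SHA-256(token), never the token. */
public class ApiTokenService {
    public static final Duration TTL = Duration.ofMinutes(15);
    record Entry(String username, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> byHash = new ConcurrentHashMap<>(); // stand-in for a DB table

    /** Call after the username/password check succeeded (step 2); returns the token for the client. */
    public String issue(String username) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG: unguessable, no structure to forge
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new Entry(username, Instant.now().plus(TTL)));
        return token;
    }

    /** Returns the username for a live token, or null if it is unknown or expired. */
    public String validate(String token) {
        String key = sha256(token);
        Entry e = byHash.get(key);
        if (e == null) return null;
        if (e.expiresAt().isBefore(Instant.now())) {
            byHash.remove(key); // purge lazily; a scheduled sweep would do the same in bulk
            return null;
        }
        return e.username();
    }

    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }
}

/** Turns a valid "Authorization: Bearer <token>" header into the request's Authentication. */
class BearerTokenFilter extends OncePerRequestFilter {
    private final ApiTokenService tokens;
    BearerTokenFilter(ApiTokenService tokens) { this.tokens = tokens; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            String username = tokens.validate(header.substring("Bearer ".length()).trim());
            if (username == null) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
                return; // a stale token must not fall through as an anonymous request
            }
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                    username, null, List.of(new SimpleGrantedAuthority("ROLE_USER"))));
        }
        chain.doFilter(req, res);
    }
}

@Configuration
class ApiSecurityConfig {
    @Bean
    SecurityFilterChain api(HttpSecurity http, ApiTokenService tokens) throws Exception {
        http.csrf(c -> c.disable()) // no cookie-based auth here, so CSRF does not apply to the bearer token
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(a -> a.requestMatchers("/auth/token").permitAll().anyRequest().authenticated())
            .addFilterBefore(new BearerTokenFilter(tokens), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Fifteen minutes is a reasonable lifetime for a token that is re-issued by re-sending the password; what makes a longer lifetime acceptable in OAuth is the separate refresh token, which is the main thing the heavier framework adds over this flow.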