I'm looking for some advice about how to execute a authentication implementation on my web application with some specific requirements.
The web application consists of a angular frontend and a spring-boot backend. All of this is hosted on Google Appengine and I’m using Google Cloud Datastore for the database.
I want to implement some kind of authentication system now where the user uses email and password to log in. The users should only be able to create accounts if I have allowed that email to register. What would be the best way to implement a system that achieves this?
I’ve been looking at Firebase for the authentication part and that looks good but how do I integrate this with spring boot to limit access to the site depending on if the user is logged in or not?
Another question is about the create user requirement. Would a good solution to this be to store emails that are allowed to register in my database, and then check every time someone wants to register if their email is in there before using Firebase to create that user?
I'm not very experienced with authentication implementations so any advice is appreciated.
I think that Spring Security + Stormpath its a good choice. Here is one nice tutorial: https://scotch.io/tutorials/build-a-spring-boot-app-with-user-authentication
And about the registration permission for enabled emails you should really store on DB to have control over it, I dont see any problem with that.
Related
I would appreciate any guidance you can provide for the following situation:
I have a Vue.js app with a Java-SpringBoot backend.
I want to allow users to log in using the SSO of office-365.
So authentication will be done by office-365.
However, once a user is authenticated, the permissions are set by the application itself. All permissions for different aspects of the applications are stored and handled by my application.
How can I achieve this? Is the SSO done only on the front side in Vue.js?
If so, what is returned after the SSO completes successfully and the user is authenticated? How can I set the permissions?
Do I need to perform some backend operation to ensure the user is authenticated correctly?
Thanks
any information and explanations I can get would be apricated as I'm new to SSO
I would use Keycloak. There you can choose Microsoft as an Identity provider. It manages everything for you and it's very easy to handle.
If you need a good tutorial:
We have a Spring Boot web app which uses JWT based authentication/authorisation.
Now, we want to add OAuth2 support so that users can login using their Google account.
That would be easy to do using Spring Security.
However, the requirement is a bit different.
If the user wants to use the Google login functionality, he first needs to link their Google account. Basically login into our application using his/her credentials, and on their profile page link their Google account.
The flow would be something like the following:
Click the “Link Google account” button on user’s profile which redirects them to Google
In Google choose the account you want
Google returns with a code. After that, make a request to our backend, on an authenticated endpoint e.g. POST /users/{userId}/accounts which will receive the token returned by Google
In the backend, verify this token by making a request to Google
If all is good, link user’s account with Google by updating the db accordingly
My question is, for step 4, what is the best practice for that? How can I use all the stuff that Spring Security is offering to achieve this?
Thank you in advance,
You have the authorization code and you exchange for access token all over https and all in backend.
There is no need to validate access token ( I don’t think spring security even does this part for integration with google ) at your end.
This should be done by google when you request its resource.
I want to use keycloak as a broker server for Identity and Access Management and I don't want to use login screen provided in keycloak as I have different clients like Android, IOS and web application using the same backend server.
I wan't to know if it is possible to create user, accept terms and conditions, send two factor authentication using SMS, have custom fields in login like adding adress using a POSTMAN/ RESTFul API. I know keycloak have provided API guide but they have not included anything about accepting terms and conditions, adding SMS based validations.
Following would be an opinion based question but, if these features are not available in keycloak, what are the other identify broakers I can use and it should be open source with capability to use my own database.
Edit:
I have checked auth0.com, okta/ stormpath but they are not open source and for custom database like in auth0 its requires enterprise edition.
I am starting a new project and using javascript based UI as fronted and google cloud endpoints backed by google datastore for data storage.
I don't need to use any of the google services for user login etc. In other words, i will have my own table to store username, pwd and other profile info.
So, the questions are:
1. How will my service based frontend will hold the session?
2. How will it understand that requests are going for which user account to return user specific data?
Also to start with, I have so far created an endpoint which basically returns true or false on passing username to it. (just to mimic valid user or not).
The question is do i really need to configure any security to invoke this api from the javascript client i have?
Even if you want to use custom usernames and passwords, you'll need more than just a process to send and retrieve this data from your endpoint.
Consider using something that's there already. E.g. webapp2 has a basic auth module which allows you to have your own database with usernames and passwords but already has many required security measures in place.
A tutorial I've used to implement this in the past: https://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
So the basic answer is Google Cloud Endpoints is best suited for applications which users google accounts as authentication mechanism.
So if you are using cloud endpoints, and wanted to have custom authentication mechanism, you have to create your own.
How will my service based frontend will hold the session?
Upon successful authentication (by any form either user credentials, third party social login etc), you need to setup session for that user eg; by using session cookies.
How will it understand that requests are going for which user account to return user specific data?
Cloud Endpoint cannot tell that, so you have to write an custom filter or interceptor to check if valid session or cookie exists and either reject or continue the request.
To pass the current authenticated user who is requesting the api, you need to inject the user informations somehow (using DI, or request properties etc) into the ApiEndpoints, so with that you can process the request accordingly
Is it possible to create my own users database for a google app engine app, so that it's not required for someone to have a google/openId account when he registers ?
Yes, but you will need to write all utility methods for providing proper authentication for your users. Rather than do this, I would recommending looking into the authentication services that Firebase can provide (Google acquired Firebase in 2014). At the moment, it seems Firebase will become integrated into many Google Cloud Services.