I currently have a website set up with Spring MVC and Spring Social so users can sign in with Facebook and Twitter.
Now I want to authorize my Android client to access my third-party web site, with Facebook (or Twitter) credentials. As stated here, this should be possible. But he does not continue to say how. Can anyone get me on the way with this? Just give me some basic outlines of how to do this. I'm really stuck here...
I'm actually in the middle of working on a project which needs to do the same thing. I implemented Spring Security & Spring Social for the website and also needed to allow for the iOS and Android apps to connect via the social sites as well.
Here's what you'll need to do:
Implement the device-specific APIs into the development of your app's projects. So, implement Facebook, twitter or whatever else as you normally would on the devices. You'll be doing the actual authenticating process there.
Implement a special URL for your apps to sign in via the social services. For example, http://yousiteapi.com/services/auth/socialSignin. You're going to need to pass ALL the parameters to this api that would normally get written to the UserConnection table implementation - providerId, userProviderId, authenticationToken, secret, etc. If a provider doesn't use one of these, just pass in null or a empty var.
Within this controller, you're going to need to reference both your implementation of the spring Social SignInAdapter AND the ConnectionSignUp classes along with your implementation of the ConnectionRepository and UserConnectionRepository and basically reproduce the whole signup process. First, you'll need to decide which provider it is via the providerId you pass back and use the provider's consumerKey and consumerSecret to implement the specific ConnectionFactory you'll need. Then, use the data you passed in to create the ConnectionData object. With the ConnectionData object, you create the actual Connection object.
Now is where you replicate the logic of the normal Spring Social login: First, use your reference of the UserConnectionRepository and call the findUserIdsWithConnection() method to see if the user has previous logged in. If not, call the ConnectionSignUp.execute() method to create the user.
Finally, you just call your SignInAdapter.signin() method to sign the user in. Don't forget to set your response to OK so your app knows this was a success.
Wow, that sounds like a lot. Actually sounds like more than it is. Hope this at least helped to point you in the right direction.
Related
I'm trying to create a custom Keycloak provider that will add something to login logic. I've read how providers (or plugins) are being created for Keycloak and there's already one in the project I'm working with, but I don't know much about them.
I need to add custom logic for users authentication/authorization: I want to be able to check some fields in the internal database to validate the persons account. But I didn't find any guides or good articles about similar situations. Can someone provide me some links on what to start with? What interface and what methods I need to override in my custom provider in order to achieve something like this? I've read something about "openid" and "keycloak" in general, as well with keycloak providers, but there's too much information and no specific examples.
Username and password are being sent through web-form and "openid" is the protocol, if it wil help somehow.
Hope I understood your correctly. You probably need a plugin for your authorization flow, an additional step where you validate your data.
Have a look here: https://wjw465150.gitbooks.io/keycloak-documentation/content/server_development/topics/auth-spi.html
I have created some API's for login but am not sure about creating a login with a Username/Phone Number. Can someone help out with any tutorials or any sort of idea on how to create a REST API for phone number authentication on a Spring-Boot Project?.
I also require a suggestion on how to bring the third party login like We log in with a google account on most of the web applications
From what I've understood in your question you are concerned about security and you would like to implement something like an MFA for your users.
Since sending OTP codes is expensive (not really but let's assume you want something free) and requires to access external APIs to send the codes (with its own logic) what I can suggest to you is using something like a TOTP (Google Authenticator or Microsoft Authenticator).
Here is a good (and most important WORKING) guide I've followed some time ago:
https://medium.com/javarevisited/spring-boot-two-factor-authentication-78e00aa10176
With the right adjustments and improvements (or simplifications in case) the main logic will be perfect for your application of MFA.
For the login using for example google/facebook/SAML SSO and so on I can suggest you check on OAUTH2:
https://www.baeldung.com/sso-spring-security-oauth2
Hope it helps
Hi Ninja please read this example and seraching internet
https://dzone.com/articles/add-login-to-your-spring-boot-app-in-10-mins
I have created a third party api(REST) that I wanted to make public but is only allowed to be accessed from a specific domain. How do I perform domain specific authentication/authorization?
For example, I have an api running on domain say mydomain.com and I wanted to create a JS widget that calls this api, but the widget is used in a different domain say otherdomain.com. How do I make sure only otherdomain.com has access to my api and it is not accessible from say anotherdomain.com.
I could use a api-key to authenticate the api, but I am not sure if that is secure enough as anyone who has access to source of otherdomain.com can copy the script and the api-key and try to access api directly. How can I avoid these kind of security holes.
Using mechanisms like Oauth2 may not help as there is no involvement of a user in this case and hence cannot do user authentication by getting user credentials.
Another idea would be to check for origin header, but it can simply be mocked as well using some reset clients I suppose(or am I wrong in this case)?
Please suggest some ideas to tackle this scenario.
I'm a bit confused as to how to use Facebook's app access token with Spring Social.
I already have an app access token by making a GET request to:
http://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
I can't use (for reasons I don't want to discuss here) the standard Spring Social connection creation flow and I want to use this token (if possible).
My question is generally directed toward the GraphApi.
So in general can I use an app access token acquired via a standard GET to make requests to the Graph Api through Spring Social ?
Thanks,
There are very few things that the app access token can be used for. Most of the operations in the Graph API are for fetching user data and therefore you MUST obtain a user access token. The app access token you have will not work.
If you're planning to use your app access token to fetch a user's profile, see their friends list, or post to their timeline (or anything that pertains to a user), then you're out of luck. Imagine the chaos that would ensue if all you had to do to read and post on behalf of a user is obtain an app access token! You must get the user's permission for that kind of thing.
There are 3 ways to get a user access token: Authorization code grant (which is what Spring Social's ConnectController does and is most appropriate for traditional web applications), implicit grant (which is more appropriate for client-side Javascript), and resource owner credentials grant (which is most appropriate for mobile or desktop applications where doing a browser redirect is awkward, difficult, or impossible).
The app access token you have is only intended to consume API endpoints that are application-centric and do not pertain to any given user. There are a few such operations in Facebook's API, but the only one that immediately comes to mind is that you can use an app token to create test users (see https://developers.facebook.com/docs/test_users/).
Just as most of Facebook's API is user-centric, likewise is Spring Social's Facebook API binding. If, however, there's an app-centric operation that you'd like to see added to Spring Social, I'd appreciate it if you'd let me know at https://jira.springsource.org/browse/SOCIALFB.
We have the need in a project to implement single sign-on for two different web applications, one being our own and one is implemented by someone else. For our own application we have user/password stored (encrypted) in the database. Since our application will be integrated in their environment, we now need a mechanism to let us authorize the user already being logged in at their side without showing a login screen again.
Since I'm not a security expert myself, I started reading (on a high-level) about a few techniques regarding SSO, e.g. OpenID, Kerberos, SAML, CAS - but I have not yet gained practical experience.
Before marching in the wrong direction - can someone provide me with own experience in that field and point me to a framework to use or a good (and recent) article about how this should be done?
One more infomation: The customer talks about preferring to pass encrypted tokens between the two webapps. Does this make sense? And does this lead to a certain technique?
We use a SAML realization for this purpose ( https://svn.softwareborsen.dk/oiosaml.java/sp/trunk/docs/index.html ) - it was easily integrated inside our existing web applications.
The working scheme can look like as follows: you will have a login page, where the SAML framework redirects user. so, after successful login, he got a cookie with the auth token, and redirected back to the web application page. you will also have an identification webservice, which you can call, passing the token provided, and be able to get the auth credentials (user role, etc) from there, so all your web applications can identify this user as logged in.