I'm a bit confused as to how to use Facebook's app access token with Spring Social.
I already have an app access token by making a GET request to:
http://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
I can't use (for reasons I don't want to discuss here) the standard Spring Social connection creation flow and I want to use this token (if possible).
My question is generally directed toward the GraphApi.
So in general can I use an app access token acquired via a standard GET to make requests to the Graph Api through Spring Social ?
Thanks,
There are very few things that the app access token can be used for. Most of the operations in the Graph API are for fetching user data and therefore you MUST obtain a user access token. The app access token you have will not work.
If you're planning to use your app access token to fetch a user's profile, see their friends list, or post to their timeline (or anything that pertains to a user), then you're out of luck. Imagine the chaos that would ensue if all you had to do to read and post on behalf of a user is obtain an app access token! You must get the user's permission for that kind of thing.
There are 3 ways to get a user access token: Authorization code grant (which is what Spring Social's ConnectController does and is most appropriate for traditional web applications), implicit grant (which is more appropriate for client-side Javascript), and resource owner credentials grant (which is most appropriate for mobile or desktop applications where doing a browser redirect is awkward, difficult, or impossible).
The app access token you have is only intended to consume API endpoints that are application-centric and do not pertain to any given user. There are a few such operations in Facebook's API, but the only one that immediately comes to mind is that you can use an app token to create test users (see https://developers.facebook.com/docs/test_users/).
Just as most of Facebook's API is user-centric, likewise is Spring Social's Facebook API binding. If, however, there's an app-centric operation that you'd like to see added to Spring Social, I'd appreciate it if you'd let me know at https://jira.springsource.org/browse/SOCIALFB.
Related
I am working on a ReactJS application with a Java background. Is it possible to use a login other than that of keycloak.
I know it's possible to custom the default keycloak theme and add custom field also but I really want to use my reactjs login form instead of redirecting to that of keycloak.
Is it possible ?
Is it recommended ?
There is already a similar question on stackoverflow but not the right answer to the problem.
Thank you all for answering my question
Is it possible ?
Yes, the user would insert the username and password into your form. And you would perform behind the curtains a call to a Keycloak Client that you would have to configure with the "Resource Owner Password Credential Grant" flow (i.e., Direct access Grants Enabled in Keycloak). That call would be requesting a token on the user's behalf.
Now the problem with this approach is that Resource Owner Password Credential Grant should typically be avoided (source):
The resource owner password credentials grant type is suitable in
cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged
application. The authorization server should take special care when
enabling this grant type and only allow it when other flows are not
viable.
You can read more on why it is not recommended to use that flow in sources such as this.
So you would be compromising a bite of security there. Moreover, you might want to provide other Keycloak functionality (e.g., OTP and social media login) that is seamlessly integrated with its Theme template. Then you might have to adapt your application based on new Keycloak releases and so on. Unless you really have a very good reason to I would not recommend it. You can opt to simply customize the default theme. It is just a form anyway, after that the user can be immediately redirected to your app.
I'm implementing an authentication and authorization mechanism to unify login mechanism's across three different websites using an external identity provider and OAuth2.
The requirements that are causing design implications.
- Users and permissions managed externally to the existing websites in an external identity provider.
- The user should only have to log in once.
- The login screen needs to be embedded in our application rather than using an identity providers.
I'm creating a login web application. I'm not sure which OAuth2 flow to use. I've used the Authorization code flow previously with Spring security, but that seems to need an external identity provider's login form.
Should I use the implicit flow directly from the login site's javascript? How concerned do I need to be that it's not as secure as the code flow.
Do I need to handroll a solution to call an idp's sdk to get tokens and then sling them into http headers for subsequent use by the other domains Presumably CORS will be an issue? I'll need to include the id token for the other domain to know which user it is - is it secure to pass around the id token via the resource user's browser.
thanks for any guidance, as you can tell its a bit of a muddle in my mind!
I am starting a new project and using javascript based UI as fronted and google cloud endpoints backed by google datastore for data storage.
I don't need to use any of the google services for user login etc. In other words, i will have my own table to store username, pwd and other profile info.
So, the questions are:
1. How will my service based frontend will hold the session?
2. How will it understand that requests are going for which user account to return user specific data?
Also to start with, I have so far created an endpoint which basically returns true or false on passing username to it. (just to mimic valid user or not).
The question is do i really need to configure any security to invoke this api from the javascript client i have?
Even if you want to use custom usernames and passwords, you'll need more than just a process to send and retrieve this data from your endpoint.
Consider using something that's there already. E.g. webapp2 has a basic auth module which allows you to have your own database with usernames and passwords but already has many required security measures in place.
A tutorial I've used to implement this in the past: https://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
So the basic answer is Google Cloud Endpoints is best suited for applications which users google accounts as authentication mechanism.
So if you are using cloud endpoints, and wanted to have custom authentication mechanism, you have to create your own.
How will my service based frontend will hold the session?
Upon successful authentication (by any form either user credentials, third party social login etc), you need to setup session for that user eg; by using session cookies.
How will it understand that requests are going for which user account to return user specific data?
Cloud Endpoint cannot tell that, so you have to write an custom filter or interceptor to check if valid session or cookie exists and either reject or continue the request.
To pass the current authenticated user who is requesting the api, you need to inject the user informations somehow (using DI, or request properties etc) into the ApiEndpoints, so with that you can process the request accordingly
I currently have a website set up with Spring MVC and Spring Social so users can sign in with Facebook and Twitter.
Now I want to authorize my Android client to access my third-party web site, with Facebook (or Twitter) credentials. As stated here, this should be possible. But he does not continue to say how. Can anyone get me on the way with this? Just give me some basic outlines of how to do this. I'm really stuck here...
I'm actually in the middle of working on a project which needs to do the same thing. I implemented Spring Security & Spring Social for the website and also needed to allow for the iOS and Android apps to connect via the social sites as well.
Here's what you'll need to do:
Implement the device-specific APIs into the development of your app's projects. So, implement Facebook, twitter or whatever else as you normally would on the devices. You'll be doing the actual authenticating process there.
Implement a special URL for your apps to sign in via the social services. For example, http://yousiteapi.com/services/auth/socialSignin. You're going to need to pass ALL the parameters to this api that would normally get written to the UserConnection table implementation - providerId, userProviderId, authenticationToken, secret, etc. If a provider doesn't use one of these, just pass in null or a empty var.
Within this controller, you're going to need to reference both your implementation of the spring Social SignInAdapter AND the ConnectionSignUp classes along with your implementation of the ConnectionRepository and UserConnectionRepository and basically reproduce the whole signup process. First, you'll need to decide which provider it is via the providerId you pass back and use the provider's consumerKey and consumerSecret to implement the specific ConnectionFactory you'll need. Then, use the data you passed in to create the ConnectionData object. With the ConnectionData object, you create the actual Connection object.
Now is where you replicate the logic of the normal Spring Social login: First, use your reference of the UserConnectionRepository and call the findUserIdsWithConnection() method to see if the user has previous logged in. If not, call the ConnectionSignUp.execute() method to create the user.
Finally, you just call your SignInAdapter.signin() method to sign the user in. Don't forget to set your response to OK so your app knows this was a success.
Wow, that sounds like a lot. Actually sounds like more than it is. Hope this at least helped to point you in the right direction.
We have the need in a project to implement single sign-on for two different web applications, one being our own and one is implemented by someone else. For our own application we have user/password stored (encrypted) in the database. Since our application will be integrated in their environment, we now need a mechanism to let us authorize the user already being logged in at their side without showing a login screen again.
Since I'm not a security expert myself, I started reading (on a high-level) about a few techniques regarding SSO, e.g. OpenID, Kerberos, SAML, CAS - but I have not yet gained practical experience.
Before marching in the wrong direction - can someone provide me with own experience in that field and point me to a framework to use or a good (and recent) article about how this should be done?
One more infomation: The customer talks about preferring to pass encrypted tokens between the two webapps. Does this make sense? And does this lead to a certain technique?
We use a SAML realization for this purpose ( https://svn.softwareborsen.dk/oiosaml.java/sp/trunk/docs/index.html ) - it was easily integrated inside our existing web applications.
The working scheme can look like as follows: you will have a login page, where the SAML framework redirects user. so, after successful login, he got a cookie with the auth token, and redirected back to the web application page. you will also have an identification webservice, which you can call, passing the token provided, and be able to get the auth credentials (user role, etc) from there, so all your web applications can identify this user as logged in.