Authenticating user with Facebook using Spring Security - java

I'm using Spring Security 3.0.x and I'd like my users to authenticate using OpenId and Facebook. Currently I've got the OpenId-part working, but I'm confused about how users can login with Facebook. I've read about the OAuth for Spring security, but as far as I understand, it is only good for accessing resources. The example applications authenticate with username and password.
So my question is, how do I authenticate users with Facebook using Spring security?

Spring Security doesn't address this (as of yet). Check out Spring Social which is designed to connect your app to Facebook, Twitter, etc. Also check out this blog post, where they have integrated Spring Social and Spring Security.

I have created a new project called spring-security-social for Facebook, which provides an authentication filter based on spring-security-oauth. As opposed to spring-security-facebook, it is actively maintained by acoveo software development and builds upon the new spring-security-oauth release.

You can also use https://github.com/pac4j/spring-security-pac4j which supports OAuth (Facebook, Twitter, Google...), CAS, SAML, OpenID (Connect) and GAE. See the demo: https://github.com/pac4j/spring-security-pac4j-demo

Related

Enable Spring JWT Authentication and OAuth2 Authentication on Spring Boot Application

I’m developing a spring boot application where users can register into the system by providing the necessary information. The platform should provide users to authenticate with their registered user credentials or social media login credentials (google/Facebook).
For simple user authentication, I want to create a simple post request to the server with the user name and password and after validating, the server returns a token. I do not want to use the spring security form login here.
But for social media logic, I believe I have to go with oAuth.
I’m new to spring Boot and spring security. Do I need to integrate both JWT authentication and OAuth authentication for this scenario? A suggestion would be highly appreciated.
What you describe about user management (user registration, login, logout) are standard features of OAuth2 / OpenID authorization-servers. You should pick one "from the shelf" either on premise (like Keycloak) or in the cloud (like Auth0, Amazon Cognito, and many others). Many solutions include "social" identities federation.
REST APIs are resource-servers. See those tutorials for security configuration and tests with mocked identities.
UIs are clients. You should use an OAuth2 client lib to handle OAuth2 flows. Find one for your framework: Spring has one if your UI is generated on the server with Thymeleaf or alike, but there are libs for Angular, React and other frameworks running in browsers.
Spring OAuth2 client libs can also be used in a BFF (backend for front-end) scenario, when the browser client is not an OAuth2 client (it is secured with a session, not an access-token) and talks to an app on the server which is the OAuth2 client (spring-cloud-gateway is a sample, but you could also write your own app with spring-boot-starter-oauth2-client). This app translates the request with a session into one with an access-token before forwarding it to the resource-server. The aim is to hide tokens from Javascript in the browser.
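
The resource-server role described in the answer above, as an added example (not code from the original posts): a stateless REST API that accepts only JWTs issued by one authorization server and intended for this API. It assumes Spring Boot 3 with `spring-boot-starter-oauth2-resource-server`; the property names and the `/api/**` path are hypothetical.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    // Hypothetical property names; the values identify the authorization server
    // (Keycloak, Auth0, ...) and the audience it puts in tokens meant for this API.
    @Value("${app.security.issuer-uri}") private String issuerUri;
    @Value("${app.security.audience}") private String audience;

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // No HTTP session: every request must carry its own bearer token.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No cookie-based authentication on this chain, so CSRF protection is not needed.
            .csrf(c -> c.disable())
            .oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Fetches the issuer's metadata and signing keys from its discovery endpoint.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuerUri);
        // Default checks (expiry, not-before, issuer) plus an audience check, so a
        // token issued for a different API of the same issuer is rejected here.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }
}
```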

How to make multiple apps redirect to same login page hosting Google OAuth and make it redirect to corresponding app upon successful authentication?

I have some web applications built with spring boot and react. Both react and spring boot servers run in their corresponding container.
I want to build oauth based single sign on (SSO) functionality for all these applications. For example, if user goes to any of applications and try to login, it should redirect to the same page providing OAuth based SSO functionality (may be using google OAuth or facebook OAuth). Logging in once should login across all apps (and possibly logging out once should log out across all apps).
What all I found regarding OAuth2 in official docs is this example. It creates an application which configures the Spring security to redirect to google login and once the login is successful, it redirects back to index.html specified in the same application.
However, I already have multiple applications which I want all to redirect to single webpage which contains button "Login with Google" (along with other options like login with facebook and username / password). Upon successful google authentication, I want it to redirect to corresponding application which initiated the login.
Q1. Is it possible with some simple redirects? If yes how?
I did not find any tutorial explaining how to achieve this. I came across only this tutorial which makes use of Keycloak Authorization server with spring boot to demonstrate login across two apps. But Keycloak is not the part of spring boot.
Q2. If answer to Q1 is no, then how can I achieve OAuth2 based SSO across multiple apps, with all of them redirecting to single login webpage and redirecting to corresponding app upon successful authentication? Can you please elaborate the process or point me to some tutorial?
Update: I came across another post which seems to explain the same but with the now deprecated @EnableAuthorizationServer annotation.
The Federated Identity sample is one of the samples available for Spring Authorization Server. It demonstrates how to configure Google and GitHub (you can also configure Facebook and others in a similar way) as a 3rd party authentication or identity provider.
If you follow the instructions in the readme and run the messages-client (client) and messages-resource (resource server) in the samples directory, you can test out the entire flow.
So to answer your questions (hopefully simply):
1. Yes, using Spring Security OAuth2 client support and Spring Authorization Server as demonstrated in the samples mentioned above. If you're looking for examples of a javascript frontend, see this branch (specifically the angular-client sample) and this webinar for more info on single-page apps and Spring Authorization Server.
2. N/A
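
How "redirect back to the app that initiated the login" is expressed on the authorization-server side, as an added example (not taken from the Federated Identity sample or the original posts): each application is its own registered client with its exact callback URI, and the server sends the authorization code only to a URI registered for the requesting client. It assumes Spring Authorization Server 1.1 or later; client ids, hostnames and secrets are placeholders.

```java
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;

@Configuration
public class SsoClientsConfig {

    // Builds one registration per application (hypothetical helper).
    private static RegisteredClient app(String clientId, String encodedSecret, String baseUrl) {
        return RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId(clientId)
            .clientSecret(encodedSecret)
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
            // Callback of this application only. The path is the Spring Security
            // OAuth2 client default; it assumes the app's registrationId equals its clientId.
            .redirectUri(baseUrl + "/login/oauth2/code/" + clientId)
            // Where the browser may land after an OIDC logout started by this app.
            .postLogoutRedirectUri(baseUrl + "/")
            .scope(OidcScopes.OPENID)
            .scope(OidcScopes.PROFILE)
            .build();
    }

    @Bean
    RegisteredClientRepository registeredClientRepository() {
        // Placeholder secrets: store real ones encoded, never in source.
        return new InMemoryRegisteredClientRepository(
            app("app-one", "{bcrypt}<hash-of-app-one-secret>", "https://app-one.example.com"),
            app("app-two", "{bcrypt}<hash-of-app-two-secret>", "https://app-two.example.com"));
    }
}
```

Because the user's session lives at the authorization server, a second application that starts the same flow is redirected back without showing the login page again.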

Rest APi implementation with social authentication

How can I implement a java backend probably on top of Spring, we will use only REST api's to access backend.
Users can log in through standard login/password, and social authentication (facebook, google etc.). Is there a standard oauth2 implementation which we can use for this requirement?
Any help will be appreciated.
Thanks!
You could use Apache Oltu Client library to implement login through Facebook, Google, ... You have to implement your own user management for storing the API token, and to provide your login/password authentication. https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart
You can also use the Spring Social project, which is built on top of the Spring application framework:
- Spring social facebook
- spring social main page

How can I use Wordpress to authenticate a user in a spring web application?

Is there a way to authenticate a user using wordpress security, something similar to authenticating with facebook or twitter? It seems that when using facebook to authenticate, an application gets something injected into its session to allow the requesting application to know that the user has been authenticated and is logged in. Is there something in wordpress or something I can write to provide this facility.
I would like to have a wordpress site for static information and for the more dynamic type information use a spring web application. Similar to what you would do with an apache web server hosting html files and move to tomcat for the jsp.
It's quite easy to do OpenID authentication with Spring Security. If you don't want to do it yourself you may want to consider using Janrain Engage to support all kinds of "social logins".

How to provide facebook, twitter, linkedin and live login using SpringSecurity?

My question is related to following Stackoverflow questions already present here... I am asking this question just to be more specific and get the latest suggestions, excuse me if you find it a duplicate question ..
Facebook Connect question and LogIn using Spring Security Questions
Currently I am working on a task which requires me to deal with open login support. I have used Spring Security 3.0.5 in this application. Successfully provided authentication support to a set of open Id providers (gmail, yahoo, myopenid, openid, aol, wordpress, blogger, livejournal etc.). Now next I want to provide support for four big names: facebook, twitter, linkedin and live (msn).
In a separate demo application I have romanced with Spring Social to provide facebook login and got kind of success there. Similar steps can be used for linkedin and twitter login. But since I am handling the login using Spring Security in the original project, I want to achieve the facebook, twitter, linkedin and live login also using spring security only, and unfortunately I am not getting much information regarding this.
Any tutorial or source regarding this will be helpful...
edit 1:
just came across Spring Security Social... that is also not a desirable solution in its present state...
Spring Security doesn't address this (as of yet). Spring Social which you saw is designed to connect your app to Facebook, Twitter, etc.
Check out this blog post, where they have integrated Spring Social and Spring Security.
EDIT: Work is being done on adding an official integration between the two - check this fork of the Spring Social project on Github.
Check Spring Security with OpenID and OAuth.
This is the solution:
socialsignin spring security.
It is based on spring-social and works perfectly.
