Spring-mvc – Own Spring OAuth2 server together with 3rdparty OAuth providers

oauth-2.0spring-mvcspring-securityspring-security-oauth2spring-social

In a Spring Boot application, I have an OAuth2 Authorization/Resource servers. Based on this and Spring Security, I have secured my Spring MVC REST API endpoints.

In addition to this, I'd like to add authentication to my REST endpoints based on 3rd party OAuth providers like Twitter, Facebook, Google.

In my application I have two entities – User and SocialUser. SocialUser represents user profile in social networks. User can have 0-* associated SocialUsers. Right now I can authenticate a user in Twitter and after that I'm creating two records in my database – User and SocialUser. SocialUser contains access/refresh tokens issued by Twitter and some other profile information from this social network.

Right now I don't know how to link this User created from social network with my existing authentication\authorization flow. For this user I'd like to create my own(by my own OAuth2 authorization server) accessToken and provide it to the client.

Also, this user doesn't have username, password and email in his User entity. And also I don't know how to manually create my own access Token and send it to the client for future API calls.

I found some example:

@Inject
private TokenEndpoint tokenEndpoint;

public String createAccessToken(User user) {
    HashMap<String, String> parameters = new HashMap<String, String>();
    parameters.put("client_id", "appid");
    parameters.put("client_secret", "myOAuthSecret");
    parameters.put("grant_type", "password");
    parameters.put("password", user.getPassword());
    parameters.put("scope", "read write");
    parameters.put("username", user.getUsername());

    // principal ??
    return tokenEndpoint.getAccessToken(principal, parameters);
}

but I don't know how to create Principal based on my User entity and also I'm not sure that this is a correct way to go.

So, the main question is – how to manually generate this new token through my own OAuth server for this new user?

Please advise me how can it be correctly implemented. Thanks.

UPDATED:

I have added ProviderSignInController to my application and able right now to perform full OAuth dance with Twitter. Also, I have implemented my own Neo4jConnectionRepository and Neo4jUsersConnectionRepository because I use Neo4j as a primary database.

@Bean
public ProviderSignInController providerSignInController() {
    return new ProviderSignInController(socialAuthenticationServiceLocator, usersConnectionRepository, new SignInAdapter() {

        @Override
        public String signIn(String userId, Connection<?> connection, NativeWebRequest request) {
            System.out.println("User ID: " + userId + " social display name: " + connection.getDisplayName());
            return null;
        }
    });
}

So far, everything works good.

The one question is – how to authenticate/authorize User through my own OAuth2 Authorization server in the SignInAdapter.signIn method ?

I think I need to create OAuth2Authentication object for this user and put it into Security context.. Am I right ? If so, could you please show me an example how can this be implemented ?

Best Answer

So what you want to achieve is : when clients redirect users to your authorization server (authorization code or implicit grant) in order to obtain a token, the user can log-in using his favorite social network.

If I understand correctly, you have rolled your own implementation of single sign on (SSO) with Twitter (ProviderSignInController), and now you're left wondering how to generate a token when Twitter responds "OK".

I think you took the problem by the wrong end : Instead of building your Twitter client and generating a token programmatically, the idea is to integrate social SSO inside the flow of spring-security-oauth2, which in reality is how to integrate social SSO in Spring Security.

In the end, it's about how your authorization server secures the AuthorizationEndpoint : /oauth/authorize. Since your authorization server works, you already have a configuration class extending WebSecurityConfigurerAdapter that handles the security for /oauth/authorize with formLogin. That's where you need to integrate social stuff.

Instead of using the Spring Security built-in form authentication mechanism, you will have to plug-in your own security that either allows the user to login with a form, or starts SSO with other providers.
Spring Security is made of a bunch of abstractions, but it really just comes down to populating the SecurityContext with an Authentication object for each request.

Once the authentication process is complete, the user will continue to /oauth/authorize, consent to the client accessing some scopes, and the token will be delivered as it's usually done, without you having to generate tokens programmatically.

I have done that using SAML (Spring Security SAML extension), but in your case you should dig in the Spring Social projects, which seem to support all the major social networks out of the box.
The good news is that you already have a bunch of tools available, the "bad news" is that you will have to understand how they work to a certain degree in order to plug them together.

Related Solutions

Spring – Microservices and Spring Security OAuth2

While configuring your auh server::

Create a new clientDetails in ClientDetailsServiceConfigurer for resource server. which will be used to configure RemoteTokenService.

Configure Spring Security OAuth2 in your resource server:

Create a class which is annotate with @EnableWebSecurity ,@Configuration and extends WebSecurityConfigurerAdapter.

@Configuration
@EnableWebSecurity
protected static class ResourceConfiguration extends WebSecurityConfigurerAdapter {
  // methods        
}

Create a method with @Bean annotated which will return instance of TokenService, which will be used to create AuthenticationManager.

In this method create an instance of RemoteTokenService and set clientId, client_secret , checkTokenEndpointUrl and DefaultAccessTokenConverterWithClientRoles (this class is our implementation to get client_authority while authenticating accessToken in OAuth2 server.)

@Bean
public ResourceServerTokenServices tokenService() {
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    tokenServices.setClientId("resource_id");
    tokenServices.setClientSecret("resource_secret");
    tokenServices.setCheckTokenEndpointUrl("http://<server-url>: <port>/oauth/check_token");
    return tokenServices;
}

Override authenticationManagerBean() method and annotate it with @Bean and return an instance of OAuth2AuthenticationManager with TokenService injected.

@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
    OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
    authenticationManager.setTokenServices(tokenService());
    return authenticationManager;
}

Create a class annotated with @EnableResourceServer , @Configuration and extend ResourceServerConfigurerAdapter.

@Configuration
@EnableResourceServer
protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {
  // Mehotds
}

Override Configure methods form the super class to configure resource server. Different configurer to configure Resource server.

ResourceServerSecurityConfigurer : to configure Resource_id.

HttpSecurity : This will configure security filter to tell it that user requires authentication for protected URLs (APIs).

@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
    resources.resourceId("resource_id");
}

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
     .authorizeRequests()
     .antMatchers("/**").authenticated()
     .and()
     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    // @formatter:on
}

.antMatcher("/**").authenticated() this line will secure every api url of your resource server. .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) will not create session.

PS:: If any thing is wrong then tell me.

Spring-boot – Integrate Spring Security OAuth2 and Spring Social

I had a similar problem on a JHipster-generated web application. Finally I decided to go with the SocialAuthenticationFilter option from Spring Social (via the SpringSocialConfigurer). After a successful social login, the server automatically generates and returns the "own" access token via redirection to the client app.

Here's my try:

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter implements EnvironmentAware {

    //...

    @Inject
    private AuthorizationServerTokenServices authTokenServices;

    @Override
    public void configure(HttpSecurity http) throws Exception {

        SpringSocialConfigurer socialCfg = new SpringSocialConfigurer();
        socialCfg
            .addObjectPostProcessor(new ObjectPostProcessor<SocialAuthenticationFilter>() {
                @SuppressWarnings("unchecked")
                public SocialAuthenticationFilter postProcess(SocialAuthenticationFilter filter){
                    filter.setAuthenticationSuccessHandler(
                            new SocialAuthenticationSuccessHandler(
                                    authTokenServices,
                                    YOUR_APP_CLIENT_ID
                            )
                        );
                    return filter;
                }
            });

        http
            //... lots of other configuration ...
            .apply(socialCfg);
    }        
}

And the SocialAuthenticationSuccessHandler class:

public class SocialAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    public static final String REDIRECT_PATH_BASE = "/#/login";
    public static final String FIELD_TOKEN = "access_token";
    public static final String FIELD_EXPIRATION_SECS = "expires_in";

    private final Logger log = LoggerFactory.getLogger(getClass());
    private final AuthorizationServerTokenServices authTokenServices;
    private final String localClientId;

    public SocialAuthenticationSuccessHandler(AuthorizationServerTokenServices authTokenServices, String localClientId){
        this.authTokenServices = authTokenServices;
        this.localClientId = localClientId;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
                    throws IOException, ServletException {
        log.debug("Social user authenticated: " + authentication.getPrincipal() + ", generating and sending local auth");
        OAuth2AccessToken oauth2Token = authTokenServices.createAccessToken(convertAuthentication(authentication)); //Automatically checks validity
        String redirectUrl = new StringBuilder(REDIRECT_PATH_BASE)
            .append("?").append(FIELD_TOKEN).append("=")
            .append(encode(oauth2Token.getValue()))
            .append("&").append(FIELD_EXPIRATION_SECS).append("=")
            .append(oauth2Token.getExpiresIn())
            .toString();
        log.debug("Sending redirection to " + redirectUrl);
        response.sendRedirect(redirectUrl);
    }

    private OAuth2Authentication convertAuthentication(Authentication authentication) {
        OAuth2Request request = new OAuth2Request(null, localClientId, null, true, null,
                null, null, null, null);
        return new OAuth2Authentication(request,
                //Other option: new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), "N/A", authorities)
                new PreAuthenticatedAuthenticationToken(authentication.getPrincipal(), "N/A")
                );
    }

    private String encode(String in){
        String res = in;
        try {
            res = UriUtils.encode(in, GeneralConstants.ENCODING_UTF8);
        } catch(UnsupportedEncodingException e){
            log.error("ERROR: unsupported encoding: " + GeneralConstants.ENCODING_UTF8, e);
        }
        return res;
    }
}

This way your client app will receive your web app's access token via redirection to /#/login?access_token=my_access_token&expires_in=seconds_to_expiration, as long as you set the corresponding REDIRECT_PATH_BASE in SocialAuthenticationSuccessHandler.

I hope it helps.

Best Answer

Related Solutions

Spring – Microservices and Spring Security OAuth2

Spring-boot – Integrate Spring Security OAuth2 and Spring Social

Related Topic