
I have some follow-up questions based on this thread:

Spring security authentication based on request parameter

The desired flow is:

  1. External service is already registered with my application and possesses a consumer key & secret given by my application.

  2. External service sends a request for a token to my application by passing the consumer key & secret.

  3. My application authenticates the consumer key & secret and provides a token (with an expiry time).

  4. External application sends the token for subsequent requests which is validated by my application (presumably using the approach in the above link).

The flow seems similar to OAuth 1 but I do not wish to present a login & access grant page to the user (like Facebook or Twitter). The user must be authenticated behind the scenes.

Instead of having to write code for token handling & authentication, is there any other option available in Spring Security to address this?

Also I wish to retain my existing form-based login to my application for direct users of the application.

Thanks in advance.

Praveen
  • Your question isn't very clear. In your desired flow, you only talk about authenticating a pre-registered service, but then you talk about "the user" being authenticated behind the scenes. What user? What's their relationship with the service? And why not just use OAuth2 since that is already supported by Spring Security? Something like the client-credentials grant is appropriate for an external service accessing a resource. – Shaun the Sheep Mar 08 '14 at 15:11
  • @Luke, Sorry for the ambiguity. "The user" I am referring to is a user of the pre-registered third-party service. After the service consumer key & secret are authenticated by my application and a token is returned back to it, the service sends another request with the token & the user name to retrieve profile information from my application. This user must not be presented with a login form to enter his credentials. If the service is authenticated, the users are assumed to be authenticated as well. Anybody with a valid token can send a request to my application. – Praveen Mar 09 '14 at 06:37

1 Answer


That looks like a 2-Legged OAuth flow where the Request Token is pre-authenticated rather than explicitly authenticated by the User.

You can use Spring Security OAuth to implement this kind of flow. Take a look at the OAuth 2 implementation:

http://projects.spring.io/spring-security-oauth/docs/oauth2.html

Or alternatively you could modify the OAuth 1.0 implementation to support the 2-Legged process correctly. I've put together a post explaining how to modify the Spring OAuth 1.0 implementation to achieve a real 2-Legged process (their 2-Legged process is in fact a 0-Legged implementation):

http://codehustler.org/blog/spring-security-tutorial-2-legged-oauth-1-0/

Alessandro Giannone
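An added example, not part of the question or the answer, of the client-credentials setup that the comment and the answer point to, written against the Spring Security OAuth 2.x project the answer links to: the external service exchanges its consumer key and secret for an expiring bearer token, the API validates that token on each request, and the existing form login stays in place for direct users. The client id, secret, scope name and URL paths are constructed values.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Issues bearer tokens at POST /oauth/token for grant_type=client_credentials.
// The external service presents its consumer key & secret via HTTP Basic auth.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("external-service")       // consumer key (constructed value)
            .secret("replace-with-real-secret")   // consumer secret; with Spring Security 5 prefix "{noop}" or use a PasswordEncoder
            .authorizedGrantTypes("client_credentials")
            .scopes("profile:read")
            .accessTokenValiditySeconds(3600);    // token expiry: one hour
    }
}

// Validates the bearer token on every /api/** request; no login page is involved.
@Configuration
@EnableResourceServer
class ApiResourceConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .authorizeRequests()
            .antMatchers("/api/**").access("#oauth2.hasScope('profile:read')");
    }
}

// Everything else keeps the existing form login for direct (browser) users.
// The resource-server filter chain is ordered before this one by default.
@Configuration
@EnableWebSecurity
class BrowserUserConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();
    }
}
```

The service obtains a token with POST /oauth/token (HTTP Basic auth carrying the client id and secret, body grant_type=client_credentials) and then sends it as an Authorization: Bearer header on /api/** requests; the username it wants profile data for travels as an ordinary request parameter, since the token only proves the service's identity.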