
I have OAuth2 (AuthorizationServer) enabled on my Spring Boot application.

I want to authenticate Facebook users via a REST request when they pass their access token from the mobile app.

I have a controller that receives the Facebook token:

@RequestMapping(value = "/login-with-fb", method = RequestMethod.POST)
public boolean fb(@RequestParam String token) {
    System.out.println("Yay, I have the token: " + token);

    return true;
}

This is as much as this controller should do; I guess all the magic should happen in the filter, which is injected by my Resource Server here:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.antMatcher("/**").authorizeRequests() // All requests are protected by default
        .antMatchers("/abc/**").permitAll()
        .antMatchers("/xyz/**").hasAuthority("ROLE_USER")
        // We plug the Facebook filter in here
        .and().addFilterBefore(facebookFilter(), BasicAuthenticationFilter.class);

}

And finally, how would the filter look?

private Filter facebookFilter() {
    // What goes here? I assume we need to get the token,
    // pass it to FB to validate it again, then retrieve/create the user
    // and then somehow generate and return an OAuth2 token
    // so that the user can use that token instead of the FB token
    // to access secure content on my server
}

Or is there a better way to achieve the same?

  • I believe you will want to read this tutorial https://spring.io/guides/tutorials/spring-boot-oauth2/ – EdH Feb 06 '17 at 05:10
  • Thanks @EdH, but this tutorial shows how to achieve this when the login process is performed from a web server, not a mobile app. The main difference here is that on a web server you can handle the redirects to Facebook and back, but on a mobile app all this happens in the app itself and the server is not aware of it. So you only end up with a token after successful authentication – zalis Feb 06 '17 at 05:14
  • I think you can still do the same steps, except you want to use the @ResourceServer annotations instead of the SSO client. That will add the necessary filters to the servlet contexts to validate the supplied token against the remote OAuth server. The calls into the REST endpoints would require the token in the header, but you can set it up the same way, without the bespoke filter config. That's my understanding, but maybe I am misunderstanding. – EdH Feb 06 '17 at 11:11
  • Hmm, interesting; however there is one caveat: I already have an existing authorization server (OAuth2) that provides tokens for my users using username/password. How would the authentication manager know which authorization server to use? As for the same steps, I assumed the @EnableOAuth2Client annotation is mandatory to invoke all the Facebook magic ... – zalis Feb 06 '17 at 11:34
  • My understanding was that the annotation just hooked in the logic to verify and possibly renew the token from an external source? It used (mostly) the same Spring properties to define the URI endpoints. Likely you'll need a clientId/clientSecret pair which is different from anything used by your mobile application. But I would have thought that your resource server (presuming you don't have any WebUI going on) would just look for the token attached to the incoming REST calls and validate them. – EdH Feb 07 '17 at 03:10
  • I can't recall if the token validation needs to hit up your Auth Server (which would need to validate the token, not Facebook), or whether the public key validation is sufficient (if it's a JWT). – EdH Feb 07 '17 at 03:10
  • I doubt that would work, as I need Facebook to validate its token; Facebook's tokens are slightly more complex than a standard JWT token – zalis Feb 07 '17 at 10:26
  • Hmm, that is a bit of a wrinkle. I'm running out of ideas :) I know there's a product called Keycloak that acts as an Auth Server that also can federate remote Auth Servers (like Facebook). So it is possible; I suspect it's complicated though – EdH Feb 07 '17 at 21:28
  • Did you find any solution to your question? – louis amoros Oct 05 '18 at 20:57
  • @louisamoros, yes, the above approach is wrong and will never work. Use this guide; it's pretty simple once you get your head around it https://spring.io/guides/tutorials/spring-boot-oauth2/ – zalis Oct 23 '18 at 09:46
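The server-side step the stub comments sketch ("pass it to FB to validate it again") written out as an added example, not the asker's code and not part of Spring or the linked tutorial: the filter introspects the client-supplied token against Facebook's `debug_token` endpoint and only authenticates the request if Facebook reports the token valid and issued for this application's own App ID, which is what stops a token obtained for some other app from logging a user in here. Assumed: the `X-Facebook-Token` header name, the constructor arguments, and that the filter is registered with `addFilterBefore` as in the question; issuing the server's own OAuth2 token afterwards is left out.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

public class FacebookTokenFilter extends OncePerRequestFilter {
    private static final String HEADER = "X-Facebook-Token"; // hypothetical header; the question used a request parameter
    private static final String DEBUG_TOKEN = "https://graph.facebook.com/debug_token?input_token={token}&access_token={appToken}";
    private final String appId;     // this application's Facebook App ID
    private final String appToken;  // app access token "APP_ID|APP_SECRET"; the secret never leaves the server
    private final RestTemplate rest = new RestTemplate();

    public FacebookTokenFilter(String appId, String appSecret) {
        this.appId = appId;
        this.appToken = appId + "|" + appSecret;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String token = req.getHeader(HEADER);
        if (token == null) { chain.doFilter(req, res); return; } // no Facebook token: leave the decision to other filters
        String userId = verifiedUserId(token);
        if (userId == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        // Authenticate as the Facebook user id (map it to a local account here if the application keeps one).
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
            userId, null, AuthorityUtils.createAuthorityList("ROLE_USER")));
        chain.doFilter(req, res);
    }

    /** Returns the user id if Facebook reports the token valid AND issued for this app; otherwise null. */
    String verifiedUserId(String token) {
        Map<?, ?> body;
        try { body = rest.getForObject(DEBUG_TOKEN, Map.class, token, appToken); }
        catch (RestClientException e) { return null; } // Facebook answers 4xx for malformed or revoked tokens
        if (body == null || !(body.get("data") instanceof Map)) return null;
        Map<?, ?> data = (Map<?, ?>) body.get("data");
        // The app_id check is essential: a valid token issued to a different app must not log anyone in here.
        if (!Boolean.TRUE.equals(data.get("is_valid")) || !appId.equals(String.valueOf(data.get("app_id")))) return null;
        return data.get("user_id") == null ? null : String.valueOf(data.get("user_id"));
    }
}
```

Every request carrying the header costs one round trip to Facebook, so in practice the result is exchanged for a locally issued token (as the stub's comments intend) rather than re-verified on each call.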
