EDIT:

I'm doing this for the first time and I don't know what to choose for my case. I've got a Spring MVC project set up on my server (it's just a single page web app) and would like to add some "custom API calls" so that my users can access their data on behalf of my app.

Examples (Imagine a blank page where a user added his preferred links in his listBox):

  • facebook.com/get_my_latest_posts
  • gym.com/pay_my_membership
  • butcher.com/buy_2kg_beef

The user can edit/add links anytime he wants. When he clicks a link, the link is called and the user receives his latest Facebook posts, confirmation that the gym membership has been paid, or confirmation that he bought 2kg of beef (a result based on which link was called).

I wouldn't want to always show the user a login page, so I'll try to use an access token where possible.

Does this sound like science fiction?

If it doesn't, then I saw the Spring Social examples, but wouldn't it be better if I used a library like Google's OAuth library or Apache Oltu?

Oleg
  • Is it even possible to do such kind of "user customizable services"? – Oleg Apr 14 '17 at 11:24
  • Can you explain more precisely what you mean by _users can use their particular custom services_? Are you talking about services a user operates on their own? Or do you just want to fetch user data from the social media platform? It is hard to grasp what service means in your context. – ksokol Apr 15 '17 at 10:07
  • Your idea is to build a mashup which aggregates data from various APIs and visualizes it in one UI, right? A user can select a data source/service like Facebook, gym.com, etc. from a predefined list of providers. Over time the list grows as you are adding more and more providers to your application. Right? – ksokol Apr 15 '17 at 11:28
  • @KamillSokol yes I would like to do that :) – Oleg Apr 15 '17 at 12:02
  • 1
    From a technical point of view it's doable. But you can't prevent that your users have to authenticate with every third party once in a time. This happens usually when there is no access or refresh token or the token has expired. The third party has to support OAuth2 and you'll need to register an OAuth2 client in every third party on your own. You could incorporate OpenID or Oauth0 in your application in order to reduce the number of various logins. But I doubt that every third party supports it. Do you know that? – ksokol Apr 15 '17 at 12:50
  • @KamillSokol let's assume that every third party supports Oauth 2.0 and that I registered my app as a Oauth2 client. At this point I saw a lot of examples provided by spring security but only with social platforms which is not quite exactly my case here. I don't know where to start and have no idea about what OAuth2.0 client library to choose for my needs. I will gladly give the bounty but I think there must be an answer posted. – Oleg Apr 15 '17 at 13:07
  • I didn't answer yet. Got your point. It doesn't matter if you are authenticating against a social media platform or some other party. The authentication flow still remains the same. The challenge is how to handle all those tokens on a per user basis. That leads me to my last next question. Do you consider using a third party as authentication source or do plan to maintain your own user base in your application? – ksokol Apr 15 '17 at 15:12
  • @KamillSokol third party authentication source (hopefully this way, I'll have less headaches) – Oleg Apr 15 '17 at 15:24

2 Answers

Spring Social, Google's OAuth Client Library for Java and Apache Oltu fulfill the OAuth specification and are all good candidates. Every library comes with some predefined providers. Spring Social and Apache Oltu contain some popular platforms like Facebook, Twitter, Github or Google. Google OAuth Client Library for Java comes along with the Google API Client Library for Java in order to connect to Google services. In Spring Social and Google OAuth Client Library those providers are optional.

All three libraries are written in a generic way so that one can connect to any OAuth provider. I think that Spring Social could require less integration work than Apache Oltu or Google OAuth Client Library in regard to other Spring modules like Spring Security or MVC. In the end it all boils down to your personal preference for a library.

If you decide on Spring Social, take a look at this quickstart demo (ignore the README.md and just run ./gradlew bootRun). It already contains everything you described in the comments of your question:

  • authenticate user through a third party
  • integrate several platforms in one application and fetch user data on demand (imagine the dropdown menu items, for example Twitter profile or Timeline, represent facebook.com/get_my_latest_posts or gym.com/pay_my_membership)

As you can see in the demo, you can't prevent your users from having to authenticate with every third party once in a while. This usually happens when there is no access or refresh token or the token has expired.

Take a look at the Spring Social documentation on how to add a new service provider.

Summary

All three libraries are extensible and fit your needs. There are many examples on the internet for every library. Spring Social could require less integration work into an existing Spring application.

Your application is just a host for many OAuth clients for different services (so no science fiction here). You'll need to think about storing the access and refresh token on a per user basis somewhere (database?). You'll need to provide an after-authorization callback URL in your application for every service you want to integrate.

ksokol
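
The per-user token bookkeeping described in the answer above, as an added example (not code from the answer, from Spring Social, or from any of the libraries named). It uses only the JDK (Java 16+); every class, method, user and provider name is hypothetical, and the in-memory map stands in for the database.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: one token entry per (user, provider); all names are hypothetical.
public class UserTokenStore {

    record Key(String userId, String provider) {}

    // refreshToken is null when the provider issued none.
    record Tokens(String accessToken, String refreshToken, Instant expiresAt) {}

    enum NextStep { CALL_API, REFRESH_TOKEN, SEND_USER_TO_PROVIDER_LOGIN }

    // Stand-in for the database table; persistent storage should encrypt tokens at rest.
    private final Map<Key, Tokens> tokens = new ConcurrentHashMap<>();

    // Called from the provider-specific callback URL after the code-for-token exchange.
    public void save(String userId, String provider, Tokens t) {
        tokens.put(new Key(userId, provider), t);
    }

    // Decides what must happen before a stored link for this provider can be called.
    public NextStep nextStep(String userId, String provider, Instant now) {
        Tokens t = tokens.get(new Key(userId, provider));
        if (t == null) {
            return NextStep.SEND_USER_TO_PROVIDER_LOGIN;      // user never authorized this provider
        }
        if (now.isBefore(t.expiresAt())) {
            return NextStep.CALL_API;                         // access token still valid
        }
        return t.refreshToken() != null
                ? NextStep.REFRESH_TOKEN                      // renew without user interaction
                : NextStep.SEND_USER_TO_PROVIDER_LOGIN;       // expired and nothing to refresh with
    }

    public static void main(String[] args) {
        UserTokenStore store = new UserTokenStore();
        Instant now = Instant.parse("2017-04-15T12:00:00Z");  // constructed sample data
        store.save("user-1", "facebook", new Tokens("at-1", "rt-1", now.plusSeconds(3600)));
        store.save("user-1", "gym", new Tokens("at-2", "rt-2", now.minusSeconds(60)));
        store.save("user-1", "butcher", new Tokens("at-3", null, now.minusSeconds(60)));
        for (String p : new String[] {"facebook", "gym", "butcher", "bakery"}) {
            System.out.println(p + " -> " + store.nextStep("user-1", p, now));
        }
    }
}
```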
Definitely, friend.

You should try implementing a token service to access your web application.

It is the best way and is considered good practice.

Please try configuring your own OAuth server using your Google account.

The link below has a good explanation of how we can do that.

https://oneminutedistraction.wordpress.com/2014/04/29/using-oauth-for-your-javaee-login/

Another example: the one below is also a good example for beginners.

https://stormpath.com/blog/token-auth-for-java

  • On SO, it is recommended not to just post links, as they could be removed in the future. Wherever it's doable, you should post the link **and** quote the specific important part, in this case, the pros and cons I suppose – Turtle May 03 '17 at 13:55
  • Sure Nathan, I will take care from next time. The intention behind posting links directly is that I just wanted to give credit to that blog writer and didn't want to take the whole credit, as I just found it's already answered somewhere else. – Harshit Thacker Jun 03 '17 at 13:20
  • You should do both: "As said in this blog (with link), , so ". – Turtle Jun 06 '17 at 08:59