
I am new to Spring Boot and trying to implement an OAuth2 client with Facebook as the OAuth2 provider. I already have traditional JWT token authentication in place, which is configured within @EnableWebSecurity with the default authentication manager and a custom JWT token generator.

  • Is it really required to configure AuthorizationServer and ResourceServer in the above scenario?
  • If not, then why does my code always return only code and state from Facebook to the callback URL?

Please have a look at the code here.

  • I tried to merge the Facebook OAuth client authentication filter with my existing JWT auth filter configuration. Everything works fine, it's just that I am getting a code back from Facebook rather than an access token... I am not sure how I can pass the grant type in Spring Boot so it will ask for an ACCESS TOKEN rather than a CODE from Facebook. – Ashish Awasthi Jun 27 '17 at 10:17

1 Answer

OAuth2 = authorization delegation protocol, NOT an authentication one.

If you want to use Facebook and Google as identity providers then you must go with an identity federation protocol, i.e. OpenID Connect (OIDC).

The latter adds an authentication layer (using a JWT ID token) on top of the OAuth2 authorization layer.

Regarding more specifically your question (which is not very clear) about the Spring Security configuration part, it seems that the current OAuth2 server implementation (the AuthorizationServer and ResourceServer you're talking about are part of it) is not suitable as it is for implementing an OIDC identity provider.

Regarding the code and state returned to the callback URL, that's part of the OAuth2 authorization code flow and it's perfectly normal; you then have to exchange the retrieved code for an access token using the authorization server's token endpoint.

(state is just there to allow transmitting a piece of information, for example a tenant id, across the whole OAuth2 flow.)

Here is a really well-written introductory OAuth2 article.

Gab
  • Thanks for the answer! And sorry for the not well compiled question. If the code behaviour is normal then I have to again write an HTTP client to talk to Facebook in order to get the access token, which means this communication will not be taken care of by the Spring Boot OAuth client? – Ashish Awasthi Jun 27 '17 at 10:24
  • I suppose Spring can handle everything including the callback handling (it probably uses Spring MVC or so under the cover), but I must admit that I have a deep hatred of the Spring framework as a whole and particularly the web part. Personally, when I implement OAuth as a client I just set up a servlet and handle the access token retrieval myself using a good old HTTP client or a simple lib like Apache Oltu. So I can't really help you here, I apologize. – Gab Jun 27 '17 at 12:24
  • It seems that your callback is already implemented in your code in Oauth2AuthController#accessToken(). However, as far as I remember, the code exchange for the access token must be done using POST and application/x-www-form-urlencoded as the content type. – Gab Jun 27 '17 at 12:28
  • Thanks Gab. I think I am going in the right direction; I just need to convert my GET call to POST for getting the access token and refresh token. – Ashish Awasthi Jun 30 '17 at 09:15
  • @nailanaseem - If you are not using any custom authentication success filter then the entire code flow is handled by the @EnableAuthorizationServer decorator of Spring Boot. – Ashish Awasthi Feb 05 '18 at 11:20
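The three steps the answer and Gab's later comment describe (browser redirect with response_type=code, callback carrying code and state, back-channel POST of the code to the token endpoint as application/x-www-form-urlencoded) as an added example; this is not code from the question, the answer or Spring. It is framework-neutral Python against a constructed stand-in for the provider's token endpoint so it runs offline, and the client id, client secret, redirect URI, authorization endpoint and the code "c0de-123" are made-up values. The callback also compares state against the value saved in the session, which, besides carrying data as the answer says, is what stops an attacker injecting their own code into a victim's session (RFC 6749 §10.12). `run_flow("GET")` reproduces the asker's mistake of sending the same parameters as a GET query string and shows the endpoint refusing it.

```python
# Added example: OAuth2 authorization code exchange with a local stub token
# endpoint. Client registration values below are assumptions, not Facebook's.
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT_ID = "demo-client"                         # assumed registration
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "http://localhost:8080/login/callback"
AUTH_ENDPOINT = "https://provider.example/oauth/authorize"  # assumed

# The stub endpoint is on loopback; never route it through a proxy.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 1: the browser redirect. response_type=code asks for a code;
    the access token itself is never carried through the browser."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def handle_callback(query_string, expected_state):
    """Step 2: parse ?code=...&state=... from the redirect back. state must
    equal the value stored in the user's session before step 1; a mismatch
    means this session did not request that code (login CSRF)."""
    query = urllib.parse.parse_qs(query_string)
    if "error" in query:
        raise RuntimeError("provider error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise RuntimeError("state mismatch, discarding code")
    return query["code"][0]


def exchange_code_for_token(token_endpoint, code, method="POST"):
    """Step 3: back-channel exchange of the code for an access token.
    The token endpoint requires POST + application/x-www-form-urlencoded;
    method="GET" sends the same parameters as a query string instead."""
    params = urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI,        # must repeat step 1's value
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    if method == "POST":
        req = urllib.request.Request(
            token_endpoint, data=params.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "application/json"})
    else:
        req = urllib.request.Request(token_endpoint + "?" + params, method="GET")
    try:
        with _opener.open(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # RFC 6749 error bodies are JSON
        return json.loads(err.read())


class _StubTokenEndpoint(BaseHTTPRequestHandler):
    """Constructed provider token endpoint enforcing the usual checks."""

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):  # the asker's symptom: a GET never yields a token
        self._reply(405, {"error": "invalid_request",
                          "error_description": "token endpoint requires POST"})

    def do_POST(self):
        if not self.headers.get("Content-Type", "").startswith(
                "application/x-www-form-urlencoded"):
            return self._reply(400, {"error": "invalid_request"})
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
        if form.get("grant_type") != "authorization_code":
            return self._reply(400, {"error": "unsupported_grant_type"})
        if form.get("client_id") != CLIENT_ID or not secrets.compare_digest(
                form.get("client_secret", ""), CLIENT_SECRET):
            return self._reply(401, {"error": "invalid_client"})
        if (form.get("redirect_uri") != REDIRECT_URI
                or form.get("code") not in self.server.unused_codes):
            return self._reply(400, {"error": "invalid_grant"})
        self.server.unused_codes.discard(form["code"])  # codes are single-use
        self._reply(200, {"access_token": secrets.token_urlsafe(24),
                          "token_type": "Bearer", "expires_in": 3600})

    def log_message(self, *_):
        pass


def start_stub_server(issued_codes):
    server = HTTPServer(("127.0.0.1", 0), _StubTokenEndpoint)
    server.unused_codes = set(issued_codes)  # codes the provider handed out
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/oauth/token" % server.server_address[1]


def run_flow(method="POST"):
    """Whole round trip against the stub; returns the token response dict."""
    server, token_endpoint = start_stub_server({"c0de-123"})
    try:
        state = secrets.token_urlsafe(16)            # saved in the session
        build_authorization_url(CLIENT_ID, REDIRECT_URI, "email", state)
        # Constructed callback query, as the provider's redirect delivers it.
        code = handle_callback("code=c0de-123&state=" + state, state)
        return exchange_code_for_token(token_endpoint, code, method)
    finally:
        server.shutdown()
        server.server_close()
```

With a real provider you would replace the stub with the provider's token endpoint URL and keep the client secret on the server only; a Spring client does the same POST for you, which is what the asker's "convert my GET call to POST" comes down to.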