
I have to integrate my system with a third-party provider. The system is built with Spring and Angular.

Keep in mind that I need to create a custom login form instead of redirecting to the third-party provider's form, as in OAuth2.

They have created the following endpoints:

Get token authentication

POST http://example.com/webapi/api/web/token

“username=972.344.780-00&password=123456&grant_type=password”

The response sends me a token that I must use in all subsequent requests.

Get user info

Authorization: Bearer V4SQRUucwbtxbt4lP2Ot_LpkpBUUAl5guvxAHXh7oJpyTCGcXVTT-yKbPrPDU9QII43RWt6zKcF5m0HAUSLSlrcyzOuJE7Bjgk48enIoawef5IyGhM_PUkMVmmdMg_1IdIb3Glipx88yZn3AWaneoWPIYI1yqZ9fYaxA-_QGP17Q-H2NZWCn2lfF57aHz8evrRXNt_tpOj_nPwwF5r86crEFoDTewmYhVREMQQjxo80

GET http://example.com/webapi/api/web/userInfo

That said, what do I need to implement a custom authentication?

Could I use Spring OAuth2 in this case?

Murillo Goulart
  • You can find example with spring oauth2 and angular in this link: http://www.baeldung.com/rest-api-spring-oauth2-angularjs – Samir Nov 05 '17 at 11:19
  • I highly recommend this example/tutorial -> JWT authentication with Spring Boot http://www.svlada.com/jwt-token-authentication-with-spring-boot/#jwt-authentication – Harsha Jayamanna Nov 05 '17 at 17:06

3 Answers


You can use Spring Security. The flow is the following: you authenticate against the security token service; a cookie containing the authentication token is written to your browser; this token is sent on each subsequent request to the server.

On the REST server you will use Spring Security and, more specifically, AbstractPreAuthenticatedProcessingFilter; in its implementation you will extract the token and associate it with the security context.

Here is an example configuration of your Spring Security:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  // Expose the AuthenticationManager as a bean so your pre-authenticated filter can be wired to it
  @Bean
  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  @Override
  public void configure(WebSecurity web) throws Exception {
    // do some configuration here (e.g. paths Spring Security should ignore entirely)
  }

  @Override
  public void configure(HttpSecurity http) throws Exception {
    // configure your security here
    // you can add your implementation of AbstractPreAuthenticatedProcessingFilter here
  }

}

Here is your additional configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

@Configuration
public class ExampleSpringSecurityConfig {

    // Every authentication request is delegated to the pre-authenticated provider below
    @Bean
    public AuthenticationManager authenticationManager() {
        return authentication -> authProvider().authenticate(authentication);
    }

    private AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> userdetailsService() {
        // Construct your AuthenticationUserDetailsService here: it receives the token the filter
        // extracted and must return the matching UserDetails, or throw UsernameNotFoundException.
        // The placeholder below rejects every token until it is replaced (fails closed).
        return token -> {
            throw new UsernameNotFoundException("no user lookup configured yet");
        };
    }

    @Bean
    public PreAuthenticatedAuthenticationProvider authProvider() {
        PreAuthenticatedAuthenticationProvider authProvider = new PreAuthenticatedAuthenticationProvider();
        authProvider.setPreAuthenticatedUserDetailsService(userdetailsService());
        return authProvider;
    }

}
Alexander Petrov
  • Where is the login/logout endpoint? Where I store the token received? – Murillo Goulart Nov 06 '17 at 11:58
  • The token will be stored automatically in the Subject Handler by Spring Security. This is done by the abstract class PreAuthenticatedAuthenticationToken. The login/logout is part of the token provider. For example, if you use OpenAM, OpenAM itself comes with login and logout. – Alexander Petrov Nov 08 '17 at 13:26
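As an added example that is not part of Alexander Petrov's answer: one way to fill in the two hooks he names, a subclass of AbstractPreAuthenticatedProcessingFilter that pulls the token out of the Authorization: Bearer header shown in the question, and an AuthenticationUserDetailsService that validates it by calling the provider's userInfo endpoint from the question. The class names, the "username" field in the userInfo response and the /api/login path are assumptions of mine.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

@Configuration
@EnableWebSecurity
public class BearerTokenSecurityConfig extends WebSecurityConfigurerAdapter {

    // Endpoint from the question: returns the user's data only for a token the provider still accepts
    private static final String USER_INFO_URL = "http://example.com/webapi/api/web/userInfo";
    private static final String BEARER = "Bearer ";

    /** Pulls the raw token out of "Authorization: Bearer <token>"; null means "nothing to pre-authenticate". */
    static class BearerTokenFilter extends AbstractPreAuthenticatedProcessingFilter {
        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            String header = request.getHeader(HttpHeaders.AUTHORIZATION);
            if (header == null || !header.startsWith(BEARER) || header.length() == BEARER.length()) {
                return null; // no token: the request continues unauthenticated and is denied below
            }
            return header.substring(BEARER.length());
        }

        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A"; // the token is the whole credential; nothing separate to pass along
        }
    }

    /** Validates the token by asking the provider who it belongs to (one userInfo call per request). */
    static class ProviderUserDetailsService
            implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
        private final RestTemplate rest = new RestTemplate();

        @Override
        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
            HttpHeaders headers = new HttpHeaders();
            headers.set(HttpHeaders.AUTHORIZATION, BEARER + token.getPrincipal());
            try {
                Map<?, ?> body = rest.exchange(USER_INFO_URL, HttpMethod.GET,
                        new HttpEntity<>(headers), Map.class).getBody();
                // Assumption: the userInfo payload has a "username" field; the question does not show its shape
                Object username = body == null ? null : body.get("username");
                if (username == null) {
                    throw new UsernameNotFoundException("userInfo response carried no username");
                }
                return new User(username.toString(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
            } catch (RestClientException e) {
                // a 401/403 from the provider lands here: expired, revoked or forged token, so the request is rejected
                throw new UsernameNotFoundException("token rejected by provider", e);
            }
        }
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new ProviderUserDetailsService());
        provider.setThrowExceptionWhenTokenRejected(true); // fail loudly instead of silently returning null
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        BearerTokenFilter filter = new BearerTokenFilter();
        filter.setAuthenticationManager(authenticationManager());
        http.addFilter(filter)
            // the token travels in a header the browser never attaches on its own, so there is no CSRF surface here
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/login").permitAll() // hypothetical endpoint that trades the form credentials for a token
                .anyRequest().authenticated();
    }
}
```

Because the filter is stateless, every request costs one round trip to the provider's userInfo endpoint; a short-lived cache keyed on the token is the usual next step, as long as its lifetime stays below the provider's token expiry.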

Yes, you can use Spring Oauth2. You have to implement the Resource Owner Password Credentials Grant Oauth2 flow. You have to create a login page for end user and your client app will send the user's credentials as well as your client system credentials (use HTTP Basic Authentication for client system credentials) to authorization server to get the token.

There are two ways to implement it-

  1. Using client system id and password - When calling the token endpoint using this grant type, you need to pass in the client ID and secret (using basic auth).

curl -u 972.344.780-00:123456 "http://example.com/webapi/api/web/token?grant_type=password&username=addEndUserNameHere&password=addEndUserPasswordHere"

  2. Using Client system ID only (no client system password) - Authorization Server should have a client setup to support this flow without any password-

Child class of AuthorizationServerConfigurerAdapter should have below code-

// Both methods go inside your subclass of AuthorizationServerConfigurerAdapter

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("clientId")           // client id only, no client secret
        .authorizedGrantTypes("password")
        .authorities("ROLE_CLIENT")
        .scopes("read");
}

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    // lets the client send client_id as a form parameter instead of HTTP Basic
    oauthServer.allowFormAuthenticationForClients();
}

Now you can use below-

POST http://example.com/webapi/api/web/token?grant_type=password&client_id=my-trusted-client&scope=trust&username=addEndUserNameHere&password=addEndUserPasswordHere

Note - This flow is less secure than other Oauth2 flows and recommended for trusted client app only because user has to provide credentials to client app.

ManishSingh
  • Where is the login/logout endpoint? Where I store the token received? – Murillo Goulart Oct 31 '17 at 11:22
  • Login end point - Token end point is used to get the access token, treat user as a logged-in user if token is valid. This flow is not supported by OpenID connect ID. – ManishSingh Oct 31 '17 at 11:41
  • Store the token - You can store it in browser local storage, assuming you are using Angular. – ManishSingh Oct 31 '17 at 11:42
  • Log out end point - There is no logout end point for this flow, just remove the token from local storage. – ManishSingh Oct 31 '17 at 11:43
  • Please let me know if you have any more queries. And you can get more details on this link - https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh – ManishSingh Oct 31 '17 at 18:43
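Added example, not from ManishSingh's answer: the backend side of the custom login form, a Spring controller that performs the password-grant exchange he describes against the token endpoint from the question and hands only the resulting token back to the Angular client, so the browser never talks to the provider directly. The /api/login path, the LoginRequest field names, the property names holding the client system's credentials, and the shape of the token response (a standard OAuth2 access_token) are assumptions of mine.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestTemplate;

@RestController
public class LoginController {

    // Token endpoint from the question
    private static final String TOKEN_URL = "http://example.com/webapi/api/web/token";

    // Assumed property names: the client system's own credentials live in configuration, not in source
    @Value("${provider.client-id}")
    private String clientId;
    @Value("${provider.client-secret}")
    private String clientSecret;

    private final RestTemplate rest = new RestTemplate();

    /** JSON body posted by the custom login form; field names are my own. */
    public static class LoginRequest {
        public String username;
        public String password;
    }

    @PostMapping("/api/login") // hypothetical path on your own backend
    public ResponseEntity<Map<String, Object>> login(@RequestBody LoginRequest req) {
        // Resource Owner Password Credentials grant: the same form body the question shows
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "password");
        form.add("username", req.username);
        form.add("password", req.password);

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        // Variant 1 of the answer: the client system authenticates with HTTP Basic (what curl -u does)
        String basic = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        headers.set(HttpHeaders.AUTHORIZATION, "Basic " + basic);

        try {
            Map<?, ?> body = rest.postForEntity(TOKEN_URL, new HttpEntity<>(form, headers), Map.class).getBody();
            // Assumption: a standard OAuth2 token response; only these fields reach the browser,
            // the end user's password is never echoed back
            Map<String, Object> out = new HashMap<>();
            for (String key : new String[] {"access_token", "token_type", "expires_in"}) {
                if (body != null && body.get(key) != null) {
                    out.put(key, body.get(key));
                }
            }
            if (!out.containsKey("access_token")) {
                return ResponseEntity.status(HttpStatus.BAD_GATEWAY).build(); // provider answered 200 without a token
            }
            return ResponseEntity.ok(out);
        } catch (HttpStatusCodeException e) {
            // 400 invalid_grant / 401 from the provider mean the credentials were refused; one generic
            // status keeps the UI from learning which field was wrong
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
    }
}
```

The Angular form posts username and password to /api/login over TLS and keeps the returned access_token for the Authorization: Bearer header on later calls; the end user's credentials are forwarded once and never stored on the backend.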

See the example here:

Using JWT with Spring Security OAuth2 with Angular

In this tutorial, we’ll discuss how to get our Spring Security OAuth2 implementation to make use of JSON Web Tokens.

http://www.baeldung.com/spring-security-oauth-jwt

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // The AuthenticationManager exposed by your WebSecurityConfigurerAdapter
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore())
                 .accessTokenConverter(accessTokenConverter())
                 .authenticationManager(authenticationManager);
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Placeholder signing key from the tutorial: anyone who knows it can mint valid tokens,
        // so in a real deployment load a strong secret (or an RSA key pair) from configuration
        converter.setSigningKey("123");
        return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setTokenStore(tokenStore());
        defaultTokenServices.setSupportRefreshToken(true);
        return defaultTokenServices;
    }
}
аlex
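Added example, not from аlex's answer or the linked tutorial: the same JwtAccessTokenConverter and JwtTokenStore beans, but with the hard-coded symmetric signing key replaced by an RSA key pair loaded from a keystore, so the key that mints tokens stays out of source control and never has to be copied to the resource servers. The property names and the keystore layout are assumptions of mine.

```java
import java.security.KeyPair;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

@Configuration
public class JwtSigningKeyConfig {

    // Assumed property names; the keystore is created out of band (e.g. keytool -genkeypair)
    // and only the authorization server host has read access to it
    @Value("${jwt.keystore.path}")
    private String keystorePath;
    @Value("${jwt.keystore.password}")
    private String keystorePassword;
    @Value("${jwt.key.alias}")
    private String keyAlias;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // RS256 instead of a shared secret: only this server holds the private key, so a
        // compromised resource server can verify tokens but cannot mint its own
        KeyPair keyPair = new KeyStoreKeyFactory(
                new FileSystemResource(keystorePath), keystorePassword.toCharArray()).getKeyPair(keyAlias);
        converter.setKeyPair(keyPair);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }
}
```

On a resource server the matching converter is built with setVerifierKey and the PEM-encoded public key only; rotating the key then means publishing a new public key, not redistributing a shared secret.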