
I have a webapp where the backend is a REST server and the front end is an Angular 2 SPA. I have split the backend into a Resource server and an Auth server. My current webapp allows the end users to

  • Either register manually and log in to use the website
  • Or use Facebook to log in.

For use case 2, i.e. Facebook log in, I am doing the following

    1. Get the FB token via the FB JS SDK (requested by the Angular frontend)
    2. Send this token to the Resource server
    3. Verify it in the Resource server by calling the FB API and checking the token validity and user_id
    4. Now generate my webapp's token from my webapp's Auth server
    5. And use this token for further API validations

In step 4, I am not sure how to proceed further. From the docs, it seems that the most suitable grant is password in this case. If I use the "password" grant_type, then I need to supply the username and password from the Resource server, which I cannot, because my passwords stored in the DB are Bcrypt encoded (encrypted).

How should I solve this issue? This is a rather common use case; I am wondering what others do to validate their APIs after logging in through Facebook. Do they use FB tokens for all successive API validations, or their local tokens?

Can someone point out the correct grant_type I should use so that I don't lose track of the logged in user?

TruckDriver
  • Take a look at client_credentials: https://stackoverflow.com/questions/34842895/difference-between-grant-type-client-credentials-and-grant-type-password-in-auth – StvnBrkdll Jan 06 '18 at 19:59
  • @mangotang If I use client credentials, then how do I pass the user id/username in the JWT token? I will be needing this later in some APIs. Also, the Spring default token endpoint /oauth/token does not accept extra params. – TruckDriver Jan 06 '18 at 20:09
  • The client no longer needs the username; the JWT token is the mechanism for confirming the client's identity with the resource server. When the resource server receives the JWT token from the client, the resource server validates the JWT token with the authorization server. If the authorization server says the JWT token is valid, then it is safe for the resource server to authorize the client's request. Also take a look here for help in making your decision: https://auth0.com/docs/api-auth/which-oauth-flow-to-use – StvnBrkdll Jan 06 '18 at 20:17
  • @mangotang No, it is not correct. Imagine an API, followRequest(A id, B id), which lets A follow B. But if C can use his own valid token and call this API, that would mean A followed B, which A never initiated. – TruckDriver Jan 06 '18 at 20:19
  • If you want to verify that the JWT token is for the user making the request, Spring has "token enhancers" that can add data to the JWT token. You could use this to embed the username in the JWT token before it is signed and encoded, and then the resource server can decode the JWT token and verify that the username in the JWT token has the authority for the action. You may want to look into OAuth2 scopes for help in authorization. Scopes can be used to identify what the client can and can't do. – StvnBrkdll Jan 06 '18 at 20:24
  • @mangotang, hope I am not bothering you, but the TokenEnhancer sits in the Auth server, and the token generation request is coming from the Resource server, which has knowledge of the username/id. How can I pass this to the Auth server? – TruckDriver Jan 06 '18 at 20:26
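The two points raised in the comments, embedding the local user identity in the webapp's own token (steps 4 and 5 of the question) and then checking on the resource server that the token's subject is the user the action is performed for (the followRequest(A, B) case), as an added illustration that is not code from the question or from Spring. It assumes a hand-rolled HS256 JWT with a shared secret so it runs stand-alone; the Facebook token check and the mapping from Facebook user_id to a local account id are assumed to have already happened.

```python
import base64, hashlib, hmac, json, time

# Constructed secret for this example only; a real auth server keeps it out of source.
AUTH_SERVER_SECRET = b"example-hs256-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_local_token(local_user_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Auth-server side: mint the webapp's own JWT with the local user id as 'sub'.
    Called only after the Facebook token was verified and mapped to a local account."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": local_user_id, "iss": "webapp-auth", "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(AUTH_SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_local_token(token: str, now=None) -> dict:
    """Resource-server side: check structure, alg, signature and expiry; return the claims."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except ValueError:
        raise PermissionError("malformed token") from None
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise PermissionError("unexpected alg")
    expected = hmac.new(AUTH_SERVER_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def follow_request(token: str, a_id: str, b_id: str, store: dict, now=None) -> bool:
    """followRequest(A, B): A follows B. The acting user must be the token's subject,
    so a valid token issued to C cannot make A follow B."""
    claims = verify_local_token(token, now)
    if claims["sub"] != a_id:
        raise PermissionError("token subject is not the acting user")
    store.setdefault(a_id, set()).add(b_id)
    return True
```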
