
I am trying to secure REST API using Google OpenID and Spring Security 5. Is there any example that I can refer to?

I am using Spring Boot and want to learn how I can secure my REST API using Google OpenID.

Nirav

1 Answer

There are numerous examples and tutorials for OAuth and Spring Boot. A Google search for google oauth spring boot finds dozens.

Spring Boot and OAuth2

Spring Boot - Google OAuth2 Sign-In

Getting Started With Google Sign-In and Spring Boot

John Hanley
  • Thank you for the reply. I have tried these solutions and they work fine when you put the front-end app in the same project as the backend. I am trying to separate frontend and backend into different projects deployed on Kubernetes. I found a way to actually make it work but haven't tried it. In that case, you get a one-time token by sending a request to Google and then send this token to the server and let the server get the Access Token and Refresh Token. Here is a doc I found: https://developers.google.com/identity/sign-in/web/backend-auth I would try to post code on GitHub once I get it working. – Nirav Dec 12 '18 at 13:48
  • OAuth 2.0 does not work that way. If it did, this would be a security hole. You cannot pass the ID Token to a server backend and then have it obtain an Access Token or Refresh Token. You can pass the Access Token from client to backend, but the backend will not be able to refresh the token. The correct method is to implement OAuth on the backend. Save the Access Token, Refresh Token and Client ID in a session state for the client. – John Hanley Dec 12 '18 at 17:05
  • I agree with you, but if I am implementing on the backend service, I would not be able to prompt a window for the user to consent to permissions. I cannot use implicit_grant since Google OAuth does not support it except for client-side web applications. Please let me know what would be a way in this scenario. Thank you again for the help. – Nirav Dec 13 '18 at 14:08
  • @NiravPatel - OAuth 2.0 requires a solid understanding to implement correctly. Google imposes additional features and limitations. I would start reading the documentation, create some of the same applications, etc. There are nuances that you need to know that you can only learn by actually doing it. – John Hanley Dec 13 '18 at 19:08
  • Thank you @john-hanley. I sure will read more and implement in apps. – Nirav Dec 14 '18 at 03:39
  • @Nirav I am also trying to implement the same thing. Searching for the answers on the internet but not finding any relevant information. Today I found this article. It might help. https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/ – Pratik soni Aug 06 '19 at 08:24
  • Hey @Pratiksoni, thanks for the link. However, in my case, I had to use the hybrid flow. I am not sure if you have the same scenario or not. Otherwise, Spring Boot provides support out of the box for Google, Facebook, and Okta (from what I remember). Here is the doc: https://spring.io/guides/tutorials/spring-boot-oauth2/ HTH. – Nirav Aug 06 '19 at 22:37
  • `@EnableOAuth2Sso` is an old way. Is there something for `Spring Security 5`? – Ashish Kamble Dec 10 '19 at 12:40
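An added example (not code from the question, the answer, or the linked guides) of the direction John Hanley's comment points to and the last comment asks about: a Spring Security 5 resource server for a separately deployed front end that verifies the Google ID token it receives (signature against Google's published keys, expiry, issuer, audience), as the backend-auth doc describes, rather than trying to exchange it for access or refresh tokens. Assumptions of mine: Spring Boot 2.2+ with spring-boot-starter-oauth2-resource-server (Spring Security 5.2+), and the class name and GOOGLE_CLIENT_ID are placeholders.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@EnableWebSecurity
public class GoogleIdTokenResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Google's signing keys (jwks_uri from the accounts.google.com OIDC discovery document).
    private static final String GOOGLE_JWKS_URI = "https://www.googleapis.com/oauth2/v3/certs";
    // Google documents both spellings of the issuer claim for ID tokens; accept exactly these.
    private static final String ISSUER_HTTPS = "https://accounts.google.com";
    private static final String ISSUER_BARE = "accounts.google.com";
    // Placeholder (assumption): the OAuth client ID the front end uses for Google Sign-In.
    private static final String GOOGLE_CLIENT_ID = "REPLACE-WITH-YOUR-CLIENT-ID.apps.googleusercontent.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Stateless API: the ID token in "Authorization: Bearer <token>" is the only credential.
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(GOOGLE_JWKS_URI).build();
        // createDefault() checks exp/nbf; the custom validator adds the iss and aud checks
        // from Google's backend-auth guidance, so a token minted for another app is rejected.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefault(), googleIssuerAndAudience()));
        return decoder;
    }

    private static OAuth2TokenValidator<Jwt> googleIssuerAndAudience() {
        OAuth2Error bad = new OAuth2Error("invalid_token", "Not a Google ID token for this client ID", null);
        return token -> {
            String iss = token.getClaimAsString("iss");
            List<String> aud = token.getAudience();
            boolean ok = (ISSUER_HTTPS.equals(iss) || ISSUER_BARE.equals(iss))
                    && aud != null && aud.contains(GOOGLE_CLIENT_ID);
            return ok ? OAuth2TokenValidatorResult.success() : OAuth2TokenValidatorResult.failure(bad);
        };
    }
}
```

Without the audience check, a validly signed Google ID token issued to any other application would also authenticate against this API, which is the detail the backend-auth doc stresses and the default JWT validators do not enforce.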