
I've implemented a Spring app with MongoDB, and now I've implemented REST authentication with Spring Security and MongoDB. Now I have to add the Authorization header, and the API call only returns its data if the Authorization is OK. That part works, but I'm wondering how I get this value. I mean, I want to make a login for the app; should I have an authorization for this? If not, should the login response return this authorization so it can be used in the next calls? I have also read about AWS tokens and about OAuth2, but I really want to understand the process: what's the flow for a normal user to log in to the app and then make calls with authorizations?

My platforms are :

DB -- MongoDB

Server -- Spring

Web -- Angular

App -- Android

This is a project for a quiz game that could support multi-game options (more than one player playing at once).

So what I need to understand is: from the app / web I have to make a call, let's say api/v1/login, and then send the user and password. OK, but where's the part where I have to create the bcrypted and salted stuff to store in the DB? Do I have to do it on the app and then send, for instance, the SHA stuff via JSON in the login call, or is it better to send the password to the server so the server does all of the stuff and stores it in the DB?

StuartDTO

2 Answers


In the scenario you describe there is no sense in using either OpenID Connect or OAuth2. There is a single server for both authentication and resources. The scenario could be roughly this:

  1. Client (Angular or app) sends the credentials to the server in plain text over a secured HTTP connection to log in
  2. Server responds with an access and a refresh token
  3. Both tokens need to be saved on the client device (e.g. Local Storage)
  4. You send the access token along with every request that requires authentication
  5. Before the access token expires you trigger a certain REST call to refresh the tokens using your refresh token
  6. Server sends back a new access and a new refresh token. Store them and delete the old ones.

Using Spring Boot you pretty much get it all for free. Unless you have a specific example, I'd spare giving code snippets. You'll find wonderful and concise examples on the auth0 site.

Find here an Angular tutorial on how to send the access token along with your requests.

Regarding your DB questions, a simple but valid scenario could be to store (in the DB) the encrypted password alongside your user. If a user logs in, he will send you the plain text password, which you need to encrypt and compare to the one you stored. Never store the plain text password; just use it for the login process. There are several best practices you might want to consider when using passwords in Java applications.

Jan B.
  • Yes, that's what I need, but Matt, could you please specify what I should do on the DB? So, should I save the bcrypted password? And is it a good idea to check if user == user and password == password instead of user == user and passwordencrypted == passwordencrypted? – Skizo-ozᴉʞS ツ Jan 13 '19 at 20:15
  • I've added a section in the post regarding the login process. – Jan B. Jan 14 '19 at 07:58
  • Thanks Matt, nice answers. I guess there is one last question I have: how do the apps/web know that the token has expired? When I do an API call, does it return 403 for instance, and then I have to do the extra call? – StuartDTO Jan 14 '19 at 10:08
  • Speaking of tokens, you typically (but not necessarily) mean a JWT, which is a JSON structure that can contain multiple properties, among many others also the time when the token was issued and when it will expire. With this information you know when to refresh the token. There is no need to have the backend check the validity of the token. See https://en.wikipedia.org/wiki/JSON_Web_Token – Jan B. Jan 14 '19 at 10:53

I strongly suggest that you use Spring Security, OAuth2 and JWT tokens in order to protect your REST API. The flow is the following:

  • the user can log in to the app
  • a token is generated
  • this token is set in the header of each request

Usually tokens have a time duration. Basically OAuth2 defines 2 entities:

  • Authorization Server: it's the entity responsible for the authorization process. It checks the provided credentials and, if all is OK, it generates the token
  • Resource Server: it's the entity that exposes the REST API. This entity checks, in every request, that a token is present and that the token is valid

More information is available here: https://www.baeldung.com/spring-security-oauth-jwt

UPDATE

Here https://github.com/angeloimm/spring_oauth I uploaded a simple sample of Spring (and not Spring Boot) OAuth JWT authentication based on an H2 DB.

You can download it and adapt it to MongoDB. I think it's simple enough to adapt. Sadly it's a very intense working period for me and I'm not able to do it.

I hope it's useful.

Angelo

Angelo Immediata
  • OAuth is an authorization delegation protocol, not an authentication one. OAuth2 along with a JWT authentication layer is known as OpenID Connect (OIDC) – Gab Jan 07 '19 at 10:43
  • So, I have to store them in the cache of the app and in the cache of the web? I mean the access_token and the refresh_token? How do I get them from both sides? – StuartDTO Jan 07 '19 at 12:39
  • The one that generates the access_token and the refresh_token is the Authorization Server. Once you get them you must store them. How to store them depends on your business logic. E.g. if the access_token never expires, well, you should persist it in some way. Otherwise you can have a cache with a duration equal to the token duration – Angelo Immediata Jan 07 '19 at 14:23
  • Could you please provide an example? Do you get those from Spring? So I have to send them as the answer to the login? I don't need examples about web or Android, I need examples of how to provide them from the server and what to store there – StuartDTO Jan 07 '19 at 17:18
  • Sorry, I have been busy. Tomorrow I'll provide a full working example – Angelo Immediata Jan 07 '19 at 20:39
  • @AngeloImmediata could you add the example please? – StuartDTO Jan 11 '19 at 14:22
  • See my edit section. If OK, can you accept this as the exact answer? – Angelo Immediata Jan 11 '19 at 18:12
  • Angelo, but how do I adapt your code to Spring Boot? I need to use Spring Boot – StuartDTO Jan 12 '19 at 10:03
  • I don't want to use a webapp from Spring, I want to use for example Angular – StuartDTO Jan 12 '19 at 10:05
  • The baeldung link is for Spring Boot. I think you have all you need to adapt it – Angelo Immediata Jan 12 '19 at 12:07