
I don't really understand the concept of how exactly I have to link the front end with the back end using OAuth2. I see a few libraries in Spring, such as oauth2-client and oauth2-resource-server. As the client I use an Ionic application which gets a token from Google and then sends this **ID token** to my backend Spring Boot application, which uses oauth2-resource-server; I validate this bearer token and return data from the API resource.

But I want to create a local user (register the user), and I don't really understand where and, mainly, how I must create this local user.

Now it just validates the ID token from Google and returns info from the API resource.

Which is the right way to use OAuth2? I think it will be like:

  1. User approves Google OAuth2
  2. Front end sends a request with the ID token
  3. Backend checks if the user already exists (if not, creates it from the ID token info)
  4. Backend creates an access token and returns it to the front end
  5. Front end gets info from the resource server with the access token

Can you explain how I must do that correctly?

My code on Spring Boot

security.conf

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests()
                    .requestMatchers("/open").permitAll()
                    .anyRequest().authenticated()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .oauth2ResourceServer().jwt()
                .and().and()
                .cors().and().csrf().disable()
                .build();
    }

application.yml

    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: accounts.google.com
              jwk-set-uri: https://www.googleapis.com/oauth2/v3/certs

build.gradle

    implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-web'

dur
evilGenius
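The resource-server side of steps 2 and 3 of the flow sketched in the question, as an added example that is not code from the question or the answer. It assumes a hypothetical Spring Data-style `LocalUserRepository` with `findByGoogleSubject`/`save` and a `LocalUser` record with a `role()` accessor, plus a placeholder Google client ID; besides creating the local user on the first authenticated request, it adds the `aud` check that the posted configuration does not perform.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {
    // Assumptions: LocalUserRepository/LocalUser are hypothetical (your own JPA types);
    // IONIC_CLIENT_ID is a placeholder for the Google OAuth client ID the Ionic app uses.
    private static final String IONIC_CLIENT_ID = "<google-client-id>.apps.googleusercontent.com";

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri("https://www.googleapis.com/oauth2/v3/certs").build();
        // Google ID tokens carry iss = "https://accounts.google.com" or "accounts.google.com"; accept both.
        OAuth2TokenValidator<Jwt> issuer = new JwtClaimValidator<String>(JwtClaimNames.ISS,
                iss -> "https://accounts.google.com".equals(iss) || "accounts.google.com".equals(iss));
        // The posted config only checks iss, so a valid Google ID token minted for any other
        // application would be accepted; require aud to name this app's client ID as well.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(IONIC_CLIENT_ID));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(JwtValidators.createDefault(), issuer, audience));
        return decoder;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder decoder, LocalUserRepository users) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.requestMatchers("/open").permitAll().anyRequest().authenticated())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)
                        .jwtAuthenticationConverter(token -> toAuthentication(token, users))))
                .build();
    }

    // Step 3 of the flow in the question: look the Google subject up locally, creating the user on first visit.
    private static AbstractAuthenticationToken toAuthentication(Jwt jwt, LocalUserRepository users) {
        LocalUser user = users.findByGoogleSubject(jwt.getSubject()).orElseGet(
                () -> users.save(new LocalUser(jwt.getSubject(), jwt.getClaimAsString("email"), "USER")));
        return new JwtAuthenticationToken(jwt, List.of(new SimpleGrantedAuthority("ROLE_" + user.role())));
    }
}
```

Because a `JwtDecoder` bean is declared, Spring Boot's auto-configured decoder from the `issuer-uri`/`jwk-set-uri` properties is not used; the validators above replace it.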

1 Answer

You should configure an OAuth2 authorization server on your backend (ideally an OpenID Provider with social login features for your "login with Google" feature). This OAuth2 authorization server will handle user registration and authentication (with the authorization-code flow).

There are plenty of such solutions to either run on your servers (Keycloak is a famous one) or use from the cloud (Auth0 and Amazon Cognito are just two samples among many offerings). You could even build your own authorization server with Spring (there is a spring-authorization-server project for that, but be aware that it will require much more effort to get started).

Regarding your Ionic frontend, either:

  • make it a public OAuth2 client with a lib for your framework (for instance angular-auth-oidc-client if using Angular), but this is not the trend
  • insert an intermediate OAuth2 client on your server between your frontend and the REST API. This is called the Backend For Frontend pattern and aims at hiding the OAuth2 tokens from browser or mobile applications. Spring Cloud Gateway can be configured as a BFF.

My tutorials cover most of these subjects.

ch4mp
  • I looked at your project and have some questions. If I want to use only Spring Boot without Keycloak or something else, then I must have two services, where the first is the authorization server and the second the resource server? And if so, then the client who gets the ID token from Google will be Ionic? And if it is the Ionic client, then the auth server has to register the new user via an API? So many questions ... – evilGenius Apr 10 '23 at 09:07
  • And as many answers in the tutorials linked. Do not skip the OAuth2 essentials section in the main tutorials README – ch4mp Apr 10 '23 at 14:50