I am trying to authenticate my user from my Android application to my server using Spring Security OpenID, to call webservices (secured by Spring Security).
I looked AccountManager from Android to get google account (I obtain email address).
So, how to authenticate using OpenID (I cannot post j_spring_openid_security_check because user action is needed to authorize access, and is a webpage...) ?
or How to secure my REST Webservices call (if OpenID authentication is not possible) ?
Related
I am using Cognito in AWS. There are no users in the Cognito User-Pool, instead of this it is connected to a federated IDP through OpenId Connect. The federated IDP is an Microsoft ADFS.
I have another application, which is using the Cognito OpenId Connect solution for securing an web Application.
The User access the Web Applikation, is beeing redirected to the IDP Login page. He authenticates against the federated IDP, gets back to the Website and is logged in there.
Everything is fine in this scenario.
The same web application offers a REST Api, too. With this connection I have some trouble. There is no human user who is consuming this API, but I have a service account created in ADFS.
First of all I need to get the access code:
https://demo-cognito-trg.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=1************q&redirect_uri=https://my-redirect-domain/management&state=STATE&scope=openid+profile+email
From that URL I can get the authorization code and use this to get an access_token from the oauth2/token endpoint. But when I do a GET on this ressource, I get a webpage where I need to authenticate myself.
What call do I need to perform so that I can use f.e basic auth to signin my service user?
I have my Spring Boot application, that provides some rest endpoints. Those rest endpoints need security, and I want to use the Oauth2 for it.
My idea is to use Google oauth2 token for that. I don't want to provide login functionality in my Spring Boot app, so I just want to check that the Bearer token is there and get the user info from it to display his/her data accordingly.
I'm checking this tutorial, but I don't think it's exactly what I want
https://www.baeldung.com/spring-security-5-oauth2-login
I would like to explain some scenrios that should be considered while deciding the security approach:
If your application users exists in google, means users having google accounts, then you can go for google authorization server oauth 2.0 https://developers.google.com/identity/protocols/OAuth2, In this case your should register on google developer portal, and application will recieve the access and refresh token after successful authentication of users. After that OpenId call can be made to google to get the user information
Above flow and integration will same as, Like you see the link on Quora application for "Login via google".
Now in services you can request validate the Bearer token via google oauth 2.0 validate endpoint and call the userinfo endpoint to fetch the user information.
if you go for JWT token then there wont be requirement to reach out to google authorization server for token validation and userinfo call.
Second approach is to build your own oauth 2.0 server using springBoot - https://spring.io/guides/tutorials/spring-boot-oauth2/
Use API gateway layer for token validation and further authorization can be done on microservices using spring security.
At the end of this tutorial you have more info for Google’s userInfo endpoint response:
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
You can check there :)
Apologies, I work predominantly with iOS lately, and its been a while since I've worked with Spring.
Tools:
Kotlin
Spring Boot
Spring Social
Problem:
I'm building an app that allows typical 'Login with Facebook' type functionality.
I'd like to send the OAuth token obtained by the iOS client to the backend to authenticate with. If the token is valid, the backend will return successful authentication, otherwise indicate invalid credentials.
After logging in with the OAuth token, some profile information will be retrieved.
Question:
Most of the Get Started guides seem to follow the authentication with OAuth using username and password credentials.
Using Spring Social+Facebook, how can I:
Authenticate using an OAuth access token and retrieve profile data?
It is simple - Spring's FacebookTemplate can be instantiated with an oauth access token as follows:
val facebook = FacebookTemplate("$$TOKEN$$")
I am creating an application in Google App Engine java. In this application I have to authenticate the users using OAuth2. These users belongs to other Service provider lets say example.com(means they have their account on example.com). I checked the Google App Engine documentation about Authentication and Authorization through OAuth. In this documentation they just provide the way to authenticate and authorize the google users not the other domains user. I have also checked the OpenID functionality in google app engine but I don't need this because example.com don't provide OpenID endpoints to authenticate user. please help me to derive a solution to authenticate the user.
I solve this problem by myself. I use Google OAuth Client Library for Java. This library can handle OAuth 1.0 and OAuth2.0 communication.
I'm developing a web application that has a REST api. At the moment the Api are protected in the server side trough spring security with a form-login authentication. Recently I also added spring social to allow access with facebook and twitter and all this works. So a user has to be registered to access some endpoint.
Now I have to build a mobile application that has to access the REST api and I was wondering what strategy I should use.
I saw that facebook has a android/ios sdk to allow the authentication on mobile side. So once theuser is authenticaded on the mobile I should do the request to my server so how should I authenticate the user on the server side to access the resources?
If you think that is not a good solution can you give me an advice how I should solve this problem?
Two options:
Your mobile app can login to your API the same way your other client code does, via form-login or spring social. Simply send the same session ID cookie with your API calls after login.
You can allow your app to accept a username and password as HTTP headers via HTTP-Basic, to save yourself the initial login step. This might be more useful if you don't need to make a lot of API calls per session.