How do I use OAuth within my Java GWT application?
In particular, I want to get a list of users in my Google Aps domain, using this API:
http://code.google.com/googleapps/domain/profiles/developers_guide_protocol.html
I know this sounds like a question, that probably has been asked many times before, but I couldn't find any Java code on how to realize the OAuth steps described in the API above.
I would be glad if someone could share some code, or point me to the right docs.
This tutorial by Matt Raible is easily the best one I've seen so far on OAuth and gwt. He also has a very good picture depicting the authentication flow, which I always find help. However, as Matt himself says, the solution is not 100% reliable, but it might still get you part of the way.
With this in mind, it might be better to just go with a pure javascript implementation of it. You'll find one such implementation right here. This SO thread might come in handy to you if you chose that path.
Best of luck to you.
What do you mean in your GWT application?
Do you mean client-side only?
Because on the server you can easily use the Scribe OAuth library.
It has a good documentation and is fairly simple to use.
For integrating OAuth and GWT, you should start with Scribe which handles the implementation of the OAuth:
https://github.com/fernandezpablo85/scribe-java
Next, you need to create a GWT widget that can handle the user's interactions to acquire permission to access their account. Then grab the response token, and make the API requests to the external site.
No point re-implementing OAuth when scribe already does it for you - you just need to. I'd probably aim to use a GWT Popup for doing the authentication:
http://gwt.google.com/samples/Showcase/Showcase.html#!CwBasicPopup
Related
1 - Current situation
We've got a REST API (coded with the Play framework 2.5 in Java) and four front-end interacting with it (two web apps: a back office and our site coded with React, and two mobile apps: Android and iOS).
Everything is working correctly, but without user management.
2 - What we want to do
We would like to add user management with two roles: user (can sign up and log in to our site and our mobile apps) and admin (can do everything a user can do plus can log in to the back office). In other terms, administrators can use all web services whereas users can only use some of them.
Firstly, users have to be able to sign up with email and password.
In a second time (this is not part of our MVP), we would like to give the opportunity to register using a Google or a Facebook account.
3 - Technical choice
After reading a lot, we think that an authentication whose authorization step is taken care of by Oauth2 is a suitable choice.
But, during our research, we found articles that have made us hesitate, with sentences like theses ones:
"You should only use OAuth if you actually need it. If you are
building a service where you need to use a user’s private data that is
stored on another system — use OAuth. If not — you might want to
rethink your approach!"
"To be clear, OAuth 2.0 at the hand of a developer with deep
understanding of web security will likely result is a secure
implementation. However, at the hands of most developers — as has been
the experience from the past two years — 2.0 is likely to produce
insecure implementations."
We're not going to implement Google or Facebook authentication right away and don't have a "deep understanding of web security", so we question the relevance of choosing Oauth2.
4 - Implementation
We've understood the way Oauth2 works and are not afraid by the implementation of the client side, it seems straightforward (and many projects exist to facilitate its implementation).
On the contrary, for the server side, we will have to create an authorization server and it scares us a bit because we don't know how to do. Implement the whole by ourselves seems to be a fairly substantial and difficult job (and we didn't find any example using Play Java), we're scared to make a mistake that would create a security hole and don't want to reinvent the wheel. We've found some tools like Apache Oltu or Spring Security (that I've used in another project) but we're not sure if they're suitable for what we want to do.
5 - Questions
Is Oauth2 really a suitable choice for our needs?
If we choose Oauth2, what should we do about implementation? Trying to do it by ourselves? Using a tool like Apache Oltu or Spring Security?
Thank you in advance for your answers!
I'm using the auth0-spring-security-api and I have a scenario where I need to update the app_metadata for a user when they make a request to an endpoint in my API. I've been looking for any sort of example or even method in the source that could give me a clue on how to do this and I just haven't seen anything. Does anyone know how to do this?
After a bit of searching I found a solution. The answer is essentially that you need to connect to the management API via a http request that you can find in the Auth0 management api examples for various endpoints. I was somewhat hoping that they would have some sort of existing java library to make it easier instead of having to roll my own. I did however find this github repo
that explains what is needed to connect to their API.
I have a web ui based app which I have been told, calls a rest microservice/webservice. There is no documentation for this service and there is no one who can explain the huge code to me. Moreover, the code is not self documenting.
I want to understand how the service works, by mapping the actions done on the web UI to the service calls. After googling, it seems that I can take two approaches to do that.
1 - Use chrome developer tools network module.
2 - Use fiddler or charles proxy.
Please tell me which approach is best and why. If both are not good, then please tell me how I can achieve my goal.
Thanks.
Given it has been clarified that #testmonkey has access to the source which is a spring boot rest application and the requirement is an easy way to explore and document the rest interface. Its fair to answer that YES you could use fiddler or chrome, however given access to the source a better and more complete solution is the HAL browser:
http://docs.spring.io/spring-data/rest/docs/current/reference/html/#_the_hal_browser
I'd like to know which mechanism I should use to implement authorization once I must use Central Authentication Server and it'll be written using Java. Is there any that was made thinking about cas module?
Another way would be use pac4j and Deadbolt2 at the same time, so, is that the best way so on?
Btw, I took a look at Deadbolt2 but i'm not sure if it fits well for play 2.2 version, does it?
Thanks
I'm the creator of pac4j and I don't know deadbolt2. Reading quickly the doc, it seems a bit complicated at first glance.
I had in mind to create something really easy (maybe too simple?) for authorizations in play-pac4j: get the roles from the attributes of the user profile and add a rolesRequired attribute in the #RequiresAuthentication... Would you mind opening an issue on the play-pac4j project on Github to continue this discussion? Thx
I actually want to ask that what is the way to create an API for sites such as Facebook.. Twitter etc. I am an IT Graduate and do know programming but still wonder that how do people start to create their own set of API's for such websites. And Everyday people have a new API to access the site. Can someone throw light on the standard process that is being followed so as to achieve this ?
I think there is no unique canonical way for the design of a public web API. You could find best practices through.
This will also depend of the complexity of what you want to expose.
Basically you'll want it to operate over standard HTTP and be accessible both by backend systems and by browser client. So you'll choose either XML or JSON as the dataformat as it is supported by everybody.
A common pratice would be to adhere to the REST architecture, but this is only one choice over many. Today REST is a buzz word. So many tend to use it even if not really suited to their needs.
Like any public API, you should take great care of backward compatibility and futureproof design. The whole refactoring thing can be thrown away as you can't break client code when developping new features. A classical way to deal with this is to publish API per version and let the client stick with the version it support.
Check Spring Social. It is a framework to write api to connect to social networking websites. Also for doing that you need to have knowledge of OAuth protocol which is one of the protocols used to allow access to private information with other websites.