In a Spring Boot application, I have OAuth2 Authorization/Resource servers. Based on this and Spring Security, I have secured my Spring MVC REST API endpoints.
In
So what you want to achieve is: when clients redirect users to your authorization server (authorization code or implicit grant) in order to obtain a token, the user can log in using his favorite social network.
If I understand correctly, you have rolled your own implementation of single sign on (SSO) with Twitter (`ProviderSignInController`), and now you're left wondering how to generate a token when Twitter responds "OK".
I think you took the problem by the wrong end: instead of building your Twitter client and generating a token programmatically, the idea is to integrate social SSO inside the flow of spring-security-oauth2, which in reality is how to integrate social SSO in Spring Security.
In the end, it's about how your authorization server secures the AuthorizationEndpoint: `/oauth/authorize`.
Since your authorization server works, you already have a configuration class extending `WebSecurityConfigurerAdapter` that handles the security for `/oauth/authorize` with `formLogin`. That's where you need to integrate social stuff.
Instead of using the Spring Security built-in form authentication mechanism, you will have to plug in your own security that either allows the user to log in with a form, or starts SSO with other providers.
Spring Security is made of a bunch of abstractions, but it really just comes down to populating the `SecurityContext` with an `Authentication` object for each request.
Once the authentication process is complete, the user will continue to `/oauth/authorize`, consent to the client accessing some scopes, and the token will be delivered as it's usually done, without you having to generate tokens programmatically.
I have done that using SAML (Spring Security SAML extension), but in your case you should dig into the Spring Social projects, which seem to support all the major social networks out of the box.
The good news is that you already have a bunch of tools available, the "bad news" is that you will have to understand how they work to a certain degree in order to plug them together.
This tutorial shows how to achieve exactly that (if I understood the problem correctly): having an auth server issuing your own oauth2 tokens based on external oauth2 authentication. The corresponding code is available here.
The gist of it is that you use `@EnableOAuth2Client` in addition to `@EnableAuthorizationServer` and insert an `OAuth2ClientAuthenticationProcessingFilter` filter before Spring Security's default ones.
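As an added example (not the linked tutorial's code nor the answerer's), this is the wiring the answer describes: the authorization server's own `WebSecurityConfigurerAdapter` carries `@EnableOAuth2Client` next to `@EnableAuthorizationServer`, and an `OAuth2ClientAuthenticationProcessingFilter` is inserted ahead of the default filters so that an unauthenticated hit on `/oauth/authorize` is satisfied by logging in at an external OAuth2 provider rather than by a form. It assumes Spring Boot 1.5 with spring-security-oauth2 2.x, a hypothetical provider called "social" whose client id/secret and user-info URI are bound from `social.client.*` and `social.resource.*` properties, and `/login/social` as the callback path registered with that provider.

```java
// Added example: "social" is a hypothetical OAuth2 provider; its client id/secret,
// authorization/token URIs (social.client.*) and user-info URI (social.resource.*)
// are assumed to be supplied via application properties.
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.*;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.filter.*;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableAuthorizationServer   // this app still issues its own tokens via /oauth/authorize and /oauth/token
@EnableOAuth2Client          // and acts as an OAuth2 client of the external "social" provider
public class SocialSsoSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .anyRequest().authenticated()            // covers /oauth/authorize
            .and().exceptionHandling()                   // no formLogin: unauthenticated users
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login/social"))
            .and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    }

    // Finishes the provider's authorization-code exchange on /login/social, fetches the
    // user-info document, and stores the resulting Authentication in the SecurityContext,
    // so the request that continues to /oauth/authorize already has a logged-in principal.
    private Filter ssoFilter() {
        OAuth2ClientAuthenticationProcessingFilter filter =
                new OAuth2ClientAuthenticationProcessingFilter("/login/social");
        OAuth2RestTemplate template = new OAuth2RestTemplate(social(), oauth2ClientContext);
        filter.setRestTemplate(template);
        UserInfoTokenServices tokenServices =
                new UserInfoTokenServices(socialResource().getUserInfoUri(), social().getClientId());
        tokenServices.setRestTemplate(template);
        filter.setTokenServices(tokenServices);
        return filter;
    }

    @Bean @ConfigurationProperties("social.client")
    public AuthorizationCodeResourceDetails social() { return new AuthorizationCodeResourceDetails(); }

    @Bean @ConfigurationProperties("social.resource")
    public ResourceServerProperties socialResource() { return new ResourceServerProperties(); }
}
```

The `OAuth2ClientContextFilter` that `@EnableOAuth2Client` registers must run before the Spring Security filter chain for the redirect to the provider to happen; if Boot's default servlet-filter ordering does not achieve that, register it explicitly with a `FilterRegistrationBean` at a lower order.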