问题
In Spring Boot application I have secured my Spring MVC REST endpoints with Spring Security and Spring OAuth2. I have own Authorization\Resource servers so in order to comunicate with our API, client(AngularJS) needs to obtain acessToken from my API Authorization Server.
Everything works fine but for authentication/authorization on my API, user needs to create his account and provide us with his username/password.
I'd like to simplify this process and would like to propose user to authenticate on my API via Google/Facebook/Twitter oAuth providers.
Right now I have no clear understanding how it must work.. For example one of my ideas - Facebook will issue own accessToken and pass it back to my API. Based on this accessToken my API will issue own accessToken and pass it back to client application(AngularJS). Or should I pass Facebook accessToken directly to client app ?
What is the correct architecture for the described case ? How should it work ?
Maybe there is some example that demonstrates this architecture based on Spring framework ?
回答1:
If you want to delegate authentication to an external provider you can use the OAuth2ClientAuthenticationProcessingFilter, or the convenience annotations and external configuration provided in Spring Cloud Security. Example (from the Spring Cloud Security home page):
Aplication.java:
@SpringBootApplication
@EnableOAuth2Sso
public class Application {
...
}
application.yml:
spring:
oauth2:
client:
clientId: bd1c0a783ccdd1c9b9e4
clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
accessTokenUri: https://github.com/login/oauth/access_token
userAuthorizationUri: https://github.com/login/oauth/authorize
clientAuthenticationScheme: form
resource:
userInfoUri: https://api.github.com/user
preferTokenInfo: false
That works with github if your app is running on port 8080 (I believe). Similar configuration works with facebook, cloud foundry, google and other OAuth2 providers.
回答2:
In case of own OAuth2 or OAuth2 + JWT tokens please take a look into the following question Integrate Spring Security OAuth2 and Spring Social especially answer provided by @rbarriuso. You have to provide your own SocialAuthenticationSuccessHandler and send a redirect with own oauth2Token after successful authorization with any 3rdparty OAuth2 providers.
In other words the main idea of this technology agnostic solution is to issue your own access token and provide it to user after his successful authentication with the 3rdparty OAuth2 providers.
来源:https://stackoverflow.com/questions/29547671/rest-spring-own-oauth2-server-oauth2-providers-like-facebook-google-yahoo