  • How to use OAuth to log into consumer?

    I had a look at the Facebook integration in Tonr 2. While this is a nice example of how to request resources from a provider once you're authenticated against the consumer, I think the second use case is just as likely: use an OAuth provider to log into the consumer.
    Example: http://stackoverflow.com/users/login -> using Facebook

    So, the question is how I could make use of
    Code:
      <!--apply the oauth client context-->
      <oauth:client>
        <oauth:url pattern="/facebook/**" resources="facebook"/>
      </oauth:client>
    
      <!--define an oauth 2 resource for sparklr-->
      <oauth:resource id="sparklr" type="authorization_code" clientId="tonr"..
    configured in applicationContext.xml for login?

  • #2
    This case isn't really the domain of OAuth (and, by extension, isn't the domain of OAuth for Spring Security).

    What you're talking about is decentralized authentication, which is what technologies like OpenID are designed to address. OAuth is about delegated authorization. They can both work together, but are designed to address different things. Here are a couple of links with good information:

    http://stackoverflow.com/questions/1...enid-and-oauth
    http://softwareas.com/oauth-openid-y...the-same-thing

    For the case of Facebook, they have some JavaScript utilities and things that you can use to log in. You'll probably need to extend some Spring Security libraries so that you can tie the Facebook id to the user id of your application. Check out the Greenhouse project for some examples:

    Source code: http://git.springsource.org/greenhouse
    Live project: https://greenhouse.springsource.org/



    • #3
      Thank you for the helpful links. I'm very well aware of the difference(s) between OpenID and OAuth - I think.

      However, IMO you really can use both for this particular use case I'm talking about:
      - you have a consumer web site X.com which offers some services
      - you don't want your users to create yet another username/password combination to log into X.com (cornerstone of OpenID)
      - hence, you offer users the choice to either
      a) create an account at X.com with a username/password combination specific for X.com
      b) log in using an OpenID and most likely requesting user attributes through OpenID AX (attribute exchange) from the OpenID provider to populate the user profile at X.com
      c) log in using OAuth and asking for permission for X.com to obtain profile information on behalf of the user from the OAuth provider
      In case of b) and c) X.com might not get all information from the providers to fully initialize an X.com user profile. So, upon first login it might display a partially populated registration form asking the user to fill in the missing data and continue.

      I have yet to check out Greenhouse in more detail (i.e. looking at its source code), but doesn't the 'Sign in with Facebook' do exactly what I described above in c)?



      • #4
        Yes, each of those scenarios makes sense to me.

        So let's get back to your original question about any tools that might be needed to "use an OAuth provider to log into consumer". What exactly do you mean by that, and what specifically could be added to the library to further enable that?



        • #5
          Originally posted by stoicflame:
          What exactly do you mean by that, and what specifically could be added to the library to further enable that?
          Sorry about that. I always feel sorry for the poor readers if one can't understand what I mean. Looks like I failed again to properly express myself. Thanks for your patience.

          First, I'm not sure that there's anything that needs to be added to the library (hope my message didn't imply that). I was simply wondering how I need to configure OAuth for Spring Security to achieve c). It may be possible or it may not. I'm not familiar enough with the code yet to tell.

          The Tonr 2 example shows how to request resources from Facebook on behalf of the user. However, the example still requires the user to log into Tonr 2 using his Tonr username/password combination, i.e. the user can't use his Facebook credentials to access Tonr's /facebook/** resources.

          Code:
          <http auto-config='true' access-denied-page="/login.jsp">
            ...
            <intercept-url pattern="/facebook/**" access="ROLE_USER" />
            ..
          </http>
          I want to support a-c in one and the same application. It will be similar to http://www.gerixsoft.com/user/login (Facebook integration seems broken). The application has one single login page but conceptually three different login forms: username/password, OpenID, link to Facebook with redirect URL.

          Thanks to the "Spring Security 3" book chapter 8 I've got OpenID covered. So, a) and b) work just fine. I offer two login options on login.jsp. Excerpt from the configuration:

          Code:
          <http auto-config="true" use-expressions="true">
            <intercept-url pattern="/login.jsp" access="permitAll" />
            <intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
            
            <form-login login-page="/login.jsp" login-processing-url="/login" default-target-url="/"/>
            <logout logout-url="/logout" />
            
            <remember-me services-ref="rememberMeService"/>
            
            <openid-login login-processing-url="/openid_login">
              <attribute-exchange>
                <openid-attribute name="firstName" type="http://schema.openid.net/namePerson/first" />
                <openid-attribute name="lastName" type="http://schema.openid.net/namePerson/last" />
                ...
          How is it possible to add OAuth for Spring Security configuration elements to achieve c)?



          • #6
            So OAuth for Spring Security doesn't provide any configuration elements for c) because it requires some custom "core" Spring Security providers.

            Personally, I've never done what you're describing, but I know people who have. I'll see if I can get someone to respond, as it would be helpful to have in a thread.

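            An added sketch of what such custom "core" Spring Security pieces look like for case c): a processing filter that handles the provider's redirect and an AuthenticationProvider that maps the external id to a local account. This is illustrative code written for this thread, not code from OAuth for Spring Security or Greenhouse; `ExternalProfile`, `ProfileClient`, `OAuthLoginFilter`, `OAuthLoginProvider`, the `/oauth_login` callback URL, the `facebook:<id>` username scheme and `ROLE_PRE_REGISTERED` are all hypothetical names, and the pre-authentication token class is reused as a carrier so no custom token type is needed.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical: the profile the OAuth provider returns for the user (e.g. the Facebook id, name, email). */
interface ExternalProfile { String getId(); }

/** Hypothetical: redeems the authorization code for an access token and fetches the profile with it. */
interface ProfileClient { ExternalProfile fetch(String authorizationCode); }

/** Handles the redirect back from the OAuth provider, i.e. the "link to Facebook" login option. */
class OAuthLoginFilter extends AbstractAuthenticationProcessingFilter {
    private final ProfileClient profiles;
    OAuthLoginFilter(ProfileClient profiles) { super("/oauth_login"); this.profiles = profiles; }

    @Override public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
        String code = req.getParameter("code");
        if (code == null) throw new BadCredentialsException("callback without authorization code");
        // Redeeming the code server-side requires this application's client secret, so the profile
        // fetched with the resulting token belongs to the user who just authorized *this* application.
        ExternalProfile profile = profiles.fetch(code);
        // Principal = external id, credentials = the profile; the provider below resolves the local account.
        return getAuthenticationManager().authenticate(
                new PreAuthenticatedAuthenticationToken("facebook:" + profile.getId(), profile));
    }
}

/** Maps the external id to a local account; unknown users get a role that only permits registration. */
class OAuthLoginProvider implements AuthenticationProvider {
    private final UserDetailsService users;   // local accounts stored under "facebook:<id>"
    OAuthLoginProvider(UserDetailsService users) { this.users = users; }

    @Override public Authentication authenticate(Authentication auth) {
        String externalId = auth.getName();
        UserDetails user;
        try {
            user = users.loadUserByUsername(externalId);
        } catch (UsernameNotFoundException e) {
            // First login (case c) in the thread): the app can now show a partially filled registration form.
            user = new User(externalId, "", AuthorityUtils.createAuthorityList("ROLE_PRE_REGISTERED"));
        }
        return new PreAuthenticatedAuthenticationToken(user, auth.getCredentials(), user.getAuthorities());
    }

    @Override public boolean supports(Class<?> c) { return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(c); }
}
```

            Wired into the configuration from #5 with `<custom-filter after="OPENID_FILTER" ref="oauthLoginFilter"/>` inside `<http>` and `<authentication-provider ref="oauthLoginProvider"/>` inside `<authentication-manager>`, with the filter bean's authenticationManager property set; the registration page is then the only URL granted to ROLE_PRE_REGISTERED.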
