  • Secure REST API with OAuth 2.0 (e.g. Facebook)

    I have a very simple REST API (CRUD) that I need to secure with OAuth 2.0. For example: Facebook. The design of this very small app goes like this:

    * REST API (pure stateless) done in Java.
    * Use Backbone.js to interact with server through a REST API.
    * User will log in through Facebook in order to use the service (i.e. the REST API will use OAuth to authenticate the user). For every new user, a username will be saved in the database. This username will be used for detecting whether it's a visiting user or a new user (username will not exist).

    Here's what I have done so far: I have set up two projects - one a REST API (unsecured) and the second a working Facebook OAuth 2.0 implementation. But I am having a hard time integrating these two. What I am missing is an understanding of how these two projects can come together.

    Could someone please guide me in the right direction? If someone has an example, please do share.

  • #2
    Hi, there is a 2RestTemplate, see this post.


    • #3
      So, it sounds like you're trying to secure a REST API with OAuth 2. For that, your best bet would be to look at Spring Security for OAuth. The OAuth2-oriented Sparklr and Tonr examples should be helpful, and the and apps might also give you some idea on how to secure an API with S2OAuth. If your client is a mobile app, I'd recommend configuring S2OAuth to support the resource-owner credentials grant, and use the authorization code grant for a more traditional browser-based app.

      The one thing that makes this more interesting is that you indicate that sign-in itself will be via Facebook. For that you can use Spring Social's ProviderSignInController. The Spring Social Showcase has a good example of doing that. The Greenhouse app also supports FB sign-in, so that's probably the closest to what you're trying to do.

      If you have any specific questions about any of this, feel free to ask. For S2OAuth-specific questions, though, you might do better asking in the S2OAuth forum:
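The wiring the reply describes, as an added example that is not from the thread or from the Spring projects: an authorization server registering a mobile client (password grant) and a browser client (authorization code grant), a resource server that demands a bearer token on the REST API, and a Spring Social `ConnectionSignUp` that stores the local username on first Facebook sign-in. It assumes the spring-security-oauth2 2.x Java config and spring-social-core APIs (each class in its own file, imports omitted); `UserRepository`, the client ids, secrets and redirect URI are placeholders.

```java
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Mobile client: resource-owner password credentials grant, as the reply suggests
            .withClient("mobile-app").secret("CHANGE-ME-mobile-secret")
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
            .and()
            // Browser client: authorization code grant, with the redirect URI pinned
            .withClient("browser-app").secret("CHANGE-ME-browser-secret")
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .redirectUris("https://app.example.test/oauth/callback")
                .scopes("read", "write");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The password grant needs an AuthenticationManager to verify user credentials
        endpoints.authenticationManager(authenticationManager);
    }
}

@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Only the REST API goes through this chain; every call needs a valid bearer token
        http.requestMatchers().antMatchers("/api/**")
            .and().authorizeRequests().anyRequest().authenticated();
    }
}

// Spring Social calls this when ProviderSignInController finds no local user for the
// Facebook connection (the "new user" case); returning a user id creates the local account.
public class FacebookSignUp implements ConnectionSignUp {
    private final UserRepository users;  // hypothetical repository from the asker's app
    public FacebookSignUp(UserRepository users) { this.users = users; }

    @Override
    public String execute(Connection<?> connection) {
        String username = "fb-" + connection.getKey().getProviderUserId();
        users.create(username);  // store the username, as the question describes
        return username;         // visiting users never reach here: their connection already matches
    }
}
```

Register `FacebookSignUp` on the `UsersConnectionRepository` and the returning-user check happens in Spring Social's connection lookup; the Backbone client then sends the issued token as `Authorization: Bearer ...` on every `/api/**` call.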