How to use spring social in a multi tenant application

  • How to use spring social in a multi tenant application

    I'm working on a multi tenant application where each of the customers has their own URL, like abc.services.com and xyz.services.com.

    Now I want to integrate Spring Social to this application for the purpose of Single Sign On and social application integration.

    The problem we are facing is that, since we have to register the callback URL with the service provider like Google, Facebook or Twitter, we are not able to complete the connect request, since the client URL and the application's callback URL registered with the provider are different.

    I'm using the ConnectionController provided by Spring Social.

    Ex: The user logs in to 'abc.services.com' and goes to the page and asks to connect to 'Google'. But the application's callback URL is registered as 'social.services.com' in Google. When the user tries to initiate the connection, the 'Google' provider will respond back to 'social.services.com' instead of 'abc.services.com', but this domain does not have an authenticated user, which will cause the request to fail.

    Any help to resolve this issue will be highly appreciated.

  • #2
    If I understand your problem correctly, it's that Spring Social properly determines a callback URL for each tenant. That is, abc.services.com will be the domain used in the callback URL when doing connections via the abc website and xyz.services.com will be the domain in the callback URL when doing connections via the xyz website. But, because you can only register a single callback URL with Facebook, there's going to be a mismatch for all but one of those websites.

    On the surface, this appears to be a shortcoming with Facebook and it'd be nice if you could register multiple callback URLs for an app. I sorta thought that you could do that at one time, but I just looked and couldn't find where to configure additional URLs, so maybe I remembered wrong. Even then, I'd think that Facebook would consider each of those domains to be a *different* application and thus would require you to register different applications for each one.

    If you do that, then the problem becomes how you could have a single Spring Social application that works with multiple domains? If you did register multiple applications on the Facebook side, Spring Social would properly calculate the callback URLs for each one. But there's no way to configure multiple Facebook applications within a single Spring Social application. That would certainly prevent you from doing what you're trying to do.

    I don't have any quick answers for you, but may I suggest that you open a new feature issue at https://jira.springsource.org/browse/SOCIAL describing what it is that you're trying to do? I have a few very rough ideas of how to accomplish this, but I'll need to set aside some time to try them out...and having an issue in place like that will help me find some time to do that.



    • #3
      Hi,

      We're also working on different envs and subdomains and we haven't had issues with that before. I've overridden the ConnectController and set the ApplicationURL on each connect, and it seems to be working fine. We're also working with FB tags integrated through the JavaScript API and we're setting the callback URL on each request. Works like a charm.


      HTH,
      Yoni



      • #4
        Sorry for the delayed response guys!

        I'm working on a multi tenant application where each customer will have a different URL.
        ex: person x may have x.something.com and y can have y.something.com

        So mine is the first case described by you, where the OAuth provider (ex: Facebook) does not allow registering a wildcard callback URL.

        My solution to this was to work with a common callback URL like openid.something.com for all customers and pass a state value to the authentication/authorize request (the state value will be signed with a keypair so that the client cannot modify it). Then override the ProviderController and ConnectController to process the state value.

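The signed-state approach described in post #4, sketched as an added example; it is not part of the original thread, not the poster's code, and not a Spring Social API. The class name `TenantState`, the `host|nonce|expiry` payload layout, the ECDSA P-256 keypair and the 600-second lifetime are assumptions; the `.something.com` suffix is taken from the post.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
// Added example (hypothetical class): signed OAuth `state` carrying the tenant host through one shared callback URL.
public class TenantState {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String TENANT_SUFFIX = ".something.com"; // assumed tenant domain

    // Payload is "tenantHost|nonce|expiryEpochSeconds"; the nonce should also be kept
    // in the user's session on the tenant site and compared after the final redirect.
    static String issue(PrivateKey key, String tenantHost, String nonce, long ttlSeconds)
            throws GeneralSecurityException {
        String payload = tenantHost + "|" + nonce + "|" + (Instant.now().getEpochSecond() + ttlSeconds);
        byte[] body = payload.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(body);
        return ENC.encodeToString(body) + "." + ENC.encodeToString(s.sign());
    }

    // Returns the tenant host to redirect to, or throws if the state is forged, expired,
    // or names a host outside the tenant domain (which would make the callback an open redirect).
    static String verify(PublicKey key, String state) throws GeneralSecurityException {
        String[] parts = state.split("\\.", -1);
        if (parts.length != 2) throw new SignatureException("malformed state");
        byte[] body, sig;
        try { body = DEC.decode(parts[0]); sig = DEC.decode(parts[1]); }
        catch (IllegalArgumentException e) { throw new SignatureException("malformed state"); }
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(body);
        if (!s.verify(sig)) throw new SignatureException("bad signature");
        String[] f = new String(body, StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3) throw new SignatureException("malformed payload");
        if (Instant.now().getEpochSecond() > Long.parseLong(f[2])) throw new SignatureException("expired");
        boolean allowed = f[0].endsWith(TENANT_SUFFIX) && f[0].matches("[a-z0-9.-]+");
        if (!allowed) throw new SignatureException("tenant not allowed");
        return f[0];
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair kp = g.generateKeyPair();
        String state = issue(kp.getPrivate(), "x.something.com", "n-123", 600); // constructed values
        System.out.println(verify(kp.getPublic(), state));
    }
}
```

The shared callback host verifies the state before redirecting; the suffix check matters even with a valid signature, because it keeps a signing bug or leaked key from turning the callback into a redirect to arbitrary hosts.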


        • #5
          Sounds like a good solution to the problem. I see no obvious way to tell FB to handle the wildcard domain case (although, admittedly, I didn't dig that hard either). Therefore, you must have it redirect back to a common place. It sounds like you're doing a followup redirect after connect to get the user back to the individual tenant and deciding on that redirect via some state.

          I'd be curious as to what your overrides for ProviderSignInController and ConnectController look like. I'm in favor of overriding those controllers as necessary, but want to be sure that I'm providing you with the hooks necessary to do it right. Is there any code you can share with me (either in this forum or via pastebin or some such thing)?



          • #6
            Thanks for your support Craig.

            Please find some of the problems I faced below; I will try to share my code with you at a later stage.

            ProviderSignInController
            The signin request does not allow passing any additional parameter like state.
            After completeConnection, we need a facility to call a callback method where we could do some operation using the state variable.

            ConnectSupport
            buildOAuth1Url: Does not allow adding a state parameter to the callback URL during the fetchRequestToken() call.

            ConnectController
            After a successful connectRequest, we need some callback point to process the request (i.e. the state param).
