
  • Social PreAuthenticatedProcessingFilter is it possible?

    Is it possible to implement a Pre-Authentication filter for Social Networks?
    The customer requirement is to auto-login users if they are already connected and logged in to an SN.
    The requirement is that the user should not click on a Login with SN button.

    Any ideas how to implement that?

    Thank you in advance.

  • #2
    It may be possible, but it's not trivial. For the sake of discussion, let's say that Facebook is the provider you want to automatically authenticate against...

    What you'd need to do is query for the user's identity from Facebook. The only way to do that is if you have an access token handy. Since the user's not authenticated into your application yet, you can't just go look up the access token from a connection, so you'll have to obtain it via OAuth authorization.

    That will involve a redirect to Facebook. You could trigger this authorization automatically upon the user arriving at your application (perhaps a filter that performs the redirect if the user isn't already signed in). If you're securing your app with Spring Social, it could also be implemented as an authentication entry point.

    In any event, the fully-automatic scenario is if the user is already signed into Facebook and they have already previously authorized the application. In that case, Facebook will immediately redirect back to your app with an authorization code. Exchange the code for an access token, use the token to look up the user's identity, and you're in.

    But, if the user hasn't yet signed into Facebook, then they'll have to sign in with Facebook. And if they've not yet authorized your app, then they'll have to do that. So, it won't be fully automatic. Also, not all providers will automatically redirect back if already signed in and authorized like Facebook, so in those cases it won't be fully automatic, either. My concern here is that presenting a Facebook or Twitter (or some other provider) signin and/or authorization page upon trying to go to your application will confuse the user.

    So, yes I think it can be done. But (1) I'm not convinced that it's a good idea and (2) there's not much in Spring Social to directly support this use-case.
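
The automatic redirect described in reply #2, sketched as a Spring Security authentication entry point. This is an added example, not code from the thread or from Spring Social: the class name, the session key, and the three constructor values (the provider's authorization endpoint, client id and registered callback URL) are assumptions, and it targets the `javax.servlet` API. It also adds the OAuth 2.0 `state` check that an unprompted login redirect needs so the callback cannot be driven by a forged request.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Hypothetical class: sends unauthenticated visitors straight to the provider's OAuth dialog.
public class ProviderRedirectEntryPoint implements AuthenticationEntryPoint {
    static final String STATE_ATTR = "oauthState"; // hypothetical session key
    private static final SecureRandom RNG = new SecureRandom();
    private final String authorizeUrl, clientId, redirectUri; // assumed to come from app config

    public ProviderRedirectEntryPoint(String authorizeUrl, String clientId, String redirectUri) {
        this.authorizeUrl = authorizeUrl;
        this.clientId = clientId;
        this.redirectUri = redirectUri;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        // Bind the round trip to this browser session with an unguessable value;
        // the provider echoes it back unchanged on the callback.
        String state = new BigInteger(130, RNG).toString(32);
        request.getSession(true).setAttribute(STATE_ATTR, state);
        response.sendRedirect(authorizeUrl + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state));
    }
    // Call in the callback handler BEFORE exchanging the code for an access token.
    public static boolean stateMatches(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String returned = request.getParameter("state");
        if (session == null || returned == null) return false;
        Object expected = session.getAttribute(STATE_ATTR);
        session.removeAttribute(STATE_ATTR); // single use: a replayed callback fails
        return expected instanceof String && MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                returned.getBytes(StandardCharsets.UTF_8));
    }
    private static String enc(String v) throws IOException { return URLEncoder.encode(v, "UTF-8"); }
}
```

If `stateMatches` returns false, the callback should drop the authorization code and show the normal sign-in page rather than triggering the redirect again, which also avoids a redirect loop when the provider returns an error.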