Reputation: 41
Spring Security 3 using OAuth2 for SSO
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario: I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
Upvotes: 3
Views: 6415
Answers (3)
Reputation: 2019
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
- @EnableOAuth2Sso
- @EnableOAuth2Resource
- Spring Cloud oauth2 SSO sample
- Spring oauth2 SSO with a whole bunch of other stuff too
Upvotes: 2
Reputation: 7817
Who is your Oauth2 provider? In a case of some public one like Facebook, Twitter, Google and many others you can take a look at Spring Social project. Even if you use some private provider you can add it very easy (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start authentication process. I think this difference may be easy customized to feet your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.
Upvotes: 1
Reputation: 22742
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
Upvotes: 3
Related Questions
- Spring SSO and account creation
- Spring Security with SSO
- SSO with Spring Security 3.x.x
- Spring boot SSO with Oauth2 and Spring-boot-starter-parent version 2+
- SSO in OAuth2Client in Spring Boot Security
- Integrate Spring Security OAuth2 and Spring Social
- Spring security - implement oauth2 sso
- Spring OAuth2: support auth and resource access with both SSO and custom auth server
- Oauth2 authentication failed
- SSO using spring-security-oauth2 : Authentication Code never read