Reputation: 166
I'm working on spring-security-oauth2-1.0.3.RELEASE, trying to set up an OAuth client to get users authenticated with Google.
I spent quite a while on this and still haven't found a good article explaining it very clearly.
What I'm doing is to put an OAuth2ClientAuthenticationProcessingFilter into the filter chain like this:
```xml
<http xmlns="http://www.springframework.org/schema/security"
      use-expressions="true" pattern="/oauth.html" auto-config="true">
    <sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />
    <custom-filter ref="oauth2ClientFilter" position="CAS_FILTER" />
    <sec:custom-filter ref="googleAuthFilter" after="CAS_FILTER" />
</http>
```
A custom-filter: googleAuthFilter is there to protect my URL.
Reading the source code of OAuth2ClientAuthenticationProcessingFilter, it requires a reference to
Now I'm confused. Spring-security-oauth is divided into 2 parts: client and provider.
Since I'm just setting up an OAuth client, why do I need to have a reference to a class from the OAuth provider packages?
Also, how should I set up the ResourceServerTokenServices? Now I'm trying to use the default implementation. Because DefaultTokenServices again requires reference to
So far I tried all the default implementations:
and it seems not to work...
Thanks!
Upvotes: 3
Views: 2990
Reputation: 975
Check out the Spring "Social Client" tutorial,
https://spring.io/guides/tutorials/spring-boot-oauth2/#_social_login_github
That tutorial had info for Facebook & Gist. The one piece I couldn't figure out - the userInfo URL - I finally discovered not on Google but in the .YML file data shown here:
http://www.techforumist.com/google-oauth2-login-in-spring-boot-and-angularjs/
Copied locally (in the spirit of the SO practice of giving more than a URL :-) ):

```yaml
oauth2:
  client:
    clientId: <Client ID from google developer console>
    clientSecret: <Client Secret from google developer console>
    accessTokenUri: https://www.googleapis.com/oauth2/v4/token
    userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
    clientAuthenticationScheme: form
    scope:
      - openid
      - email
      - profile
  resource:
    userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
    preferTokenInfo: true
```
Hope this helps you (took me a while to find all that)!
P.S. I have an application that successfully authenticates against Google using Spring Boot OAuth2 security - don't give up hope! What I currently lack is a way to unpack the data I get back to determine the user's Google email address for whitelisting - see SO link below:
Upvotes: 0
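For the whitelisting step mentioned in the P.S. above, an added example (not part of the original answer): it assumes the JSON returned by the userInfoUri has already been parsed into a `Map` and carries Google's `email` and `email_verified` fields. The class name, allowed address and sample responses are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical helper: decides whether a userinfo response belongs to an allowed user.
public class GoogleEmailAllowList {
    private final Set<String> allowed = new HashSet<>();

    public GoogleEmailAllowList(String... emails) {
        for (String e : emails) {
            allowed.add(normalize(e));
        }
    }

    // Compare addresses case-insensitively and without surrounding whitespace.
    private static String normalize(String email) {
        return email.trim().toLowerCase(Locale.ROOT);
    }

    // claims: the userinfo JSON object, already parsed into a Map (assumption).
    public boolean isAllowed(Map<String, Object> claims) {
        Object email = claims.get("email");
        Object verified = claims.get("email_verified");
        // The flag may arrive as a JSON boolean or as the string "true".
        boolean isVerified = Boolean.TRUE.equals(verified)
                || (verified instanceof String && "true".equalsIgnoreCase((String) verified));
        if (!(email instanceof String) || !isVerified) {
            return false; // missing or unverified address: fail closed
        }
        return allowed.contains(normalize((String) email));
    }

    public static void main(String[] args) {
        GoogleEmailAllowList list = new GoogleEmailAllowList("alice@example.com");
        Map<String, Object> ok = new HashMap<>(); // constructed sample response
        ok.put("sub", "1000000000000000000001");
        ok.put("email", "Alice@Example.com");
        ok.put("email_verified", Boolean.TRUE);
        Map<String, Object> unverified = new HashMap<>(ok);
        unverified.put("email_verified", Boolean.FALSE);
        Map<String, Object> other = new HashMap<>(ok);
        other.put("email", "mallory@example.com");
        System.out.println("verified, listed:   " + list.isAllowed(ok));
        System.out.println("unverified, listed: " + list.isAllowed(unverified));
        System.out.println("verified, unlisted: " + list.isAllowed(other));
    }
}
```

The check is only meaningful when the claims come from the provider's response over the authenticated token exchange, never from request parameters the browser can set.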
Reputation: 1983
I thought I might write something. But the version you are using is very old; recent versions of Spring Security OAuth2 are very easy to use and widely applied, with many documents. Let's do some searching :D
http://jhasaket.blogspot.com/2014/09/securing-spring-mvc-application-using.html
Upvotes: 2