Reputation: 247
Grails Rest API with OAuth for Mobile App
TL;DR : Read from EDIT 1.
I'm trying to find a solution to how to implement authentication, especially OAuth for my rest api that will be used by a mobile app.
I have found this popular plugin (Spring Security Rest):
http://alvarosanchez.github.io/grails-spring-security-rest/docs/guide/single.html#oauth1
But the problem is that it's designed for javascript frontend app, so it needs a callback url to my frontend to pass the generated token (as you can see in the diagram).
In the case of a mobile application, how can I do that ? Is there another plugin or design that I can implement for this ? I find it weird that there's really not a lot of plugins or tutorials about stateless OAuth in Grails or Spring but there's ton of mobile apps that use that.
Here's an example of use case :
- User opens mobile app.
- User logs in with facebook on the mobile app.
- User does a request to api/orders which will return him only his orders.
Who should handle the OAuth part in this ? The flow in the diagram presented on the plugin can't work with a mobile app, so should the mobile app auth to facebook, gets the token stores it then passes it to the web app ?
I would like to understand what is the correct design/flow in this case, and if there`s a plugin or a way to implement it using grails.
EDIT : Is this a correct flow ?
If yes, is there a standard way to implement this with Grails ?
EDIT 2 : Now that I understand the flow, I need to integrate the login part with Spring security rest plugin (that already handles everything else). Here's the code that I want to integrate with the plugin but I don't know where or what to modify in the plugin :
// api/auth/fb
def auth(){
//Extract fb_access_token
String fbAccessToken = request.JSON.?fb_access_token
//Call https://graph.facebook.com/me?access_token=fbAccessToken
def userInfo = facebookService. ... (fbAcessToken) //Method to use in the plugin
//Verify if the userInfo contains an error/doesn't contain a fbId
if(userInfo.getFbId() == null ){
respond unauthorized() // 401, Invalid access token
}
//Verify if this token is for our app
else if(userInfo.getAppSecret() != System.env.getParameter("appSecret")){
respond unauthorized() //401, token not for this app
}
//Register or login
else{
User user = User.findByFbId(userInfo.getFbId())
if(user == null){
facebookService.registerUser(userInfo) //Custom method implemented in the service
}
else{
FbToken fbToken = new FbToken(userInfo.getToken(), userInfo.getExpiration())
user.setFbAccessToken(fbToken)
}
//Login the user with spring security and let it handle the rest (token creation => storage => http answer)
}
}
Upvotes: 3
Views: 2125
Answers (1)
Reputation: 301
Following is what how we tackle facebook connect with grails rest plugin.
- Client make request to facebook and get fb uid.
- Client send fb uid to server along with other details such as email, etc etc (whatever fetched from facebook after authentication)
- Server receive fb uid and re-authenticate fbuid with facebook then try to find user with this fbuid in database.
- If user found login the user with email and return back token.
- if user not found register and login the user and send back token in response.
- Client make any subsequent call with token returned from 2nd step.
Upvotes: 1
Related Questions
- Implement a REST API in a Grails app
- Grails 3 Example for oauth consumer
- Grails and OAuth
- connect/authenticate with google using grails oauth plugin
- OAuth issue in Grails
- Grails and Oauth2 Spring security
- grails oAuth 2.0 documentation?
- Authentication in RESTful Java web service for mobile clients
- Securing Grails REST service for use with mobile applications
- REST authentication internal project (iPhone to grails app) using 2 legged oauth?