Reputation: 2326
With authentication becoming more and more difficult to do right these days, I decided it would be best to leave authentication to companies with a good reputation in security like Twitter and LinkedIn.
I have read through both the Spring Security and Spring Social docs but couldn't find anything regarding completely leaving authentication to a third party. They only talk about having a mixed system, with its own user database.
Is it possible to do something like this with Spring as of its current version?
I'm using Spring Boot Security 1.2 and Spring Boot Social 1.2.1 but upgrading is not an issue for me if it's necessary.
Upvotes: 1
Views: 114
Reputation: 19557
Stormpath exists for the exact reasons you specified: it's hard to get right and you might as well outsource this to a team with security experts (even if you're a security expert, why waste the time on it anymore?). Have you tried it?
There is a great Java SDK with social login integration to Facebook, Google, GitHub, etc. built in, Java webapp support, and Spring Security integration.
Disclosure: I'm Stormpath's CTO.
Upvotes: 1
Reputation: 2485
That's right: you still need to "link" the remote authentication (i.e. from an OAuth provider) to a local user model.
Your system is delegating authentication to the remote authority, which identifies who a user is.
A sane way to handle this is that once a user logs into an OAuth provider, for example, and you receive the callback from the provider, you automatically create a user model for them in a local persistent store based on their principal at the OAuth authority (typically their email address).
In this way, the user doesn't need to register manually on your service, but you still get a strong link to an actual local model and can apply your own authorization checks based on local roles/groups etc.
Upvotes: 1
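The "create the local user on first callback, then authorize against local roles" flow from the answer above, as an added framework-independent illustration (not Spring code and not the answerer's code). `ProviderIdentity`, `UserStore` and `on_provider_callback` are names assumed for this example; `ProviderIdentity` stands for what your framework hands you once it has finished the provider exchange (token validated, profile fetched), which in Spring Social is the point where a `ConnectionSignUp` implementation runs. One deliberate deviation from "link on the email": the link key here is the provider's own stable user id, with the email stored only when the provider says it is verified, and a verified email that already belongs to another local user is refused rather than silently merged, since auto-merging on email is the usual route to account takeover through a lax provider.

```python
"""Just-in-time provisioning of a local user from an OAuth provider callback.

Added, framework-independent illustration; not Spring code and not from the
answer it follows.  ProviderIdentity models the *verified* result of the
provider exchange that a framework such as Spring Social performs before its
ConnectionSignUp hook is invoked.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, Optional, Set, Tuple
import itertools


@dataclass(frozen=True)
class ProviderIdentity:
    """Facts about the remote principal as asserted by the provider (assumed shape)."""
    provider: str            # e.g. "twitter", "linkedin"
    provider_user_id: str    # the provider's stable identifier for this account
    email: Optional[str]     # may be absent; not every provider supplies one
    email_verified: bool     # whether the provider asserts the address is verified
    display_name: str


@dataclass
class LocalUser:
    id: int
    email: Optional[str]
    display_name: str
    roles: Set[str]
    links: Set[Tuple[str, str]] = field(default_factory=set)  # (provider, provider_user_id)


class EmailCollision(Exception):
    """A different local user already owns this email address."""


class UserStore:
    """In-memory stand-in for the persistent user table (any real DB would do)."""

    def __init__(self) -> None:
        self._by_id: Dict[int, LocalUser] = {}
        self._by_link: Dict[Tuple[str, str], LocalUser] = {}
        self._by_email: Dict[str, LocalUser] = {}
        self._ids = itertools.count(1)

    def find_by_link(self, provider: str, provider_user_id: str) -> Optional[LocalUser]:
        return self._by_link.get((provider, provider_user_id))

    def find_by_email(self, email: str) -> Optional[LocalUser]:
        return self._by_email.get(email.lower())

    def link(self, user: LocalUser, provider: str, provider_user_id: str) -> None:
        """Bind a provider account to a local user (used both at creation and in an explicit link flow)."""
        key = (provider, provider_user_id)
        user.links.add(key)
        self._by_link[key] = user

    def create(self, identity: ProviderIdentity, roles: FrozenSet[str]) -> LocalUser:
        user = LocalUser(id=next(self._ids), email=identity.email,
                         display_name=identity.display_name, roles=set(roles))
        self.link(user, identity.provider, identity.provider_user_id)
        if identity.email:
            self._by_email[identity.email.lower()] = user
        self._by_id[user.id] = user
        return user


def on_provider_callback(store: UserStore, identity: ProviderIdentity,
                         default_roles: FrozenSet[str] = frozenset({"ROLE_USER"})
                         ) -> Tuple[LocalUser, bool]:
    """Resolve (or create) the local user for a successful provider login.

    Returns (user, created).  The link key is (provider, provider_user_id), not
    the email address: the id is stable and unique per provider, whereas an
    email may be missing, unverified, or later reassigned to someone else.
    """
    user = store.find_by_link(identity.provider, identity.provider_user_id)
    if user is not None:
        return user, False               # returning user: nothing to provision

    # First login from this provider account.  Keep the email only if the
    # provider vouches for it, and never merge into an existing account on
    # email alone; make the user prove ownership in an explicit link flow.
    email = identity.email if identity.email_verified else None
    if email and store.find_by_email(email) is not None:
        raise EmailCollision(f"{email} already belongs to another local user")

    user = store.create(replace(identity, email=email), default_roles)
    return user, True


def has_role(user: LocalUser, role: str) -> bool:
    """Local authorization check: roles live in the local model, not at the provider."""
    return role in user.roles


if __name__ == "__main__":
    # Constructed sample callbacks, not real provider data.
    store = UserStore()
    alice = ProviderIdentity("linkedin", "li-1001", "alice@example.com", True, "Alice")
    user, created = on_provider_callback(store, alice)
    print(user.id, created, has_role(user, "ROLE_USER"))
    again, created = on_provider_callback(store, alice)
    print(again is user, created)
```

The explicit-link path (`UserStore.link`) is what you would call after a logged-in user proves they own the second provider account; after that, callbacks from either provider resolve to the same local user and the same local roles.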