Log into a Spring Security application using a 3rd party OAuth2 server

Question

I am working on a a web application secured by Spring Security. The new requirement is that the users can log in using an existing, 3rd party OAuth2 server, based on the authorization code grant, and use the API exposed by it. Think of my app as the e-banking site and 3rd party API as the banking back-end that my app calls to get a list of accounts for the user, for example.

Important points:

• The authorization server and the resource server are one and the same and are completely external to my application and out of my control
• My application has no way to establish the user's identity by itself. The user is redirected to a different page to log in and, if successful, my application just receives a token to use for that user. I'm guessing I should store this token in the user's session and keep submitting it whenever I need to call the API.
• The user in my application, once successfully authenticated, should get roles based on the OAuth2 scope that was assigned to it by the server

Questions:

• Isn't the login flow I explained above the normal authorization code grant flow? If so, what is Spring's rationale for expecting me to already have a logged in user before acquiring a token? Isn't the act of acquiring a token effectively "logging in"? How would I know how to log in the user when the whole purpose of authorization code grant is not to have the user send credentials to my app directly?
• Spring wants me to map user roles to scopes... Isn't that the exact opposite of expected? Shouldn't I receive the scope to signify what the user can do and assign the role in my app based on that?
• Is it possible to configure the server (and my app) to not ask the user to explicitly grant permissions to my app? The reason is that my app is the only way for the user to access the 3rd party API (e.g. the only way for the to get a list of their bank accounts is to use my e-banking site), thus by using my app (e-banking site), they definitely want it to be able to do its job (get the list of their accounts from the banking back-end).

Answer 1

Yes, the login flow you explained is correct. This is exactly what OAuth2RestTemplate does - stores token in session.

But I don't understand your questions fully.

1. Do you mean that Spring forces a user to be logged into Authorization Server before granting auth code? This is correct cause this is a user who allows your app to do operations on his behalf. How can he grant something without being logged in?

2. I'm not sure where does Spring forces you to map user roles to scopes. Isn't it done in Authorization Server to limit scopes that can be granted by this user? But you're right - you can use token scopes to map them to internal roles in your app if needed.

3. We used Cloudfoundry UAA to build OAuth2 Authorization Server and it has concept of auto-approved scopes (i.e. no explicit user approval is needed). You can take a look at that.

We had the same requirement and what we did was our own custom AuthenticationFilter(mapped to redirect_uri) that was exchanging received auth code to access token and then creating internal authentication with received token and also appropriate internal roles.