Ben

Reputation: 2578

Mobile sign up with spring social

I am trying to use spring social for my REST services and my mobile app.

I wonder what the best approach is.

I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.

My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.

On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.

As far as I understood, mobile requires a different OAuth flow than the one described in https://spring.io/guides/tutorials/spring-boot-oauth2/

Seems like it requires the "Proof Key for Code Exchange" flow as stated in: https://auth0.com/docs/api-auth/grant/authorization-code-pkce

Is this correct? I didn't find any information on how best to do this with spring social, or whether spring social supports this use case.

Could someone point me in the right direction? I only found information on how to do this with single page applications, not with mobile applications. Thanks a lot in advance!

Upvotes: 12

Views: 2490

Answers (2)

ch4mp

Reputation: 12564

In such scenarios, I use a standalone authorization server with identity federation (preferably an OpenID Provider either on premise like Keycloak or in the cloud like Auth0, Amazon Cognito, Okta and many others).

This OP centralizes user definitions (and provides the "login with ..." feature). It is also the only reference for all my OAuth2 clients and resource servers.

In the apps I write:

  • all the data required in the apps for user identity and access control is added to token claims by the OP
  • REST APIs are configured as resource servers (requests are authorized with access tokens)
  • clients are
    • one (or more) spring-cloud-gateway configured as Backend For Frontend: with spring-boot-starter-oauth2-client and the TokenRelay filter
    • mobile apps, using a lib to handle authorization_code flow, token storage and requests authorization (this lib depends on the framework used for writing the app).

Requests between Javascript based web apps and the BFF are authorized with sessions, so these apps are just front-ends, not OAuth2 clients. This is better for security because:

  • OAuth2 clients on servers can be "confidential" clients (neither mobile nor web apps can keep a client secret, which is the reason for them to be configured as "public" clients)
  • tokens are not exposed to Javascript (they do not even leave the data-center)

Ideally, the BFF pattern would be applied to mobile apps too (in which case they wouldn't be OAuth2 clients anymore), but I haven't found a way to use the same session with app REST requests to the gateway and during the authorization_code flow :/

Upvotes: 0

TonyLxc

Reputation: 367

One possible way would be

  1. The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
  2. The mobile app passes it to the backend service, which uses it to retrieve user details (e.g. email) from the oauth service.
  3. The backend service could do additional work about the user details (for example, link with existing users).
  4. The backend service returns a JWT token to the mobile app, which ends the SSO.

The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).

The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.

The flow is summarized in the following drawing: [image: Mobile SSO Flow]

======== Edited:

We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.

Discussion is welcomed.

Upvotes: 9
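The backend side of the four steps above (verify the provider token with the provider, link the user by the provider-reported email, mint the backend's own JWT, and check that JWT on later API calls), written as an added, stand-alone Python sketch rather than the answerer's Spring Boot code. The provider lookup table, the user table, the tokens and the signing secret are all constructed for the demo; in a real backend `fetch_userinfo` is an HTTPS call to LinkedIn/Google and the JWT would normally come from a library such as jjwt or Nimbus.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-in for the provider's userinfo endpoint: maps (provider, SDK token)
# to what LinkedIn/Google would answer. In production this is an HTTPS call to the provider.
PROVIDER_USERINFO = {
    ("google", "goog-tok-abc"): {"sub": "10001", "email": "alice@example.com", "email_verified": True},
    ("linkedin", "li-tok-xyz"): {"sub": "li-77", "email": "alice@example.com", "email_verified": True},
}
USERS = {"alice@example.com": {"id": 1, "linked": set()}}  # constructed local user table
BACKEND_SECRET = b"constructed-demo-secret-change-me"        # HS256 key for the backend's own JWT

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fetch_userinfo(provider, provider_token):
    """Step 2: ask the provider who the token belongs to; the email comes from its answer, not the app."""
    info = PROVIDER_USERINFO.get((provider, provider_token))
    if info is None or not info.get("email_verified"):
        raise PermissionError("provider rejected the token or the email is unverified")
    return info

def link_user(provider, info):
    """Step 3: attach the social identity to the user with that email, or create one."""
    user = USERS.setdefault(info["email"], {"id": len(USERS) + 1, "linked": set()})
    user["linked"].add((provider, info["sub"]))
    return user

def issue_jwt(user_id, ttl=3600, now=None):
    """Step 4: mint the backend's own HS256 JWT with a short lifetime."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": str(user_id), "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(BACKEND_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, now=None):
    """API side: constant-time signature check, then expiry. Returns the claims or None."""
    now = int(time.time()) if now is None else now
    if token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(BACKEND_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

def exchange_sso_token(provider, provider_token, now=None):
    """The endpoint the mobile app calls after SSO: steps 2, 3 and 4 in one place."""
    user = link_user(provider, fetch_userinfo(provider, provider_token))
    return issue_jwt(user["id"], now=now)
```

The point to keep from the answer is that the backend never trusts an email sent by the app; it only trusts what the provider says about the token it was handed.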
