StuartDTO

Reputation: 1051

REST authentication with Spring Security and MongoDB

I've implemented a Spring app with MongoDB, and now I've implemented REST authentication with Spring Security and MongoDB. Now I have to add the Authorization header, and the API call only returns the data if the Authorization is OK. So far that works, but I'm wondering how I get this value. I mean, I want to make a login for the app; should I have an authorization for this? If not, should the login response return this authorization so it can be used in the next calls? I have also read about AWS tokens and about OAuth2, but I really want to understand the process. I mean, what's the flow for a normal user to log in to the app and then make calls with authorization?

My platforms are:

  • DB: MongoDB
  • Server: Spring
  • Web: Angular
  • App: Android

This is a project for a quiz game that could support multigame options (more than 1 player playing at once).

So what I need to understand is: from the app / web I have to make a call, let's say api/v1/login, and then send the user and password. OK, but where's the part where I have to create the bcrypt and salt stuff to store it in the DB? Do I have to do it in the app and then send, for instance, the SHA stuff via JSON in the login call, or is it better to send the password to the server so the server does all of the stuff and stores it in the DB?

Upvotes: 2

Views: 1886

Answers (2)

Jan B.

Reputation: 6468

In the scenario you describe there is no sense in using either OpenID Connect or OAuth2. There is a single server for both authentication and resources. The scenario could be roughly this:

  1. The client (Angular or app) sends the credentials to the server in plain text over a secured HTTP connection to log in
  2. The server responds with an access and a refresh token
  3. Both tokens need to be saved on the client device (e.g. Local Storage)
  4. You send the access token along with every request that requires authentication
  5. Before the access token expires you trigger a certain REST call to refresh the tokens using your refresh token
  6. The server sends back a new access and a new refresh token. Store them and delete the old ones.

Using Spring Boot you pretty much get it all for free. Unless you have a specific example, I'd spare giving code snippets. You'll find wonderful and concise examples on the auth0 site.

Here is an Angular tutorial on how to send the access token along with your requests.

Regarding your DB questions, a simple but valid scenario could be to store (in the DB) the encrypted password alongside your user. If a user logs in, he will send you the plain text password, which you need to encrypt and compare to the one you stored. Never store the plain text password; just use it for the login process. There are several best practices you might want to consider when using passwords in Java applications.

Upvotes: 3
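The six-step flow above, together with the "hash on the server, never store the plain text" advice, as an added language-neutral illustration (this is example code, not from the question, the answer or Spring Security). It assumes an in-memory user store standing in for MongoDB, PBKDF2 from the standard library standing in for bcrypt, and HMAC-signed access tokens standing in for JWTs; the server key, TTLs and helper names are constructed for the example.

```python
import hashlib, hmac, os, secrets, time

# Constructed server-side secret and in-memory stores (stand-ins for MongoDB collections)
SERVER_KEY = secrets.token_bytes(32)
USERS = {}            # username -> {"salt": bytes, "hash": bytes}
REFRESH_TOKENS = {}   # refresh token -> username; an entry is deleted when it is used
ACCESS_TTL, REFRESH_TTL = 900, 86400   # seconds; refresh TTL not enforced in this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash computed on the server; PBKDF2 stands in for bcrypt here
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    # Step 0: only salt + hash are persisted, never the plain text password
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def _sign(payload: str) -> str:
    tag = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{tag}"

def _issue_tokens(username: str) -> dict:
    # Step 2/6: short-lived signed access token plus an opaque, single-use refresh token
    access = _sign(f"{username}|{int(time.time()) + ACCESS_TTL}")
    refresh_token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh_token] = username
    return {"access_token": access, "refresh_token": refresh_token}

def login(username: str, password: str):
    # Step 1: client sent the plain text password over TLS; the server hashes and compares
    user = USERS.get(username)
    salt = user["salt"] if user else b"\0" * 16   # hash anyway so timing is uniform
    candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return None
    return _issue_tokens(username)

def verify_access_token(token: str):
    # Step 4: what the resource endpoint does with the Authorization header value
    try:
        payload, _tag = token.rsplit(".", 1)
        username, expiry = payload.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), token):
        return None          # forged or tampered token
    if int(expiry) < time.time():
        return None          # expired: client must use the refresh endpoint
    return username

def refresh(refresh_token: str):
    # Step 5: rotate; the presented refresh token is revoked whether or not it was valid
    username = REFRESH_TOKENS.pop(refresh_token, None)
    return _issue_tokens(username) if username else None
```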

Angelo Immediata

Reputation: 6954

I strongly suggest that you use Spring Security, OAuth2 and JWT tokens to protect your REST API. The flow is the following:

  • the user logs on to the app
  • a token is generated
  • this token is set in the header of each request

Usually tokens have a time duration. Basically OAuth2 defines 2 entities:

  • Authorization Server: it's the entity responsible for the authorization process. It checks the provided credentials and, if all is OK, it generates the token
  • Resource Server: it's the entity that will expose the REST API. This entity will check that a token is present in every request and that the token is valid

More information is available here: https://www.baeldung.com/spring-security-oauth-jwt

UPDATE

Here https://github.com/angeloimm/spring_oauth I uploaded a simple sample of Spring (not Spring Boot) OAuth JWT authentication based on an H2 DB.

You can download it and adapt it to MongoDB. I think it's simple enough to adapt. Sadly it's a very intense working period for me and I'm not able to do it.

I hope it's useful.

Angelo

Upvotes: 0
