Spring Social Authentication

[Laedislaw]

Hello,

I'm trying to understand how Facebook Signin procedure works.

If I understand correctly, the authenitcation procedure involves going through. 1) facebook authenitcation, then 2) local application. authentication

For example. I click on "signin with facebook" button situated in my app, I am taken to faacebook where I enter my credentials (if successful) I am redirected back to my app's signnin page where I enter username/ password for Spring Security, only then I am signed in.

The above process is a bit too long. I need a solution that involves only one authentication step e.g. Username/Password used only once, if successful they are authnticated on both sites. Can I do this with Spring Social?

Thanks

[skelly]

Hello,

I'm trying to understand how Facebook Signin procedure works.

If I understand correctly, the authenitcation procedure involves going through. 1) facebook authenitcation, then 2) local application. authentication

For example. I click on "signin with facebook" button situated in my app, I am taken to faacebook where I enter my credentials (if successful) I am redirected back to my app's signnin page where I enter username/ password for Spring Security, only then I am signed in.

The above process is a bit too long. I need a solution that involves only one authentication step e.g. Username/Password used only once, if successful they are authnticated on both sites. Can I do this with Spring Social?

Thanks

Yes you can, just grab some example project and run it, spring-social-showcase/spring-social-showcase-xml with some xml configuration, pick what you need.

[habuma]

Your description is almost correct. To be clear, here's an accurate description of the flow:

1. The user clicks on "Signin with Facebook", which triggers an endpoint in Spring Social's ProviderSignInController.
2. ProviderSignInController redirects the user to Facebook's **authorization** page. If the user has not yet signed into Facebook, then Facebook will prompt them to sign in. After signing in, they will be asked to authorize your application to access Facebook on their behalf.
3. The user authorizes your application at Facebook and then Facebook redirects back to your application at an endpoint that is handled by ProviderSignInController.
3b. If the user has previously authorized your application, they will not be shown the authorization page at all and Facebook will immediately redirect them back to your app.
4. If the user has previously created a connection with Facebook (via ConnectController), then the user will be signed into your application. The actual signin takes place via an implementation of SignInAdapter.
4b. If no previous connection matches, then the browser will be redirected to a registration page. After the user registers with your app, a connection will be created for future use.

The key thing is that it's actually Facebook *authorization* that takes place, but a pseudo-authentication is performed at the end of that authorization. This is demonstrated in Spring Social Showcase.

An alternate flow is one where there is no previous connection (step 4 and 4b) and instead the user's info is retrieved from Facebook and used as the user record. This is roughly what takes place in the Spring Social Quickstart.

[Laedislaw]

Your description is almost correct. To be clear, here's an accurate description of the flow:

1. The user clicks on "Signin with Facebook", which triggers an endpoint in Spring Social's ProviderSignInController.
2. ProviderSignInController redirects the user to Facebook's **authorization** page. If the user has not yet signed into Facebook, then Facebook will prompt them to sign in. After signing in, they will be asked to authorize your application to access Facebook on their behalf.
3. The user authorizes your application at Facebook and then Facebook redirects back to your application at an endpoint that is handled by ProviderSignInController.
3b. If the user has previously authorized your application, they will not be shown the authorization page at all and Facebook will immediately redirect them back to your app.
4. If the user has previously created a connection with Facebook (via ConnectController), then the user will be signed into your application. The actual signin takes place via an implementation of SignInAdapter.
4b. If no previous connection matches, then the browser will be redirected to a registration page. After the user registers with your app, a connection will be created for future use.

The key thing is that it's actually Facebook *authorization* that takes place, but a pseudo-authentication is performed at the end of that authorization. This is demonstrated in Spring Social Showcase.

An alternate flow is one where there is no previous connection (step 4 and 4b) and instead the user's info is retrieved from Facebook and used as the user record. This is roughly what takes place in the Spring Social Quickstart.

Thank You for the reply.

As things stand, when I use "signin with facebook", i have to also invoke "facebook connect" if I want establish a connection. This is required every time after signing-in to acess profile information from facebook,

Can you confirm if this is the correct behaviour? I would have thought you connect only once (during registration) to populate the "UserConnections" Table then use "facebook sign-in" after that?

Assuming the above behaviour is correct, i'd like to update the bean config so that once a user is signed-in then "facebook connect" is invoked in background so that a connection is established without the user having to do it manually.

Some advice or example on how to achive this will be appreciated.

Thanks

[habuma]

No...from the Spring Social side of things, your user must only connect once (could be at registration or post-registration). Then the "Sign In with Facebook" can take place after that.

But from Facebook's perspective, the user is authorizing your application each time...or more accurately, the user is led through the authorization flow every time. But the user may not see it that way...if they've already authorized previously (at connection time) then they won't be shown the authorization page at all and will instead be immediately redirected back to your application where the pseudo-authentication will occur.

(Note that the immediate redirect for existing authorization is a Facebook-specific thing...other providers may still prompt the user to authorize again, even if an existing authorization exists.)

The best example you can look at for this is the Spring Social Showcase (https://github.com/SpringSource/spri...ocial-showcase). Just run the app, signin as one of the sample users, create a connection with Facebook, signout, then click the "Sign In with Facebook" button and you'll see how the flow works.