How to use OAuth to log into consumer?

**marcelstoer** · Oct 27th, 2010, 08:09 PM

I had a look at the Facebook integration in Tonr 2. While this is a nice example of how to request resources from a provider once you're authenticated against the consumer I think the second use case is just as likely: use an OAuth provider to log into consumer.
Example: http://stackoverflow.com/users/login -> using Facebook

So, the question is how I could make use of

Code:

  <!--apply the oauth client context-->
  <oauth:client>
    <oauth:url pattern="/facebook/**" resources="facebook"/>
  </oauth:client>

  <!--define an oauth 2 resource for sparklr-->
  <oauth:resource id="sparklr" type="authorization_code" clientId="tonr"..

configured in applicationContext.xml for login?

**stoicflame** · Oct 28th, 2010, 11:01 AM

This case isn't really the domain of OAuth (and, by extension, isn't the domain of OAuth for Spring Security).

What you're talking about is decentralized authentication, which is what technologies like OpenID is designed to address. OAuth is about delegated authorization. They can both work together, but are designed to address different things. Here are a couple of links with good information:

http://stackoverflow.com/questions/1...enid-and-oauth
http://softwareas.com/oauth-openid-y...the-same-thing

For the case of Facebook, they have some JavaScript utilities and things that you can use to log in. You'll probably need to extend some Spring Security libraries so that you can tie the Facebook id to the user id of your application. Check out the Greenhouse project for some examples:

Source code: http://git.springsource.org/greenhouse
Live project: https://greenhouse.springsource.org/

**marcelstoer** · Oct 28th, 2010, 01:44 PM

Thank you for the helpful links. I'm very well aware of the difference(s) between OpenID and OAuth - I think.

However, IMO you really can use both for this particular use case I'm talking about:
- you have a consumer web site X.com which offers some services
- you don't want your users to create yet another username/password combination to log into X.com (corner stone of OpenID)
- hence, you offer users to either
a) create an account at X.com with a username/password combination specific for X.com
b) log in using an OpenID and most likely requesting user attributes through OpenID AX (attribute exchange) from the OpenID provider to populate the user profile at X.com
c) log in using OAuth and asking for permission for X.com to obtain profile information on behalf of the user from the OAuth provider
In case of b) and c) X.com might not get all information from the providers to fully initially an X.com user profile. So, upon first login it might display a partially populated registration form asking the user to fill in the missing data and continue.

I have yet to check-out greenhouse in more detail (i.e. looking at its source code) but doesn't the 'Sign in with Facebook' exactly do what I described above in c)?

**stoicflame** · Oct 29th, 2010, 10:18 AM

Yes, each of those scenarios make sense to me.

So let's get back to your original question about any tools that might be needed to "use an OAuth provider to log into consumer". What exactly do you mean by that, and what specifically could be added to the library to futher enable that?

**marcelstoer** · Oct 29th, 2010, 11:19 AM

Originally Posted by stoicflame

What exactly do you mean by that, and what specifically could be added to the library to futher enable that?

Sorry about that. I always feel sorry for the poor readers if one can't understand what I mean. Looks I failed again to properly expressing myself. Thanks for your patience.

First, I'm not sure that there's anything that needs to be added to the library (hope my message didn't imply that). I was simply wondering how I need to configure OAuth for Spring Security to achieve c). It may be possible or it may be not. I'm not familiar with the code yet to tell.

The Tonr 2 example shows how to request resources from Facebook on behalf of the user. However, the example still requires the user to log into Tonr 2 using his Tonr username/password combination i.e. the user can't use his Facebook credentials to access Tonr's /facebook/** resources.

Code:

<http auto-config='true' access-denied-page="/login.jsp">
  ...
  <intercept-url pattern="/facebook/**" access="ROLE_USER" />
  ..
</http>

I want to support a-c in one and the same application. It will be similar to http://www.gerixsoft.com/user/login (Facebook integration seems broken). The application has one single login page but conceptually three different login forms: username/password, OpenID, link to Facebook with redirect URL.

Thanks to the "Spring Security 3" book chapter 8 I've got OpenID covered. So, a) and b) work just fine. I offer two login options on login.jsp. Excerpt from the configuration:

Code:

<http auto-config="true" use-expressions="true">
  <intercept-url pattern="/login.jsp" access="permitAll" />
  <intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
  
  <form-login login-page="/login.jsp" login-processing-url="/login" default-target-url="/"/>
  <logout logout-url="/logout" />
  
  <remember-me services-ref="rememberMeService"/>
  
  <openid-login login-processing-url="/openid_login">
    <attribute-exchange>
      <openid-attribute name="firstName" type="http://schema.openid.net/namePerson/first" />
      <openid-attribute name="lastName" type="http://schema.openid.net/namePerson/last" />
      ...

How is it possible to add OAuth for Spring Security configuration elements to achieve c)?

**stoicflame** · Oct 29th, 2010, 03:10 PM

So OAuth for Spring Security doesn't provide any configuration elements for c) because it requires some custom "core" Spring Security providers.

Personally, I've never done what you're describing, but I know people who have. I'll see if I can get someone to respond, as it would be helpful to have in a thread.

Thread: How to use OAuth to log into consumer?

Thread Tools

Display

Hybrid View

How to use OAuth to log into consumer?

Posting Permissions