User Registration & Login | SSO using Spring Security OAuth 2.0

4.7k views Asked by At

I am trying to implement user registration and log in flow | SSO using Spring Security Oauth 2.0 and Google as the authentication provider.

  • How should I initiate registration and login flow? What filter needs to be applied?
  • In registration flow, I will needs user's details (name, email) that are part of successful authorization response, to be persisted in my local database. How do I handle that?

  • What's the purpose of oauth2:client id="oauth2ClientFilter" ?

This is how my application context file looks like:-

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:c="http://www.springframework.org/schema/c"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/jdbc  http://www.springframework.org/schema/jdbc/spring-jdbc-3.0.xsd
    http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
    http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

<!-- DispatcherServlet Context: defines this servlet's request-processing 
    infrastructure -->

<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven />

<!-- Handles HTTP GET requests for /resources/** by efficiently serving 
    up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />

<!-- Resolves views selected for rendering by @Controllers to .jsp resources 
    in the /WEB-INF/views directory -->
<beans:bean
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <beans:property name="prefix" value="/WEB-INF/views/" />
    <beans:property name="suffix" value=".jsp" />
</beans:bean>

<context:component-scan base-package="com.samsoft.spring" />

<!-- ================================================== SECURITY START ================================================== -->

<security:http security="none" pattern="/" />
<security:http security="none" pattern="/resources/**" />
<security:global-method-security
    secured-annotations="enabled" />

<security:http auto-config="true">
    <security:intercept-url pattern="/**"
        requires-channel="https" access="IS_AUTHENTICATED_FULLY" />
    <security:custom-filter ref="oauth2ClientFilter"
        after="EXCEPTION_TRANSLATION_FILTER" />
</security:http>
<oauth2:client id="oauth2ClientFilter" />

<oauth2:resource id="googleOauth2Resource" type="authorization_code"
    client-id="530420474177-clientid.apps.googleusercontent.com"
    client-secret="client-secret-here" access-token-uri="https://accounts.google.com/o/oauth2/token"
    user-authorization-uri="https://accounts.google.com/o/oauth2/auth"
    scope="https://www.googleapis.com/auth/calendar"
    client-authentication-scheme="form"
    pre-established-redirect-uri="https://ohad.sealdoc.com/oauth2-client/hello" />

<oauth2:rest-template id="googleOauthRestTemplate"
    resource="googleOauth2Resource" />

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="test" authorities="ROLE_USER" password="test"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>



<!-- ================================================== SECURITY END ================================================== -->

EDIT

I did implemented same use case using Spring Security OpenID by:-

  1. Declaring openid:form tag with exchange attributed configured
  2. Extend the UserDetailsService as described here.

I am looking for equivalent configuration for Oauth 2.0.

1

There are 1 answers

1
OhadR On

did you register your client-app in Google? this is how oAuth2 works... the client should be registered in the provider, and get a client ID and client secret. in your XML, it seems like you did not register:

client-secret="client-secret-here"

have a read at Google oAuth2 docs

UPDATE

As for your updated question, I think that the behavior that you see is due to the fact that your application should allow access to "/oauth2/google", in your security.xml file.