|
|
@@ -14,7 +14,8 @@ The following sections outline detailed steps for setting up OAuth 2.0 Login wit
|
|
|
* <<facebook-login, Facebook>>
|
|
|
* <<okta-login, Okta>>
|
|
|
|
|
|
-NOTE: The _"authentication flow"_ is realized using the *Authorization Code Grant*, as specified in the https://tools.ietf.org/html/rfc6749#section-4.1[OAuth 2.0 Authorization Framework].
|
|
|
+NOTE: The _"authentication flow"_ is realized using the *Authorization Code Grant*, as specified in the https://tools.ietf.org/html/rfc6749#section-4.1[OAuth 2.0 Authorization Framework]
|
|
|
+and http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[OpenID Connect Core 1.0] specifications.
|
|
|
|
|
|
[[sample-app-content]]
|
|
|
== Sample application content
|
|
|
@@ -26,7 +27,7 @@ The sample application contains the following package structure and artifacts:
|
|
|
[circle]
|
|
|
* _OAuth2LoginApplication_ - the main class for the _Spring application_.
|
|
|
** *user*
|
|
|
-*** _GitHubOAuth2User_ - a custom _UserInfo_ type for <<github-login, GitHub Login>>.
|
|
|
+*** _GitHubOAuth2User_ - a custom _OAuth2User_ for <<github-login, GitHub Login>>.
|
|
|
** *web*
|
|
|
*** _MainController_ - the root controller that displays user information after a successful login.
|
|
|
|
|
|
@@ -120,7 +121,7 @@ The goal for this section of the guide is to setup login using GitHub as the _Au
|
|
|
|
|
|
NOTE: https://developer.github.com/v3/oauth/[GitHub's OAuth 2.0 implementation] supports the standard
|
|
|
https://tools.ietf.org/html/rfc6749#section-4.1[authorization code grant type].
|
|
|
- However, it *does not* implement the _OpenID Connect 1.0_ specification.
|
|
|
+ However, it *does not* implement the _OpenID Connect Core 1.0_ authorization code flow.
|
|
|
|
|
|
[[github-login-register-application]]
|
|
|
=== Register OAuth application
|
|
|
@@ -191,7 +192,7 @@ The goal for this section of the guide is to setup login using Facebook as the _
|
|
|
|
|
|
NOTE: Facebook provides support for developers to https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow[_Manually Build a Login Flow_].
|
|
|
The _login flow_ uses browser-based redirects, which essentially implements the https://tools.ietf.org/html/rfc6749#section-4.1[authorization code grant type].
|
|
|
- (NOTE: Facebook partially implements the _OAuth 2.0 Authorization Framework_, however, it *does not* implement the _OpenID Connect 1.0_ specification.)
|
|
|
+ (NOTE: Facebook partially implements the _OAuth 2.0 Authorization Framework_, however, it *does not* implement the _OpenID Connect Core 1.0_ authorization code flow.)
|
|
|
|
|
|
[[facebook-login-register-application]]
|
|
|
=== Add a New App
|
|
|
@@ -315,10 +316,11 @@ security:
|
|
|
authorization-uri: https://${account-subdomain}.oktapreview.com/oauth2/v1/authorize
|
|
|
token-uri: https://${account-subdomain}.oktapreview.com/oauth2/v1/token
|
|
|
user-info-uri: https://${account-subdomain}.oktapreview.com/oauth2/v1/userinfo
|
|
|
+ jwk-set-uri: https://${account-subdomain}.oktapreview.com/oauth2/v1/keys
|
|
|
----
|
|
|
|
|
|
Replace *${client-id}* and *${client-secret}* with the *client credentials* created in the previous section <<okta-login-register-application, Add Application>>.
|
|
|
-As well, replace *${account-subdomain}* in _authorization-uri_, _token-uri_ and _user-info-uri_ with the *sub-domain* assigned to your account during the registration process.
|
|
|
+As well, replace *${account-subdomain}* in _authorization-uri_, _token-uri_, _user-info-uri_ and _jwk-set-uri_ with the *sub-domain* assigned to your account during the registration process.
|
|
|
|
|
|
[TIP]
|
|
|
.OAuth client properties
|
|
|
@@ -391,24 +393,21 @@ NOTE: The default redirect URI is _"{scheme}://{serverName}:{serverPort}/oauth2/
|
|
|
|
|
|
- *scopes* - a comma-delimited string of scope(s) requested during the _Authorization Request_ flow, for example: _openid, email, profile_
|
|
|
|
|
|
-NOTE: _OpenID Connect 1.0_ defines these http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[standard scopes]: _profile, email, address, phone_
|
|
|
+NOTE: _OpenID Connect Core 1.0_ defines these http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[standard scopes]: _profile, email, address, phone_
|
|
|
|
|
|
NOTE: Non-standard scopes may be defined by a standard _OAuth 2.0 Provider_. Please consult the Provider's OAuth API documentation to learn which scopes are supported.
|
|
|
|
|
|
- *authorization-uri* - the URI used by the client to redirect the end-user's user-agent to the _Authorization Server_ in order to obtain authorization from the end-user (the _Resource Owner_).
|
|
|
- *token-uri* - the URI used by the client when exchanging an _Authorization Grant_ (for example, Authorization Code) for an _Access Token_ at the _Authorization Server_.
|
|
|
- *user-info-uri* - the URI used by the client to access the protected resource *UserInfo Endpoint*, in order to obtain attributes of the end-user.
|
|
|
-- *user-info-converter* - the `java.util.function.Function` implementation class used to convert the *UserInfo Response* to a `UserInfo` (_OpenID Connect 1.0 Provider_) or `OAuth2User` instance (_Standard OAuth 2.0 Provider_).
|
|
|
+- *jwk-set-uri* - the URI used to retrieve the https://tools.ietf.org/html/rfc7517[JSON Web Key (JWK)] `Set`,
|
|
|
+ which contains cryptographic key(s) that are used to verify the https://tools.ietf.org/html/rfc7515[JSON Web Signature (JWS)] of the *ID Token* and optionally the *UserInfo Endpoint* response.
|
|
|
+- *user-name-attribute-name* - the name of the attribute returned in the *UserInfo Endpoint* response that references the *Name* of the end-user.
|
|
|
|
|
|
-TIP: The `java.util.function.Function` implementation class for an _OpenID Connect 1.0 Provider_ is *org.springframework.security.oauth2.client.user.converter.UserInfoConverter*
|
|
|
- and for a standard _OAuth 2.0 Provider_ it's *org.springframework.security.oauth2.client.user.converter.OAuth2UserConverter*.
|
|
|
-
|
|
|
-- *user-info-name-attribute-key* - the _key_ used to retrieve the *Name* of the end-user from the `Map` of available attributes in `UserInfo` or `OAuth2User`.
|
|
|
-
|
|
|
-NOTE: _OpenID Connect 1.0_ defines the http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[*"name"* Claim], which is the end-user's full name and is the default used for `UserInfo`.
|
|
|
+NOTE: _OpenID Connect Core 1.0_ defines the http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[_name_ Claim], which is the end-user's full name and is the default used for `DefaultOidcUser`.
|
|
|
|
|
|
IMPORTANT: Standard _OAuth 2.0 Provider's_ may vary the naming of their *Name* attribute. Please consult the Provider's *UserInfo* API documentation.
|
|
|
- This is a *_required_* property when *user-info-converter* is set to `OAuth2UserConverter`.
|
|
|
+ This is a *_required_* property for `DefaultOAuth2User`.
|
|
|
|
|
|
- *client-name* - this is a descriptive name used for the client. The name may be used in certain scenarios, for example, when displaying the name of the client in the _auto-generated login page_.
|
|
|
- *client-alias* - an _alias_ which uniquely identifies the client. It *must be* unique within a `ClientRegistrationRepository`.
|
|
|
@@ -438,7 +437,7 @@ security:
|
|
|
authorization-uri: "https://accounts.google.com/o/oauth2/auth"
|
|
|
token-uri: "https://accounts.google.com/o/oauth2/token"
|
|
|
user-info-uri: "https://www.googleapis.com/oauth2/v3/userinfo"
|
|
|
- user-info-converter: "org.springframework.security.oauth2.client.user.converter.UserInfoConverter"
|
|
|
+ jwk-set-uri: https://www.googleapis.com/oauth2/v3/certs
|
|
|
client-name: Google
|
|
|
client-alias: google
|
|
|
github:
|
|
|
@@ -449,7 +448,6 @@ security:
|
|
|
authorization-uri: "https://github.com/login/oauth/authorize"
|
|
|
token-uri: "https://github.com/login/oauth/access_token"
|
|
|
user-info-uri: "https://api.github.com/user"
|
|
|
- user-info-converter: "org.springframework.security.oauth2.client.user.converter.OAuth2UserConverter"
|
|
|
client-name: GitHub
|
|
|
client-alias: github
|
|
|
facebook:
|
|
|
@@ -460,7 +458,6 @@ security:
|
|
|
authorization-uri: "https://www.facebook.com/v2.8/dialog/oauth"
|
|
|
token-uri: "https://graph.facebook.com/v2.8/oauth/access_token"
|
|
|
user-info-uri: "https://graph.facebook.com/me"
|
|
|
- user-info-converter: "org.springframework.security.oauth2.client.user.converter.OAuth2UserConverter"
|
|
|
client-name: Facebook
|
|
|
client-alias: facebook
|
|
|
okta:
|
|
|
@@ -468,7 +465,6 @@ security:
|
|
|
authorized-grant-type: authorization_code
|
|
|
redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
|
|
|
scopes: openid, email, profile
|
|
|
- user-info-converter: "org.springframework.security.oauth2.client.user.converter.UserInfoConverter"
|
|
|
client-name: Okta
|
|
|
client-alias: okta
|
|
|
----
|
|
|
@@ -498,7 +494,7 @@ security.oauth2.client.google.scopes=openid,email,profile
|
|
|
security.oauth2.client.google.authorization-uri=https://accounts.google.com/o/oauth2/auth
|
|
|
security.oauth2.client.google.token-uri=https://accounts.google.com/o/oauth2/token
|
|
|
security.oauth2.client.google.user-info-uri=https://www.googleapis.com/oauth2/v3/userinfo
|
|
|
-security.oauth2.client.google.user-info-converter=org.springframework.security.oauth2.client.user.converter.UserInfoConverter
|
|
|
+security.oauth2.client.google.jwk-set-uri=https://www.googleapis.com/oauth2/v3/certs
|
|
|
security.oauth2.client.google.client-name=Google
|
|
|
security.oauth2.client.google.client-alias=google
|
|
|
----
|
|
|
@@ -523,11 +519,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
.anyRequest().authenticated()
|
|
|
.and()
|
|
|
.oauth2Login()
|
|
|
- .clients(clientRegistrationRepository())
|
|
|
- .userInfoEndpoint()
|
|
|
- .userInfoTypeConverter(
|
|
|
- new UserInfoConverter(),
|
|
|
- new URI("https://www.googleapis.com/oauth2/v3/userinfo"));
|
|
|
+ .clients(clientRegistrationRepository());
|
|
|
}
|
|
|
|
|
|
@Bean
|
|
|
@@ -550,6 +542,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
String authorizationUri = this.environment.getProperty(clientPropertyKey + "authorization-uri");
|
|
|
String tokenUri = this.environment.getProperty(clientPropertyKey + "token-uri");
|
|
|
String userInfoUri = this.environment.getProperty(clientPropertyKey + "user-info-uri");
|
|
|
+ String jwkSetUri = this.environment.getProperty(clientPropertyKey + "jwk-set-uri");
|
|
|
String clientName = this.environment.getProperty(clientPropertyKey + "client-name");
|
|
|
String clientAlias = this.environment.getProperty(clientPropertyKey + "client-alias");
|
|
|
|
|
|
@@ -562,6 +555,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
|
|
.authorizationUri(authorizationUri)
|
|
|
.tokenUri(tokenUri)
|
|
|
.userInfoUri(userInfoUri)
|
|
|
+ .jwkSetUri(jwkSetUri)
|
|
|
.clientName(clientName)
|
|
|
.clientAlias(clientAlias)
|
|
|
.build();
|
Joe Grandja