java - Log into a Spring Security application using a 3rd party OAuth2 server -


I am working on a web application secured with Spring Security. A new requirement is that users can log in using an existing, 3rd party OAuth2 server, based on the authorization code grant, and use the API exposed by it. Think of the app as an e-banking site and the 3rd party API as the banking back-end that the app calls to get the list of accounts for a user, for example.

important points:

  • The authorization server and the resource server are one and the same, an external application, out of my control.
  • My application has no way to establish the user's identity itself. The user is redirected to a different page to log in and, if successful, my application receives a token to use for that user. I'm guessing I should store the token in the user's session and keep submitting it whenever I need to call the API.
  • The user in my application, once authenticated, should have roles based on the OAuth2 scope assigned by the server.

questions:

  • Isn't the login flow explained above the normal authorization code grant flow? If so, what is Spring's rationale for expecting me to have a logged-in user before acquiring a token? Isn't the act of acquiring the token "logging in"? How would I know how to log in the user when the whole purpose of the authorization code grant is not to have the user send credentials to my app directly?
  • Spring wants me to map user roles to scopes... isn't that the exact opposite of what is expected? Shouldn't I receive a scope signifying what the user can do, and assign a role in my app based on that?
  • Is it possible to configure the server (and the app) to not ask the user to explicitly grant permissions to the app? The reason is that the app is the way the user accesses the 3rd party API (e.g. the way to get the list of bank accounts is to use the e-banking site), so by using the app (the e-banking site), they want to be able to do the job (get the list of accounts from the banking back-end).

Yes, the login flow you explained is correct. OAuth2RestTemplate stores the token in the session.

But I don't understand your questions fully.

  1. Do you mean Spring forces the user to be logged in to the authorization server before granting an auth code? That is correct, because the user allows your app to do operations on their behalf. How can they grant that without being logged in?

  2. I'm not sure Spring forces you to map user roles to scopes. Isn't that done in the authorization server to limit the scopes that can be granted to a user? You're right - you can use the token scopes and map them to internal roles in your app if needed.

  3. We used CloudFoundry UAA to build our OAuth2 authorization server and it has the concept of auto-approved scopes (i.e. no explicit user approval needed). You can take a look at that.

We had the same requirement and did our own custom AuthenticationFilter (mapped to the redirect_uri) exchanging the received auth code for an access token and creating the internal Authentication from the received token, with appropriate internal roles.
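As an added illustration of the custom-filter approach described in the answer (not the answerer's code), here is a sketch of an `AbstractAuthenticationProcessingFilter` mapped to the redirect_uri that exchanges the code for a token, keeps the token in the session and derives internal roles from the granted scopes. The callback path, the `TokenExchanger` interface, the `ThirdPartyToken` type, the session attribute names and the scope-to-role naming are assumptions, the `state` check is a standard addition not mentioned in the thread, and a javax.servlet (pre-Jakarta) Spring Security is assumed.

```java
import java.util.Collection;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

// Hypothetical result of the code-for-token exchange at the 3rd-party token endpoint.
record ThirdPartyToken(String accessToken, String subject, Collection<String> scopes) {}

/** Hypothetical: performs the code-for-token POST (e.g. with OAuth2RestTemplate); kept abstract here. */
interface TokenExchanger {
    ThirdPartyToken exchange(String code, String redirectUri);
}

public class ThirdPartyCodeFilter extends AbstractAuthenticationProcessingFilter {
    static final String SESSION_STATE = "oauth2.state"; // assumed: where the login redirect stored its state
    static final String SESSION_TOKEN = "oauth2.token"; // assumed: token kept in the session for later API calls
    private final TokenExchanger exchanger;
    private final String redirectUri;

    public ThirdPartyCodeFilter(TokenExchanger exchanger, String redirectUri) {
        super("/login/oauth2/callback"); // assumed path; must equal the registered redirect_uri
        this.exchanger = exchanger;
        this.redirectUri = redirectUri;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
        // Reject callbacks whose state does not match the one issued for this session (standard CSRF defence).
        Object expected = req.getSession().getAttribute(SESSION_STATE);
        String code = req.getParameter("code");
        if (code == null || expected == null || !expected.equals(req.getParameter("state"))) {
            throw new BadCredentialsException("missing code or state mismatch");
        }
        req.getSession().removeAttribute(SESSION_STATE); // state is single-use
        ThirdPartyToken token = exchanger.exchange(code, redirectUri); // authorization code -> access token
        req.getSession().setAttribute(SESSION_TOKEN, token.accessToken());
        // Roles derive from the scopes the server granted, e.g. scope "accounts.read" -> ROLE_ACCOUNTS_READ
        Collection<GrantedAuthority> roles = token.scopes().stream()
            .map(s -> new SimpleGrantedAuthority("ROLE_" + s.toUpperCase().replace('.', '_')))
            .collect(Collectors.toList());
        // Internal Authentication built from the external token; no password is ever seen by this app.
        return new UsernamePasswordAuthenticationToken(token.subject(), null, roles);
    }
}
```

The filter still needs an `AuthenticationManager` (the returned token is already authenticated, so a pass-through manager suffices) and must be registered before the standard form-login filter in the Spring Security filter chain.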

