I'm developing a Grails REST API to use with an Angular app. I used Spring Security Rest Plugin for authentication.
I'm implementing a reset password feature, and after the user resets their password, I want to retrieve the JWT token, in order to send it to the Angular app, so the user will not need to authenticate manually.
How can I retrieve the token? Couldn't find it on the plugin docs. The commented line is what I want to achieve:
if(passwordReset?.isValid()){
passwordReset.password = request.JSON.password
User user = User.resetPassword(passwordReset)
springSecurityService.reauthenticate(user.username)
//springSecurityService.getJwtToken()
}
Related
Here is my project details,
We have a Mobile App that should send device's data to Thingsboard server.
For this, we need to have a user accounts in Thingboard, so that they can JWT token on sign-in in the Mobile App. And this JWT token is user for the data upload & retrieve.
So, for the new users, we have developed a form page to register in the APP. When user fill-up the form and submit, what api shall be used here that will create a new User entity in Thingboard and send an account activation link to provided email?
Your help would be appreciated.
Thank you.
The Thingsboard REST API has proper 'saveUser' method that can be used to create user accounts, however this endpoint requires a JWT Token with proper authorization to Create Users.
We had a similar problem and ended up creating a custom REST api service to wrap the Thingsboard Native REST and user a hardcoded username and password in order to auth the account creations. We did this to avoid having the username and password hardcoded in our Mobile App. We later switched to adding the users directly in database with an ORM.
We had to use this approach because we user Thingsboard PE, if you use TB CE you can try to modify the REST Api in order to allow this endpoint to be used without JWT.
The swagger UI can be checked at:
{base_url}/swagger-ui.html
and the crate user endpoint is:
{base_url}/api/user?sendActivationMail=true
I have implemented spring security for UsernamePassword based authentication.
Tables like oauth_access_token, oauth_client_details etc are created by spring.
Tokens generated by tokenEndpoint.postAccessToken(principal, parameters); are stored in oauth_access_token table.
Scenario:
I need to have both usernamPassword based authentication and Google OAuth support.
Now I have to integrate Google OAuth in my application.
I can't use Google's API for every request validation so once I get the user profile from Google I'm trying to generate the token using tokenEndPoint and give it to client (Mobile App/Front end).
Problem:
-> I can't use "password" as grant type, as there is no password in this case and if I use password as grant type then Spring security uses password in DB for password validation
Is my approach correct.? what should I do here to store tokens in oauth_access_token table?
What is the best practice to support Social login and generate custom token which will be shared with the client.?
I am newbie to OAuth2 and understood its implementation theoretically very well. I followed this link to handle OAuth2 callback URL Build Authorization Callback Handler. But i am using Spring Security in my project, so i don't have to do much work myself. I am using salesforce API. Whenever there is UserRedirectionRequiredException, the spring security OAuth2's ClientContextFilter handles it and redirects for authorization.It all works very Well. I am able to get contacts , tags from salesforce account using RestTemplate and salesfore Resource.
The question is how to handle oauth2 callback URL using spring security. whenever i call any salesforce api e.g getContacts, if access token is available it works. But if i don't have accesstoken, the user is redirected and when authorized, the access Token is obtained from provider but the control goes to my Oauth2callback url and finishes there. Now i have again to call the getContacts Api and it retrives the contacts.
Help me in implementing OAuth2Callback URL using spring security so that when i call any Api, if unauthorized, after authorizing and retrieving accesstoken it automatically calles back to that API rather than stoping on my OAuth2callback URL.
I want to build three example apps. One will be a sinatra oauth2 provider and second will be rails app with angular.js on frontend and rails on backend and third with sinatra on backend and angular.js on frontend.
Our Rails/Sinatra app will be authenticate users using satelizer and our custom provider.
These is our Oauth2 workflow right now.
Using Satellizer we get the authorization code from provider. We send this code to our backend.
In backend using this authorization code, secret key and other params, we send an request to provider to get an access token.
Using this obtain access token we call '/me' action to get an uid, email and other user attributes from provider.
In the same action we parse the response body and we find or create user based on uid.
We are wondering about this step which should somehow set the user's authentication token.
store the provider access token in user database record.
generate new authentication token and change it on every request
Generate JWToken with user uid and token and send it back to satellizer.
Then on each request Satellizer include Bearer JWToken in header. After recive request our backend verify header token stored in database and call sing_in method in our case devise(sign_in, store: false) maybe in sinatra app we will use warden.
What do you think about this concept? Maybe we are missing something. These is our first oauth2 authentication implementation and we are worried about it.
How do I secure my API when I want an app to be able to retrieve app-specific information without a user logged in and when I have an OAuth provider for another section of my API? Can I use the client app's OAuth credentials to hit the API without a user logged in?
I have create an OAuth provider and client using doorkeeper following railscasts 353. I can successfully authenticate a user to my provider app and make requests on behalf of the user to my provider API.
However, a portion of the API is user independent, meaning that the information returned from the API is not specific for a user and therefore a user should not have to be logged in. For example, assume an ecommerce site and items and prices are stored on the provider for multiple clients. I want a client app to be able to securely retrieve the items/prices associated the retrieving app without a user having to be logged in. So if you went to example.com the items would be displayed even if a user is logged in via OAuth.
I have only be able to retrieve this information via OAuth when a user has logged in through OAuth (creating an access_token). Is there a way to use OAuth without having a user present (I've been trying to read about 2-legged OAuth and if that is an appropriate solution)? Or do I need to use Api keys (or Http Basic Auth) for the application to retrieve the application specific data?
If OAuth is not the right solution because I do not have a user present, could/should I use HTTP Basic Auth over SSL and use the client site's OAuth secret key as the API key for the basic auth username?
If you need to authenticate your client apps in you API (without requiring a user specifically) use the Client Credentials flow