Hell.
In the documentation of google drive SDK, it is not mentioned what does setState create.
I'm going to implement Google drive Server-side Authorization. I found the code in documentation.
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson.JacksonFactory;
import com.google.api.services.oauth2.Oauth2;
import com.google.api.services.oauth2.model.Userinfo;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
// ...
class MyClass {
// Path to client_secrets.json which should contain a JSON document such as:
// {
// "web": {
// "client_id": "[[YOUR_CLIENT_ID]]",
// "client_secret": "[[YOUR_CLIENT_SECRET]]",
// "auth_uri": "https://accounts.google.com/o/oauth2/auth",
// "token_uri": "https://accounts.google.com/o/oauth2/token"
// }
// }
private static final String CLIENTSECRETS_LOCATION = "client_secrets.json";
private static final String REDIRECT_URI = "<YOUR_REGISTERED_REDIRECT_URI>";
private static final List<String> SCOPES = Arrays.asList(
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile");
private static GoogleAuthorizationCodeFlow flow = null;
/**
* Exception thrown when an error occurred while retrieving credentials.
*/
public static class GetCredentialsException extends Exception {
protected String authorizationUrl;
/**
* Construct a GetCredentialsException.
*
* #param authorizationUrl The authorization URL to redirect the user to.
*/
public GetCredentialsException(String authorizationUrl) {
this.authorizationUrl = authorizationUrl;
}
/**
* Set the authorization URL.
*/
public void setAuthorizationUrl(String authorizationUrl) {
this.authorizationUrl = authorizationUrl;
}
/**
* #return the authorizationUrl
*/
public String getAuthorizationUrl() {
return authorizationUrl;
}
}
/**
* Exception thrown when a code exchange has failed.
*/
public static class CodeExchangeException extends GetCredentialsException {
/**
* Construct a CodeExchangeException.
*
* #param authorizationUrl The authorization URL to redirect the user to.
*/
public CodeExchangeException(String authorizationUrl) {
super(authorizationUrl);
}
}
/**
* Exception thrown when no refresh token has been found.
*/
public static class NoRefreshTokenException extends GetCredentialsException {
/**
* Construct a NoRefreshTokenException.
*
* #param authorizationUrl The authorization URL to redirect the user to.
*/
public NoRefreshTokenException(String authorizationUrl) {
super(authorizationUrl);
}
}
/**
* Exception thrown when no user ID could be retrieved.
*/
private static class NoUserIdException extends Exception {
}
/**
* Retrieved stored credentials for the provided user ID.
*
* #param userId User's ID.
* #return Stored Credential if found, {#code null} otherwise.
*/
static Credential getStoredCredentials(String userId) {
// TODO: Implement this method to work with your database. Instantiate a new
// Credential instance with stored accessToken and refreshToken.
throw new UnsupportedOperationException();
}
/**
* Store OAuth 2.0 credentials in the application's database.
*
* #param userId User's ID.
* #param credentials The OAuth 2.0 credentials to store.
*/
static void storeCredentials(String userId, Credential credentials) {
// TODO: Implement this method to work with your database.
// Store the credentials.getAccessToken() and credentials.getRefreshToken()
// string values in your database.
throw new UnsupportedOperationException();
}
/**
* Build an authorization flow and store it as a static class attribute.
*
* #return GoogleAuthorizationCodeFlow instance.
* #throws IOException Unable to load client_secrets.json.
*/
static GoogleAuthorizationCodeFlow getFlow() throws IOException {
if (flow == null) {
HttpTransport httpTransport = new NetHttpTransport();
JacksonFactory jsonFactory = new JacksonFactory();
GoogleClientSecrets clientSecrets =
GoogleClientSecrets.load(jsonFactory,
MyClass.class.getResourceAsStream(CLIENTSECRETS_LOCATION));
flow =
new GoogleAuthorizationCodeFlow.Builder(httpTransport, jsonFactory, clientSecrets, SCOPES)
.setAccessType("offline").setApprovalPrompt("force").build();
}
return flow;
}
/**
* Exchange an authorization code for OAuth 2.0 credentials.
*
* #param authorizationCode Authorization code to exchange for OAuth 2.0
* credentials.
* #return OAuth 2.0 credentials.
* #throws CodeExchangeException An error occurred.
*/
static Credential exchangeCode(String authorizationCode)
throws CodeExchangeException {
try {
GoogleAuthorizationCodeFlow flow = getFlow();
GoogleTokenResponse response =
flow.newTokenRequest(authorizationCode).setRedirectUri(REDIRECT_URI).execute();
return flow.createAndStoreCredential(response, null);
} catch (IOException e) {
System.err.println("An error occurred: " + e);
throw new CodeExchangeException(null);
}
}
/**
* Send a request to the UserInfo API to retrieve the user's information.
*
* #param credentials OAuth 2.0 credentials to authorize the request.
* #return User's information.
* #throws NoUserIdException An error occurred.
*/
static Userinfo getUserInfo(Credential credentials)
throws NoUserIdException {
Oauth2 userInfoService =
new Oauth2.Builder(new NetHttpTransport(), new JacksonFactory(), credentials).build();
Userinfo userInfo = null;
try {
userInfo = userInfoService.userinfo().get().execute();
} catch (IOException e) {
System.err.println("An error occurred: " + e);
}
if (userInfo != null && userInfo.getId() != null) {
return userInfo;
} else {
throw new NoUserIdException();
}
}
/**
* Retrieve the authorization URL.
*
* #param emailAddress User's e-mail address.
* #param state State for the authorization URL.
* #return Authorization URL to redirect the user to.
* #throws IOException Unable to load client_secrets.json.
*/
public static String getAuthorizationUrl(String emailAddress, String state) throws IOException {
GoogleAuthorizationCodeRequestUrl urlBuilder =
getFlow().newAuthorizationUrl().setRedirectUri(REDIRECT_URI).setState(state);
urlBuilder.set("user_id", emailAddress);
return urlBuilder.build();
}
/**
* Retrieve credentials using the provided authorization code.
*
* This function exchanges the authorization code for an access token and
* queries the UserInfo API to retrieve the user's e-mail address. If a
* refresh token has been retrieved along with an access token, it is stored
* in the application database using the user's e-mail address as key. If no
* refresh token has been retrieved, the function checks in the application
* database for one and returns it if found or throws a NoRefreshTokenException
* with the authorization URL to redirect the user to.
*
* #param authorizationCode Authorization code to use to retrieve an access
* token.
* #param state State to set to the authorization URL in case of error.
* #return OAuth 2.0 credentials instance containing an access and refresh
* token.
* #throws NoRefreshTokenException No refresh token could be retrieved from
* the available sources.
* #throws IOException Unable to load client_secrets.json.
*/
public static Credential getCredentials(String authorizationCode, String state)
throws CodeExchangeException, NoRefreshTokenException, IOException {
String emailAddress = "";
try {
Credential credentials = exchangeCode(authorizationCode);
Userinfo userInfo = getUserInfo(credentials);
String userId = userInfo.getId();
emailAddress = userInfo.getEmail();
if (credentials.getRefreshToken() != null) {
storeCredentials(userId, credentials);
return credentials;
} else {
credentials = getStoredCredentials(userId);
if (credentials != null && credentials.getRefreshToken() != null) {
return credentials;
}
}
} catch (CodeExchangeException e) {
e.printStackTrace();
// Drive apps should try to retrieve the user and credentials for the current
// session.
// If none is available, redirect the user to the authorization URL.
e.setAuthorizationUrl(getAuthorizationUrl(emailAddress, state));
throw e;
} catch (NoUserIdException e) {
e.printStackTrace();
}
// No refresh token has been retrieved.
String authorizationUrl = getAuthorizationUrl(emailAddress, state);
throw new NoRefreshTokenException(authorizationUrl);
}
}
First here, I should invoke getCredentials method, which has 2 parameters - Authorization code and State. here, what should state be? where can I get this? what does this means?
It allows to you pass an arbitrary string to consent page, and when consent page is redirecting back to your application it keeps the state as a query parameter. It's usually used to keep information about the next page and the state of the page.
If you dont have a state to keep for post-redirect, you can pass null.
Related
I created a very easy flow test with IntelliJ.
#Test
public void dummyTest() throws InterruptedException, ExecutionException {
Party Alice = aliceNode.getServices().getIdentityService().wellKnownPartyFromX500Name(new CordaX500Name("Alice", "London", "GB"));
FlowInitiatorIssueToken flow = new FlowInitiatorIssueToken(30, alice, network.getDefaultNotaryIdentity());
SignedTransaction transaction = bobNode.startFlow(flow).get();
// The error occurs because of this line ....
State state = (State) transaction.getTx().getOutputStates().get(0);
assertEquals(state.getParticipants(), alice);
VaultQueryCriteria criteria = new VaultQueryCriteria(Vault.StateStatus.ALL);
aliceNode.transaction(() -> {
Vault.Page<State> result = aliceNode.getServices().getVaultService().queryBy(State.class, criteria);
assertTrue(result.getStates().size() > 0);
return null;
});
network.runNetwork();
}
IntelliJ is not able to fulfil the test and gives me the error
statemachine.FlowMonitor. - Flow with id 3982ab19-3e5b-4737-9adf-e4a6a97d20e6 has been waiting for 117 seconds to receive messages from parties [O=Alice, L=London, C=GB]
This led to the assumption that the responder flow is not doing anything.
// ******************
// * Initiator flow *
// ******************
#InitiatingFlow
#StartableByRPC
public class FlowInitiatorIssueToken extends FlowLogic<SignedTransaction> {
private final Integer value;
private final Party counterParty;
private final Party notary;
public FlowInitiatorIssuToken(Integer value, Party counterParty, Party notary) {
this.value = value;
this.counterParty = counterParty;
this.notary = notary;
}
/**
* The flow logic is encapsulated within the call() method.
*/
#Suspendable
#Override
public SignedTransaction call() throws FlowException {
/*------------------------------
* SENDING AND RECEIVING DATA *
------------------------------*/
FlowSession issueTokenSession = initiateFlow((Party) counterParty);
/*------------------------------------------
* GATHERING OTHER TRANSACTION COMPONENTS *
------------------------------------------*/
State outputState = new State(this.value, this.counterParty);
Command<ContractToken.Commands.Issue> command = new Command<>(new ContractToken.Commands.Issue(), getOurIdentity().getOwningKey());
/*------------------------
* TRANSACTION BUILDING *
------------------------*/
TransactionBuilder txBuilder = new TransactionBuilder(notary)
.addOutputState(outputState, ContractToken.ID)
.addCommand(command);
/*-----------------------
* TRANSACTION SIGNING *
-----------------------*/
SignedTransaction signedTx = getServiceHub().signInitialTransaction(txBuilder);
/*------------------------------
* FINALISING THE TRANSACTION *
------------------------------*/
System.out.println("Hey World!");
subFlow(new FinalityFlow(signedTx, issueTokenSession));
return null;
}
}
// ******************
// * Responder flow *
// ******************
#InitiatedBy(FlowInitiatorIssueToken.class)
public class FlowResponderIssueToken extends FlowLogic<SignedTransaction> {
private final FlowSession issueTokenSession;
public FlowResponderIssueToken(FlowSession issueTokenSession) {
this.issueTokenSession = issueTokenSession;
}
#Suspendable
#Override
public SignedTransaction call() throws FlowException {
/*-----------------------------------------
* RESPONDING TO COLLECT_SIGNATURES_FLOW *
-----------------------------------------*/
class SignTxFlow extends SignTransactionFlow {
private SignTxFlow(FlowSession issueTokenSession) {
super(issueTokenSession);
}
#Override
protected void checkTransaction(SignedTransaction stx) {
}
}
SecureHash idOfTxWeSigned = subFlow(new SignTxFlow(issueTokenSession, SignTransactionFlow.tracker())).getId();
/*------------------------------
* FINALISING THE TRANSACTION *
------------------------------*/
subFlow(new ReceiveFinalityFlow(issueTokenSession, idOfTxWeSigned));
return null;
}
}
The initiator flow is executed. I can see that, because the System.out.println("Hey World!") command is showing up in the logs. However, I don't know whether the responder flow is never started by the initiator flow or it is just not reacting. Maybe you can help me with that.
Thanks!
You didn't call CollectSignaturesFlow in your initiator; that's why you didn't initiate a "conversation" with the responder for them to sign the transaction. See example here.
SignTransactionFlow that you call in your responder is a "reply" to calling CollectSignaturesFlow in the initiator.
Btw, you must verify a transaction before you sign it in your initiator. See example here.
Another thing missing was the key of the counterParty. When initialising the command, I added
final Command<ContractToken.Commands.Issue> txCommand = new Command<>(
new ContractToken.Commands.Issue(),
ImmutableList.of(getOurIdentity().getOwningKey(), counterParty.getOwningKey()));
We're working on a Spring Boot application that is an OIDC client. The identity provider (IdP) is a third-party service and fully OpenID Connect and OAuth 2.0 compliant (as far as we can tell). As it's built with high security in mind, its UserInfo endpoint returns a signed JWT (instead of a regular one).
It seems that Spring Security does not support it. The authentication flow ends with an error message (displayed in an HTML page generated by our Spring application):
[invalid_user_info_response] An error occurred while attempting to
retrieve the UserInfo Resource: Could not extract response: no
suitable HttpMessageConverter found for response type
[java.util.Map] and content type
[application/jwt;charset=UTF-8]
My questions:
Is it correct that Spring does not currently support UserInfo endpoints returning signed JWTs?
If so, how can we add support for signed JWTs (including verfication of the signature)?
Our analysis has shown that the DefaultOAuth2UserService requests (Accept: application/json) and expects a JSON response from the IdP. However, being configured for high security, the IdP returns a signed JWT with the content type application/jwt. The response looks like the example on jwt.io. As the RestTemplate has no message converter capable of handling the content type application/jwt, the authenticaton fails.
Our sample app is as simple as it gets:
build.gradle
plugins {
id 'java'
id 'org.springframework.boot' version '2.2.4.RELEASE'
id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}
group = 'com.example'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '11'
repositories {
mavenCentral()
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
}
DemoApplication.java
package demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
#SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
}
application.yml
server:
port: 8081
spring:
security:
oauth2:
client:
registration:
demo:
client-id: our-client-id
client-secret: our-client-secret
clientAuthenticationMethod: post
provider: our-idp
scope:
- profile
- email
provider:
our-idp:
issuer-uri: https://login.idp.com:443/idp/oauth2
HomeController.java
package demo;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
#RestController
public class HomeController {
#GetMapping("/")
String hello() { return "hello"; }
}
After more analysis, it seems Spring Boot does not support UserInfo endpoints returning signed JWTs. It's obviously an unusual setup (but still within the OAuth 2.0 / OIDC specification). What I haven't mentioned so far is that the JWT is signed with the client secret.
While Spring Boot doesn't support it, it can be added. The solution consists of:
A user service supporting signed JWTs (as a replacment for DefaultOAuth2UserService)
A HttpMessageConverter supporting JWTs (used in the user service's RestTemplate)
A JwtDecoder using the client secret
A security configuration that puts the pieces together
Note that we have changed from OAuth 2.0 to OIDC in the mean-time, thus our application.yml now includes the openid scope.
spring:
security:
oauth2:
client:
registration:
demo:
client-id: our-client-id
client-secret: our-client-secret
clientAuthenticationMethod: post
provider: our-idp
scope:
- profile
- email
provider:
our-idp:
issuer-uri: https://login.idp.com:443/idp/oauth2
The security configuration is:
package demoapp;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final ClientRegistrationRepository clientRegistrationRepository;
public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
this.clientRegistrationRepository = clientRegistrationRepository;
}
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService());
}
#Bean
OidcUserService oidcUserService() {
OidcUserService userService = new OidcUserService();
userService.setOauth2UserService(new ValidatingOAuth2UserService(jwtDecoderUsingClientSecret("demo")));
return userService;
}
JwtDecoder jwtDecoderUsingClientSecret(String registrationId) {
ClientRegistration registration = clientRegistrationRepository.findByRegistrationId(registrationId);
SecretKeySpec key = new SecretKeySpec(registration.getClientSecret().getBytes(StandardCharsets.UTF_8), "HS256");
return NimbusJwtDecoder.withSecretKey(key).build();
}
}
If you are using OAuth 2.0 instead of OIDC (i.e. you don't use the scope 'openid'), the configuration is simpler:
package demo;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final ClientRegistrationRepository clientRegistrationRepository;
public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
this.clientRegistrationRepository = clientRegistrationRepository;
}
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.userService(new ValidatingOAuth2UserService(jwtDecoderUsingClientSecret("demo")));
}
JwtDecoder jwtDecoderUsingClientSecret(String registrationId) {
ClientRegistration registration = clientRegistrationRepository.findByRegistrationId(registrationId);
SecretKeySpec key = new SecretKeySpec(registration.getClientSecret().getBytes(StandardCharsets.UTF_8), "HS256");
return NimbusJwtDecoder.withSecretKey(key).build();
}
}
The ValidatingOAuth2UserService class is - for the most part - a copy of DefaultOAuth2UserService:
/*
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package demo;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequestEntityConverter;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.client.ResponseErrorHandler;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
/**
* An implementation of an {#link OAuth2UserService} that supports standard OAuth 2.0 Provider's.
* <p>
* This provider supports <i>UserInfo</i> endpoints returning user details
* in signed JWTs (content-type {#code application/jwt}).
* </p>
* <p>
* For standard OAuth 2.0 Provider's, the attribute name used to access the user's name
* from the UserInfo response is required and therefore must be available via
* {#link ClientRegistration.ProviderDetails.UserInfoEndpoint#getUserNameAttributeName() UserInfoEndpoint.getUserNameAttributeName()}.
* <p>
* <b>NOTE:</b> Attribute names are <b>not</b> standardized between providers and therefore will vary.
* Please consult the provider's API documentation for the set of supported user attribute names.
*
* #see org.springframework.security.oauth2.client.userinfo.OAuth2UserService
* #see OAuth2UserRequest
* #see OAuth2User
* #see DefaultOAuth2User
*/
public class ValidatingOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {
private static final String MISSING_USER_INFO_URI_ERROR_CODE = "missing_user_info_uri";
private static final String MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE = "missing_user_name_attribute";
private static final String INVALID_USER_INFO_RESPONSE_ERROR_CODE = "invalid_user_info_response";
private Converter<OAuth2UserRequest, RequestEntity<?>> requestEntityConverter = new OAuth2UserRequestEntityConverter();
private RestOperations restOperations;
private JwtDecoder jwtDecoder;
public ValidatingOAuth2UserService(JwtDecoder jwtDecoder) {
this.jwtDecoder = jwtDecoder;
RestTemplate restTemplate = new RestTemplate();
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
restTemplate.getMessageConverters().add(new JwtHttpMessageConverter());
this.restOperations = restTemplate;
}
#Override
public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
Assert.notNull(userRequest, "userRequest cannot be null");
if (!StringUtils.hasText(userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri())) {
OAuth2Error oauth2Error = new OAuth2Error(
MISSING_USER_INFO_URI_ERROR_CODE,
"Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: " +
userRequest.getClientRegistration().getRegistrationId(),
null
);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
String userNameAttributeName = userRequest.getClientRegistration().getProviderDetails()
.getUserInfoEndpoint().getUserNameAttributeName();
if (!StringUtils.hasText(userNameAttributeName)) {
OAuth2Error oauth2Error = new OAuth2Error(
MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE,
"Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: " +
userRequest.getClientRegistration().getRegistrationId(),
null
);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
RequestEntity<?> request = this.requestEntityConverter.convert(userRequest);
ResponseEntity<String> response;
try {
response = this.restOperations.exchange(request, String.class);
} catch (OAuth2AuthorizationException ex) {
OAuth2Error oauth2Error = ex.getError();
StringBuilder errorDetails = new StringBuilder();
errorDetails.append("Error details: [");
errorDetails.append("UserInfo Uri: ").append(
userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri());
errorDetails.append(", Error Code: ").append(oauth2Error.getErrorCode());
if (oauth2Error.getDescription() != null) {
errorDetails.append(", Error Description: ").append(oauth2Error.getDescription());
}
errorDetails.append("]");
oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
"An error occurred while attempting to retrieve the UserInfo Resource: " + errorDetails.toString(), null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
} catch (RestClientException ex) {
OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
"An error occurred while attempting to retrieve the UserInfo Resource: " + ex.getMessage(), null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
}
Jwt jwt = decodeAndValidateJwt(response.getBody());
Map<String, Object> userAttributes = jwt.getClaims();
Set<GrantedAuthority> authorities = new LinkedHashSet<>();
authorities.add(new OAuth2UserAuthority(userAttributes));
OAuth2AccessToken token = userRequest.getAccessToken();
for (String authority : token.getScopes()) {
authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
}
return new DefaultOAuth2User(authorities, userAttributes, userNameAttributeName);
}
private Jwt decodeAndValidateJwt(String token) {
return jwtDecoder.decode(token);
}
/**
* Sets the {#link Converter} used for converting the {#link OAuth2UserRequest}
* to a {#link RequestEntity} representation of the UserInfo Request.
*
* #since 5.1
* #param requestEntityConverter the {#link Converter} used for converting to a {#link RequestEntity} representation of the UserInfo Request
*/
public final void setRequestEntityConverter(Converter<OAuth2UserRequest, RequestEntity<?>> requestEntityConverter) {
Assert.notNull(requestEntityConverter, "requestEntityConverter cannot be null");
this.requestEntityConverter = requestEntityConverter;
}
/**
* Sets the {#link RestOperations} used when requesting the UserInfo resource.
*
* <p>
* <b>NOTE:</b> At a minimum, the supplied {#code restOperations} must be configured with the following:
* <ol>
* <li>{#link ResponseErrorHandler} - {#link OAuth2ErrorResponseErrorHandler}</li>
* </ol>
*
* #since 5.1
* #param restOperations the {#link RestOperations} used when requesting the UserInfo resource
*/
public final void setRestOperations(RestOperations restOperations) {
Assert.notNull(restOperations, "restOperations cannot be null");
this.restOperations = restOperations;
}
}
And finally the JwtHttpMessageConverter class:
package demo;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.MediaType;
import org.springframework.http.converter.AbstractGenericHttpMessageConverter;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.HttpMessageNotWritableException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;
/**
* Message converter for reading JWTs transmitted with content type {#code application/jwt}.
* <p>
* The JWT is returned as a string and not validated.
* </p>
*/
public class JwtHttpMessageConverter extends AbstractGenericHttpMessageConverter<String> {
public JwtHttpMessageConverter() {
super(MediaType.valueOf("application/jwt"));
}
#Override
protected String readInternal(Class<? extends String> clazz, HttpInputMessage inputMessage) throws IOException, HttpMessageNotReadableException {
return getBodyAsString(inputMessage.getBody());
}
#Override
public String read(Type type, Class<?> contextClass, HttpInputMessage inputMessage) throws IOException, HttpMessageNotReadableException {
return readInternal(null, inputMessage);
}
private String getBodyAsString(InputStream bodyStream) throws IOException {
ByteArrayOutputStream buffer = new ByteArrayOutputStream();
byte[] chunk = new byte[64];
int len;
while ((len = bodyStream.read(chunk)) != -1) {
buffer.write(chunk, 0, len);
}
return buffer.toString(StandardCharsets.US_ASCII);
}
#Override
protected void writeInternal(String stringObjectMap, Type type, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
throw new UnsupportedOperationException();
}
}
Thanks #Codo. You saved my day. I did not have to use JwtHttpMessageConverter class though. I added the below in SecurityConfig class. I had to use JwksUri and SignatureAlgorithm.RS512 in my situation.
#Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.
authorizeRequests().
anyRequest().authenticated().
and().
oauth2Login().userInfoEndpoint().oidcUserService(oidcUserService());
return http.build();
}
OidcUserService oidcUserService() {
logger.info("OidcUserService bean");
OidcUserService userService = new OidcUserService();
//userService.setOauth2UserService(new ExampleOAuth2UserService(jwtDecoderUsingClientSecret("web-client")));
userService.setOauth2UserService(new ExampleOAuth2UserService(jwtDecoder()));
return userService;
}
public JwtDecoder jwtDecoder() {
String jwksUri = Config.getJwksUri();
System.out.println("jwtDecoder jwksUri="+jwksUri);
return NimbusJwtDecoder.withJwkSetUri(jwksUri).jwsAlgorithm(SignatureAlgorithm.RS512).build();
}
public class ExampleOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {
...............
...............
private JwtDecoder jwtDecoder;
public ExampleAuth2UserService(JwtDecoder jwtDecoder) {
this.jwtDecoder = jwtDecoder;
RestTemplate restTemplate = new RestTemplate();
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
this.restOperations = restTemplate;
}
I have a symfony4 application and I'm using knpuniversity/oauth2-client-bundle to authenticate a user against discords oAuth endpoint.
The user clicks on the 'Login via Discord' button, he sees the authorization page from discord, accepts it and is now logged in on my page.
So far so good.
Here is what is not working:
The user is on another computer, so no session on my page. He logs in to discord web client. After that he visits my page but he is not logged in.
When he clicks again on 'Login via Discord' he sees the authorization page again instead of directly being logged in on my page.
Maybe I get something wrong here but usually when I use an oAuth login with google, facebook or anything else just like here on stackoverflow I never see the authorization page again. I click on 'login with XY' and, as long as I'm logged in to my corresponding account, I will immediately be logged in on the other page as well.
<?php
namespace App\Security;
use App\Entity\User;
use App\Repository\UserRepository;
use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use KnpU\OAuth2ClientBundle\Client\OAuth2Client;
use KnpU\OAuth2ClientBundle\Security\Authenticator\SocialAuthenticator;
use League\OAuth2\Client\Token\AccessToken;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class DiscordAuthenticator extends SocialAuthenticator
{
/**
* #var \KnpU\OAuth2ClientBundle\Client\ClientRegistry
*/
private $clientRegistry;
/**
* #var \App\Repository\UserRepository
*/
private $repository;
/**
* #var \Symfony\Component\Routing\RouterInterface
*/
private $router;
/**
* DiscordAuthenticator constructor.
*
* #param \KnpU\OAuth2ClientBundle\Client\ClientRegistry $clientRegistry
* #param \App\Repository\UserRepository $repository
* #param \Symfony\Component\Routing\RouterInterface $router
*/
public function __construct(
ClientRegistry $clientRegistry,
UserRepository $repository,
RouterInterface $router
) {
$this->clientRegistry = $clientRegistry;
$this->repository = $repository;
$this->router = $router;
}
/**
* #inheritDoc
*/
public function start(Request $request, AuthenticationException $authException = null)
{
return new RedirectResponse('/login/', Response::HTTP_TEMPORARY_REDIRECT);
}
/**
* #inheritDoc
*/
public function supports(Request $request): bool
{
return $request->attributes->get('_route') === 'discord_set_token';
}
/**
* #inheritDoc
*/
public function getCredentials(Request $request)
{
return $this->fetchAccessToken($this->getDiscordClient());
}
/**
* #inheritDoc
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
try {
/** #var \Wohali\OAuth2\Client\Provider\DiscordResourceOwner $discordUser */
$discordUser = $this->getDiscordClient()
->fetchUserFromToken($credentials);
$email = $discordUser->getEmail();
$existingUser = $this->repository->findOneBy(
[
'externalId' => $discordUser->getId(),
'externalIdSource' => 'discord',
]
);
if ($existingUser) {
return $existingUser;
}
$user = $this->repository->findOneBy(['email' => $email]);
if (!$user) {
$user = new User(
$discordUser->getId(),
'discord',
$discordUser->getUsername(),
$discordUser->getEmail()
);
$user->setExternalId($discordUser->getId());
$user->setExternalIdSource('discord');
$user->setToken($credentials->getToken());
$user->setRefreshToken($credentials->getRefreshToken());
$user->setTokenExpiresFromTimestamp($credentials->getExpires());
}
$this->repository->persist($user);
return $user;
} catch (\Throwable $e) {
throw new AuthenticationException($e->getMessage(), $e->getCode(), $e);
}
}
/**
* #inheritDoc
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{
$message = strtr($exception->getMessageKey(), $exception->getMessageData());
return new Response($message, Response::HTTP_FORBIDDEN);
}
/**
* #inheritDoc
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey): Response
{
$targetUrl = $this->router->generate('home');
return new RedirectResponse($targetUrl);
}
/**
* #return \KnpU\OAuth2ClientBundle\Client\OAuth2Client
*/
private function getDiscordClient(): OAuth2Client
{
return $this->clientRegistry
->getClient('discord');
}
}
<?php
namespace App\Security;
use App\Entity\User;
use App\Repository\UserRepository;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class UserProvider implements UserProviderInterface
{
/**
* #var \App\Repository\UserRepository
*/
private $repository;
/**
* UserProvider constructor.
*
* #param \App\Repository\UserRepository $repository
*/
public function __construct(UserRepository $repository)
{
$this->repository = $repository;
}
/**
* #inheritDoc
*/
public function loadUserByUsername($username): UserInterface
{
$user = $this->repository->findOneBy(['email' => $username]);
if (!$user) {
throw new UsernameNotFoundException(sprintf('No User with username %s found', $username));
}
return $user;
}
/**
* #inheritDoc
*/
public function refreshUser(UserInterface $user): UserInterface
{
if (!$user instanceof User) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
}
// TODO find out how to use the refresh token to get a new one
return $user;
}
/**
* #inheritDoc
*/
public function supportsClass($class): bool
{
return $class === User::class;
}
}
security:
providers:
user_provider:
entity:
class: App:User
property: username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: true
logout:
path: /logout
target: /login
guard:
authenticators:
- App\Security\DiscordAuthenticator
access_control:
# - { path: ^/admin, roles: ROLE_ADMIN }
<?php
namespace App\Repository;
use App\Entity\User;
use Doctrine\Common\Collections\Criteria;
use Doctrine\ORM\EntityManager;
/**
* Class UserRepository
*/
class UserRepository
{
/**
* #var \Doctrine\ORM\EntityManager
*/
private $entityManager;
/**
* #var \Doctrine\ORM\EntityRepository
*/
private $repository;
public function __construct(EntityManager $entityManager)
{
$this->entityManager = $entityManager;
$this->repository = $entityManager->getRepository(User::class);
}
/**
* Finds an entity by its primary key / identifier.
*
* #param int $id
*
* #return \App\Entity\User|null
*/
public function find(int $id): ?User
{
return $this->repository->find($id);
}
/**
* Finds all entities in the repository.
*
* #return \App\Entity\User[]
*/
public function findAll(): iterable
{
return $this->repository->findAll();
}
/**
* Finds entities by a set of criteria.
*
* #param array $criteria
* #param array|null $orderBy
* #param int|null $limit
* #param int|null $offset
*
* #return \App\Entity\User[]
*/
public function findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null): iterable
{
return $this->repository->findBy($criteria, $orderBy, $limit, $offset);
}
/**
* Finds a single entity by a set of criteria.
*
* #param array $criteria
* #param array|null $orderBy
*
* #return \App\Entity\User|null
*/
public function findOneBy(array $criteria, array $orderBy = null): ?User
{
return $this->repository->findOneBy($criteria, $orderBy);
}
/**
* Counts entities by a set of criteria.
*
* #param array $criteria
*
* #return int
*/
public function count(array $criteria): int
{
return $this->repository->count($criteria);
}
/**
* Select all elements from a selectable that match the expression and
* return a new collection containing these elements.
*
* #param \Doctrine\Common\Collections\Criteria $criteria
*
* #return \App\Entity\User[]
*/
public function matching(Criteria $criteria): iterable
{
return $this->repository->matching($criteria);
}
/**
* #param \App\Entity\User $user
*
* #throws \Doctrine\ORM\ORMException
* #throws \Doctrine\ORM\OptimisticLockException
*/
public function persist(User $user): void
{
$this->entityManager->merge($user);
$this->entityManager->flush();
}
}
<?php
namespace App\Controller;
use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
/**
* #Route(path="discord/")
*/
class DiscordOAuthController extends AbstractController
{
/**
* #var \KnpU\OAuth2ClientBundle\Client\ClientRegistry
*/
private $clientRegistry;
/**
* DiscordOAuthController constructor.
*
* #param \KnpU\OAuth2ClientBundle\Client\ClientRegistry $clientRegistry
*/
public function __construct(ClientRegistry $clientRegistry)
{
$this->clientRegistry = $clientRegistry;
}
/**
* #Route(name="discord_redirect_authorization", path="redirect_authorization")
*
* #return \Symfony\Component\HttpFoundation\Response
*/
public function redirectAuthorizationAction(): Response
{
return $this->clientRegistry->getClient('discord')
->redirect(['identify', 'email', 'guilds']);
}
/**
* #Route(name="discord_set_token", path="set_token")
*
* #return void
*/
public function setTokenAction(): void
{
// empty as authenticator will handle the request
}
}
At the time I was working on this I didn't had much time and only briefly looked into the documentation.
Now I have had more time and put some time into reading the whole documentation of Discords oAuth.
I then found the query param prompt which when set to none will only once request the authorisation and otherwise will directly redirect to the redirect_uri
Hey I would like to have the latest tweets from certain users that I will follow to be displayed on a page of my web app. So I followed the tutorial on the git of horsebird client but I don't know where I have to specify the users I want the messages from.
public class TwitterLatestTweets implements Runnable {
private final static String BUNDLE_BASENAME = "configuration.twitter";
private final static String CONSUMER_KEY = ResourceBundle.getBundle(
BUNDLE_BASENAME).getString("consumerKey");
private final static String CONSUMER_SECRET = ResourceBundle.getBundle(
BUNDLE_BASENAME).getString("consumerSecret");
private final static String TOKEN = ResourceBundle.getBundle(
BUNDLE_BASENAME).getString("token");
private final static String SECRET = ResourceBundle.getBundle(
BUNDLE_BASENAME).getString("secret");
private List<String> msgList = new ArrayList<String>();
#Override
public void run() {
/**
* Set up your blocking queues: Be sure to size these properly based on
* expected TPS of your stream
*/
BlockingQueue<String> msgQueue = new LinkedBlockingQueue<String>(100000);
BlockingQueue<Event> eventQueue = new LinkedBlockingQueue<Event>(1000);
/**
* Declare the host you want to connect to, the endpoint, and
* authentication (basic auth or oauth)
*/
Hosts hosebirdHosts = new HttpHosts(Constants.STREAM_HOST);
StatusesFilterEndpoint hosebirdEndpoint = new StatusesFilterEndpoint();
Authentication hosebirdAuth = new OAuth1(CONSUMER_KEY, CONSUMER_SECRET,
TOKEN, SECRET);
ClientBuilder builder = new ClientBuilder().hosts(hosebirdHosts)
.authentication(hosebirdAuth).endpoint(hosebirdEndpoint)
.processor(new StringDelimitedProcessor(msgQueue))
.eventMessageQueue(eventQueue);
Client hosebirdClient = builder.build();
hosebirdClient.connect();
while (!hosebirdClient.isDone()) {
try {
String msg = msgQueue.take();
msgList.add(msg);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
hosebirdClient.stop();
for (String s : msgList) {
System.out.println(s);
}
}
}
}
Is it Constants.STREAM_HOST ? Could you give me an example with the white house twitter (https://twitter.com/whitehouse) ?
You need to add a list of userIds to your endpoint, like this:
hosebirdEndpoint.followings(userIds);
You've got several examples here, in the same github project you've provided in your question. This one uses the same endpoint as in your post.
In here you can find Twitter's documentation on the endpoint, and the full list of the parameters you can use.
Good day,
I was recently testing Oauth2.0 Installed application authentication for bigquery through java api.
I used
this command line sample
as a source since i want to make it for the users eaiser to give access (it would be ugly to ask them to copy the code)
If i use SetAccessType(Offline) in GoogleAuthorizationCodeflow it says, that it automatically refreshes the access token for me.
In related I'd like to ask, if i authorize a com.google.api.services.bigquery.Bigquery instance with
com.google.api.services.bigquery.Bigquery.Builder.Builder(HttpTransport transport, JsonFactory jsonFactory, HttpRequestInitializer httpRequestInitializer)
using
credentials that have a refresh token, do i have to reauthorize it or it will update the credentials inside itself?
If it does not give me a valid connection to bigquery after one hour (token expiration time)
then which is the best method to reauthorize the client?
Shall i use credentials.RefreshToken() and then just Build another bigquery instance whith the new access token, or there is a better way?
(I may also want to change the credentials Refreshlistener, but the problem is that if i instantinate the credential with GoogleAuthorizationCodeflow.createAndStoreCredential(response, Clientid) after that i cannot get the Refreshlistener. How can i get it, so i may use that class to automatically reauthorize my Bigquery Client < maybe this is the better way is it?)
Where does the codeflow store the refreshed access token (if it refreshes it automatically)?
If i declared it like this:
new GoogleAuthorizationCodeFlow.Builder(
transport, jsonFactory, clientSecrets, scopes).setAccessType("offline")
.setApprovalPrompt("auto").setCredentialStore(new MemoryCredentialStore()).build();
Will it store my refreshed access token always in the MemoryCredentialStore?
So if i use .getCredentialStore().load(userId, credential) it will load the refreshed access token from the memorystore?
Is there a way to increase or decrease the time while an access token is valid? Since for testing purposes i really want to do so.
p.s: I was also looking into this source code of google-api-java-client
and google-oauth-java-client but i still couldn't find the sollution.
Most importantly I was looking into: class Credential at code:
public void intercept(HttpRequest request) throws IOException {
lock.lock();...
but I couldnt figure it out actually when this method is called and I eventually got lost in the problem.
Looking forward to your answer:
Attila
There's a lot of questions here. You will want to use the GoogleCredential class to gain a new access token from an existing refresh token, that you well need to store (using whatever method you want, such as MemoryCredentialStore).
The access token only lasts for an hour and there is not way to change this.
Here is an example using the installed flow:
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson.JacksonFactory;
import com.google.api.services.bigquery.Bigquery;
import com.google.api.services.bigquery.Bigquery.Datasets;
import com.google.api.services.bigquery.BigqueryScopes;
import com.google.api.services.bigquery.model.DatasetList;
class BigQueryInstalledAuthDemo {
// Change this to your current project ID
private static final String PROJECT_NUMBER = "XXXXXXXXXX";
// Load Client ID/secret from client_secrets.json file.
private static final String CLIENTSECRETS_LOCATION = "client_secrets.json";
static GoogleClientSecrets clientSecrets = loadClientSecrets();
private static final String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
// Objects for handling HTTP transport and JSON formatting of API calls
private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
private static final JsonFactory JSON_FACTORY = new JacksonFactory();
private static GoogleAuthorizationCodeFlow flow = null;
// BigQuery Client
static Bigquery bigquery;
public static void main(String[] args) throws IOException {
// Attempt to Load existing Refresh Token
String storedRefreshToken = loadRefreshToken();
// Check to see if the an existing refresh token was loaded.
// If so, create a credential and call refreshToken() to get a new
// access token.
if (storedRefreshToken != null) {
// Request a new Access token using the refresh token.
GoogleCredential credential = createCredentialWithRefreshToken(
HTTP_TRANSPORT, JSON_FACTORY, new TokenResponse().setRefreshToken(storedRefreshToken));
credential.refreshToken();
bigquery = buildService(credential);
// If there is no refresh token (or token.properties file), start the OAuth
// authorization flow.
} else {
String authorizeUrl = new GoogleAuthorizationCodeRequestUrl(
clientSecrets,
REDIRECT_URI,
Collections.singleton(BigqueryScopes.BIGQUERY)).setState("").build();
System.out.println("Paste this URL into a web browser to authorize BigQuery Access:\n" + authorizeUrl);
System.out.println("... and type the code you received here: ");
BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
String authorizationCode = in.readLine();
// Exchange the auth code for an access token and refesh token
Credential credential = exchangeCode(authorizationCode);
// Store the refresh token for future use.
storeRefreshToken(credential.getRefreshToken());
bigquery = buildService(credential);
}
// Make API calls using your client.
listDatasets(bigquery, PROJECT_NUMBER);
}
/**
* Builds an authorized BigQuery API client.
*/
private static Bigquery buildService(Credential credential) {
return new Bigquery.Builder(HTTP_TRANSPORT, JSON_FACTORY, credential).build();
}
/**
* Build an authorization flow and store it as a static class attribute.
*/
static GoogleAuthorizationCodeFlow getFlow() {
if (flow == null) {
flow = new GoogleAuthorizationCodeFlow.Builder(HTTP_TRANSPORT,
JSON_FACTORY,
clientSecrets,
Collections.singleton(BigqueryScopes.BIGQUERY))
.setAccessType("offline").setApprovalPrompt("force").build();
}
return flow;
}
/**
* Exchange the authorization code for OAuth 2.0 credentials.
*/
static Credential exchangeCode(String authorizationCode) throws IOException {
GoogleAuthorizationCodeFlow flow = getFlow();
GoogleTokenResponse response =
flow.newTokenRequest(authorizationCode).setRedirectUri(REDIRECT_URI).execute();
return flow.createAndStoreCredential(response, null);
}
/**
* No need to go through OAuth dance, get an access token using the
* existing refresh token.
*/
public static GoogleCredential createCredentialWithRefreshToken(HttpTransport transport,
JsonFactory jsonFactory, TokenResponse tokenResponse) {
return new GoogleCredential.Builder().setTransport(transport)
.setJsonFactory(jsonFactory)
.setClientSecrets(clientSecrets)
.build()
.setFromTokenResponse(tokenResponse);
}
/**
* Helper to load client ID/Secret from file.
*/
private static GoogleClientSecrets loadClientSecrets() {
try {
GoogleClientSecrets clientSecrets =
GoogleClientSecrets.load(new JacksonFactory(),
BigQueryInstalledAuthDemo.class.getResourceAsStream(CLIENTSECRETS_LOCATION));
return clientSecrets;
} catch (Exception e) {
System.out.println("Could not load clientsecrets.json");
e.printStackTrace();
}
return clientSecrets;
}
/**
* Helper to store a new refresh token in token.properties file.
*/
private static void storeRefreshToken(String refresh_token) {
Properties properties = new Properties();
properties.setProperty("refreshtoken", refresh_token);
System.out.println(properties.get("refreshtoken"));
try {
properties.store(new FileOutputStream("token.properties"), null);
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
/**
* Helper to load refresh token from the token.properties file.
*/
private static String loadRefreshToken(){
Properties properties = new Properties();
try {
properties.load(new FileInputStream("token.properties"));
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return (String) properties.get("refreshtoken");
}
/**
*
* List available Datasets.
*/
public static void listDatasets(Bigquery bigquery, String projectId)
throws IOException {
Datasets.List datasetRequest = bigquery.datasets().list(projectId);
DatasetList datasetList = datasetRequest.execute();
if (datasetList.getDatasets() != null) {
List<DatasetList.Datasets> datasets = datasetList.getDatasets();
System.out.println("Available datasets\n----------------");
for (com.google.api.services.bigquery.model.DatasetList.Datasets dataset : datasets) {
System.out.format("%s\n", dataset.getDatasetReference().getDatasetId());
}
}
}
}
An alternative to authorization via storing and using a refresh token to acquire a new access token in your installed application is to use a server to server service account authorization flow. In this case, your application will need to be able to securely store and use a unique private key. Here is an example of this type of flow using the Google Java API Client:
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson.JacksonFactory;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.bigquery.Bigquery;
import com.google.api.services.bigquery.Bigquery.Datasets;
import com.google.api.services.bigquery.model.DatasetList;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
public class JavaCommandLineServiceAccounts {
private static final String SCOPE = "https://www.googleapis.com/auth/bigquery";
private static final HttpTransport TRANSPORT = new NetHttpTransport();
private static final JsonFactory JSON_FACTORY = new JacksonFactory();
private static Bigquery bigquery;
public static void main(String[] args) throws IOException, GeneralSecurityException {
GoogleCredential credential = new GoogleCredential.Builder().setTransport(TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("XXXXXXX#developer.gserviceaccount.com")
.setServiceAccountScopes(SCOPE)
.setServiceAccountPrivateKeyFromP12File(new File("my_file.p12"))
.build();
bigquery = new Bigquery.Builder(TRANSPORT, JSON_FACTORY, credential)
.setApplicationName("BigQuery-Service-Accounts/0.1")
.setHttpRequestInitializer(credential).build();
Datasets.List datasetRequest = bigquery.datasets().list("publicdata");
DatasetList datasetList = datasetRequest.execute();
System.out.format("%s\n", datasetList.toPrettyString());
}
}