I cannot find a complete example anywhere of a Spring Security web app with OpenID registration similar to Stack Overflow's.
I would say I'm a pretty techy guy, but I find Spring Security extremely intimidating with its weird Spring XML DSL.
I have found bits and pieces of how one would do the good ole' stackoverflow registration using:
Spring Security Open ID sample WAR
Hillerts Blog 3 part blog posting
Spring Security Official Doc on OpenId (the email attributes are wrong see next link)
Stackoverflow posting about email attributes
JQuery OpenId library for picking your OpenId provider (Stackoverflow has a modified one that seems to include Facebook)
Best Article on the subject but a little long winded
Another example like previous one for Google App Engine
But no complete examples (WAR). Does anyone know of or have a working example (i.e. WAR) that does more than just authenticate with in-memory OpenID URLs?
UPDATE: The latest version of Spring Social does a very good job of managing OAuth registration. We ended up using it instead. Although it's not OpenID, I have grown to prefer OAuth over OpenID. For those interested, there is a project to use OpenID with Spring Social: https://github.com/molindo/spring-social-openid
Have you looked at the latest version of the sample code (for the 3.1 release)?
It has several improvements to make it simpler to use Google and Yahoo authentication together (with different attribute exchange configurations simultaneously), uses a similar login dialog to stack overflow and performs simple registration in the case of users who have not previously accessed the app.
See this issue https://jira.springsource.org/browse/SEC-1431 (and the linked one) for more information.
I know this is not really helpful in answering your question, but I am currently building a Grails-based web application and initially started using Spring Security but also found it difficult to set up.
I then changed to Apache Shiro and it is much simpler to implement. It doesn't have support for OpenID out of the box, but the Nimble Grails plugin does, so you may be able to use that as an example to write your own.
Yes,
There is a WAR to download at http://repo1.maven.org/maven2/org/springframework/security/spring-security-samples-openid/3.0.1.RELEASE/
Maybe it can help you.
It's not exactly OpenID, it uses Facebook Connect, but check out Spring's GreenHouse. That's great code written by the guys from Spring you can use to jumpstart your app.
Yes, in a Spring application, a user can authenticate into your application with an OpenID provider.
1) Here is a sample of a Spring OpenID login application.
2) Here is a sample of a Spring Security social login application, and a blog here.
Preface: I created the following issue in the plugin's GitHub repository, and Alvaro Sanchez, the author of the plugin, recommended that I ask here, which is the dedicated discussion channel for it.
We are migrating our Grails-based application to Kubernetes to allow multiple instances running simultaneously. The inherent problem is that the application will ask users to log in again if the request is served by a different pod than the previous one. We want to replace session-based authentication with token-based authentication.
I have come across an article on Medium explaining how to use this plugin, along with the source code published on GitHub; however, this tutorial didn't show how to customise the form-based login or something along those lines.
The key point here is to verify the existence of the defined token in order to redirect to the login URL. However, I don't actually understand how and where we could intervene in the Spring Security Core LoginController to check both username and token.
Apart from that, I cannot find any tutorials or documentation relevant to our need, so I have raised this problem here so that experienced users can share their solutions.
If you have any idea, helpful tutorials or source code, could you please share with us?
Thank you in advance!
I'm new to Mautic. We have a Java application that manages authentication of its users. It also supports OpenID Connect/JWT/OAuth flows. We are planning to use Mautic as a separate server. How do I integrate my application with Mautic? It seems like Mautic only supports SAML for SSO. Does that mean our application now needs to act as a SAML IdP? Or is there a way to get Mautic to support JWT/OAuth/OpenID Connect?
Can you clarify why you need to authenticate users? Will these all be people who will be working in the back-end of Mautic? Otherwise you won't need to use authentication for regular folk accessing resources or landing pages you create; they don't need to log in.
The developer documentation would be a good place to start for all things technical/development, which you can find here: https://developer.mautic.org/ - this includes information about authorisation and specifically OAuth which might be helpful: https://developer.mautic.org/#authorization.
You'll find some documentation on using the SAML function here if you're going that route: https://www.mautic.org/docs/en/authentication/saml.html
Happy to help if you get stuck!
I already googled a lot, but all results seem to link to OAuth provider plugins, examples and tutorials.
I am looking for an OAuth consumer example for Grails 3 which lets me log a user in to my app with a Google account.
One example I've found uses pac4j : https://github.com/pledbrook/talk-submissions/blob/master/build.gradle
I would like to see an example which is based only on spring-security.
Is such an example already available? If not, which plugins should do the trick?
Check out the spring-security-rest plugin. AFAIK, this is about as much help as the Grails plugin ecosystem is going to provide for this (as of today).
http://alvarosanchez.github.io/grails-spring-security-rest
Specifically for the google login use-case:
http://alvarosanchez.github.io/grails-spring-security-rest/latest/docs/#_google
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario:
I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID Connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
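The flow described in the question and in this answer, as an added example that is not part of the original posts and does not use Spring Security's API: the site binds a random `state` to the session before redirecting, verifies it on the callback, exchanges the code, and takes the user's identity from the userinfo resource before creating the local session. `FakeProvider`, `idp.example` and `demo-client` are constructed stand-ins for a real provider.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

class FakeProvider:
    """Constructed in-memory stand-in for the OAuth2 provider (hypothetical)."""
    def __init__(self):
        self.codes, self.tokens = {}, {}

    def authorize(self, user_id, state):
        # The user logs in at the provider; it returns the callback query string.
        code = secrets.token_urlsafe(16)
        self.codes[code] = user_id
        return urlencode({"code": code, "state": state})

    def token(self, code):
        # Token endpoint: an authorization code can be exchanged only once.
        user_id = self.codes.pop(code, None)
        if user_id is None:
            raise PermissionError("unknown or reused authorization code")
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = user_id
        return access_token

    def userinfo(self, access_token):
        # Protected resource that says who the token was issued for.
        if access_token not in self.tokens:
            raise PermissionError("invalid access token")
        return {"sub": self.tokens[access_token]}

def begin_login(session):
    """First hit on a protected URL: bind a random state to this session."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return "https://idp.example/authorize?" + urlencode({
        "response_type": "code", "client_id": "demo-client",
        "state": session["oauth_state"]})

def handle_callback(session, query, provider):
    """Callback URL on our site: check state, resolve identity, log in."""
    params = parse_qs(query)
    expected = session.pop("oauth_state", "")   # single use
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    access_token = provider.token(params.get("code", [""])[0])
    # Holding a token only proves delegation; identity comes from userinfo.
    session["user"] = provider.userinfo(access_token)["sub"]
    return session["user"]
```

A callback whose `state` does not match the one stored in the session, or that replays an already used code, is rejected before any local session is created.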
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
@EnableOAuth2Sso
@EnableOAuth2Resource
Spring Cloud oauth2 SSO sample
Spring oauth2 SSO with a whole bunch of other stuff too
Who is your OAuth2 provider? In the case of a public one like Facebook, Twitter, Google and many others, you can take a look at the Spring Social project. Even if you use some private provider, you can add it very easily (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start the authentication process. I think this difference may be easily customized to fit your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.
I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to Twitter: from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.
It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.
S.O. and the internet have led me to Thinktecture.IdentityModel, but man it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far too heavy for my situation.
I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...
What is the best way to implement a simple identity provider and security for Web Api?
Thanks!
I have attempted to answer a similar question to this before, Create an OAuth 2.0 service provider using DotNetOpenAuth, where I highlighted the Thinktecture Identity Server. The setup instructions are not too difficult (IMHO). The installation video is here and should help a lot.
I have updated my older answer with this too, but there is also a fairly lightweight OAuth 2.0 implementation example here. Sample code here: http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges
Have you also read this well-articulated question here: Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)?
Well, security is hard :)
As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.
If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples
(Why do you need more reputation to comment on SO than to answer?)