Puspender Tanwar
Ranch Hand
I read a lot of articles about OAuth2, and they all show that OAuth is for social logins.
But what if I want to develop a web app and want to secure the API using OAuth? What I mean is, for authentication, I don't want to use Basic Authentication (which is less secure of course); I want to log in using OAuth. No third-party client or API, I am just accessing an API developed from a client, which (the API) is exposed to be used by that client only.

Is this the correct use case for OAuth? How do I implement it using Spring Security (Boot)?
 
Stephan van Hulst
Bartender
Do users need to provide their credentials somewhere or does your client application have a "hardcoded" secret with which it authenticates itself without the user having to do anything?
 
Puspender Tanwar
Ranch Hand

Stephan van Hulst wrote:Do users need to provide their credentials somewhere or does your client application have a "hardcoded" secret with which it authenticates itself without the user having to do anything?


It's a kind of social networking platform. Users log in using their original credentials.
I am exposing the API using Spring Boot and then consuming that API using the front-end framework React.js.

It's generally the same idea: users sign up using their email and password and then log in using those same credentials. So, I have a login form. I have been stuck here for a few days on where that login form's submit button should point. Should I create a REST endpoint for this, like the signup has a separate endpoint "api/signup"?
 
Stephan van Hulst
Bartender
I'm not sure why you want to use OAuth if you intend to store the user credentials yourself. OAuth has a "Resource Owner Password Credentials" flow, but it's only intended to slowly migrate an existing application from a username/password form to authentication through a third party.

If you're using Spring, you might want to add Spring Security and define a PasswordEncoder bean to safely hash and verify a user password. Then accept the user's credentials through a custom endpoint. Make sure to use POST, so the credentials can be sent in the body of an encrypted request.
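The advice above, as an added example (not code from the thread or from Spring itself), written against Spring Boot 3 / Spring Security 6: a BCrypt PasswordEncoder bean, a UserDetailsService that holds a constructed sample user, and a custom POST /api/login endpoint that verifies the credentials once and stores the result in the session. The paths, the sample user and the class names are assumptions.

```java
import org.springframework.context.annotation.*;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.*;
import org.springframework.security.core.context.*;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.*;
import org.springframework.web.bind.annotation.*;
import jakarta.servlet.http.*;

@Configuration
public class SecurityConfig {
    // BCrypt: salted and deliberately slow; only the hash is ever stored, never the password
    @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
    // Constructed sample user; the real app backs this with its user table (signup stores enc.encode(pw))
    @Bean UserDetailsService users(PasswordEncoder enc) {
        return new InMemoryUserDetailsManager(User.withUsername("alice@example.com")
                .password(enc.encode("correct horse battery")).roles("USER").build());
    }
    // Signup and login are open; every other API call needs an authenticated session
    @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.requestMatchers("/api/signup", "/api/login").permitAll()
                                          .anyRequest().authenticated())
            .formLogin(f -> f.disable());  // the React app renders its own login form
        return http.build();
    }
    @Bean AuthenticationManager authManager(AuthenticationConfiguration c) throws Exception { return c.getAuthenticationManager(); }
}
@RestController
class LoginController {
    record LoginRequest(String email, String password) {}
    private final AuthenticationManager authManager;
    private final SecurityContextRepository sessions = new HttpSessionSecurityContextRepository();
    LoginController(AuthenticationManager authManager) { this.authManager = authManager; }
    // Credentials travel once, in a POST body over TLS; the verified result is saved to the session,
    // so later requests carry only the session cookie and never the password.
    @PostMapping("/api/login")
    void login(@RequestBody LoginRequest req, HttpServletRequest rq, HttpServletResponse rs) {
        Authentication auth;
        try { auth = authManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated(req.email(), req.password())); }
        catch (AuthenticationException e) { rs.setStatus(401); return; }  // unknown user or bad password: same reply
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        sessions.saveContext(ctx, rq, rs);
    }
}
```

CSRF protection is left at its default, so the React front end has to send Spring's CSRF token with this POST and every other state-changing call; handing that token to a single-page app is a separate piece of configuration not shown here.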
 
Puspender Tanwar
Ranch Hand
So the idea of using OAuth is only for accessing or giving access to third-party applications? Otherwise the application uses classic Basic Authentication to log in a user who has already signed up with their details. Am I on the right track now?
 
Greenhorn
Implementing OAuth functionality in a web-based application, or in any sort of application, is not an easy job, but I have a blog and video tutorial in which I have clearly illustrated how to do this step by step, and you will not face any kind of problem implementing this functionality. I have implemented Google login in JavaScript in a video tutorial; please check out the blog, and I hope it will solve the query of all those who have problems working with OAuth.

Implementing Google Login OAuth in Javascript
 
Puspender Tanwar
Ranch Hand
Hey Shiksha, the question is not about social logins. The question is: can we use OAuth for authorization of a user using their own credentials? There is no third-party application involved.
 
Stephan van Hulst
Bartender
In general it's a good idea to farm out authentication. Why store user credentials if you can let someone else do it?

For a social network site I can imagine you don't want to connect it to a competing one, but it's not unheard of.

Anyway, you can use HTTP Basic and let the browser handle the login prompt, or you can just create your own login form and send the credentials like you would in any other POST request.
 
Puspender Tanwar
Ranch Hand

Stephan van Hulst wrote:Anyway, you can use HTTP Basic and let the browser handle the login prompt, or you can just create your own login form and send the credentials like you would in any other POST request.

If I am not wrong, Basic Authentication and the login prompt window are two different concepts in Spring Security.
The one where the login prompt appears is called Form-Login and is handled by the .formLogin() API of Spring Security. The credentials are then stored in cookies, which is why Form-Login is unsafe.
Whereas Basic Authentication is all about resending the credentials with each request to the API.

Correct me if I am wrong. If I understood it right, then login is not applicable to Basic Authentication, because login means I just need to send the credentials once, not with each request.
 
Stephan van Hulst
Bartender
Wrong and wrong.

You can configure how the login form acts. Also, there's nothing inherently unsafe about cookies.

Basic Auth doesn't specify how the user must be remembered, just how the credentials are sent in the first place.

How did you get your assumptions?
 
Puspender Tanwar
Ranch Hand

Stephan van Hulst wrote:How did you get your assumptions?


I am following a Spring Security course where the author said this:

using form-based authentication and using cookies to drive the security of our APIs is an option, but definitely not the best way to go. Driving authentication with cookies has well-known issues and so we're going to move past form-based authentication really quickly and we're going to make our way towards better solutions. The next option is basic authentication and basic authentication is a very simple algorithm. It's very mature and very well supported in clients. However, of course, this simplicity is also the reason why it's not very secure and not very flexible either...
...In Basic Auth, each interaction is essentially going to resend the credentials over the wire. So this is where token-based solutions come in. And the first solution we're going to discuss is of course OAuth.
 
Stephan van Hulst
Bartender
Sounds like the author made a lot of assumptions that are not inherently true for all applications of those technologies, just how they are often (wrongly) used.
 