Authenticate a user with my own OAuth provider

Fernando Falci

Aug 30, 2013, 12:38:54 PM
to pac4...@googlegroups.com
I created my provider OAuth statement based on the model of Sparklr2.
It seems to work well with Tonr2, answering your calls.

However Tonr2 only consumes some information from the provider. I need an example of how to do an authentication (Spring Security). How to make Spring accept (or not) the answer of my OAuth provider?

I tried to create my own client (looking to implement FacebookClient), but without success.
I do not have much experience in this area.

Is there an easy way to do this?
Thanks

Jérôme LELEU

Aug 30, 2013, 1:23:25 PM
to Fernando Falci, pac4...@googlegroups.com
Hi,

Just to be sure we understand each other, pac4j-oauth library implements OAuth clients for various OAuth providers, using the authorization code grant type. So your OAuth provider must of course support this kind of grant type.


pac4j-oauth is built on top of Scribe https://github.com/fernandezpablo85/scribe-java. Scribe handles OAuth communication at a basic level : get request token, get authorization url (for authentication/authorization), get access token and sign requests (when calling the OAuth provider).

To communicate with an OAuth provider, you need to have a specific Api like these ones : https://github.com/fernandezpablo85/scribe-java/tree/master/src/main/java/org/scribe/builder/api or these ones (in pac4j) : https://github.com/leleuj/pac4j/tree/master/pac4j-oauth/src/main/java/org/scribe/builder/api. This Api is mostly defined according to the provider urls (Facebook, Twitter, Google...)

In addition to this Api, you will use the appropriate service : https://github.com/fernandezpablo85/scribe-java/tree/master/src/main/java/org/scribe/oauth for OAuth v1 or OAuth v2.


pac4j is a more generic and abstracted API on top of OAuth, OpenID, CAS, HTTP... supporting the global mechanism (on client side) :
- not authenticated, be redirected to the provider for authentication : getRedirectionUrl method
- after successful authentication, be redirected back to the application with credentials you extract : getCredentials method
- retrieve the user profile thanks to the credentials (and the OAuth provider) : getUserProfile method.

In pac4j, you will need to create two classes :


2) the user profile retrieved by the client. It has a definition of the attributes and their types.


I have two caveats though :

1) generally people implement new clients for existing web sites (url like www.facebook.com) and I assume that your OAuth provider is only available locally (for example : http://localhost:8080/oauthProvider). This means that you will need a Scribe Api with local urls. In this case, the base url certainly needs to be defined by configuration when you create the Api in the init() method of the pac4j-oauth Client (for production environment)

2) to retrieve the user profile, you need a "/profile" url, exposed by your OAuth provider to return the user attributes and identifier when requested with the access token (the JSON format is somehow a standard).


Hope it's clearer.
Best regards,
Jérôme

--
You received this message because you are subscribed to the Google Groups "pac4j-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Fernando Falci

Sep 2, 2013, 1:43:00 PM
to pac4...@googlegroups.com
In my company, we have a system with multiple users, and now we will start a new system. We want users to navigate freely between applications (since they have permission to access both).

We want to centralize login. Just like Google does with its products: to access Google Groups, Gmail or Youtube, you are always redirected to accounts.google.com

So we created a project called Accounts. This is an OAuth Provider/Server.
In addition to the url's "oauth/token", "oauth/authorize", "oauth/access_token" it has a url "/api/me" that provides information (in JSON) about the current user.

Question 1: is this the right way?

Created an AccountsProfile (extending OAuth20Profile) and an AccountsClient (extending BaseOAuth20Client). Also created an AccountsApi (extending StateApi20), do not know if this last is necessary.

When I run on my machine, tomcat takes on the environment "dev" and then he knows that the provider is in http://localhost:8080/accounts
In my client application, all URL can be accessed only by an authenticated user, so I used /** like pattern.
This is my config file: http://pastebin.com/KwAe7veQ

When I try to access any URL on the client system (called "votos"), I am redirected to the login form at /accounts/login. After logging in, the browser goes to: http://localhost:8080/votos/callback?client_name=AccountsClient&code=GXau41 then throws an exception: Response body is incorrect. Can not extract the token from this: '<! DOCTYPE html> ...
Full message here: http://pastebin.com/XCRxe3zc

The snippet of HTML in the response is the login form Accounts. It seems that he lost the section/token between requests.
With this information, can you tell me what is wrong? If you need any other information, please ask.

Thanks again

Jérôme LELEU

Sep 3, 2013, 8:29:48 AM
to Fernando Falci, pac4...@googlegroups.com
Hi,

My reply in the body of your message.
Best,

2013/9/2 Fernando Falci <falc...@gmail.com>

In my company, we have a system with multiple users, and now we will start a new system. We want users to navigate freely between applications (since they have permission to access both).

We want to centralize login. Just like Google does with its products: to access Google Groups, Gmail or Youtube, you are always redirected to accounts.google.com

So we created a project called Accounts. This is an OAuth Provider/Server.
In addition to the url's "oauth/token", "oauth/authorize", "oauth/access_token" it has a url "/api/me" that provides information (in JSON) about the current user.

Question 1: is this the right way?

Created an AccountsProfile (extending OAuth20Profile) and an AccountsClient (extending BaseOAuth20Client). Also created an AccountsApi (extending StateApi20), do not know if this last is necessary.

Jérôme : Correct. If your server is implementing the OAuth 2.0 protocol, you need an AccountsProfile and an AccountsClient inheriting from OAuth20Profile and BaseOAuth20Client.
About your AccountsApi, you only need to extend from StateApi20 if you have a state parameter used to check that the response is a reply of an original request with a state parameter. Otherwise, you can just inherit from the DefaultApi20 (from Scribe).
 

When I run on my machine, tomcat takes on the environment "dev" and then he knows that the provider is in http://localhost:8080/accounts
In my client application, all URL can be accessed only by an authenticated user, so I used /** like pattern.
This is my config file: http://pastebin.com/KwAe7veQ

When I try to access any URL on the client system (called "votos"), I am redirected to the login form at /accounts/login. After logging in, the browser goes to: http://localhost:8080/votos/callback?client_name=AccountsClient&code=GXau41 then throws an exception: Response body is incorrect. Can not extract the token from this: '<! DOCTYPE html> ...
Full message here: http://pastebin.com/XCRxe3zc

The snippet of HTML in the response is the login form Accounts. It seems that he lost the section/token between requests.
With this information, can you tell me what is wrong? If you need any other information, please ask.

Jérôme : Your urls look good. After successful authentication, you are redirected to your application with the name of the client (pac4j info) and a code (OAuth info). At that time, your "oauth/access_token" url is called with the code, the client_id... and your OAuth server should return an access token. This is where the problem happens. pac4j is unable to read properly the access token response.
What is the format of your response ? By default, your AccountsApi (inheriting from DefaultApi20) has a default parser expecting some specific JSON format, but you can create your own parser. The GoogleApi20 is a good example of that : https://github.com/leleuj/pac4j/blob/master/pac4j-oauth/src/main/java/org/scribe/builder/api/GoogleApi20.java, method : getAccessTokenExtractor()...


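Putting Jérôme's two replies together (the Scribe Api with local urls from the first, the custom access token extractor from the second), here is a Scribe Api for the "Accounts" provider that parses a JSON token response. This is an added example, not code from pac4j or from either poster: it assumes scribe-java 1.3.x (the Scribe version pac4j depended on at the time), takes the /oauth/authorize and /oauth/access_token paths and the http://localhost:8080/accounts base url from Fernando's message, and treats a POST token exchange and a JSON {"access_token": ...} reply as assumptions about the provider; it omits the state parameter, which Jérôme notes is what ties the callback to the original request.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.scribe.builder.api.DefaultApi20;
import org.scribe.exceptions.OAuthException;
import org.scribe.extractors.AccessTokenExtractor;
import org.scribe.model.OAuthConfig;
import org.scribe.model.Token;
import org.scribe.model.Verb;
import org.scribe.utils.OAuthEncoder;

/** Scribe Api for the hypothetical "Accounts" provider; the base url is injected so dev and prod differ only by configuration. */
public class AccountsApi extends DefaultApi20 {
    private final String baseUrl; // e.g. http://localhost:8080/accounts in the "dev" environment

    public AccountsApi(final String baseUrl) {
        this.baseUrl = baseUrl;
    }
    @Override
    public String getAccessTokenEndpoint() {
        return baseUrl + "/oauth/access_token";
    }
    @Override
    public Verb getAccessTokenVerb() {
        return Verb.POST; // assumption: the provider expects the code exchange by POST
    }
    @Override
    public String getAuthorizationUrl(final OAuthConfig config) {
        return baseUrl + "/oauth/authorize?response_type=code&client_id=" + OAuthEncoder.encode(config.getApiKey())
                + "&redirect_uri=" + OAuthEncoder.encode(config.getCallback());
    }
    /** Replaces Scribe's default form-encoded extractor, which cannot read a JSON token response. */
    @Override
    public AccessTokenExtractor getAccessTokenExtractor() {
        return new JsonAccessTokenExtractor();
    }

    static final class JsonAccessTokenExtractor implements AccessTokenExtractor {
        private static final Pattern ACCESS_TOKEN = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");

        public Token extract(final String response) {
            // Symptom from this thread: the token endpoint answered with an HTML login page,
            // so fail with a message that names the real problem instead of a generic parse error.
            if (response == null || response.trim().startsWith("<")) {
                throw new OAuthException("Token endpoint returned HTML (a login page?) instead of a token response");
            }
            final Matcher m = ACCESS_TOKEN.matcher(response);
            if (!m.find()) throw new OAuthException("No access_token in response: " + response);
            return new Token(m.group(1), "", response); // OAuth 2.0 tokens have no secret
        }
    }
}
```

An AccountsClient would create its service from this Api in its init method, passing the configured base url, and then call the provider's /api/me url with the extracted token to build the AccountsProfile.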
Jérôme LELEU

Mar 29, 2014, 2:16:36 PM
to pac4...@googlegroups.com
Hi,

If you are looking for good examples of new OAuth providers which have been recently proposed, I would recommend you take a look at these pull requests:
- the other one to add Foursquare support: https://github.com/leleuj/pac4j/pull/33.

Best regards,
Jérôme