
Add a login with Google Authorization Server Sample #106

Closed
asaikali opened this issue Sep 1, 2020 · 19 comments
Labels
type: enhancement A general enhancement

Comments

asaikali commented Sep 1, 2020

The current sample authorization server uses Spring Security form login. A sample showing how to have the authorization server delegate to Google or another social login provider is quite useful. For my use case I need to be able to support form-based login and social OIDC logins. Implementing this sample can help ensure that the configuration APIs are flexible enough to allow multiple authentication providers.

@asaikali asaikali added the type: enhancement A general enhancement label Sep 1, 2020
@jgrandja jgrandja added this to the 0.0.2 milestone Sep 2, 2020
@jgrandja jgrandja removed this from the 0.0.2 milestone Sep 30, 2020
@jgrandja jgrandja added the status: on-hold We can't start working on this issue yet label Oct 15, 2020
erikmartino commented Jan 12, 2021

There should probably be two different providers where the user can choose between them at login, for example Google and GitHub. If you host a SaaS solution, it is quite useful to delegate authentication to each customer organisation's own OIDC provider.

ojhughes commented Feb 9, 2021

I was thinking about this, should the authorization server ever delegate authorization? I understand the authorization server would delegate the storage of users / credentials to LDAP or a DB but I thought that the process of authorizing a client should be performed by the authorization server. The existing Spring resource server already works with the various social logins.

@jgrandja (Collaborator)

@ojhughes

should the authorization server ever delegate authorization

There are a number of OAuth/OIDC providers that deliver this type of feature via Social login authorization delegation. This is typically delivered in a product, so it's not clear if we would deliver such support within the framework.

Either way, it will be a good exercise to deliver a sample that demonstrates this authorization delegation pattern.

pangyiwei commented Mar 25, 2021

I tried something for this:

  1. Add spring-boot-starter-oauth2-client to the authorization project dependencies
  2. Configure the default security filter chain with the oauth2Login().
  3. Update application.yml with the oauth2 client registration config (With your Google OAuth2 Credentials)

Would this be right for the sample? I would be glad to submit a PR for this if necessary.

@jgrandja (Collaborator)

@pangyiwei The sample you created does not integrate Authorization Server. It simply uses client features only. We would need the authorization related data to be stored via OAuth2AuthorizationService. The sample you have stores the data via OAuth2AuthorizedClientService.

@pangyiwei

@jgrandja Ahh I see. I had the impression that this could be done similarly to how the sample was for the form login where the resource owner will have to be authenticated (by Google) first before the authorization is saved by OAuth2AuthorizationService. Noted that this was the flow done in processAuthorizationRequest() in the OAuth2AuthorizationEndpointFilter class. Hence, I thought that the sample would mainly involve configuration of Google as an OAuth2 client (for the authorization server).

Thank you for the clarification.

natami commented Oct 1, 2021

Any progress/timeline on this issue?

@jgrandja jgrandja self-assigned this Oct 25, 2021
@jgrandja jgrandja removed the status: on-hold We can't start working on this issue yet label Oct 25, 2021
@jgrandja jgrandja added this to the 0.2.1 milestone Oct 25, 2021
@fwollsch

@jgrandja it definitely works as of 0.2.0
Nothing special required to make it work either. The oauth2Login has to be configured on both HttpSecurity configurations (oauth2-server and globally) of course, but this is also the case for the formLogin.

https://github.com/gw2auth/oauth2-server/blob/main/src/main/java/com/gw2auth/oauth2/server/configuration/SecurityConfiguration.java
https://github.com/gw2auth/oauth2-server/blob/main/src/main/java/com/gw2auth/oauth2/server/configuration/OAuth2ServerConfiguration.java


jgrandja commented Oct 28, 2021

Thanks for looking into this @fwollsch. I suspected it would work, however, there is another implementation strategy that could provide tighter integration with SpringAS. I'll be looking into this soon.

@schepuri-bisc

Hello @jgrandja, thanks for looking into this. I'm looking for a sample SpringAS project that does federated authentication using external identity providers. Could you please share any progress?

@jgrandja (Collaborator)

@schepuri-bisc I haven't started it yet but it's planned for the 0.2.3 release. Working on other higher priority tasks.

sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Feb 4, 2022
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Feb 8, 2022
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Feb 25, 2022
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Feb 28, 2022
@sjohnr sjohnr linked a pull request Feb 28, 2022 that will close this issue
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Mar 3, 2022
@jgrandja jgrandja assigned sjohnr and unassigned jgrandja Mar 11, 2022
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Mar 17, 2022
sjohnr added a commit to sjohnr/spring-authorization-server that referenced this issue Mar 22, 2022
jgrandja pushed a commit that referenced this issue Mar 22, 2022
@jgrandja (Collaborator)

This sample is now in main via 3fe6f86

@imaxkhan

Hi, I checked the sample. Can we use Azure Active Directory B2C as the identity provider for federated authentication? What would the application.yml properties for Azure be?


sjohnr commented Jan 20, 2023

Sorry @imaxkhan, I'm sure you can use AD but I don't know that information off-hand. You will want to check the documentation for your provider. It should be fairly similar to the sample.

@imaxkhan

Hi, in this example you are adding custom claims to the ID_TOKEN. Is there any way to add custom claims to the ACCESS_TOKEN? Because API calls are being made with the ACCESS_TOKEN.

@imaxkhan

Sorry @imaxkhan, I'm sure you can use AD but I don't know that information off-hand. You will want to check the documentation for your provider. It should be fairly similar to the sample.

Yes, as you said, it's working now. Thanks.


sjohnr commented Feb 17, 2023

@imaxkhan feel free to submit any questions you have to Stack Overflow and we can take a look. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it). Having said that,

hi in this example u are adding custom claims to ID_TOKEN is there any way to add custom claims to ACCESS_TOKEN? because API calls are being done by ACCESS_TOKEN

In FederatedIdentityIdTokenCustomizer, there is:

if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
    // ...
}

You can simply do:

if (OAuth2ParameterNames.ACCESS_TOKEN.equals(context.getTokenType().getValue())) {
    // ...
}

imaxkhan commented Feb 17, 2023

@imaxkhan feel free to submit any questions you have to Stack Overflow and we can take a look. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it). Having said that,

hi in this example u are adding custom claims to ID_TOKEN is there any way to add custom claims to ACCESS_TOKEN? because API calls are being done by ACCESS_TOKEN

In FederatedIdentityIdTokenCustomizer, there is:

if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
    // ...
}

You can simply do:

if (OAuth2ParameterNames.ACCESS_TOKEN.equals(context.getTokenType().getValue())) {
    // ...
}

Just add the same thing before it, like this:

@Override
public void customize(JwtEncodingContext context) {
    if (OAuth2ParameterNames.ACCESS_TOKEN.equals(context.getTokenType().getValue())) {
        extractClaims(context.getPrincipal());
    }
}

private Map<String, Object> extractClaims(Authentication principal) {
    OAuth2User oAuth2User = (OAuth2User) principal.getPrincipal();
    // getAttributes() returns an unmodifiable map, so the put() below throws
    Map<String, Object> attributes = oAuth2User.getAttributes();
    attributes.put("sub", "dsdsdds");
    return attributes;
}

But we cannot change the attributes in the access token because the map is unmodifiable. The error:
java.lang.UnsupportedOperationException: null
at java.base/java.util.Collections$UnmodifiableMap.put(Collections.java:1505) ~[na:na]

I just want to add some custom claims to the access token and, in the resource server with a custom token converter, access these claims. But your example only deals with the ID_TOKEN.

Now I changed it like this:

private Map<String, Object> extractClaims(Authentication principal) {
    OAuth2User principal1 = (OAuth2User) principal.getPrincipal();
    // copy into a mutable map so put() no longer throws
    Map<String, Object> claims = new HashMap<>(principal1.getAttributes());
    claims.put("sub", "sa");
    claims.put("xyz", "da");
    return claims;
}

But in the resource server the claims in the access token are again not being changed, not even my custom claims.


sjohnr commented Feb 24, 2023

@imaxkhan, this is covered in the How-to guides in the reference and in the Federated Identity Sample. If you have further questions, please use Stack Overflow.
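As an added example (not the sample's code and not posted by anyone in this thread) of the token-type check sjohnr points at and of what the customize() attempt above is missing: claims destined for the access token are written through context.getClaims(), never into the principal's attribute map, which is read-only, and the returned map of a helper is ignored by the token generator. The class name, the attribute allowlist and the "idp" claim name are assumptions for illustration.

```java
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class FederatedAccessTokenClaimsConfig {

    // Allowlist of upstream attributes a resource server is allowed to see (assumed names;
    // adjust to the provider). Copying every attribute would push provider data into every API call.
    private static final List<String> COPIED_ATTRIBUTES = List.of("email", "name");

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> accessTokenClaimsCustomizer() {
        return context -> {
            // Only touch the access token; the sample's FederatedIdentityIdTokenCustomizer
            // already handles OidcParameterNames.ID_TOKEN.
            if (!OAuth2ParameterNames.ACCESS_TOKEN.equals(context.getTokenType().getValue())) {
                return;
            }
            Authentication principal = context.getPrincipal();
            if (!(principal instanceof OAuth2AuthenticationToken)) {
                return; // form login or client_credentials: no federated attributes to copy
            }
            OAuth2AuthenticationToken federated = (OAuth2AuthenticationToken) principal;
            OAuth2User user = federated.getPrincipal();
            Map<String, Object> attributes = user.getAttributes(); // read-only view; never put() into it

            context.getClaims().claims(claims -> {
                for (String name : COPIED_ATTRIBUTES) {
                    Object value = attributes.get(name);
                    if (value != null) {
                        // putIfAbsent keeps the server-issued "sub", "iss", "aud", etc. intact
                        claims.putIfAbsent(name, value);
                    }
                }
                // Record which upstream provider authenticated the user (hypothetical claim name)
                claims.put("idp", federated.getAuthorizedClientRegistrationId());
            });
        };
    }
}
```

A resource server then reads these claims from the validated JWT; it should still treat "sub" as the stable identity and the copied attributes as informational, since they originate from the upstream provider.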

doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023