
I'd like to give users the option to log in to a Spring Boot web application using their Google or Facebook account.

I checked the Spring Cloud Security documentation and also this GitHub issue to add such SSO functionality, but on both they only show how to configure one SSO server, so it's either Google or Facebook.

How can I add both options? On the web front-end I will add a button for each option so the users can choose which account to use, either Google or Facebook.

Or am I choosing the wrong package and should I use something different altogether to achieve this?

Thanks!

Raul G

1 Answer


You basically have to install a separate authentication filter for each provider. There's a tutorial here: https://spring.io/guides/tutorials/spring-boot-oauth2/.

Dave Syer
  • Awesome! Thanks for the link. So it means that I don't need the spring-cloud-security-oauth2 package? On the link I see they use plain spring-security. – Raul G Jan 03 '16 at 14:45
  • Correct (since Spring Boot 1.3). – Dave Syer Jan 03 '16 at 16:04
  • @DaveSyer may be a little late to the party, but using multiple authentication servers leads to other problems (e.g. it is difficult to figure out which token came from which OAuth server). Is there a way to set up one central OAuth server that "converts" external access tokens into local tokens and use the tokens of the central OAuth server instead? – Turing85 Oct 03 '17 at 22:45
  • There's a sample app in the tutorial I linked to that does precisely that. – Dave Syer Oct 04 '17 at 06:24
  • @DaveSyer if I understand the example correctly, the `/user` endpoint is your "common ground" to unify user authorization information. This seems to imply some server-side state information, i.e. the server needs to store some additional information wrt. the token. Is the same process possible with JWT? – Turing85 Oct 05 '17 at 09:45
  • Yes of course. Why not? (And the /user endpoint is just an example. Not every auth server has to have it.) – Dave Syer Oct 06 '17 at 04:34
  • @DaveSyer In my understanding, with an externally generated JWT Access token, I cannot add any information to the token (since it is signed) and a JWT Access Token has no information about the issuer. Thus, I cannot distinctly map a JWT to a user. This, in return, implies that the server needs to store some information related to each access token, defeating the point of JWT (i.e. statelessness). Could we discuss this elsewhere, e.g. in chat? I do not want to spam the comment section. – Turing85 Oct 06 '17 at 08:42
  • I'm traveling at the minute so probably not very responsive. You can send me an email if you like (easy to discover, e.g. via github). – Dave Syer Oct 06 '17 at 12:20
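The "separate authentication filter per provider" approach from the answer, written out as an added example (this is not the linked tutorial's code and not code from anyone in the thread). It assumes a Spring Boot 1.5 application using the plain spring-security-oauth2 dependency; the class name, the `/login/google` and `/login/facebook` callback paths, the `google.*` / `facebook.*` property prefixes and the `ROLE_GOOGLE_USER` / `ROLE_FACEBOOK_USER` authority names are this example's own choices. Each provider gets its own `OAuth2ClientAuthenticationProcessingFilter` on its own path, and the two are combined into one `CompositeFilter`. Because each filter only ever redeems an access token at the user-info endpoint of the provider that issued it, a token from one provider cannot be replayed through the other filter; the per-provider authority also answers the comment thread's question of how the application later tells a Google session from a Facebook one (it records this in the server-side session, not in the provider's token).

```java
// Added example (not the tutorial's or the question's code). Assumes Spring Boot 1.5
// with plain spring-security-oauth2; paths, property prefixes and role names are assumed.
package example.sso;

import java.util.*;
import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Client;
import org.springframework.boot.autoconfigure.security.oauth2.resource.*;
import org.springframework.boot.context.properties.*;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.filter.*;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.filter.CompositeFilter;

@Configuration
@EnableOAuth2Client
public class MultiProviderLoginConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/login**", "/webjars/**").permitAll()
                .anyRequest().authenticated()
            .and().exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"))
            .and().logout().logoutSuccessUrl("/").permitAll()
            // CSRF protection stays on; the cookie repository lets a JS front-end read the token.
            .and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            // Both provider filters are inserted where HTTP Basic would normally sit.
            .and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    }

    // Handles the redirect to the provider; must run before the security filter chain.
    @Bean
    public FilterRegistrationBean oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(filter);
        registration.setOrder(-100);
        return registration;
    }

    // One authentication filter per provider, each on its own callback path. The front-end
    // buttons link to these paths, which must match the redirect URIs registered at each provider.
    private Filter ssoFilter() {
        List<Filter> filters = new ArrayList<>();
        filters.add(ssoFilter(google(), "/login/google", "ROLE_GOOGLE_USER"));
        filters.add(ssoFilter(facebook(), "/login/facebook", "ROLE_FACEBOOK_USER"));
        CompositeFilter composite = new CompositeFilter();
        composite.setFilters(filters);
        return composite;
    }

    private Filter ssoFilter(ClientResources client, String path, String providerRole) {
        OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter(path);
        OAuth2RestTemplate template = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
        filter.setRestTemplate(template);
        // The token is redeemed only at the user-info endpoint of the provider that issued it,
        // and the session is tagged with a provider-specific role so the app can tell logins apart.
        UserInfoTokenServices tokenServices = new UserInfoTokenServices(
                client.getResource().getUserInfoUri(), client.getClient().getClientId());
        tokenServices.setRestTemplate(template);
        tokenServices.setAuthoritiesExtractor((Map<String, Object> userInfo) ->
                AuthorityUtils.createAuthorityList("ROLE_USER", providerRole));
        filter.setTokenServices(tokenServices);
        return filter;
    }

    @Bean @ConfigurationProperties("google")
    public ClientResources google() { return new ClientResources(); }

    @Bean @ConfigurationProperties("facebook")
    public ClientResources facebook() { return new ClientResources(); }

    // Bound from application.yml: <prefix>.client.* (id, secret, token and authorization URIs,
    // scope) and <prefix>.resource.userInfoUri for one provider.
    public static class ClientResources {
        @NestedConfigurationProperty
        private final AuthorizationCodeResourceDetails client = new AuthorizationCodeResourceDetails();
        @NestedConfigurationProperty
        private final ResourceServerProperties resource = new ResourceServerProperties();
        public AuthorizationCodeResourceDetails getClient() { return client; }
        public ResourceServerProperties getResource() { return resource; }
    }
}
```

The client credentials and endpoints are not in the code: under `google.client` set `clientId`, `clientSecret`, `accessTokenUri`, `userAuthorizationUri` and `scope`, under `google.resource` set `userInfoUri`, and likewise under `facebook` (Facebook additionally needs the token-name and authentication-scheme settings the linked tutorial shows). Two checks worth doing before going live: the redirect URI registered with each provider must be exactly the callback path above on the public hostname, and the filter's `state` check relies on the session that started the login, so a login that begins on one hostname and returns to another will be rejected rather than silently accepted.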