
Multiple SSO providers in Spring Boot Auth server

I have read and implemented my own Auth server following this tutorial from Spring. There are multiple SSO providers - Facebook, Github and a custom auth server. In this tutorial, the auth server contains the handling of other SSO providers.

I have a separate resource server that links to my auth server using the following properties:

security.oauth2.resource.userInfoUri=http://localhost:9000/user

I am able to get the token from my auth server using a cUrl command:

curl acme:acmesecret@localhost:9000/oauth/token -d grant_type=password -d username=user -d password=...
{"access_token":"aa49e025-c4fe-4892-86af-15af2e6b72a2","token_type":"bearer","refresh_token":"97a9f978-7aad-4af7-9329-78ff2ce9962d","expires_in":43199,"scope":"read write"}

But what I fail to understand is how I can use the other SSO providers to get such a token as well from the auth server. The resource server should not care how I got the token or whether I am authenticated using Facebook or my custom auth server. It should simply ask the auth server what the Principal (logged-in user) is and then decide which resources to show him, right?

I don't have any UI and this will be the backend for a mobile application, so I need to understand how to handle the authentication using REST requests.

If I understand your question correctly,

how can I use the other SSO providers to get such token as well from the auth server?

This custom Auth server is abstracting out your interaction with FB or Github and issuing you its own token. The token that your custom Auth server is spitting out is not an FB or Github token; it's a token generated by your custom Auth server (after authenticating with the FB/Github token).

Then why do we need FB/github?

How else can your custom Auth server identify a person? It sure can use user ID and password; consider 'login with FB' as another nice option it gives to the user.

How to add other SSO providers like digitalocean in addition to FB and github?

Just do the same as we did for FB and Github (register a client ID with DigitalOcean and then, in the auth server application, add the client ID and secret in the properties/yaml file, etc.).

The resource server should not care how I got the token or whether I am authenticated using Facebook or my custom auth server. It should simply ask the auth server what the Principal (logged-in user) is and then decide which resources to show him, right?

Yes, your understanding is correct.

Edit (To answer question asked in the comment)

But let's say I log in with Facebook through my Auth server. Where do I find the token that I can use with the Resource server? Let's say I have a RestClient and want to make a request to obtain some resource belonging to a user who went through the Facebook auth process via my auth server. Where do I find the token to use?

If that's a requirement, I think you can use this example instead; you may not need a custom auth server as such. The whole point of having a custom auth server is abstracting out the interaction with FB or Github.

Or

If you still want to go in the custom auth server direction, then expose an endpoint from the Auth server (which will get you the resources you need from FB) and then make use of that from your resource server.
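The "do the same as for FB and Github" step above, as an added example that is not part of the question, the answer, or the Spring tutorial they refer to. It assumes the Spring Boot 1.x / Spring Security OAuth 2.x stack that the tutorial used (`@EnableOAuth2Client`, `OAuth2ClientAuthenticationProcessingFilter`, `UserInfoTokenServices`) and binds each provider from its own property prefix in application.yml (`facebook.*`, `github.*`); the `digitalocean` prefix, its `/login/digitalocean` path and the class name `SsoProvidersConfig` are hypothetical placeholders for the third provider. The point it shows is that every provider only ever yields a Principal inside the auth server; the provider's own token stays there and the resource server only sees tokens the auth server issues.

```java
package com.example.authserver;

import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;

import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.NestedConfigurationProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.CompositeFilter;

@Configuration
@EnableOAuth2Client
public class SsoProvidersConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    private final OAuth2ClientContext oauth2ClientContext;

    public SsoProvidersConfig(OAuth2ClientContext oauth2ClientContext) {
        this.oauth2ClientContext = oauth2ClientContext;
    }

    // One bean per provider, bound from application.yml under its prefix:
    //   <prefix>.client.clientId / clientSecret / accessTokenUri / userAuthorizationUri
    //   <prefix>.resource.userInfoUri
    // Secrets belong in an externalised, non-committed property source, not in the repo.
    @Bean @ConfigurationProperties("facebook")
    public ClientResources facebook() { return new ClientResources(); }

    @Bean @ConfigurationProperties("github")
    public ClientResources github() { return new ClientResources(); }

    @Bean @ConfigurationProperties("digitalocean") // assumed prefix for the extra provider
    public ClientResources digitalocean() { return new ClientResources(); }

    // Handles the redirect to the provider's authorization page; must run ahead of
    // the main Spring Security filter chain, hence the negative order.
    @Bean
    public FilterRegistrationBean oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(filter);
        registration.setOrder(-100);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    }

    // Adding a provider means: one ClientResources bean above plus one line here.
    private Filter ssoFilter() {
        List<Filter> filters = new ArrayList<>();
        filters.add(ssoFilter(facebook(), "/login/facebook"));
        filters.add(ssoFilter(github(), "/login/github"));
        filters.add(ssoFilter(digitalocean(), "/login/digitalocean")); // assumed path
        CompositeFilter composite = new CompositeFilter();
        composite.setFilters(filters);
        return composite;
    }

    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2ClientAuthenticationProcessingFilter filter =
                new OAuth2ClientAuthenticationProcessingFilter(path);
        OAuth2RestTemplate template = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
        filter.setRestTemplate(template);
        // The provider's user-info endpoint is what turns the provider token into a
        // Principal here; that provider token never leaves the auth server.
        UserInfoTokenServices tokenServices = new UserInfoTokenServices(
                client.getResource().getUserInfoUri(), client.getClient().getClientId());
        tokenServices.setRestTemplate(template);
        filter.setTokenServices(tokenServices);
        return filter;
    }

    public static class ClientResources {
        @NestedConfigurationProperty
        private final AuthorizationCodeResourceDetails client = new AuthorizationCodeResourceDetails();
        @NestedConfigurationProperty
        private final ResourceServerProperties resource = new ResourceServerProperties();

        public AuthorizationCodeResourceDetails getClient() { return client; }
        public ResourceServerProperties getResource() { return resource; }
    }
}
```

With this in place the resource server's `security.oauth2.resource.userInfoUri=http://localhost:9000/user` setting from the question is still the only trust relationship it has: whichever of the three login paths a user took, `/user` on the auth server reports the resulting Principal, and the resource server authorises on that alone.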
