OAuth2 Provider with custom authentication

Question

I am trying to implement a OAuth2 Provider, that authenticates users with a custom login. For understanding I looked at the Spring Boot OAuth2 Tutorial . I don't quite get, how I can implement my own Authentication meachnism to work with the OAuth2 SSO from my Server.

I want to add custom authentication mechanisms (like "user has to answer a question for authentication" or "user has to enter id and click button for authentication") instead of the Facebook and Github examples.

I read about implementing my own AuthenticationProvider, but I am stuck how to combine all the puzzle parts.

Answer 1

Let's go one step at a time. OAuth is only authz provider so not talk about authentication. Now for your usecase specifically, if you want user to be authenticated then OAuth authz code based flow makes sense (You can even go for implicit flow, check rfc 6749). Now how will this work for you. I am picking up the implicit flow for simplicity, Authz flow is just extension of it where end client gets a temporary code which it exchanges with Identity Server later to get the access token. Here are the steps:

1. Client App hits the /authorization uri with data as per rfc 6749

2. After validating the submitted data, server forwards user to Login page (or other page for authentication). After authentication, cookie is set in the browser or data is stored in server to mark a user as authenticated.

3. After authentication server redirects user to user consent page (You can even skip this if needed depending on need, But OAuth 2 spec contains this) where user specifies which all permissions (scopes) are allowed, here user can allow either allow or deny.
4. if user allows then these permissions are submitted to server and then server stores the data and redirects the user to client URI with access token in # fragement of client redirect URI (callback URI submitted during actual request)