
JSP and OAUTH2 authentication

I hope this is not a "too open" question but I am really not sure of how to handle it.

I have a working web application written in Java JSPs and some REST interfaces with Jersey, running on Tomcat 7 and a MySQL DB. It is quite a simple, form-based application. Currently I have it running on AWS.

The JSPs are something like this:

<%
String inmsg = request.getParameter("msg");
%>
<html>
<head>
...

And the Rest classes like this:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/operation")
public class IntrfcOperation {

    String response = "";
    int retcode = 0;
    String id;
    String name;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response baserest(
            @Context HttpServletRequest hsreq,
            @Context HttpServletResponse hsresp) {
        response = "";
        // ... (operation logic elided in the original post)
        // The JSON is built by hand; name/response are not escaped, so a
        // JSON library would be safer if they can contain quotes.
        String outjson = "{\"retcode\":\"" + retcode + "\",\"name\":\"" + name + "\",\"msg\":\"" + response + "\"}";
        return Response.status(200).entity(outjson).build();
    }
}

I want to incorporate an authentication layer and I am thinking of using an OpenID/OAuth2 server, probably the AWS one (IAM?). The problem I see is that this protocol (as far as I have tried it) requires a single/unique redirect URL, this being the return point for every request sent to the Identity Manager. My problem is that I don't have a single URL but a bunch of them, one per JSP and REST entry point.

What should be the correct approach to transform this? The only way I see (and I don't see it as an option at the moment) is to rewrite the whole application to be a single JSP script where all the different actions and pages are identified as parameters of the single entry point. Is there another simpler way?

OAuth2 requires you to have a URI which will accept redirects from the authentication server. Just one URI for the whole application. The code handling this URI should get values from URL parameters, save the tokens (or get them from the /token endpoint) and redirect to an application page you already have.

So there is no need for rewriting your application. For example, if you have a login page and an initial dashboard for authenticated users, the flow will be like this:

  1. User gets to the login page and clicks "Authenticate by OAuth2"
  2. User gets redirected to OAuth2 authentication server
  3. User passes the authentication and gets redirected to your new authentication handling URI with the results of the authentication
  4. Your application saves the results, considers the user authenticated and redirects him to the initial dashboard page.

You need to decide what kind of OAuth2 flow you want to use, where to store the tokens and which part of your application will have the OAuth2 client role (the Java backend or the HTML/JavaScript frontend). If you need just authentication (getting users identity), you probably need just an ID token (from the OpenID Connect extension).

For more info, you can read the well-written OAuth2 RFC or some articles/tutorials that can give you a simplified view of the topic.

Edit: After successful authentication, if you want to get back to the originally requested page, include the requested URL in the state param of the authentication request. Your new authentication handler will get the state value unchanged (again as a state URL parameter) and you can redirect the user to that URL, instead of a hard-coded one (the dashboard). Note that the state value should also contain a value used for preventing cross-site request forgery as described in the OAuth2 RFC.
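The flow described in the answer, including the state parameter carrying both a CSRF nonce and the originally requested page, as an added example in two Tomcat 7 servlets (javax.servlet 3.0, Java 8). This is not code from the question or the answer. The provider's authorize/token endpoints, the client id/secret, the app's own callback URL and the /dashboard.jsp fallback are placeholder assumptions to replace with your provider's values; pages that need login send the user to /login?return=<path> (for example from a servlet filter), and the returned path is restricted to a path inside the webapp so the state value cannot be abused as an open redirect.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** One redirect URI for the whole application; every JSP/REST page stays as it is. */
public final class OAuth2Callback {
    // Placeholders (assumptions): replace with your provider's and app's values.
    static final String AUTHORIZE_URL = "https://provider.example/oauth2/authorize";
    static final String TOKEN_URL     = "https://provider.example/oauth2/token";
    static final String CLIENT_ID     = "YOUR_CLIENT_ID";
    static final String CLIENT_SECRET = "YOUR_CLIENT_SECRET";
    static final String REDIRECT_URI  = "https://yourapp.example/oauth2/callback";
    static final String FALLBACK_PAGE = "/dashboard.jsp";
    static final String NONCE_ATTR    = "oauth2.nonce";
    static final SecureRandom RNG     = new SecureRandom();

    /** /login?return=/page.jsp : starts the flow and binds a one-time nonce to the session. */
    @WebServlet("/login")
    public static class Login extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            req.getSession(true).setAttribute(NONCE_ATTR, nonce);
            String ret = safeLocalPath(req.getParameter("return"));
            // state = CSRF nonce + "|" + originally requested page (nonce is base64url, so no '|')
            String state = nonce + "|" + ret;
            resp.sendRedirect(AUTHORIZE_URL
                + "?response_type=code&scope=" + enc("openid")
                + "&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&state=" + enc(state));
        }
    }

    /** The single redirect URI: check state, exchange the code, then resume the original page. */
    @WebServlet("/oauth2/callback")
    public static class Callback extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            HttpSession session = req.getSession(false);
            String state = req.getParameter("state");
            String code = req.getParameter("code");
            String expected = session == null ? null : (String) session.getAttribute(NONCE_ATTR);
            if (state == null || code == null || expected == null || state.indexOf('|') < 0) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing code or state");
                return;
            }
            session.removeAttribute(NONCE_ATTR); // the nonce is valid for exactly one callback
            String nonce = state.substring(0, state.indexOf('|'));
            String ret = state.substring(state.indexOf('|') + 1);
            // constant-time comparison of the returned nonce against the session's copy
            if (!MessageDigest.isEqual(nonce.getBytes(StandardCharsets.UTF_8),
                                       expected.getBytes(StandardCharsets.UTF_8))) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "state mismatch");
                return;
            }
            String tokenJson = exchangeCode(code);
            // Raw token response kept in the session; extract id_token with your JSON library.
            session.setAttribute("oauth2.tokens", tokenJson);
            resp.sendRedirect(req.getContextPath() + safeLocalPath(ret));
        }
    }

    /** Accept only a path inside this webapp; anything else falls back to the dashboard. */
    static String safeLocalPath(String p) {
        if (p == null || !p.startsWith("/") || p.startsWith("//") || p.startsWith("/\\")) {
            return FALLBACK_PAGE;
        }
        return p;
    }

    /** POST the authorization code to the token endpoint and return the JSON body as text. */
    static String exchangeCode(String code) throws IOException {
        String body = "grant_type=authorization_code&code=" + enc(code)
            + "&redirect_uri=" + enc(REDIRECT_URI)
            + "&client_id=" + enc(CLIENT_ID) + "&client_secret=" + enc(CLIENT_SECRET);
        HttpURLConnection c = (HttpURLConnection) new URL(TOKEN_URL).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = c.getInputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) > 0) buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

Existing JSPs and Jersey resources only need to check the session for the stored tokens (or be fronted by a filter that redirects to /login?return=<path> when they are absent); none of them has to know the OAuth2 server exists.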
