
Use SpringSecurity's OAuth2 functionality on demand on custom endpoint

We have a Spring Boot web app which uses JWT-based authentication/authorisation. Now, we want to add OAuth2 support so that users can log in using their Google account. That would be easy to do using Spring Security.

However, the requirement is a bit different.

If the user wants to use the Google login functionality, they first need to link their Google account. Basically, log in to our application using their credentials, and on their profile page link their Google account.

The flow would be something like the following:

  1. Click the “Link Google account” button on the user's profile, which redirects them to Google
  2. In Google, choose the account you want
  3. Google returns with a code. After that, make a request to our backend, on an authenticated endpoint, e.g. POST /users/{userId}/accounts, which will receive the token returned by Google
  4. In the backend, verify this token by making a request to Google
  5. If all is good, link the user's account with Google by updating the db accordingly

My question is, for step 4, what is the best practice for that? How can I use all the stuff that Spring Security is offering to achieve this?

Thank you in advance,

You have the authorization code and you exchange it for an access token, all over HTTPS and all in the backend.

There is no need to validate the access token at your end (I don't think Spring Security even does this part for its integration with Google).

This should be done by Google when you request its resource.
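
One way to do step 4 with Spring Security's own OAuth2 client classes, as an added example that is not part of the original question or answer. It assumes Spring Security 5.4+ or 6.x with spring-security-oauth2-client on the classpath; the class name `GoogleAccountLinker`, its method and the `expectedState` parameter are hypothetical.

```java
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;

// Hypothetical helper for step 4: turns the code from Google into a Google account id.
public class GoogleAccountLinker {
    private final ClientRegistration google;

    public GoogleAccountLinker(String clientId, String clientSecret, String redirectUri) {
        // redirectUri must be the same value that was sent to Google in step 1.
        this.google = CommonOAuth2Provider.GOOGLE.getBuilder("google")
                .clientId(clientId).clientSecret(clientSecret).redirectUri(redirectUri).build();
    }

    /** Returns Google's stable subject id ("sub") for the account behind the code. */
    public String resolveGoogleSubject(String code, String returnedState, String expectedState) {
        // expectedState is the value our backend stored for the logged-in user in step 1.
        if (expectedState == null || !expectedState.equals(returnedState)) {
            throw new IllegalArgumentException("state does not match this user's link request");
        }
        OAuth2AuthorizationRequest request = OAuth2AuthorizationRequest.authorizationCode()
                .authorizationUri(google.getProviderDetails().getAuthorizationUri())
                .clientId(google.getClientId())
                .redirectUri(google.getRedirectUri())
                .scopes(google.getScopes())
                .state(expectedState)
                .build();
        OAuth2AuthorizationResponse response = OAuth2AuthorizationResponse.success(code)
                .redirectUri(google.getRedirectUri())
                .state(returnedState)
                .build();
        // Server-to-server POST to Google's token endpoint over HTTPS.
        OAuth2AccessTokenResponse tokens = new DefaultAuthorizationCodeTokenResponseClient()
                .getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
                        google, new OAuth2AuthorizationExchange(request, response)));
        // Google checks the access token when we call its userinfo resource with it.
        return new DefaultOAuth2UserService()
                .loadUser(new OAuth2UserRequest(google, tokens.getAccessToken()))
                .getName();
    }
}
```

The authenticated POST /users/{userId}/accounts handler would call `resolveGoogleSubject` and store the returned `sub` against that user in step 5.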
