Is it possible to leverage Spring Security while manually handling multiple oauth2 logins?
Is it possible to leverage Spring Security while manually handling multiple oauth2 logins?
The current application I'm working on makes use of oauth2 quite extensively.
For each screen, the user may be required to authenticate via an external service (while still maintaining authentication for the other screens they have already visited).
So for example:
ScreenA -> Authenticate via ServiceX
ScreenB -> Authenticate via ServiceY
ScreenC -> Authenticate via ServiceZ
It is possible for users to be authenticated to multiple login providers at the same time in a given session.
As such, I've decided to handle the oauth2 workflow manually instead of relying on Spring Boot's OAuth2 library. It does seem like this library provides multiple login providers but it looks far too complicated for such a simple scenario and I'm not sure if it's even possible to have users authenticated to multiple providers at once.
Anyway, that was the background information (if it was necessary). My plan for the implementation is to just store the access token in the session object for each of the screens. So this means that I have a separate bean in the session object for each of the screens, and I'm going to make it thread safe to account for the web session pitfalls.
Is there an easier way of doing what I'm trying to achieve? I can't find any best practices on this approach.
If my manual approach is the best way, then how do I take advantage of the other functionalities provided by Spring Security? Namely, I would like to use @PreAuthorize (perhaps define a role for each of login providers) and maybe even get WebSecurityConfigurerAdapter to work with these roles.
Ultimately, I'm having difficulty coming up with the right architecture for this situation, and I would like any tips/advice. Thanks!
I note your opinion. There's plenty of debate over on the meta discussions. Your edits are not helping me get any closer to solving this question, and so ultimately they are useless. Not trying to be rude, but please keep these kinds of comments to a minimum as your comment is not helping either. Instead, let my question be the focus.
– gjvatsalya
Sep 11 '18 at 22:52
Our aim for succinctness on this platform is not just my opinion. Please also read: Should I remove 'fluff' when editing questions? I wonder also whether the request "tips or advice" now also qualifies for the official close reasons of Too Broad or Primarily Opinion Based.
– halfer
Sep 12 '18 at 10:57
1 Answer
1
With what you have provided, it's possible to implement OAuth2 authentication.
All of the spring security features will still be useable in this scenario.
Thanks for contributing an answer to Stack Overflow!
But avoid …
To learn more, see our tips on writing great answers.
Required, but never shown
Required, but never shown
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
Note we prefer a technical style of writing here, and Stack Overflow is not a forum. We gently discourage greetings, hope-you-can-helps, thanks, advance thanks, notes of appreciation, regards, kind regards, signatures, please-can-you-helps, chatty material and abbreviated txtspk, pleading, how long you've been stuck, voting advice, meta commentary, etc. Just explain your problem, and show what you've tried, what you expected, and what actually happened.
– halfer
Sep 11 '18 at 22:32