springauthenticationspring-social

Can Spring Social login be used for authentication?


Spring Social's social login features appear to be built around acquiring a token which can be used to make requests to a provider's social APIs. I am interested in using it for OAuth2 authentication, without making requests to the provider's APIs. Does Spring Social perform the full OAuth2 authentication (for OAuth2 providers)? What I mean by this, is does it validate the OAuth2 request coming back from the provider?

So, for example, when the ConnectionSignUp.execute(Connection<?>) method is called, do we know that the user successfully authenticated against the provider?

If so, where in the source code is the authentication validated?


Solution

  • I'm not sure I understand the question, but let me try to answer anyway.

    The OAuth flow requires that the user be authenticated against the provider before they can authorize the app and before the app can receive a token. I the user isn't authenticated against the provider, the provider should authenticate them before prompting for authorization. Therefore, by virtue of the fact that the flow completes successfully and the app receives an access token, it can be safely assumed that the user is authenticated with the provider.

    You said you want to authenticate without making requests to the provider's APIs. Unfortunately, that's not possible in any form of an OAuth flow. Auth code, implicit, and password grant all require interaction with the provider. (I guess implicit grant doesn't necessarily deal with the API directly as it receives a token directly in response to authorization.)

    In any case, the first thing Spring Social does after authorization is turn around and fetch the user details and uses the unique user ID to perform authentication. This is in each provider implementation's API adapter (for example, FacebookAdapter: https://github.com/spring-projects/spring-social-facebook/blob/master/spring-social-facebook/src/main/java/org/springframework/social/facebook/connect/FacebookAdapter.java). Without going back to the provider and fetching user details, there's no way to know for sure that the access token received is valid.