I need to use both Facebook and Google as OpenId Sing in providers. I have integrated them with Spring Security using the SocialAuthenticationFilter, as described in the documentation and having a look at the sample app.
I have sucessfully configured Facebook.
The problem is when I try to authenticate with Google:
In OAuth2AuthenticationService.getAuthToken():
...
AccessGrant accessGrant = getConnectionFactory().getOAuthOperations().exchangeForAccess(code, returnToUrl, null);
At this point I can see that accessGrant contains an accessToken, so it seems to be correct so far. It fails in the following call:
// TODO avoid API call if possible (auth using token would be fine)
Connection<S> connection = getConnectionFactory().createConnection(accessGrant);
createConnection() ends up calling GoogleConnectionFactory.extractProviderUserId(AccessGrant accessGrant):
Google api = ((GoogleServiceProvider)getServiceProvider()).getApi(accessGrant.getAccessToken());
UserProfile userProfile = getApiAdapter().fetchUserProfile(api);
...
and getApiAdapter().fetchUserProfile(Google) -> google.plusOperations().getGoogleProfile(); throws a 403 exception:
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
Why can't it get the GoogleProfile? Apparently the scope I set and what is prompted to the user is correct...
The complete project is available here: https://github.com/codependent/spring-boot-social-signin
Excerpts from the config:
SecurityConfig:
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/secure*").authenticated()
.and()
.formLogin()
.loginPage("/login").permitAll()
//.loginProcessingUrl("/secure-home")
.failureUrl("/login?param.error=bad_credentials")
.and()
.logout()
.logoutUrl("/logout")
.deleteCookies("JSESSIONID")
.and()
/*.rememberMe()
.and()*/
.apply(new SpringSocialConfigurer());
}
@Bean
public SocialUserDetailsService socialUserDetailsService(){
return new SocialUserDetailsService(){
@Override
public SocialUserDetails loadUserByUserId(String userId) throws UsernameNotFoundException{
return new SimpleSocialUserDetails(userId);
}
}
}
}
SocialConfig:
@Configuration
@EnableSocial
class SocialConfig extends SocialConfigurerAdapter{
@Override
void addConnectionFactories(ConnectionFactoryConfigurer cfConfig, Environment env) {
FacebookConnectionFactory fcf = new FacebookConnectionFactory(env.getProperty("facebook.clientId"), env.getProperty("facebook.clientSecret"))
fcf.setScope("public_profile,email")
cfConfig.addConnectionFactory(fcf)
GoogleConnectionFactory gcf = new GoogleConnectionFactory(env.getProperty("google.clientId"), env.getProperty("google.clientSecret"))
gcf.setScope("openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo#email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/tasks https://www-opensocial.googleusercontent.com/api/people https://www.googleapis.com/auth/plus.login");
cfConfig.addConnectionFactory(gcf);
}
@Bean
@Scope(value="request", proxyMode=ScopedProxyMode.INTERFACES)
Facebook facebook(ConnectionRepository repository) {
Connection<Facebook> connection = repository.findPrimaryConnection(Facebook.class);
return connection != null ? connection.getApi() : null;
}
@Bean
@Scope(value="request", proxyMode=ScopedProxyMode.INTERFACES)
Google google(ConnectionRepository repository) {
Connection<Google> connection = repository.findPrimaryConnection(Google.class);
return connection != null ? connection.getApi() : null;
}
@Override
UsersConnectionRepository getUsersConnectionRepository(ConnectionFactoryLocator connectionFactoryLocator) {
//return new JdbcUsersConnectionRepository(dataSource, connectionFactoryLocator, Encryptors.noOpText());
InMemoryUsersConnectionRepository rep = new InMemoryUsersConnectionRepository(connectionFactoryLocator)
rep.setConnectionSignUp(new ConnectionSignUp(){
public String execute(Connection<?> connection){
Facebook facebook = (Facebook)connection.getApi();
String [] fields = [ "id", "email", "first_name", "last_name", "about" , "gender" ];
User userProfile = facebook.fetchObject(connection.getKey().getProviderUserId(), User.class, fields);
return userProfile.getEmail();
}
})
return rep;
}
@Override
UserIdSource getUserIdSource() {
return new AuthenticationNameUserIdSource()
}
}
Fixed, I had to enable the Google+ API on the Google Developer console.