Danilo Andrade Danilo Andrade - 11 days ago 5
reST (reStructuredText) Question

Spring Security Oauth2 in Rest API

I have a web service rest implemented and I'm working on security at the moment.

This web service was implemented using Spring boot. Initially I will have clients as an Android app and a web app, but in the future I think of making this API public, so I have to think about this issue as well.

I researched a lot about Spring Security Oauth2, but there were basically two doubts:


  • All the examples I've seen so far have been using a Web App client, where the server redirects to the url's authentication. In an Android App how is this authentication done? After all, I'm not working with Html on Android to be redirected.

  • I need my clients to use the Facebook login, where the user can share from within the App. Initially I thought about the possibility of the app's clients being responsible for performing this authentication and somehow sending it to my server later, as I think it would be more practical than Spring Social. Is this possible?



Thank you very much, and any tips on architecture of my use case will be welcome.

Answer

One possibility is to go for a federated identity management system like keycloak. Keycloak offers adapters for spring as well as android has full OAUTH2 support and gives you the possibility to use Facebook as identity provider. It gives you a lot of benefit, as lot of the features you most likely need are already there. On the other hand it is a big topic so be aware that it will take you some time to bring the whole setup alive. You will need to host keycloak, configure clients for Android app and you Web application, introduce keycloak adapter to both Android application and Web application and finally configure Facebook as identity provider.

EDIT:

Have a look here, this seems promising. In general, I have to admit that I didn't integrate keycloak with facebook or Android myself. We utilize it to secure our spring-boot and Java EE applications. I only was heavily involved in this in integration and by that stumbeld upon the stated functionality. There is also the possibility to do OAUTH2 in Android by hand see. Here is an example how to do facebook integration. I hope this helps and good luck ;)

Comments