I'm quite new to OAuth, but I need to learn how to do it in Java so that we can authenticate a REST request. Here's what I've got so far.
After a bit of reading, I decided to try ScribeJava. I made a custom API that implements DefaultApi10a
and points to our endpoint. I set up the service like so:
    import com.github.scribejava.core.builder.ServiceBuilder;   // ScribeJava 2.x/3.x packages
    import com.github.scribejava.core.oauth.OAuth10aService;

    final OAuth10aService service = new ServiceBuilder()
            .apiKey("key")
            .apiSecret("secret")
            .build(TestApi.instance());
This didn't work. After doing a bunch of digging, it appears that because we're using a self-signed certificate I'm not able to get to the remote host. I was getting an error saying that there was a problem connecting to the remote service. ScribeJava appears not to have a way to disable certificate verification when using a self-signed certificate.
Since we want to be able to authenticate using the authorization header on the request, how would I go about generating just the header portion with a Java library? I've looked all around and couldn't find anything.
For reference, we have successfully made good OAuth REST calls using Python with something simple like this:
    import requests
    from requests_oauthlib import OAuth1
    # Oauth1Key / Oauth1Secret hold our consumer key and consumer secret
    headeroauth = OAuth1(Oauth1Key, Oauth1Secret,
                         signature_type='auth_header')
    myResponse = requests.get("endpoint_here", auth=headeroauth, verify=False)
Any input on how to accomplish somewhat of the same thing using Java?
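An added example that is not part of the original question and does not use ScribeJava: the OAuth 1.0a Authorization header (RFC 5849, HMAC-SHA1) built by hand with only the JDK, then sent with java.net.http.HttpClient (Java 11+) over an SSLContext that trusts the self-signed server certificate explicitly, which is the safer answer to the certificate problem than switching verification off. The class name, the endpoint URL, the "key"/"secret" values, the truststore file name and its "changeit" password are placeholders assumed for this example; it signs query-string and oauth_* parameters only (no form-encoded body), and a two-legged request passes null for the token and token secret.

```java
import java.io.InputStream;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.*;

/** Added example: OAuth 1.0a (RFC 5849) HMAC-SHA1 Authorization header built with the JDK only. */
public final class OAuth1Header {

    /** RFC 5849 section 3.6 percent-encoding; URLEncoder differs for space, '*' and '~'. */
    static String pct(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    /** Base string URI (section 3.4.1.2): lowercase scheme and host, no default port, no query. */
    static String baseUrl(URI u) {
        String scheme = u.getScheme().toLowerCase();
        int port = u.getPort();
        boolean defaultPort = port == -1 || ("https".equals(scheme) && port == 443)
                || ("http".equals(scheme) && port == 80);
        return scheme + "://" + u.getHost().toLowerCase() + (defaultPort ? "" : ":" + port) + u.getRawPath();
    }

    /** Signature base string (section 3.4.1): METHOD & enc(baseUrl) & enc(sorted "k=v" pairs joined by &). */
    static String signatureBaseString(String method, URI url, Map<String, String> oauthParams) {
        List<String[]> pairs = new ArrayList<>();          // query params + oauth_* params, all encoded
        if (url.getRawQuery() != null) {
            for (String kv : url.getRawQuery().split("&")) {
                int i = kv.indexOf('=');
                String k = i < 0 ? kv : kv.substring(0, i), v = i < 0 ? "" : kv.substring(i + 1);
                pairs.add(new String[] { pct(URLDecoder.decode(k, StandardCharsets.UTF_8)),
                                         pct(URLDecoder.decode(v, StandardCharsets.UTF_8)) });
            }
        }
        oauthParams.forEach((k, v) -> pairs.add(new String[] { pct(k), pct(v) }));
        // sort by encoded name, then by encoded value (section 3.4.1.3.2)
        pairs.sort((a, b) -> a[0].equals(b[0]) ? a[1].compareTo(b[1]) : a[0].compareTo(b[0]));
        StringBuilder norm = new StringBuilder();
        for (String[] p : pairs) norm.append(norm.length() == 0 ? "" : "&").append(p[0]).append('=').append(p[1]);
        return method.toUpperCase() + "&" + pct(baseUrl(url)) + "&" + pct(norm.toString());
    }

    static String hmacSha1Base64(String key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    /** Header for a request without body parameters; pass null token/tokenSecret for two-legged use. */
    static String header(String method, String url, String consumerKey, String consumerSecret,
                         String token, String tokenSecret, String nonce, long timestamp) throws Exception {
        Map<String, String> oauth = new TreeMap<>();       // TreeMap gives a stable field order
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_nonce", nonce);
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", Long.toString(timestamp));
        oauth.put("oauth_version", "1.0");
        if (token != null) oauth.put("oauth_token", token);
        // signing key is enc(consumer secret) & enc(token secret), the latter empty when there is no token
        String key = pct(consumerSecret) + "&" + (tokenSecret == null ? "" : pct(tokenSecret));
        String sig = hmacSha1Base64(key, signatureBaseString(method, URI.create(url), oauth));
        oauth.put("oauth_signature", sig);
        StringBuilder h = new StringBuilder("OAuth ");
        oauth.forEach((k, v) -> h.append(h.length() > 6 ? ", " : "").append(pct(k)).append("=\"").append(pct(v)).append('"'));
        return h.toString();
    }

    public static void main(String[] args) throws Exception {
        String url = "https://internal.example/api/items?type=widget";   // placeholder endpoint
        String nonce = UUID.randomUUID().toString().replace("-", "");     // fresh per request
        String auth = header("GET", url, "key", "secret", null, null, nonce, System.currentTimeMillis() / 1000);
        System.out.println(auth);

        // Trust the self-signed server certificate explicitly instead of disabling verification; create
        // the store with: keytool -importcert -file server.crt -keystore truststore.p12 -storetype PKCS12
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Path.of("truststore.p12"))) {
            ts.load(in, "changeit".toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).header("Authorization", auth).GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode() + " " + resp.body());
    }
}
```

Because the nonce and timestamp are passed in rather than generated inside header(), the signature is reproducible and can be checked against a known OAuth 1.0a test vector or against what the server computes; a truststore containing only the server's own certificate pins that certificate, so a different self-signed certificate presented on the same hostname is still rejected.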
There are plenty of libraries I like to use to create an OAuth login. But in my opinion, the easiest one is JWT (JSON Web Token). You can find the usage instructions here:
https://github.com/auth0/java-jwt
Basically what you want to do is to follow these three steps as login flow:
1) When the user tries to log in, verify his username and password and, if successful, generate a JWT signed with a KEY STORED IN YOUR BACKEND. The library itself is very clear on how to sign a JSON Web Token object.
2) Return the signed token to the user; the user will send this token to you in the header of every request to each of your REST services/endpoints that requires authentication.
3) The first thing you do with the token you get from the user is to verify the signature (the library is also very clear on how to do this). If validation passes, it means that the token is trustworthy and you can go on with your app.
The cool thing about JWT is that you can place non-private information inside the token that is useful to you, so you don't have to look for it in the database all the time. For example, the userId, the user email, the token's expiration time itself, etc.
Obviously this data will go to the user inside the token as a base-64 string, so if he is smart enough he can probably decode it and see what is inside (he will see his userId, username or whatever you have placed inside the token), but what he cannot deal with is the signature. So if he tries to play smart and changes any value inside the token and encodes a new one to hack you, your token signature validation will fail and you can proceed with whatever punishment you decide.
Here you can see a live example of the JWT content decoded and encoded.
Hope this helps!
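As an added example that is not part of the answer above and does not use the auth0 java-jwt API: the three steps implemented with only the JDK (HS256, i.e. HMAC-SHA256 over base64url(header).base64url(payload)), followed by the tampering case from the last paragraph, where the client decodes the payload, changes the user id, re-encodes it and re-attaches the old signature, which no longer matches. The class name, the user id "42", the one-hour lifetime, and the regex used to pull "exp" out of the payload (a stand-in for a real JSON parser) are assumptions of this example; with java-jwt you would use its builder and verifier for the same two operations.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: minimal HS256 JWT issue/verify with the JDK only (not the java-jwt API). */
public final class JwtDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    private static final Pattern EXP = Pattern.compile("\"exp\":(\\d+)");   // stand-in for a JSON parser

    private final byte[] key;   // stays in the backend; never sent to clients

    JwtDemo(byte[] key) { this.key = key; }

    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }
    static String unb64(String s) { return new String(DEC.decode(s), StandardCharsets.UTF_8); }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Step 1: called only after the username/password check has succeeded. */
    String issue(String userId, long ttlSeconds) throws Exception {
        if (userId.contains("\"") || userId.contains("\\")) throw new IllegalArgumentException("unsafe id");
        long now = System.currentTimeMillis() / 1000;
        String payload = "{\"sub\":\"" + userId + "\",\"iat\":" + now + ",\"exp\":" + (now + ttlSeconds) + "}";
        String signingInput = b64(HEADER) + "." + b64(payload);
        return signingInput + "." + ENC.encodeToString(hmac(signingInput));
    }

    /** Step 3: fixed header (rejects alg=none), signature in constant time, then expiry; only then trust claims. */
    String verify(String token) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        if (!HEADER.equals(unb64(parts[0]))) throw new SecurityException("unexpected header/alg");
        if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), DEC.decode(parts[2])))
            throw new SecurityException("bad signature");
        String payload = unb64(parts[1]);
        Matcher m = EXP.matcher(payload);
        if (!m.find() || Long.parseLong(m.group(1)) <= System.currentTimeMillis() / 1000)
            throw new SecurityException("expired");
        return payload;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);          // demo only; load from backend config in practice
        JwtDemo jwt = new JwtDemo(key);

        String token = jwt.issue("42", 3600);                    // step 1
        System.out.println("issued:   " + token);                // step 2: client stores and sends it
        System.out.println("verified: " + jwt.verify(token));    // step 3

        // A "smart" client decodes the payload, changes sub 42 -> 1 and re-encodes it,
        // but has no key, so it must keep the old signature, which no longer matches.
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64(unb64(p[1]).replace("\"sub\":\"42\"", "\"sub\":\"1\"")) + "." + p[2];
        try {
            jwt.verify(forged);
            System.out.println("BUG: forgery accepted");
        } catch (SecurityException e) {
            System.out.println("forgery rejected: " + e.getMessage());
        }
    }
}
```

The order inside verify() is deliberate: the signature is checked before any claim is read, so nothing in an unsigned or re-signed payload (including "exp" or the "alg" header) can influence the outcome, and MessageDigest.isEqual avoids leaking how many signature bytes matched.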