I am using Spring Boot to set up an application using OAuth2 as an Authentication Service provider and behind the scenes i use Auth0 for the login flow.
My application has been set up correctly and informations corresponding to my client (OAuth client) are defined properly in my application.properties file.
After Auth0 configuration, i am able to register and connect seemlessly to my application using google.
Here is my Custom OAuthUser class:
package com.interco.reconciliation.model;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.user.OAuth2User;
import java.util.Collection;
import java.util.List;
import java.util.Map;
public class CustomOAuth2User extends User implements OAuth2User {
private final Map<String, Object> attributes;
@Override
public Map<String, Object> getAttributes() {
return this.attributes;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return getRoles();
}
@Override
public String getName() {
return getProviderId();
}
public CustomOAuth2User(User user, Map<String, Object> attributes) {
super(user.getUsername(), user.getEmail(), user.getProviderId(), user.getRoles());
this.attributes = attributes;
}
}
Here is my CustomOAuthUserService class:
package com.interco.reconciliation.service;
import java.util.Optional;
import java.util.logging.Logger;
import com.interco.reconciliation.model.CustomOAuth2User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Service;
import com.interco.reconciliation.model.User;
import com.interco.reconciliation.repository.UserRepository;
@Service
public class CustomOAuth2UserService extends DefaultOAuth2UserService {
@Autowired
private UserRepository userRepository;
private static final Logger LOGGER = Logger.getLogger(CustomOAuth2UserService.class.getName());
@Override
public OAuth2User loadUser(OAuth2UserRequest oAuth2UserRequest) {
OAuth2User oAuth2User = super.loadUser(oAuth2UserRequest);
LOGGER.info("OAuth2User loaded: " + oAuth2User.getAttributes().toString());
String providerId = oAuth2User.getAttribute("id");
User user = this.userRepository.findByProviderId(providerId).orElseGet(() -> {
User newUser = new User();
newUser.setUsername(oAuth2User.getAttribute("username"));
newUser.setEmail(oAuth2User.getAttribute("email"));
newUser.setProviderId(providerId);
return this.userRepository.save(newUser);
});
LOGGER.info("Returning CustomOAuth2User");
return new CustomOAuth2User(user, oAuth2User.getAttributes());
}
}
And here is my WebSecurityConfig class:
package com.interco.reconciliation.config;
import static org.springframework.security.config.Customizer.withDefaults;
import com.interco.reconciliation.service.CustomOAuth2UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
import java.io.IOException;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {
@Value("${okta.oauth2.issuer}")
private String issuer;
@Value("${okta.oauth2.client-id}")
private String clientId;
private final CustomOAuth2UserService customOAuth2UserService;
@Autowired
public WebSecurityConfig(CustomOAuth2UserService customOAuth2UserService) {
this.customOAuth2UserService = customOAuth2UserService;
}
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable) // remove later or configure appropriately in production
.cors(withDefaults()) // remove later or configure appropriately in production
.authorizeHttpRequests(authorize -> authorize
.requestMatchers("/").permitAll()
.anyRequest().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo ->
userInfo.userService(customOAuth2UserService)))
.logout(logout -> logout
.addLogoutHandler(logoutHandler()));
return http.build();
}
private LogoutHandler logoutHandler() {
return (request, response, authentication) -> {
try {
String baseUrl = ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString();
response.sendRedirect(issuer + "v2/logout?client_id=" + clientId + "&returnTo=" + baseUrl);
} catch (IOException e) {
throw new RuntimeException(e);
}
};
}
}
Now what i want is after getting user details from OAuth2 Service provider, store them to my database from other business related purposes such as linking roles to users and securing routes, linking other entities to users etc.
However i still don't see the user registered to my database.
Please some help would be really appreciated
Data duplication in an information system is a prolific source of problems. You should probably not persist more than the user subject in your database (or another unique, non-null, and immutable value).
Instead, consider your authorization server (Auth0 in your case) as a user service. All OpenID Providers I know expose a REST API (and Auth0 is no exception). Call this service when you need to: