OAuth2 Authentication with Spring and Github

Open Authorization or OAuth is an industry level protocol used for authorization. It allows third-party services to exchange your information without the user having to give his password. This is possible as it uses authorization tokens to prove an identity between consumers and service providers. OAuth2 is an upgrade over OAuth and it inculcates more security in itself. But before moving any forward let’s understand the working and use of OAuth in detail.

Example –

Suppose we have a service ‘A’ and ‘B’. A user U is using both the services ‘A’ and ‘B’ and hence it can communicate with both the services. Now if service ‘A’ wants to access the contents of service ‘B’, then we need a third party meddler to authenticate that service ‘A’ is safe and can access service ‘B’. This meddling is then done by the user itself.

Talking from a developer aspect, suppose we are building an application X. We already know that a user uses a safe and secure platform like Facebook, Instagram, Github, etc. As such, instead of building our own sign in and login services, we can use the services of Facebook to make the user login into our application.  

When our application prompts the Facebook server, the server returns a key that is used by us to verify the authenticity of the user, each time when he/she tries to log in to our platform. The whole idea of OAuth is basically based on the fact that the third-party application is safe and secure, and we trust our services on them. 

How to Use OAuth2 in project :

Now Spring as a framework provides the feature of OAuth to the developer via its various Maven and Gradle dependencies. To use the OAuth2 in your project, follow the steps below:- 

1. Create a new project(Spring Starter) with spring web, spring-security dependency, and oauth2 auto-configure dependency.
2. Head to the default class. Add the annotation @EnableOAuth2Sso. This allows us to Enable Oauth in our application.
3. Now, when an Oauth call is made, we need to tell the Client(which is a service and here Github) to look somewhere in order to know what applications can be used to make the OAuth calls. As such, we configure our “application. Properties” file to “applications.yml”.
4. We also need various permissions from applications in order to use their security in our app. Here as we use Github, head to this page.
5. Select “New OAuth App” and then the “Register a new OAuth application” page is presented. Enter an app name and description. Then, enter your app’s home page, which should be http://localhost:8080, in this case. Finally, indicate the Authorization callback URL which is basically the URL of the path, the user should land on after authenticated with GitHub.
6. Now, the app which we have created will give us Client ID and Client secret. Copy these fields.
7. Now, come back to your Spring application and open applications.yml. This file needs to be modified as below. Copy the data in yml file and it’s ready to go.

 Let’s see the given below applications.yml as follows.  

Security:
 oauth2:
    client:
           clientId: your-id
           clientSecret: your-secret
           accessTokenUri: https://github.com/login/oauth/access_token
           userAuthorizationUri: https://github.com/login/oauth/authorize
           clientAuthenticationScheme: form
      resource:
          user-info-uri: https://api.github.com/user
                     prefer-token-info: false

Descriptions of applications.yml file : 

• All the information issued above is used by the Github authorization to identify the details. We can turn “prefer-token-info” to true if we wish to use it for any further purpose.
• ClienAuthenticationScheme is set to form here as in this very example, as Github will be using a form to enter all user details. Moreover, all the above details are for Github’s internal use, and we don’t need to worry about the same.

Note — Since the applications file is yml file hence the code has to be structured as above.

Also, when we run our above application on localhost, we’ll be displaying some text to see if our OAuth is working or not, so we build a simple API and add:- 

Program Descriptions :

• The DemoApplication is the default class.
• The principal Object will take in the user details and display “hi” username when the Github auth is successfully passed.

Now run your Spring application and open localhost 8080 and see the GitHub auth work yourself!.