Implementing login with Facebook and Github from scratch - Java Brains

Captions
In this tutorial I'm going to teach you how to take a brand-new Spring Boot and Spring Security project from scratch and add OAuth-based authentication using Facebook and GitHub. "OAuth-based authentication? But all along we've been talking about OAuth as something that does authorization only and not authentication. How can someone possibly use OAuth for authentication? We are using Facebook or GitHub or whatever else, but how is it possible, Koushik? You've been talking about authorization all along." Good question. This is something that people have developed as a way to authenticate, even though OAuth wasn't originally meant for authentication. In this tutorial I'm going to tell you how people have managed to get OAuth to work for authentication, I will demonstrate how this works with Facebook, and I'll also tell you why it's not always a good idea. Let's check this out.

[Music]

So the example we have taken is of a user trying to use a photo printing service in order to access a file on Google Drive. The way the photo printing service can access something on Google Drive is by doing OAuth, because the service really cannot get the user's Google credentials in order to authorize that request. Here the assumption is that the user has already authenticated to the photo printing service and they have already authenticated to Google Drive, and the problem is just to have these two services talk to each other. All right, so we have two services that both trust the user, but these two services don't trust each other in turn. This was the intended usage of OAuth: to have services authorize with other services.

But now put yourself in the shoes of someone who is building that photo printing service, someone who's building that client which is trying to access the resource server. What do you have to do if you are building a client and you need to access that resource server? The first thing you would have to do is set up authentication by yourself. Are you creating a service? You're creating a photo printing service or whatever other service you're working on; you need to authenticate your user first. They may have a Google account, they may have a Facebook account, whatever else, but you have your own service that you need to authenticate your users to. So you build that authentication service, and then once the user has authenticated with the client, the client is going to say, "Yes, now you know who I am, now please access this resource server on my behalf," and then the client has to build in the ability to access the resource server. Now, you are building this client and you go, "Hang on a minute. I am going to use OAuth to access maybe Google, maybe Facebook or whatever else, and I can get information about this user's Google account or Facebook account or GitHub account." You know that you can use OAuth to get it. And what do you do when you access that resource server and make an OAuth request? You're basically validating that user's Google account. When you have successfully done OAuth for Google, for example (let's say the resource server is Google), you know that that user has a Google account and you know what that email ID is, right? Google's API can give you the email ID. Now you're probably going to go, "Well, if that is the case, why do I have to implement authentication all over again? This user has already authenticated with Google. Google has a reliable authentication mechanism; thousands and millions of people are using it. So I'm just going to rely on Google's authentication. If the user has successfully authenticated, and if Google says yes, this user is authenticated and I trust him or her, then that's good enough for me. If Google says this person is reliable and authenticated, I'm just going to rely on Google's verdict."

So this is typical when you're building an application and you're interfacing with a resource server which is a very popular service, something like Google or Facebook or LinkedIn or GitHub. These are popular services, so if a user has an account with that particular service you can easily kind of delegate authentication to that and go, "Okay, if I'm able to successfully OAuth to one of these services and I get an email ID, and that service says this person is authenticated, now I have a one-to-one mapping to an account on my end. I can create an account on my end, or I can just rely on Google's or Facebook's account and say, okay, if Google is happy enough to trust this user, that's good enough for me, I'm going to trust this user as well." So when the client does this, the client kind of avoids setting up authentication on their own and just relies on Google's authentication or Facebook's authentication. That is basically us using OAuth, which was originally meant for authorization to access an API, and now we are kind of using that to leverage some other service for authentication purposes, while avoiding having to build authentication on our own.

Okay, so here's how it works. When you create a Spring Security app (we are working in the context of Spring Security here), so let's say we create a Spring Security app, you have a choice of either building authentication on your own, or you can say, "Well, I'm just going to make an OAuth call to Google. This person has a Google account; I'm going to make an OAuth call to Google, and Google might say, hey, I don't know this person, or Google might say, yes, I know this person, he is a legitimate user, and here is this person's email ID that I have verified." Now if you're building a Spring Security app, you go, "Well, that's good enough for me; I don't have to build authentication myself." So this is going to make an OAuth call to get the user's profile information. Once it gets the user's profile information, your Spring Security app is going to put that in the security context to simulate a logged-in user. It's almost as if the user is logged in, but basically what you're doing is not forcing the user to log in; you're using Google's OAuth API to get the Google profile information. But just technically, that's what authentication is all about anyway: the user enters a username and password, for example, and you pick up that user's profile and save it in the security context so that you know who the current user is. This is all you're doing, but rather than accessing your database or your authentication APIs, you're using OAuth to get to Google's or Facebook's profile APIs and using that to figure out who the user is.

Okay, so this is what we're going to be building in this tutorial. We're going to create a new Spring Security app from scratch and we're going to make this interaction happen. Since this is a very common flow, Spring Security has a really cool annotation which lets you do this OAuth single sign-on functionality just by sticking a simple annotation in there and just configuring it, so it makes it super simple. But I want you to understand that this is the concept behind this. Now here, you might not even want any other API from Google. We've looked at the photo printing service and we said, okay, the photo printing service might need to access photos from Google Drive, which was the reason why you wanted to do OAuth. In this particular case, once you have this OAuth to get the user's authentication session established, you may not even talk to Google after that; you may not even talk to Facebook. You don't even need any of those APIs. You're doing OAuth just to get to know if Google has trust in this particular user or Facebook has trust in this particular user, and if those services have a logged-in session, then you're going to say, yes, that's my authentication, and you might not even bother to call any other APIs after that. You're using an OAuth call just for getting the user's profile. Let's see how to do this using a brand-new Spring Security project.

Okay, so let's start out with a brand-new Spring Security project. I'm going to go to Spring Initializr at start.spring.io, and I'm going to call this io.javabrains; the artifact name is going to be, let's say, spring-security-facebook-login. All right, and then I'm going to add a couple of dependencies here. The first thing I'm going to add is the Web dependency, and then I'm also going to add the Spring Security dependency. With these two we should be good to go. There is an OAuth2 dependency that start.spring.io doesn't support, at least as of me recording this, so that dependency is something I'm going to add after I open this project in IntelliJ. Okay, so I'm going to download this, have this load, and then I'm going to open this project in IntelliJ.

All right, so here's my project in IntelliJ. Here's the application class. I'm going to go to the pom.xml, and here you see these are the two dependencies that we have downloaded from start.spring.io. I'm going to add a third dependency, which is what will enable this kind of an OAuth sign-in. This is called spring-security-oauth2-autoconfigure. So this is what will give me access to that single sign-on ability that I will leverage. The version I'm going to choose will be, let's pick the latest version, 2.1.8 is good enough. All right, so now that I have this, I can actually go back and make the Spring Security application an OAuth2 SSO application, which is basically saying, "Hey Spring Security, just do OAuth-based authentication." I do that by sticking this one annotation in here, which is called @EnableOAuth2Sso. It's not @EnableOAuth2Client. @EnableOAuth2Client is when you want to make an API call and you don't want to leverage OAuth for authentication; when you want to leverage OAuth for authentication you use @EnableOAuth2Sso. So this is the annotation. Now this annotation is coming from that dependency that we added in pom.xml; that's where it's available, that's this artifact. Now using this artifact in here in the classpath and putting that annotation out there is going to make sure that this application is ready to do single sign-on. Spring Security is going to look at that annotation and go, "Okay, now this is not an application where there is innate login capability; we will be using single sign-on, so we will be leveraging something external for logging in."

Well, that raises the question: where is it going to get that external information from? What is Spring Security going to call to get that login information? For that, what Spring Security is going to do is it's going to open the configuration file. Every Spring Boot project comes with this application.properties, and this is where you set all your application properties. This is where the Spring Security OAuth2 SSO client is going to look to see, "Okay, who do I have to call, who do I have to access, to get this OAuth information to verify this user's authentication?" But right now this is empty, and the first thing I'm going to do is change this to a YAML file, because that makes it simple and I don't have to do a bunch of dots everywhere. YAML has this kind of nested structure which lets me put properties and configure it very easily. And now here I'm going to paste this block of configuration that is useful for authentication with Facebook and with GitHub. I'm going to get this block of configuration literally from the spring.io guides page, which I'll link in the video, but this is where you will find what are the typical configuration values that you would need. The one thing that you would need to do, though, is to set up an application in your target platform, the identity provider platform. Let's say you want to authenticate with Facebook: you need to set up an application in Facebook. So I'm going to show you how to do that with Facebook, but it really depends on which platform you're choosing to use. If you want to do authentication with a "log in with Google" feature for your Spring Security app, you'd have to set up an app in Google. If you want to do this with GitHub, you need to set up an app in GitHub. So you need to tell the platform first that, "Hey, I am this person, I am going to be creating an application which is going to leverage your authentication." You need to tell that up front.

Let me show you how to configure something like this with Facebook. The way to do that with Facebook is to go to developers.facebook.com. Here's how this page looks today; this may look very different for you when you're watching this video, but basically I need to go to this My Apps section, and here is where you have all your available apps, and there is a Create App button here which lets you create a new app. I'm going to create, let's say, a test app. So this is a new app that I'm going to be creating, and I'm going to be using the keys generated by this app in order to do the authentication. Now here I have my application ready, and I'm going to go to this Basic section. There I have a couple of pieces of information. You notice there is this thing called the App ID. The App ID is what uniquely identifies this app for Facebook. Every identity provider, I think, has a similar concept: you have this concept of an app ID, and then you have this thing called the App Secret. The App Secret is that secret key which only a developer would know. So you're going to need both of these values in order to tell Spring Security, you know, who to call and whom to access. That's what I'm going to do next. I'm going to copy these two values. I'm going to copy this block of configuration, which is pretty standard no matter which identity provider you use, and I'm going to demonstrate how to do that by switching it to GitHub later. So this block has everything that Spring Security needs. It's security.oauth2.client, and you have a bunch of properties which tell Spring Security where to access the identity information, and what is the client ID and the client secret. These are the two values that we just saw by creating this app on Facebook. I'm going to have to go plug those values in here and put this in here, but the rest of the stuff can remain as is.

Okay, so I have the App ID, and I'm copying that, which is the client ID here, and I'm also going to paste the client secret. I am going to get rid of this particular application and the client secret after I have published this video, but do remember that the client secret is something that's private. You don't want to be pushing this to a source code repository; you don't want to be showing it to other people, because whoever has the client ID and the client secret can kind of simulate an access to Facebook as your app, and any API quotas and all that stuff will be associated with you. So make sure the client secret is truly a secret, but for your application this is where you would save it. And with this you're pretty much done. Now, believe it or not, you can actually run this application, and what's going to happen is Spring Security is going to say, "Okay, this is an OAuth2 SSO application," it's going to look at the configuration in application.yml, and it's going to make a call to Facebook. It knows what to call, what acknowledgement to get, and all that stuff. It's going to make an OAuth call with the authorization token, okay? It's going to get an authorization token, and it's going to get an access token after that, and that's the authorization token flow that it's going to follow, just as an out-of-the-box feature, which is really cool.

Now one thing I'm going to do is I'm going to go to my static folder here and I'm going to create a new HTML file so that there is something to see when authentication is successful. I'm just going to put this in here and put some simple message here. I'm going to call it "Hello user"; you write something nice for the user to see after they have authenticated. Okay, so now let me start running this application. I'm going to go here and start this main application, run as a Java app. This is going to start up, and then I can access localhost:8080, and guess what happens when I access localhost:8080? Spring Security is not going to show its login form anymore, the default login form that comes with an out-of-the-box Spring Security application. It is going to directly redirect to Facebook, and it's going to automatically assume that you want Facebook authentication; it's going to take care of all that stuff. So if you access localhost:8080, you notice here it's automatically redirected to Facebook, and it says "Test App will receive your name and profile picture." What's Test App? It's the app that we created. So any time you want to have an application contact Facebook for this kind of an OAuth flow, you have to tell Facebook up ahead that this is what it is, so that when the user is trying to use your app it can tell you this information. You can even provide an icon so that you can see that there, so the user will know, "Oh, this is the app that is trying to access my profile. I was the one who tried to access it, so this is legit, so I can click on Continue as User." Okay, I'm not going to click this because of various different reasons related to my Facebook profile and my application, but let me demonstrate this with GitHub so that you know exactly what this looks like.

All right, so here I have updated the application.yml with GitHub properties, and again I picked this up from the spring.io guides, but basically the idea is I am using the client ID and the client secret, by letting GitHub know ahead of time that this is an application that might come your way and ask for authentication information, and I have set it up over here so that our Spring application and Spring Security know whom to call. Now for this I'm going to restart this application, and let me demonstrate what the flow looks like with GitHub. So when I access localhost:8080, notice the screen that I get. It says this is the application that wants to access your public data; do you want to allow? Right there, the name of the application is "spring cloud local demo". This is again from the sample that I got from spring.io. So if I click on Authorize, you notice here it also says authorizing will redirect to localhost:8080, which was the URL of the application. All right, I'm going to click on Authorize, and I can also look at other information that it's looking for. Click on Authorize; it redirects back to localhost:8080 and we see the placeholder page that we have set up over there, which is "Hello user". Now this means that the user has successfully authenticated. What Spring Security has done is it's made a call to the GitHub profile API, gotten the profile information, and plugged that in as the security context, so Spring Security thinks this is an authenticated user. It has pretty much replaced the normal Spring Security authentication flow with this OAuth flow to get profile information, kind of substituting the currently logged-in user, the current principal, in memory. So this is an out-of-the-box feature that comes with Spring Security, and it's super handy if you want to use this, because, again, like I said, this kind of authentication has become very common.

Now before we wrap up, I want to point out a couple of reasons why it's not always a good idea to have this kind of delegated authentication with something like Google or Facebook. The first reason is, since this is OAuth, there's an authorization token and an access token in place. So when somebody authenticates with Google, for example, and you are confident about the security of the service, so let's say I'm super confident about the photo printing service that I give access to Google, then I am a little more open to doing that. But if the application that I'm trying to access is not something that I'm very confident about, then a user has good reason to refuse to provide access to the Google profile information, because if that access token gets lost, there is always a possibility of someone else impersonating that user. The second reason is, when there is this OAuth exchange that happens, the thing that the application is validating is that the user has logged into Google at that point in time when you do the sign-in with Google or sign in with Facebook. However, if the application is holding on to that token and probably logging the user in maybe a week from now and still saying, "Okay, last time I checked I had the OAuth user, so I'm good to go," then that may not be valid anymore. The user might have logged out of Google; the user might have deleted the Google account. So if an application is using OAuth tokens to authenticate, then it would have to do this every time. It has to make sure that it's current and not rely on an authentication attempt that was done a while back. Again, I'm not saying that this is very bad, because it works, it's simple, and so many people have used it, so not all those people are likely to be wrong. But there is a lot of good material online which also warns against extensive use of this thing. But as long as you're keeping your tokens safe and providing a trustworthy service, I think this is a good alternative to implementing the whole authentication mechanism yourself.
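Added example (not code from the video or from the Java Brains project): the @EnableOAuth2Sso setup described above in a single file, with the application.yml block the video pastes in reproduced as a comment, the client secret read from an environment variable instead of being committed, and a /user endpoint that returns what Spring Security actually placed in the security context after the provider redirected back. The group and artifact names follow the video; the /user endpoint, the environment variable names and the UserController class are my own assumptions. This is the legacy spring-security-oauth2-autoconfigure 2.1.x stack the video uses; current Spring Boot ships spring-boot-starter-oauth2-client with spring.security.oauth2.client.registration.* properties instead, and @EnableOAuth2Sso does not exist there.

```java
// Added example for this page; not the video's code.
// Assumed pom.xml dependency (the third one added in the video):
//   org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.8.RELEASE
// Assumed src/main/resources/application.yml (GitHub variant). The secret is
// injected from the environment so it never lands in the source repository:
//
//   security:
//     oauth2:
//       client:
//         clientId: ${GITHUB_CLIENT_ID}
//         clientSecret: ${GITHUB_CLIENT_SECRET}
//         accessTokenUri: https://github.com/login/oauth/access_token
//         userAuthorizationUri: https://github.com/login/oauth/authorize
//         clientAuthenticationScheme: form
//       resource:
//         userInfoUri: https://api.github.com/user
//
// For Facebook the spring.io guide's block uses
//   accessTokenUri: https://graph.facebook.com/oauth/access_token
//   userAuthorizationUri: https://www.facebook.com/dialog/oauth
//   tokenName: oauth_token
//   authenticationScheme: query
// and resource.userInfoUri: https://graph.facebook.com/me
package io.javabrains.springsecurityfacebooklogin;

import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableOAuth2Sso // replaces the default form login with the OAuth2 authorization-code flow
public class SpringSecurityFacebookLoginApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringSecurityFacebookLoginApplication.class, args);
    }
}

// Assumed endpoint, not from the video: shows what ended up in the security context.
@RestController
class UserController {

    // Reached only after the provider redirected back, Spring Security exchanged the
    // code for an access token and fetched userInfoUri. The injected Principal is the
    // OAuth2Authentication that was stored in the security context.
    @GetMapping("/user")
    public Map<String, Object> user(Principal principal) {
        Map<String, Object> out = new LinkedHashMap<>();
        // The principal name is extracted from the user-info response; for GitHub
        // that is the "login" attribute.
        out.put("name", principal.getName());

        if (principal instanceof OAuth2Authentication) {
            OAuth2Authentication auth = (OAuth2Authentication) principal;
            // The raw user-info JSON the provider returned, as a Map.
            @SuppressWarnings("unchecked")
            Map<String, Object> userInfo =
                    (Map<String, Object>) auth.getUserAuthentication().getDetails();
            // Copy only what the app needs rather than echoing the whole map back.
            // These values are a claim the provider made at login time, which is the
            // second caveat from the video: they say nothing about the account a week later.
            out.put("id", userInfo.get("id"));
            out.put("email", userInfo.get("email")); // null for GitHub users who hide their email
        }
        return out;
    }
}
```

Run it with `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` set in the environment, open http://localhost:8080/user, authorize on GitHub, and the JSON that comes back is exactly the identity Spring Security will treat as the logged-in user for the rest of the session.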
Info
Channel: Java Brains
Views: 100,539
Keywords: java, java brains, tutorial, brains, koushik, kaushik, brainbytes, explained, java tutorial, learn java, java tutorial for beginners, java programming tutorial, java programming, java programming for beginners, spring, spring security, programming, spring boot, koushik kothagal, beginner, java training, authorization, authentication, spring boot microservices, userdetailsservice, spring framework, spring boot security, spring security tutorial, jwt, json web token, login with Facebook
Id: CWiwpvpCrro
Length: 21min 48sec (1308 seconds)
Published: Fri Dec 06 2019