Facebook Authentication Using Spring Boot + Spring Social Simple Example
The user authorization for access to our application using Facebook is done using OAuth2 Authorization Code Grant Type.
In a previous post we saw how the OAuth2 Authorization Code Grant Type works.
In that example we implemented both the authorization server and the resource server. Whenever the client wants to fetch data from the resource server, it first needs to obtain a valid token from the authorization server.
Many real-world applications such as Quora and StackOverflow use the authorization and resource servers of existing social providers like Google and Facebook to authenticate a user.
Consider the use case of Quora. Go to Quora.com.
If you are a new user you need to sign up. You can sign up using a Google or Facebook account. When doing so you are authorizing Google or Facebook to share your profile info with Quora. This authorization is done using the OAuth2 Authorization Code Grant. At no point have you shared your Google or Facebook credentials with Quora.
In the above example of Quora, we have the following actors:
- Resource Owner - This is the user who wants to sign up for Quora.
- Client Application - This will be Quora.
- Resource Server - This will be Gmail or Facebook.
- Authorization Server - The resource server hosts the protected user accounts; the authorization server verifies the identity of the user and then issues access tokens to the client application.
The client application must first register with the authorization server associated with the resource server. This is usually a one-time task. Once registered, the registration remains valid unless it is revoked. At registration the authorization server assigns the client application a client ID and a client secret (password). The client ID and secret are unique to that client application on that authorization server.
For example, if we click on Continue with Google, we get the following screen. Here we can see Quora's client id.
Quora got this client id and a secret key when it registered with Google.
The actual authorization process that takes place between Quora and Google using OAuth is as follows-
In this example we will be creating a simple application that uses Facebook credentials to authenticate the user and fetch the user's basic details using Spring Social. The aim of this chapter is to learn the basics of Spring Social. In the next chapter we will implement a full-fledged SSO login using Facebook, Google and Twitter.
What is Spring Social
The Spring Social project enables your applications to establish Connections with Software-as-a-Service (SaaS) Providers such as Facebook and Twitter to invoke APIs on behalf of Users.
Spring Social provides a wrapper over the APIs exposed by the social media sites. It hides the complexity of calling those sites using OAuth and simplifies these calls.
You can get more information about Spring Social on their home page.
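The authorization code flow described above, expressed with Spring Social's Facebook module, as an added example that is not part of the original post. The app id and secret are placeholders, and the redirect URI, endpoint paths and session attribute name are assumptions; the state check on the callback is what ties the returned code to the browser session that started the login.

```java
import java.util.UUID;
import javax.servlet.http.HttpSession;
import org.springframework.social.connect.Connection;
import org.springframework.social.facebook.api.Facebook;
import org.springframework.social.facebook.api.User;
import org.springframework.social.facebook.connect.FacebookConnectionFactory;
import org.springframework.social.oauth2.AccessGrant;
import org.springframework.social.oauth2.GrantType;
import org.springframework.social.oauth2.OAuth2Parameters;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.view.RedirectView;

@Controller
public class FacebookLoginController {
    // Client ID and secret issued at registration; placeholders here, real values belong in configuration.
    private static final String APP_ID = "<facebook-app-id>";
    private static final String APP_SECRET = "<facebook-app-secret>";
    private static final String REDIRECT_URI = "https://localhost:8443/login/facebook/callback"; // assumed
    private final FacebookConnectionFactory connectionFactory =
            new FacebookConnectionFactory(APP_ID, APP_SECRET);

    // Step 1: redirect the resource owner to Facebook's authorization endpoint with a random
    // state value bound to this session (the OAuth2 CSRF protection for the callback).
    @GetMapping("/login/facebook")
    public RedirectView startLogin(HttpSession session) {
        String state = UUID.randomUUID().toString();
        session.setAttribute("oauth_state", state);
        OAuth2Parameters params = new OAuth2Parameters();
        params.setRedirectUri(REDIRECT_URI);
        params.setScope("public_profile,email");
        params.setState(state);
        return new RedirectView(connectionFactory.getOAuthOperations()
                .buildAuthorizeUrl(GrantType.AUTHORIZATION_CODE, params));
    }

    // Step 2: Facebook sends the browser back with ?code=...&state=...; reject the callback
    // unless state matches, then exchange the code for an access token and read the profile.
    @GetMapping("/login/facebook/callback")
    @ResponseBody
    public String finishLogin(@RequestParam String code, @RequestParam String state, HttpSession session) {
        String expected = (String) session.getAttribute("oauth_state");
        session.removeAttribute("oauth_state"); // single use
        if (expected == null || !expected.equals(state)) {
            throw new IllegalStateException("OAuth state mismatch");
        }
        AccessGrant grant = connectionFactory.getOAuthOperations().exchangeForAccess(code, REDIRECT_URI, null);
        Connection<Facebook> connection = connectionFactory.createConnection(grant);
        User me = connection.getApi().userOperations().getUserProfile(); // Graph API call on the user's behalf
        return "Logged in as " + me.getName() + " (id " + me.getId() + ")";
    }
}
```

The client secret is only ever sent server-to-server in the code exchange; the browser sees just the authorization code and the state.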