Closed nathandunn closed 3 years ago
I was getting it to "work" here: https://github.com/nathandunn/grails4-multiple-oauth-example/settings
However, it was using a legacy API.
Using this guide instead:
https://guides.grails.org/grails-test-security/guide/index.html
Note for https://github.com/nathandunn/grails4-multiple-oauth-example this almost works.
We need to be able to specify that some users are "ADMIN" and some are not, regardless of their role. I think what happens is that all users end up being secured in the same way and we use a separate permission service to check particular users.
This needs to be replicated using a RESTful controller with React.
Potentially I need to add the OauthID to the Person object and provide grails.plugin.springsecurity.oauth2.domainClass = 'com.insilico.dmc.OAuthID'
However, it's unclear.
curl API call:
curl -v -H 'Accept: application/json' -H "Cookie: jwt=
Almost working, but react-google-login uses a different token strategy when decoding (i.e., not MAC512, but RS256), so completely different, though maybe it can be transcoded?
Going to use the googleapis oauth2 client instead to get a potentially more consistent token . . .
{
"alg": "RS256",
"kid": "fed80fec56db99233d4b4f60fbafdbaeb9186c73",
"typ": "JWT"
}
vs
{
"alg": "HS256"
}
Also note, this is how you add extractors to pull out users with Spring Boot (less sure about Grails, but may not be necessary):
https://medium.com/@bvulaj/mapping-your-users-and-roles-with-spring-boot-oauth2-a7ac3bbe8e7f
Even if we can do otherwise, we can only verify with HS256. Noted here: https://github.com/grails-plugins/grails-spring-security-rest/issues/490
So Grails does not support this explicitly. Not sure of the fix version. Options:
1. authenticate against API directly using a redirect and refresh back with a returned JWT key
Will try 1, shoot for 2, and then do 4.
Finally will need to map to a domain class at some point as well.
For 1, it is problematic as it comes back as an HttpOnly cookie, which I think is a good thing, but it is then not rebroadcast as part of the axios request.
Because the domain is not (and likely will not be) shared, we can't share the HttpOnly cookie (even if only the ports differ).
Definitely possible to put them on the same domain but on a different path; however, not sure if that would work either. As HS256 is less than preferred, especially for open source, I may look to another model.
For 1, note the current state is here: http://github.com/nathandunn/grails4-multiple-oauth-example and https://github.com/nathandunn/test-oauth2-client
Auth0 Grails integration example guides here: https://github.com/auth0/auth0-spring-security-api https://github.com/auth0-samples/auth0-spring-security-api-sample
Oh, this is the sample we want:
https://github.com/auth0-samples/auth0-grails3-spring-security-mvc-sample
or this one:
Probably the easiest thing to do would be to log in on the front end and then use https://github.com/jwtk/jjwt#jws-key-rsa to verify the key: https://github.com/jwtk/jjwt#verification-key
jwt token across) Follow: https://guides.grails.org/grails-oauth-google/guide/index.html (and) https://github.com/nathandunn/grails-oauth-google
https://grails-plugins.github.io/grails-spring-security-rest/latest/docs/#_google
This uses Google for OAuth2 as below. This is actually using the REST plugin:
https://plugins.grails.org/plugin/grails/spring-security-rest
https://guides.grails.org/grails-oauth-google/guide/index.html
https://github.com/grails-guides/grails-oauth-google/tree/master/complete
Authorize REST version for login:
https://grails-plugins.github.io/grails-spring-security-rest/latest/docs/
Good example of how to do the providers with Spring Boot:
https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/