Clever Geek Handbook

Grails Rest API with OAuth for a mobile app

TL; DR: Reading from EDIT 1 .

I am trying to find a solution how to implement authentication, especially OAuth for my rest api to be used by a mobile app.

I found this popular plugin ( Spring Security Rest ):

http://alvarosanchez.github.io/grails-spring-security-rest/docs/guide/single.html#oauth 1

But the problem is that it is for javascript frontend app, so my frontend needs a callback url to pass the generated token (as you can see in the diagram).

In the case of a mobile app, how can I do this? Is there any other plugin or design I can implement to do this? It struck me as odd that there really aren't a lot of plugins or tutorials about stateless OAuth in Grails or Spring, but there are tons of mobile apps out there that use it.

Here's a usage example:

  • The user opens the mobile application.
  • The user registers with facebook in the mobile application.
  • The user makes a request to api / orders, which only returns his orders to him.

Who should handle the OAuth part of this? The flow in the diagram presented on the plugin cannot work with the mobile app, so if the facebook mobile app receives it, then it passes it to the web app?

I would like to understand what is the correct design / flow in this case and if there is a plugin or a way to implement it using grails.

EDIT: Is this the correct flow?

Mobile App OAuth + Auth to backend with external provider UML Sequence Diagram

If so, is there a standard way to do this with Grails?

EDIT 2: Now that I understand the flow, I need to integrate the login part with the Spring Security plugin (which already handles the rest). Here is the code that I want to integrate with the plugin, but I don’t know where or what to change in the plugin:

    // api/auth/fb
def auth(){

    //Extract fb_access_token
    String fbAccessToken = request.JSON.?fb_access_token

    //Call https://graph.facebook.com/me?access_token=fbAccessToken
    def userInfo = facebookService. ... (fbAcessToken) //Method to use in the plugin

    //Verify if the userInfo contains an error/doesn't contain a fbId
    if(userInfo.getFbId() == null ){
        respond unauthorized() // 401, Invalid access token
    }
    //Verify if this token is for our app
    else if(userInfo.getAppSecret() != System.env.getParameter("appSecret")){
        respond unauthorized() //401, token not for this app
    }
    //Register or login
    else{
        User user = User.findByFbId(userInfo.getFbId())
        if(user == null){
            facebookService.registerUser(userInfo) //Custom method implemented in the service
        }
        else{
            FbToken fbToken = new FbToken(userInfo.getToken(), userInfo.getExpiration())
            user.setFbAccessToken(fbToken)
        }

        //Login the user with spring security and let it handle the rest (token creation => storage => http answer)

    }

}
+3


source to share


1 answer


Below we explain how we connect facebook to the Grails rest plugin.



  • The client makes a request to facebook and gets the fb uid.
  • The client sends the fb uid to the server along with other data like email, etc. etc. (no matter,
    • The server gets the fb uid and re-authenticates the fbuid with facebook , then try to find the user with that fbuid in the database.
    • If user found username with email and returns a token.
    • if the user did not find the registration and started the user and sent back a response in response.
  • The client makes any subsequent call with the token returned from step 2.
+1


source






More articles:


All Articles