These are chat archives for spring-guides/tut-spring-security-and-angular-js

20th Mar 2015
Firoz Fazil
@ffazil
Mar 20 2015 08:25
In the oauth2 example, if the API Gateway is headless how do i login and get an access token ... assuming the client is a mobile app or cannot be redirected to the login page of the Authorization server?
Do you have an example for such a scenario?
Dave Syer
@dsyer
Mar 20 2015 09:05
Can't you just send a token request directly to the auth server?
Firoz Fazil
@ffazil
Mar 20 2015 09:54
Ok. Got it. Thanks.
Dag Østgulen Heradstveit
@scav
Mar 20 2015 12:53
Say that I want to use this example, only to create two micro services, one handles user accounts, and the other serves as the API for a third and separate html/js application only, how do I go about logging the user into the resource (API in this case) server? As it is now, both AuthorizationServer and ResourceServer are on the same server, and this makes maintaining accounts easy. However, once I have a separate service to handle the user accounts for Authorization, it gets harder to say that "User X added item Y to database" on the resource servers. Any ideas how to solve this, using your example, without using the UI module?
I am able to log in to the resource server, and getting a Principal, but I need some way of connecting said principal to the resource server's user entities
Dave Syer
@dsyer
Mar 20 2015 12:55
The examples in Part V have a separate auth server and resource server.
I'm not sure what you mean by "log into the resource server" since it's just an API resource (no UI)
I don't really follow your " User X added item Y to database" use case either
What do you mean by "say that..."?
You need to audit the actions in the resource server?
Dag Østgulen Heradstveit
@scav
Mar 20 2015 12:57
What I mean is that I need to keep track of which users do what in a database on the resource server. Say a user posts a new item, I need to be able to identify this user, locally, on the resource server.
Dave Syer
@dsyer
Mar 20 2015 12:57
That's just regular authentication
You get that from Spring Security
Dag Østgulen Heradstveit
@scav
Mar 20 2015 13:08
Not sure how to do that, without asking for a password on the resource server again, which kinda defeats the whole point of a centralized login server. I guess I should go back and study the docs more, but thanks for your time!
Dave Syer
@dsyer
Mar 20 2015 14:01
A resource server uses the token presented in request headers to authenticate the request
The authentication includes the user if there is one
It's normal Spring Security stuff
Except that you can apply access rules in the ResourceServerConfigurerAdapter
Dag Østgulen Heradstveit
@scav
Mar 20 2015 15:38
Thank you again for responding, though I am still not sure how I will translate a token from the authorization server to an actual user on the resource server side, as all my resource server gets is the principal from the authorization server. Can I trust the username in that response and let every request from that token operate on that given user (the user is defined in a table on the resource server as well, for audit reasons and general group stuff)?
Dave Syer
@dsyer
Mar 20 2015 16:00
You can trust it as much as you trust the token (i.e. same as a cookie). If you need to load user details on the resource server as well then add a filter and transform the SecurityContext.
Dag Østgulen Heradstveit
@scav
Mar 20 2015 16:04
Thank you very much for taking time to answer me as I take my first baby steps using oauth2. This has been immensely helpful :)
Dave Syer
@dsyer
Mar 20 2015 16:04
No problem. Please keep at it.
It's a bit of a mind warp when you start. We try to make it easy to get stuff working, but sometimes that obscures the details too much for the curious.
Dag Østgulen Heradstveit
@scav
Mar 20 2015 16:07
You guys are doing a great job, and you surely make my life easier. Very rarely do I need to spend this much energy on understanding Spring stuff, which is great!
But yes, indeed it took some time to wrap my mind around it (and I doubt I am anywhere close to completing the process)