OAuth authorization server configuration
This ticket adds support for the configuration of OAuth authorization servers from .properties
file (and therefore environment variables) instead of using the hardcoded configuration in OAuth2TenantConfig
:
private ClientRegistration googleClientRegistration() {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build();
}
... we use properties to specify the same values for registrationId=google
with properties starting with oauth2.authorization.google
:
oauth2.authorization.google.client-name=Google
oauth2.authorization.google.client-id=articles-client
oauth2.authorization.google.client-secret=secret
oauth2.authorization.google.client-authentication-method=client_secret_basic
oauth2.authorization.google.authorization-grant-type=authorization_code
oauth2.authorization.google.scope=openid,profile,email
oauth2.authorization.google.authorization-uri=https://accounts.google.com/o/oauth2/v2/auth
oauth2.authorization.google.token-uri=https://www.googleapis.com/oauth2/v4/token
oauth2.authorization.google.user-info-uri=https://www.googleapis.com/oauth2/v3/userinfo
oauth2.authorization.google.user-name-attribute-name=sub
oauth2.authorization.google.jwk-set-uri=https://www.googleapis.com/oauth2/v3/certs
oauth2.authorization.google.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
Multiple configurations may be specified by adding other sets of oauth2.authorization.XXX
properties:
oauth2.authorization.live.client-name=Live
...
oauth2.authorization.github.client-name=Github
oauth2.authorization.facebook.client-name=Facebook
SysUser
in local database
Creating After a successful login with an external provider we need to create a local AclSid. There's a piece of TODO code in WebSecurityConfig
with a comment TODO Here we will update local database and register the user if missing
in line 265.
We have accountType
in app-blocks User
, we need something like that here so that we can always link the user to the remote provider: if you log in with Google, then you cannot log in with Facebook using the same email address!