
How to tie OAuth authentication with Spring Security

I have a Grails 2.5.3 app that currently uses the Spring Security plugin for authentication. Users log in using a username/pwd.

I have now updated the app to support OAuth authentication (using ScribeJava). Users can click a link that redirects them to the OAuth provider's page, and upon successfully entering their credentials they are redirected back to my application. However, I have not been able to tie this functionality to the Spring Security plugin so that when the users are redirected back to my app (after a successful login via OAuth), I can actually see that they are logged in and continue to use all my Spring Security goodies like <sec:ifLoggedIn>.

Does anyone know of a way to do this or have an example I can take a look at?

Here is how I authenticate a user using OAuth:

//called when user clicks "login using oauth"
def authenticate() {
    OAuthService service = new ServiceBuilder()
                              .apiKey(grailsApplication.config.my.sso.clientid)
                              .apiSecret(grailsApplication.config.my.sso.clientsecret)
                              .build(MyApi.instance());
    String url =  service.getAuthorizationUrl();
    return redirect(url: url)
}

//called when oauth provider redirects to my application
def authorization_code() {
    def code = params.code
    OAuthService service = new ServiceBuilder()
                              .apiKey(grailsApplication.config.my.sso.clientid)
                              .apiSecret(grailsApplication.config.my.sso.clientsecret)
                              .build(MyApi.instance());
    println code                          
    OAuth2AccessToken accessToken = service.getAccessToken(code);
    String userProfileUrl = grailsApplication.config.my.sso.authdomain+"/userinfo"
    final OAuthRequest request = new OAuthRequest(Verb.GET, userProfileUrl);
    service.signRequest(accessToken, request);
    final Response response = service.execute(request);
    println(response.getCode());
    println(response.getBody());        
    render (text: code)
}
Anthony asked Mar 12 '17 19:03


1 Answer

Whenever you authenticate via OAuth, the remote server returns you a unique id (some numeric value) each time. You can use that id to verify the user on your end and authenticate the user using the springsecurity.reauthenticate() method.

Steps to do that:

  1. When the user connects (authenticates for the first time) with the service provider, the service provider sends you that unique id. Save that unique id in the user table.
  2. When the user logs in via that service provider, the service provider again sends that unique id. Check if that unique id exists in your system, and if a user exists with that unique id, then use the springsecurity.reauthenticate(userInstance) method to authenticate the user. Now you can use the Spring Security features.

Check out this link: http://www.jellyfishtechnologies.com/grails-2-2-0-integration-with-facebook-using-grails-oauth-plugin/

Bipul Kumar answered Sep 27 '22 18:09
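The callback from the question with the lookup-and-reauthenticate step from the answer filled in, as an added example that is not code from either poster. It assumes the userinfo JSON carries the provider's stable id in "sub", that User has a hypothetical oauthId field plus the enabled and accountLocked flags of the plugin's generated User class, and that /login/auth is the login page; the plugin's SpringSecurityService.reauthenticate takes the username.

```groovy
import com.github.scribejava.core.builder.ServiceBuilder
import com.github.scribejava.core.model.OAuthRequest
import com.github.scribejava.core.model.Verb
import groovy.json.JsonSlurper

class OauthLoginController {          // hypothetical controller name
    def grailsApplication
    def springSecurityService         // injected by the Spring Security Core plugin

    // Called when the OAuth provider redirects back to the application
    def authorization_code() {
        if (!params.code) {
            return redirect(uri: '/login/auth')
        }
        def sso = grailsApplication.config.my.sso
        def service = new ServiceBuilder()
                .apiKey(sso.clientid)
                .apiSecret(sso.clientsecret)
                .build(MyApi.instance())

        // Exchange the code and fetch the profile as in the question,
        // without printing or rendering the code, token or profile body
        def accessToken = service.getAccessToken(params.code)
        def request = new OAuthRequest(Verb.GET, sso.authdomain + '/userinfo')
        service.signRequest(accessToken, request)
        def response = service.execute(request)
        if (response.code != 200) {
            return redirect(uri: '/login/auth')
        }

        // Assumption: "sub" is the provider's unique, stable id for this user
        def profile = new JsonSlurper().parseText(response.body)
        String providerId = profile?.sub?.toString()
        // Assumption: oauthId was stored when the account was first linked (step 1)
        def user = providerId ? User.findByOauthId(providerId) : null

        // Unknown id: do not guess an account by e-mail or name. The account
        // flags are checked here because this path bypasses the login form.
        if (!user || !user.enabled || user.accountLocked) {
            flash.message = 'No active local account is linked to this login'
            return redirect(uri: '/login/auth')
        }

        // Puts an Authentication for this user into the security context, so
        // <sec:ifLoggedIn> and @Secured treat the session as logged in
        springSecurityService.reauthenticate(user.username)
        redirect(uri: '/')
    }
}
```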