validate OAuth 2.0 access token from a Spring RESTful resource server

Question

I want to secure my Spring RESTful backend. One way (the right?) is to use OAuth 2.0 like shown here:

http://www.youtube.com/watch?v=8uBcpsIEz2I

Within my architecture the resource server and authorization server ARE NOT the same entity. I really just provide some JSON REST services. No UI. If I read the OAuth2 RFC they just say:

The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

I found a good diagram on cloudfoundry.com (related to the above youtube video) which I'm using to illustrate my view:

"token" provider: This could/should be google or facebook for example.

RESTful backend: This is actually my code. Spring RESTful services like:

@Controller
@RequestMapping("/api/v1")
public class MyResourceToProtect {

    @Autowired
    private MyService service;

    @RequestMapping(value = "/resource/delete/{name}",
                    method = RequestMethod.DELETE,
                    consumes = MediaType.APPLICATION_JSON_VALUE,
                    headers = "Content-Type=application/json")
    @ResponseStatus(HttpStatus.OK)
    public void delete(@PathVariable("name") String name) {
        service.delete(name);
    }
}

(This is just some sample code)

Now my question: Is it somehow possible to validate the access tokens which are generated by the AuthServer (Facebook, Google)? I know that I need to have a "token to user" mapping (database) somewhere on my ResourceServer. Basically I'd like to design my RESTful API like to one from PayPal:

https://developer.paypal.com/webapps/developer/docs/integration/direct/make-your-first-call/

But how can I handle the steps 1 & 2 if I want to use Facebook or Google as auth providers? Is this even possible?

Additional thought: Probably I need to provide my own /oauth2/token endpoint and then delegate to the underlying AuthProvider.

Answer 1

Not sure how to answer all the questions with a nice bow, so I'll just put the following points out there:

• Are you trying to just consume an OAuth-secured API like Facebook in a OAuth-secured fashion? Use Spring Social.
• If you're trying to create your OWN REST API and use your OWN user context, then use Spring Security OAuth. In this case, you would require clients to authenticate using OAuth against YOUR API, not Facebook or LinkedIn, etc.
• Spring Social Security (in the 1.2.x series) supports 'signing' the user in as the result of an OAuth connection (e.g., 'signin with facebook,' '..twitter,' '..linkedin,' etc., and your application ultimately ends up with a Spring Security principal in session, just as if you had used an HTTP form to sign the user in manually.
• Spring Security OAuth doesn't care where you got the Spring Security principal from. It just cares if the principal has the right roles / scopes required by the Spring Security OAuth client. So, there's no reason you couldn't use Spring Social to securely connect to Facebook, use Spring Social Security to have that connection create a Spring Security Authentication object, and then use Spring Security OAuth to then secure any access to YOUR API, which in turn might securely connect to Facebook's API behind the scenes. Clients would use the OAuth access token for YOUR API, not Facebook. That gets handled in the service.