Add a login with Google Authorization Server Sample

[asaikali]

The current sample authorization server uses spring security form login. A sample showing how to have the authorization server delegate to google or another social login provider is quite useful. For my use case I to be able to support from based login and social OIDC logins. Implementing this sample can help ensure that the configuration APIs are flexible enough to allow multiple authentication providers.

[erikmartino]

There should probably be two different where the user can choose between them at login, for example Google and Github. If you host a SAAS solution, it is quite useful to delegate authentication to each customer organisations own OIDC provider.

[ojhughes]

I was thinking about this, should the authorization server ever delegate authorization? I understand the authorization server would delegate the storage of users / credentials to LDAP or a DB but I thought that the process of authorizing a client should be performed by the authorization server. The existing Spring resource server already works with the various social logins.

[jgrandja]

@ojhughes

should the authorization server ever delegate authorization

There are a number of OAuth/OIDC providers that deliver this type of feature via Social login authorization delegation. This is typically delivered in a product, so it's not clear if we would deliver such support within the framework.

Either way, it will be a good exercise to deliver a sample that demonstrates this authorization delegation pattern.

[pangyiwei]

I tried something for this:

1. Add spring-boot-starter-oauth2-client to the authorization project dependencies
2. Configure the default security filter chain with the oauth2Login().
3. Update application.yml with the oauth2 client registration config (With your Google OAuth2 Credentials)

Would this be right for the sample? Would be glad to submit a PR for this if necessary

[jgrandja]

@pangyiwei The sample you created does not integrate Authorization Server. It simply uses client features only. We would need the authorization related data to be stored via OAuth2AuthorizationService. The sample you have stores the data via OAuth2AuthorizedClientService.

[pangyiwei]

@jgrandja Ahh I see. I had the impression that this could be done similarly to how the sample was for the form login where the resource owner will have to be authenticated (by Google) first before the authorization is saved by OAuth2AuthorizationService. Noted that this was the flow done in processAuthorizationRequest() in the OAuth2AuthorizationEndpointFilter class. Hence, I thought that the sample would mainly involve configuration of Google as an OAuth2 client (for the authorization server).

Thank you for the clarification.

[natami]

Any progress/timeline on this issue?