In my previous article, I mentioned that in this phase of the bootcamp I will be developing a project for Green Fox Academy to manage employees’ progression at work. Naturally, this is done in a team, so anything I write in the following lines is the result of the combined work of me and my colleagues.
This week, we tried to implement authentication in our project (Lvl-Up) making use of Google API and OAuth2. A little heads up: this was not an easy task. First, we read extensive documentation and watched many videos on the subject. When we felt we could grasp the concept, we tried to implement it but, that too, proved to be complicated. So here is what we learnt from our experience:
What is OAuth2 and why should we use it?
OAuth 2 is “an authorisation framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorising third-party applications to access the user account”.
You have surely come across it already: when trying to log in to a website, instead of registering with a new email/password combination for that website, you log in with your Google, Facebook or Twitter account, for example.
But why would you want to do that?
Before OAuth2 came into the picture, the most common alternative was a custom login form created by the application. Here, the user would authenticate, or “prove they are who they say they are”. How? By providing a unique combination of username and password. But this creates two problems:
- On one hand, the user can either give their password to someone else or get it stolen, meaning that someone else could log in under that user’s account.
- On the other hand, this solution creates the problem of storing passwords securely. If the web application stores all the username/password combinations in a database, it runs the risk of that database being hacked, compromising the security of all of its users.
OAuth2 provides a more secure alternative to this. Let’s take our own application, Lvl-Up, as an example. When users access our application, we need them to authenticate. For that we redirect them to Google, which will ask for their credentials. If these are correct, Google will send our application an access token and a refresh token. The access token carries the information necessary for the user to access a resource, but it is usually short-lived (five minutes or so). The refresh token, on the other hand, carries the information necessary to get a new access token issued by the authentication server, and it has a longer lifetime, allowing the user to stay authenticated without having to re-enter their username and password every five minutes. These tokens are usually JWT tokens, but we won’t go into that in this article.
That leaves the security responsibility to a third party who, let’s face it, is probably more of an expert in that than the web application developer. And it improves users’ experience and sense of safety, since they only need one username/password combination that they can use across multiple applications, a combination stored with an entity they usually trust, like Google or Facebook.
How to implement OAuth2
Now that we have seen the benefits of using OAuth2 authentication, let’s take a look at how we can implement that in our project.
1. The first step is to register with the authentication provider of your choice. In our case, it is Google, so we can create a new account here: https://console.developers.google.com
Google will give you some credentials that you will need to use in your project, namely in step 2.
2. In your application.properties file, you need to define some parameters:
Please note that the preEstablishedRedirectUri is the URL where you want to direct your users once they have successfully logged in. This URL needs to be registered with Google, as we saw in step 1.
3. In your project, create a Configuration class that extends WebSecurityConfigurerAdapter and override the configure() method. Ours looks like this:
In this method you can configure many other parameters but, for now, we want to keep it simple.
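As an added example (not the Lvl-Up project’s own code), here is what such a configuration class can look like with Spring Boot’s `@EnableOAuth2Sso` support, which is where the `preEstablishedRedirectUri` property in step 2 comes from. The package name and the endpoint paths are assumptions.

```java
// Added example, not the Lvl-Up project's code. Assumes Spring Boot with
// spring-security-oauth2-autoconfigure (@EnableOAuth2Sso) and the Google
// client settings from step 2 under security.oauth2.client.* in
// application.properties (clientId, clientSecret, accessTokenUri,
// userAuthorizationUri, preEstablishedRedirectUri, useCurrentUri=false).
package com.example.lvlup.security;   // hypothetical package name

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableOAuth2Sso  // wires the redirect to Google and the token exchange for us
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Only the landing page, the login flow and the error page
                // are reachable without a Google session (assumed paths).
                .antMatchers("/", "/login**", "/error**").permitAll()
                // Everything else, i.e. the employee progression data,
                // requires a user that Google has authenticated.
                .anyRequest().authenticated()
            .and()
            .logout()
                .logoutSuccessUrl("/")
                .permitAll()
            .and()
            // Keep CSRF protection switched on; the cookie repository lets a
            // browser front end read the token and send it back in a header.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

Remember that the redirect URI Spring sends to Google must match exactly the one registered in the console in step 1, otherwise Google rejects the login.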
I hope this article helped you get an overview of OAuth2 and its implementation. I know I had to read many of them to get a decent understanding of the subject. If you have any questions, please comment below!