OAuth2 client sign in for Spring web apps | via Google and Github

  • Published 20 Dec 2024

COMMENTS •

  • @oinohudsonobai3721  1 year ago +7

    You provided a solution for a problem I have fought with the whole week. You are such a good teacher. Your channel will take off as soon as more people migrate to Spring Security 6. Thank you and I genuinely wish you all the best for creating such awesome content. Subscribed!!

    • @kanezi  1 year ago +3

      I really appreciate your kind words!!

    • @solowolf5304  1 year ago

      Olino Hudson, can you briefly explain which problem you were facing?

    • @oinohudsonobai3721  1 year ago

      @Solo Wolf Stateless OAuth2 authentication where I have full control over the access tokens

  • @victorvilar8371  1 year ago +1

    Amazing video, explained everything step by step slowly.

  • @raoufgeorgemdimegh2781  1 year ago +2

    Wow, amazing job, it's better than all the tutorials I had seen about OAuth2, great job and thank you very much ❤

  • @simopr09  1 year ago +1

    Thank you sir for this great video! Amazing one! Keep making such great videos. I am a subscriber now

  • @ВадимВалунский-й5б

    Nice tutorial! Please continue!

    • @kanezi  1 year ago +2

      Glad you find it helpful, a new video in the series is coming soon

  • @bogdy.musiclover  1 year ago +2

    goooood !!! nice !!!! thank you !!!

  • @mbhambhu3624  1 year ago +1

    Hey, great tutorial. Could you please extend this tutorial with React, where the user can log in using the frontend (user/email, Google and GitHub) and the backend is protected by Spring OAuth2? On the whole internet, I cannot find that easily. Most of them are either frontend only or backend only.

  • @devozs  1 year ago

    Thanks for a clear and great tutorial.
    How can I combine it with another UI client such as Vue?
    In other words, what is the right way to call login from a client and return user info and a token to the UI client?
    Thanks again 🙏

    • @kanezi  1 year ago +1

      It's a popular question, so I intend to release a series of tutorials during June and July to address it.

    • @devozs  1 year ago

      @kanezi much appreciated.
      Btw, I searched a lot and there is no comprehensive and clear tutorial for that.

  • @ernesttomas9358  1 year ago +1

    How can we get the JWT in case we want to use front end?

    • @kanezi  1 year ago

      Could be a very involved answer because of how diverse the JavaScript ecosystem is, but if you want to use only the front end, since you can't keep a secret, you'd instead generate a cryptographic random - code verifier -> code challenge and use that instead. The extension to the flow is called PKCE (Proof Key for Code Exchange). Most popular frameworks have a library, so I'd search for one you could use. It's not considered as secure, so I'd recommend you use a back end as well, like I did with Spring in this video. If you want to stay in JavaScript land, you'd replace Java -> Node.js, and i.e. Spring Web -> Express, Spring Security -> Passport.js. The Passport.js framework has authentication modules for various OAuth2/OIDC providers, they call them authentication strategies. Hope that helps.

    • @ernesttomas9358  1 year ago

      @kanezi Thanks for the response! I meant how to generate the token in the BE and use it in the FE.

    • @kanezi  1 year ago

      If I understood correctly, you'd like to generate a JWT token from your BE? You'd have to use the Spring Security OAuth2 authorization server dependency, not the OAuth2 client, and use token-based authentication, where your FE sends the JWT in a header in every request using "Authorization: Bearer ". Your resource server can be the same BE application or a totally different one, but you'd use the spring boot starter oauth2 resource server dependency.

  • @ozuskywalker  1 year ago

    Great video! You solved most of my doubts but I have one more: how can I log in with my credentials in the form and after that return a JWT token? I want to generate it to give it to my FE.

    • @kanezi  1 year ago +1

      I think you are asking about token-based authentication where you have the UI implemented in the FE (like Angular or React) and the back end in Spring, and don't care about social login?
      It's different than what I showed here. It's usually implemented like this:
      All your UI is implemented in the FE (login/register/change password, etc).
      The FE has a login form that submits to the
      BE, i.e. /api/authenticate, which returns a JWT token to the FE and is a publicly accessible endpoint.
      The FE usually stores the JWT in local/session storage and uses the token in other requests to the BE that require authentication by setting the Authorization header (Authorization: Bearer ).
      BE security in Spring is configured with a stateless session and has a JWT filter configured to resolve the token from API requests that need to be authenticated.
      At some point I'll do a video about it and the difference between session- and token-based authentication.
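The token-based setup described in the reply above (stateless session, a public `/api/authenticate` that hands a JWT to the FE, a filter that resolves `Authorization: Bearer` on every later request), written out as an added Spring Security 6 example; this is not code from the video or from the channel's project. It assumes Spring Boot 3 and the jjwt 0.12 API from `io.jsonwebtoken` (the library linked further down this thread), an HS256 key generated at startup, and placeholder names of my own (`JwtTokenService`, `JwtAuthenticationFilter`, `TokenSecurityConfig`, the issuer value `example-app`). The controller behind `/api/authenticate` is not shown: it runs the user's credentials through your existing `AuthenticationManager` and returns `issue(authentication)`.

```java
// Added example, not from the video: stateless token-based auth in Spring Security 6 with jjwt 0.12.
import java.io.IOException;
import java.util.Date;
import java.util.List;
import javax.crypto.SecretKey;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/** Issues and verifies the app's own JWTs. Placeholder class name, not from the video. */
@Component
class JwtTokenService {
    // Constructed for the example: a fresh HS256 key per JVM start. A real deployment loads the
    // key from configuration so issued tokens survive restarts and work across instances.
    private final SecretKey key = Jwts.SIG.HS256.key().build();
    private static final String ISSUER = "example-app"; // placeholder issuer value

    /** Called by the public /api/authenticate endpoint once the credentials have been checked. */
    String issue(Authentication auth) {
        Date now = new Date();
        List<String> roles = auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList();
        return Jwts.builder()
                .issuer(ISSUER)
                .subject(auth.getName())
                .claim("roles", roles)              // always set by us, so verify() can rely on it
                .issuedAt(now)
                .expiration(new Date(now.getTime() + 30L * 60 * 1000)) // short-lived access token
                .signWith(key)
                .compact();
    }

    /** Checks signature, expiry and issuer; throws JwtException if any of them is wrong. */
    Authentication verify(String token) {
        Claims claims = Jwts.parser().verifyWith(key).requireIssuer(ISSUER).build()
                .parseSignedClaims(token).getPayload();
        List<?> roles = claims.get("roles", List.class);
        var authorities = roles.stream().map(Object::toString).map(SimpleGrantedAuthority::new).toList();
        return UsernamePasswordAuthenticationToken.authenticated(claims.getSubject(), null, authorities);
    }
}

/** Resolves "Authorization: Bearer <token>" and populates the SecurityContext for this request. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtTokenService tokens;
    JwtAuthenticationFilter(JwtTokenService tokens) { this.tokens = tokens; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")) {
            try {
                SecurityContextHolder.getContext().setAuthentication(tokens.verify(header.substring(7)));
            } catch (JwtException e) {
                // Bad signature, expired or foreign issuer: fail closed instead of continuing as anonymous.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
class TokenSecurityConfig {
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http, JwtTokenService tokens) throws Exception {
        http
            .csrf(csrf -> csrf.disable()) // no session cookie is used, so there is nothing for CSRF to ride on
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/authenticate").permitAll() // the FE login form posts here
                .anyRequest().authenticated())
            // No token at all: answer 401 rather than redirecting a JS client to a login page
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Built here rather than as a @Component, so Boot does not also register it as a plain servlet filter
            .addFilterBefore(new JwtAuthenticationFilter(tokens), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

A token that fails signature, expiry or issuer checks gets a 401 from the filter itself rather than quietly falling through as anonymous, so broken or tampered tokens show up as 401s in the access log instead of as confusing 403s from the authorization layer. Because there is no session cookie, CSRF protection is switched off; the bearer header is the only thing that ties a request to a user, which is also why the token is kept short-lived. This is the hand-rolled route; the resource-server starter mentioned elsewhere in this thread does the same decoding declaratively.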

    • @ozuskywalker  1 year ago

      @kanezi What you said is correct, I'm new to OAuth2 and if I understand correctly, httpBasic() is not OAuth, so how can the FE send the user credentials to the BE to generate the access token using OAuth2? Or do I need to expose a login page to return the authorization code to the FE? I want to use OAuth2 because I want to implement social login also at some moment

    • @kanezi  1 year ago

      I'll need to test to confirm, but...
      You have 2 identity providers, your app and Google. Let's assume that both your app and Google use JWT tokens.
      When the user logs in via username/password, your app generates and returns a JWT token.
      When you press the sign in via Google button, that triggers the OAuth2 flow in the BE, which when successful will result in a Google JWT that you'll return to your FE.
      When you access secured APIs from the FE, you'll have 2 JWT filters in the BE that check the issuer of the JWT, and if your app issued the token, you'll validate it, and if Google issued the token, you can use the Google API client library, GoogleIdTokenVerifier class, to verify the token.

    • @ozuskywalker  1 year ago

      @kanezi I understand, one last question, how can I generate the access token for the FE with user credentials using the OAuth2 flow? I had to pass by the form 100%?

    • @kanezi  1 year ago +1

      I'll try to make a video, it's too much for a single message...
      You'd use a library to generate and validate JWT tokens; one popular one is io.jsonwebtoken: github.com/jwtk/jjwt
      I've found one blog post that I think has a situation in the BE similar to what you're trying to do:
      careydevelopment.us/blog/how-to-implement-a-json-web-token-jwt-solution-in-spring-boot
      Try to check that out...

  • @souravpaul6086  1 year ago

    Hi,
    This video is so good and easy to understand, each step.
    I have a request, could you please make a video on my query, please please.
    I want an implementation of
    (i) .hasRole() in @Bean SecurityFilterChain and
    (ii) JWT authentication in this video by which a form login user can access our secured endpoint
    (iii) and I do not have any idea how a GitHub or Google logged-in user can access our secured endpoint, so please implement that necessary step as well by which
    a GitHub or Google logged-in user can also access our secured endpoints

    • @kanezi  1 year ago +1

      In this video everything except public endpoints is secured.
      When the user logs in with Google or GitHub, ANY endpoint will be accessible - the isAuthenticated() part.
      If you wanted to, you could use hasAuthority('SCOPE_*') and then pass in the Google or GitHub scopes the user gets automatically when logging in with the OAuth2 provider, instead of isAuthenticated.
      Spring OAuth2 support takes care of JWT token validation.
      Have a look at this video:
      ua-cam.com/video/_WdIlz33FKE/v-deo.html
      In there we add additional endpoints for actuator, and we use hasAuthority()
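The authorization rule sketched in the reply above, as an added Spring Security 6 example (not code from the video or from the channel's project). Spring's OAuth2 login turns every scope of the access token it receives into a `SCOPE_<scope>` granted authority, and `hasAuthority`/`hasAnyAuthority` compare those names literally (there is no `SCOPE_*` wildcard), so the rule has to name the scopes the provider actually grants. The example assumes Spring Boot 3 with `spring-boot-starter-oauth2-client`, Google and GitHub registered in `application.yml` with Spring's default scopes (`email` among Google's, `read:user` for GitHub), and a hypothetical `/api/profile/**` path and `/api/whoami` endpoint of my own.

```java
// Added example, not from the video: scope-based authorization on top of oauth2Login().
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error", "/css/**").permitAll()
                // Scopes granted at login become SCOPE_<scope> authorities; the names are matched literally.
                // "email" is one of Google's default scopes, "read:user" is GitHub's (hypothetical path).
                .requestMatchers("/api/profile/**").hasAnyAuthority("SCOPE_email", "SCOPE_read:user")
                .anyRequest().authenticated())   // everything else: any logged-in user, as in the video
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}

/** Hypothetical endpoint that echoes the authorities Spring assigned, so rules can be checked against real names. */
@RestController
class WhoAmIController {
    @GetMapping("/api/whoami")
    Map<String, Object> whoAmI(@AuthenticationPrincipal OAuth2User user) {
        List<String> authorities = user.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList();
        return Map.of("name", user.getName(), "authorities", authorities);
    }
}
```

Log in once with each provider and open `/api/whoami` before writing rules: besides `OAUTH2_USER` (or `OIDC_USER` for Google) you will see the exact `SCOPE_...` names that `hasAnyAuthority` must use. If the `scope` list for a registration in `application.yml` is changed, the rule has to change with it, otherwise users of that provider silently lose access to the path.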

    • @souravpaul6086  1 year ago

      @kanezi Thank you so much for your response ❤️ I will go through the video and if I find any difficulty I will comment on that video

  • @Jacker3331  1 year ago +2

    Why is everyone making tutorials of social login with Thymeleaf and static Spring resources, WTF... 2023 and I can't find a tutorial for a regular Spring REST API social login

    • @kanezi  1 year ago

      I got you, Java backend REST social login + JS frontend tutorials will be on the channel in 2023! I plan to showcase more features, like password reset, so it's more involved to do.