Question

I'm using Spring Social with Spring Security to authenticate users and automatically create local accounts on my web app. How do I provide the OAuth2 scope for authentication?

In the spring-social-samples, I don't see where scope should go.

<bean id="socialAuthenticationFilter" class="org.springframework.social.security.SocialAuthenticationFilter"
    c:_0-ref="authenticationManager"
    c:_1-ref="userIdSource"
    c:_2-ref="usersConnectionRepository"
    c:_3-ref="connectionFactoryLocator"
    p:signupUrl="/spring-social-showcase/signup"
    p:rememberMeServices-ref="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices#0" />

<bean id="socialAuthenticationProvider" class="org.springframework.social.security.SocialAuthenticationProvider"
    c:_0-ref="usersConnectionRepository"
    c:_1-ref="socialUsersDetailService" />

A specific usecase for scope would be to let the user authenticate with Facebook and then get the user's Facebook email (scope="email") for creating a local account.


Solution

In your configuration, you need to specify scope as a property of the FacebookAuthenticationService. This is the service that handles calls to auth/facebook.

In XML configuration, instead of:

<facebook:config app-id="${facebook.clientId}" app-secret="${facebook.clientSecret}"/>

use:

<bean id="connectionFactoryLocator" class="org.springframework.social.security.SocialAuthenticationServiceRegistry">
    <property name="authenticationServices">
        <list>
            <bean class="org.springframework.social.facebook.security.FacebookAuthenticationService">
                <constructor-arg value="${facebook.clientId}" />
                <constructor-arg value="${facebook.clientSecret}" />
                <!-- Important: The next property name changed from "scope" to "defaultScope" in 1.1.0.M4 -->
                <property name="scope" value="email" />
            </bean>
        </list>
    </property>
</bean>

This works with Spring Social 1.1.0.M3.
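The same registration in Java config, as an added example that is not part of the answer above. It assumes Spring Social Security 1.1.0.M4 or later, where the property was renamed to defaultScope (so the setter is setDefaultScope), and that the Facebook credentials are resolved from the Spring Environment under the same property names the XML uses.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.social.facebook.security.FacebookAuthenticationService;
import org.springframework.social.security.SocialAuthenticationServiceRegistry;

@Configuration
public class SocialConfig {

    // Replaces <facebook:config .../> so that the scope sent on the
    // authorization redirect to Facebook can be set explicitly.
    @Bean
    public SocialAuthenticationServiceRegistry connectionFactoryLocator(Environment env) {
        SocialAuthenticationServiceRegistry registry = new SocialAuthenticationServiceRegistry();

        // Same constructor arguments as the XML bean: app id and app secret.
        FacebookAuthenticationService facebook = new FacebookAuthenticationService(
                env.getProperty("facebook.clientId"),
                env.getProperty("facebook.clientSecret"));

        // Request only what local account creation needs: the user's email.
        // Anything broader (e.g. publish permissions) should be added deliberately,
        // not by default, so the app holds the least-privileged token it can.
        facebook.setDefaultScope("email");

        registry.addAuthenticationService(facebook);
        return registry;
    }
}
```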

OTHER TIPS

You can pass an additional scope parameter in a connection / signup form. See the example for Twitter from the official documentation:

<form action="<c:url value="/connect/twitter" />" method="POST">
    <input type="hidden" name="scope" value="publish_stream,offline_access" />
    ...
    <button type="submit"><img src="<c:url value="/resources/social/twitter/signin.png" />"/></button>
</form>

It is the same principle for Facebook too; just use the appropriate scope values.

Be sure that you do not miss this part:

Facebook access tokens expire after about 2 hours. So, to avoid having to ask your users to re-authorize every 2 hours, the best way to keep a long-lived access token is to request "offline_access".

Licensed under: CC-BY-SA with attribution