12 votes

I am trying to use spring social for my REST services and my mobile app.

I wonder what the best approach is.

I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.

My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.

On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.

As far as I understand, mobile requires a different OAuth flow than the one described in https://spring.io/guides/tutorials/spring-boot-oauth2/

It seems like it requires the "Proof Key for Code Exchange" flow, as stated in: https://auth0.com/docs/api-auth/grant/authorization-code-pkce

Is this correct? I didn't find any information on how to best do this with Spring Social, or whether Spring Social supports this use case.

Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!


1 Answer

9 votes

One possible way would be

  1. The mobile app uses LinkedIn's or Google's SDK to do SSO and retrieve an authN token.
  2. The mobile app passes it to the backend service, which uses it to retrieve user details (e.g. email) from the OAuth service.
  3. The backend service can do additional work with the user details (for example, link them with existing users).
  4. The backend service returns a JWT token to the mobile app, which ends the SSO.

The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).

The key point of this approach is that it avoids using the OAuth2 library in your backend services completely, because that part is now handled in the mobile app by the SSO provider's SDK.

The flow is summarized in the following drawing: Mobile SSO Flow

======== Edited:

We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.

Discussion is welcome.
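The four-step exchange described in the answer above, as an added stand-alone example that is not code from the original post. The answerer's backend was Spring Boot; this sketch is in Python so it runs offline with the standard library, and it simulates the provider's tokeninfo/userinfo endpoint with an in-memory dict (`FAKE_PROVIDER_TOKENS`), a user store (`USERS`), and hypothetical values for the app's client ID and the JWT signing key. It shows the two checks a backend doing this flow needs that the answer's step 2 leaves implicit: the backend derives the email from the provider's answer (never from a value the mobile app sends alongside the token), and it checks that the provider token was issued for this app's client ID, since a valid token issued to some other app is still a valid token and would otherwise log that app's users into your API. It then mints an HS256 JWT and shows the verification every later API call performs.

```python
"""
Mobile SSO flow: provider token -> backend verification -> backend-issued JWT.

Constructed example (not from the original post). The provider's tokeninfo /
userinfo endpoint is simulated by FAKE_PROVIDER_TOKENS so the code runs offline;
a real validate_provider_token() would call the provider over HTTPS instead.
"""
import base64
import hashlib
import hmac
import json
import time

# --- Backend configuration (hypothetical values) -----------------------------
OUR_CLIENT_ID = "com.example.mobileapp"           # this app's client ID at the provider
JWT_SECRET = b"replace-with-a-32-byte-random-key"  # HS256 key; load from a secret store in practice
JWT_TTL_SECONDS = 3600

# --- Simulated provider: token -> what its tokeninfo endpoint would answer ---
FAKE_PROVIDER_TOKENS = {
    "google": {
        "tok-good":       {"aud": OUR_CLIENT_ID, "exp": 2_000_000_000, "email": "alice@example.com", "email_verified": True},
        "tok-new":        {"aud": OUR_CLIENT_ID, "exp": 2_000_000_000, "email": "bob@example.com", "email_verified": True},
        "tok-wrong-aud":  {"aud": "com.attacker.otherapp", "exp": 2_000_000_000, "email": "alice@example.com", "email_verified": True},
        "tok-expired":    {"aud": OUR_CLIENT_ID, "exp": 1_000_000_000, "email": "alice@example.com", "email_verified": True},
        "tok-unverified": {"aud": OUR_CLIENT_ID, "exp": 2_000_000_000, "email": "mallory@example.com", "email_verified": False},
    }
}

# --- Simulated user store: email -> user record (alice already has a password login)
USERS = {"alice@example.com": {"id": 1, "email": "alice@example.com", "providers": ["password"]}}


class SsoError(Exception):
    pass


def validate_provider_token(provider, token, now):
    """Step 2: ask the provider who this token belongs to; return the email.

    Identity comes only from the provider's answer, and the token must have been
    issued for *this* app (aud) and still be valid.
    """
    info = FAKE_PROVIDER_TOKENS.get(provider, {}).get(token)
    if info is None:
        raise SsoError("provider rejected token")
    if info["aud"] != OUR_CLIENT_ID:
        raise SsoError("token not issued for this app")   # token-substitution defence
    if info["exp"] <= now:
        raise SsoError("token expired")
    if not info.get("email_verified", False):
        raise SsoError("provider has not verified this email")
    return info["email"]


def link_user(email, provider):
    """Step 3: link to the existing account with this email, or create one."""
    user = USERS.setdefault(email, {"id": len(USERS) + 1, "email": email, "providers": []})
    if provider not in user["providers"]:
        user["providers"].append(provider)
    return user


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(user, now):
    """Step 4: issue our own HS256 JWT; the app presents it on every API call."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": str(user["id"]), "email": user["email"], "iat": now, "exp": now + JWT_TTL_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, now):
    """Check signature (fixed algorithm, constant-time compare) and expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # reject alg=none / algorithm confusion
            raise SsoError("unexpected alg")
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url(expected), sig_b64):
            raise SsoError("bad signature")
        payload = json.loads(_b64url_decode(payload_b64))
        if payload["exp"] <= now:
            raise SsoError("JWT expired")
        return payload
    except (ValueError, KeyError, TypeError):
        raise SsoError("malformed JWT")


def sso_login(provider, provider_token, now=None):
    """Backend handler for the app's 'log me in with <provider>' request."""
    now = int(time.time()) if now is None else now
    try:
        email = validate_provider_token(provider, provider_token, now)
        return {"ok": True, "jwt": mint_jwt(link_user(email, provider), now)}
    except SsoError as e:
        return {"ok": False, "error": str(e)}


def authenticate_request(jwt_token, now):
    """Guard for a protected endpoint: (http_status, claims or error message)."""
    try:
        return 200, verify_jwt(jwt_token, now)
    except SsoError as e:
        return 401, str(e)


if __name__ == "__main__":
    resp = sso_login("google", "tok-good", now=1_700_000_000)
    print(resp)
    print(authenticate_request(resp["jwt"], 1_700_000_000))
    print(sso_login("google", "tok-wrong-aud", now=1_700_000_000))
```

The `aud` check is the part most often skipped when the mobile SDK hands you a plain access token rather than an ID token: for providers whose tokeninfo response does not include an audience, prefer the provider's ID token (which carries `aud`) or a server-side exchange, so the backend can tell that the token was minted for your app and not merely for some app.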