We had suggestions to use the LinkedIn developer APIs to provide Single-Sign-On functionality. The following is a summary of my research on the subject:
Spring Boot provides the dependency spring-boot-starter-social-linkedin to autoconfigure LinkedIn. Using the dependency with spring-security we can provide users with authorized access to the application. Below is a brief guide on how to implement the application:
A login API will be created. When a request is made to this API, 2 outcomes can be expected:
If the user has a connected LinkedIn profile: the user will be logged in and a session will be created.
If not, the user will be redirected to connect their LinkedIn account. After connecting, the user's profile data will be persisted in the database.
Spring Social Provider is so awesome that it will handle all the OAuth 2.0 callbacks, authorization, and token requests.
Extra note:
By following the above approach we are able to remove the linkedin_url from the ER and class diagrams.
No, since we decided to have LinkedIn as the CV for users, it's a must to have a LinkedIn account. So we decided it will be OK to provide just the LinkedIn sign-in.
Yeah, and Spring Boot provides spring-boot-starter-social dependencies for Facebook and Twitter, so we can implement support for those platforms easily.
And I think it's possible to provide support for other platforms as well (Google, etc.), but I need to do some research on this.
There are a few major changes that should be noted on the above PR.
Unfortunately, I couldn't use the quoted dependency, as it's been deprecated since the end of 2019 [1]. So as a solution I used spring-boot-starter-security with spring-security-oauth2-client [2].
This way we will be able to provide log-in using any provider that supports OAuth or OpenID (Facebook, GitHub, Google, etc.).
The above PR only covers authenticating users against LinkedIn OAuth. I will be making a separate PR for the issue below: Requirements: JPA entities have to be completed.
@DevTeam please send me your LinkedIn accounts to add you to the SEF application.
For the current sprint, I am assigned to continue this task. I'm doing the LinkedIn authentication part and meanwhile, @Gravewalker is continuing the Kubernetes integration.
@YohanAvishke and I had a discussion on the user authentication today.
Here are the main points we discussed.
This PR is merged now.
When a user goes to a page which needs authorization, it will redirect the user to the LinkedIn login page, and take them back to the same page after the user logs in and authorizes the app. An access token is created and kept in the session when a user logs in correctly. The token will be available for 2 months.
For testing and developing, the redirect URI has to be added to the Authorized redirect URLs list in the LinkedIn developer dashboard because it depends on the IP.
Good job @piumal1999 @Gravewalker, the DB issue you were facing is fixed now. And if there are any redirection failures, just add the IP to the list of secure links in https://www.linkedin.com/developers/apps/72779526/auth
Let us know how the tokens will be generated and handled in the gateway service. And if you face any issues, just contact me or @piumal1999
We discussed making several changes to the current auth-server module in order to get a working product.
In the current version, after a user logs in, he/she will be redirected to the previous page automatically by the Spring Boot default configuration. So we can't just use it as it is, because we need to integrate it with the app module.
So we discussed removing the automatic redirection. The app module will be used as the resource server and the auth-server will be used as the authentication server. So every request from the frontend should go through the auth-server. (The app module should not be accessible directly.)
And the permissions for each endpoint have to be set in the security configuration of the auth-server.
Example:
An endpoint we already use in the backend and frontend:
GET {app-module-ip}/admin/programs
In the app module, it won't change.
In the frontend, a prefix like /auth/ needs to be added to the endpoint. ({auth-server-ip}/auth/admin/programs)
In the auth-server we need to create a new controller for the /auth path, and add it to the security configuration as a path which needs authentication.
In that controller, it should extract the URL (removing the prefix) and send an HTTP request with the relevant data to the app module.
Btw, I won't be available for a few weeks due to my exams. So @anjisvj @miluckshan-j could you also have a look at this.
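The /auth forwarding scheme described above, as an added Java example that is not the project's own auth-server code. It assumes Spring Boot 2.x with spring-boot-starter-security and spring-security-oauth2-client (Spring Security 5.4 or later for the SecurityFilterChain bean), a property app-module.base-url holding the app module's address (the {app-module-ip} above), a header name X-Authenticated-User for passing the caller's identity to the app module, and a role name ROLE_ADMIN; the property name, the header name, the role name and the class names are assumptions.

```java
package org.example.authserver; // assumed package name

import java.net.URI;
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/** Holder for the two pieces: security rules for /auth, and the controller that forwards under it. */
public class AuthGatewayExample {

    /** Everything under /auth needs a logged-in user; per-endpoint permissions live here, not in the app module. */
    @Configuration
    static class GatewaySecurityConfig {
        @Bean
        public SecurityFilterChain gatewayFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(auth -> auth
                    // ROLE_ADMIN is an assumed role; map it from your own user store after LinkedIn login.
                    .antMatchers("/auth/admin/**").hasRole("ADMIN")
                    .antMatchers("/auth/**").authenticated()
                    .anyRequest().permitAll())
                .oauth2Login(); // LinkedIn login via the client registration in application.yml
            return http.build();
        }
    }

    /** Strips the /auth prefix and replays the request against the app module. */
    @RestController
    @RequestMapping("/auth")
    static class ForwardingController {
        private static final String PREFIX = "/auth";
        private static final String USER_HEADER = "X-Authenticated-User"; // assumed header name

        private final String appModuleBaseUrl;
        private final RestTemplate rest = new RestTemplate();

        ForwardingController(@Value("${app-module.base-url}") String appModuleBaseUrl) {
            this.appModuleBaseUrl = appModuleBaseUrl;
            // Pass the app module's 4xx/5xx responses through unchanged instead of raising exceptions.
            rest.setErrorHandler(new DefaultResponseErrorHandler() {
                @Override
                public boolean hasError(ClientHttpResponse response) {
                    return false;
                }
            });
        }

        @RequestMapping("/**")
        public ResponseEntity<byte[]> forward(HttpServletRequest request,
                                              @RequestHeader HttpHeaders inbound,
                                              @RequestBody(required = false) byte[] body,
                                              @AuthenticationPrincipal OAuth2User user) {
            // /auth/admin/programs -> /admin/programs (the context path, if any, is dropped as well)
            String path = request.getRequestURI()
                    .substring(request.getContextPath().length() + PREFIX.length());
            URI target = UriComponentsBuilder.fromHttpUrl(appModuleBaseUrl)
                    .path(path)
                    .query(request.getQueryString()) // null is accepted and simply leaves the query empty
                    .build(true)                      // path and query are already encoded
                    .toUri();

            HttpHeaders outbound = new HttpHeaders();
            outbound.putAll(inbound);
            // Never forward the browser's session cookie to the app module; it identifies the caller
            // only from the header set below, which is why the app module must not be reachable directly.
            outbound.remove(HttpHeaders.COOKIE);
            // Hop-by-hop headers that RestTemplate recomputes for the outbound request.
            outbound.remove(HttpHeaders.HOST);
            outbound.remove(HttpHeaders.CONTENT_LENGTH);
            outbound.remove(HttpHeaders.TRANSFER_ENCODING);
            outbound.set(USER_HEADER, user.getName()); // LinkedIn id when user-name-attribute is "id"

            return rest.exchange(target, HttpMethod.valueOf(request.getMethod()),
                    new HttpEntity<>(body, outbound), byte[].class);
        }
    }
}
```

With this in place the frontend calls {auth-server-ip}/auth/admin/programs, the session cookie stays on the auth-server's domain, and the app module sees a plain request to /admin/programs carrying the caller's identity in a header it can only trust if it is reachable from the auth-server alone.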
Thanks for the update. I just entered the game! …and completed the 'invoker' functionality (the term that I forgot). I will try to finalize the login as well.
Hi everyone,
In the previous standup meetings, it was stated that there was an error in the /me endpoint when using it with the frontend (but it worked when calling it directly). As I can remember, the error was a 500 Internal Server Error with a null pointer exception. To reproduce it, I set up the backend and frontend on my local machine, but there it worked properly. I'll briefly tell how I set it up so you can try it and let me know if something is wrong.
Cloned both repos (master branches).
Replaced endpoint URLs in the frontend according to the backend because it's running on a different port (localhost:8080/ -> localhost:8080/api/).
Updated the resources/application.yml in the backend (client-id, client-secret, datasource details).
Deployed the frontend (port 3000) and the backend (port 8080).
Navigated to the homepage of the frontend (with CORS enabled).
Here, a 403 error occurs with the /me endpoint because a user hasn't logged in.
Navigated to the auth URL http://localhost:8080/oauth2/authorization/linkedin using a different tab and authenticated from LinkedIn (can link it with the sign up button). After logging in, it redirects to http://localhost:8080/. I think we have to change the redirection URI in the backend configuration to redirect it to the frontend.
Reloaded the home page.
There were no 500 errors.
So I couldn't reproduce that error. Maybe the error was due to some database errors. I used my previous database which had some sample data. Here's the profile generated when logging in. (I changed the image URL btw)
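An added Java example covering two points from this thread: the replacement of the deprecated social starter with spring-security-oauth2-client (the PR note above), and the local setup just described (frontend on port 3000, backend on 8080, 403 from /me before login, login started at /oauth2/authorization/linkedin, redirect to the frontend afterwards). It is not the project's own code. It assumes Spring Security 5.5 or later (ClientAuthenticationMethod.CLIENT_SECRET_POST; older 5.x names it POST), the property names linkedin.client-id, linkedin.client-secret and frontend.url, and the LinkedIn OAuth 2.0 endpoints and scopes shown in the comments; those property names and the class name are assumptions.

```java
package org.example.authserver; // assumed package name

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class LinkedInLoginConfig {

    /** Same registration that application.yml's spring.security.oauth2.client.* block would produce. */
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(
            @Value("${linkedin.client-id}") String clientId,          // assumed property names
            @Value("${linkedin.client-secret}") String clientSecret) {
        ClientRegistration linkedin = ClientRegistration.withRegistrationId("linkedin") // -> /oauth2/authorization/linkedin
                .clientId(clientId)
                .clientSecret(clientSecret)
                // LinkedIn expects client_id/client_secret in the token request body, not HTTP Basic auth
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Expands to http://localhost:8080/login/oauth2/code/linkedin; this exact value must be
                // in the app's Authorized redirect URLs list in the LinkedIn developer dashboard.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("r_liteprofile", "r_emailaddress")
                .authorizationUri("https://www.linkedin.com/oauth/v2/authorization")
                .tokenUri("https://www.linkedin.com/oauth/v2/accessToken")
                .userInfoUri("https://api.linkedin.com/v2/me")
                .userNameAttributeName("id") // Principal.getName() becomes the LinkedIn member id
                .clientName("LinkedIn")
                .build();
        return new InMemoryClientRegistrationRepository(linkedin);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           @Value("${frontend.url}") String frontendUrl) throws Exception {
        http
            .cors(Customizer.withDefaults()) // picks up the corsConfigurationSource bean below
            .authorizeRequests(auth -> auth
                .antMatchers("/me").authenticated()
                .anyRequest().permitAll())
            // Anonymous API calls get a bare 403 (what the frontend saw) instead of an HTML redirect;
            // the frontend starts login itself by sending the browser to /oauth2/authorization/linkedin.
            .exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.FORBIDDEN)))
            // Always land on the frontend after LinkedIn login instead of the backend root.
            .oauth2Login(o -> o.defaultSuccessUrl(frontendUrl, true));
        return http.build();
    }

    /** Lets the frontend origin call the backend with its session cookie attached. */
    @Bean
    public CorsConfigurationSource corsConfigurationSource(@Value("${frontend.url}") String frontendUrl) {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(Arrays.asList(frontendUrl)); // an explicit origin, never "*", when credentials are allowed
        cfg.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(Arrays.asList("*"));
        cfg.setAllowCredentials(true); // browser must use fetch(..., { credentials: "include" }) for JSESSIONID to travel
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }
}
```

The JSESSIONID cookie is still issued for the backend's host, so this arrangement works where frontend and backend share a host and differ only by port, as in the localhost steps above; when they sit on different domains the browser will not send that cookie to the backend, which is the situation the /auth forwarding approach discussed earlier is meant to handle.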
Good job @piumal1999, thanks for the update. I'll follow your steps and see if I can reproduce the error on my local instance. I'll give an update by the end of the day. If I find no errors, it means that we can simply deploy the app in 2 Heroku dynos, right?
Yeah @piumal1999 you were right, even I did the same thing and set up the project and it's working without any errors. @anjisvj @jaye what exactly was the error that you guys encountered the other day? If you guys can recall.
I checked it by deploying the frontend and backend using Heroku.
The session is created only in the backend when a user logs in through the authorization URI. So we have to find a way to pass the created session to the frontend domain.
(And, if we deploy the frontend and backend on different ports of the same domain, it will work properly, like we saw on localhost.)
Am I right? @YohanAvishke
I changed the redirection URI of the authentication service to redirect to the frontend after logging in. But it creates the JSESSIONID cookie in the backend itself before the redirection.
In most of the Stack Overflow threads I read, it was said that using the same domain with different ports, like we did on localhost, would fix the issue. But in Heroku, we can't open two ports. (But it is possible to create subdomains.)
Also I tried changing the cookie domain through the application.yml file. But it throws a 500 error with java.lang.IllegalArgumentException: An invalid domain [scholarx-frontend.herokuapp.com] was specified for this cookie
I think it doesn't provide the ability to create cookies in other domains.
Creating a cookie manually using a cookie editor plugin didn't solve the issue either.