2

I have a Spring Boot application as a backend and an Angular 6 front end. They work great separately, and I used this guide as a starting point. I am now getting to the point where I want to use external OAuth to authenticate my users to get access to some of their WoW Character data.

I have a decent idea on how to restrict access to the backend with OAuth as Spring Security makes that pretty easy. What I am struggling with, is if my users are authenticated + authorized to access character A, how do I handle this on the front end and the back end?

Since Angular is handling the routing for the HTML pages, and those HTML pages call my back end, I'm not sure how to extend the authorization to Angular. I can show code, but I think this is more of a conceptual problem than a code problem.

Improve this question
3
  • What OAuth provider do you plan to use? What Angular OAuth library are you using , if any at all? You have JWT or just bare tokens? Which OAuth flow do you plan to use? Using one of the concepts is not a big deal, but it depends a bit on your details. Commented Dec 22, 2018 at 21:51
  • I'm basically just authenticating off of Blizzard's OAuth. I don't have anything picked out on the Angular side, so I guess that's what I am asking... Do I need a separate OAuth library for Angular and for Spring? Commented Dec 22, 2018 at 21:54
  • Yes, of course. Angular has no idea what Spring is :) Anyway. I can try to show an example, wait for the answer. Commented Dec 22, 2018 at 22:05

1 Answer 1

Reset to default
5

You need to give your frontend code some OAuth love. E.g this is a good library (I use it), but YMMW.

Now, the long answer:

OAuth spec defines several different "flows", and the one commonly used for client-side applications is the implicit flow. What that means is, if you wanna go vanilla, implement this yourself, you need to do something like this:

  1. On page load: check for the URL state. If a token & data are found, store them in sessionStorage.
  2. If no token in the URL, check for sessionStorage for tokens.
  3. Every HTTP request to your backend, you append the accessToken in the headers.
  4. For log in/log out, you need to redirect the user to OAuth server with a specifically crafted URL and params.

Now the longer answer:

  1. On page load, check if you have some state in, say, sessionStorage. Like, a saved accessToken or something like that. (Not exactly, but read on).
  2. If yes, you may want to validate this token at the OAuth server (sometimes you'd also save the expiration timestamp in storage, you can check that one too).
  3. On any Http request to backend, you append this token (accessToken or sometimes id_token, or it may be a jwt, bearer, whatever, let's just say token) to the headers of every request. Usually it's something like a Authentication header, with the value Bearer ${ token }.
    • Backend can now check this token, and if valid, return your data, if invalid or missing, it returns 401. (It can also do a redirect to the auth server, but please don't do that).
  4. If there is no token on page load, you might indicate this to the user. Like, ask them to log in.
  5. This login button would redirect the user to OAuth login page. They go away from your page. It's a specially crafted URL, giving your app data, like http://server/auth/your-app-name?clientId=your-client-id&redirectUrl=http://your-angular-page/where-you-wanna-land. How exactly this looks like, depends from server to server, implementation to implementation.
    • Now the user landed on their login page, gives his username/password/permissions etc (or if they're already logged in there, mgiht redirect back right away). After they log in and give your app permission, the auth server redirects the user back.
  6. Now you're back at step 1. But instead of checking for sessionStorage, you first want to check the URL. Because the url will look like: http://your-angular-page/your-route?accessToken=<some_token>&... and other similar things. Now you read the accessToken and store it locally and you're done.
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Wow! This helps out a lot. I'll give all this info a shot, thank you!!
I had a quick question @Zlatko, the Battle.Net/Blizzard OAuth API returns an auth code. Is this the code I'd use to pass between the front end/back end?
Hmm, depends on what they use - might be that that's the access token you need. Alternatively the code is now used to get an actual token. Don't ask, I know it's complicated. That is why it is best to simply use something like the library that I've linked to, handles all the crap for you.
So it actually looks like it's a bit more confusing. It seems that the angular-oauth2-oidc library doesn't handle such a flow. Blizzard also doesn't recommend using the code flow on the client due to client ID and secret sharing. However, now I'm lost as to how the server is going to tell the client to show the Battle.Net login page, if its the server invoking the OAuth API?
Nonono, the lib supports implicit flow. Which is where you just redir3ect the user to blizard to auth, and get back a token.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.