Java
mickydev, 2021-08-15 13:26:34

How to properly implement authorization in Spring Rest for mobile and web applications?

Guys please help me.

I'm trying to build a REST API in Java, where the clients will be mobile applications (Android, iOS) and a web application.

And so, I need to implement authorization: native and via social networks (Google, Facebook, VK and possibly Apple ID).

The problem is the following: I do not quite know how to properly implement REST authorization for mobile and web applications.
I have already re-read almost everything, but nothing has cleared up
(or maybe I just got more confused; initially I thought just JWT instead of sessions and that's it).

What I learned:
1. Use single sign-on (SSO) technology.
2. To implement authorization for mobile and web applications, you need to use OAuth2. Hence, Authorization Server, Resource Server and Client.
3. Instead of sessions, JWT tokens.

I chose the following tools:
Spring Security + Spring Authorization Server + Hibernate + MySQL

But when I started putting it together I ran into a problem: mobile applications are a public client,
i.e. they use Authorization Code + PKCE, but there are no examples of implementations.

I read that there is such a thing as Keycloak.
But I'm not sure it suits me.
Somewhere in the comments I read that it is not quite suitable for saving users to your own database.

Please tell me how to properly implement authorization in REST for mobile and web applications.
And in general, am I on the right track?

And what would be more suitable for my project: Keycloak? Ory Hydra?

I'm new to REST and haven't worked with it before, and I've only recently learned about OAuth.

I will be grateful)

1 answer(s)
shalomman, 2021-08-18

You've made things a lot more difficult. For logins with social networks, you do not need to install your own authorization server, since in this case the authorization server is just the social network. It is enough to use any OAuth library on your backend or implement the protocol yourself. For example spring-security if you work with Spring.
Once a person is authorized, you need to manage his session. On a mobile app, JWT would be a good way to go; on the web it's better to use cookies, but JWT is fine too.
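As an added illustration of the answer above (this is example code, not code from the question, the answer, or the Spring project): one Spring Security configuration that treats the two client types differently, as shalomman suggests. The mobile apps hit `/api/**` with a bearer JWT and get no session or cookie; the browser app logs in through a social provider with `oauth2Login()` and is then tracked by a server-side session cookie, with CSRF protection left on. The custom user service is the piece that saves social users into your own database, which is the concern raised about Keycloak in the question. Assumed: Spring Boot 2.5 / Spring Security 5.5 with the oauth2-client, oauth2-resource-server and Spring Data JPA starters; the `AppUser` entity, `UserRepository`, the package name and the `issuer-uri` property value are made up for this example, and the thing that issues the mobile JWTs (the provider or your own token endpoint) is assumed to exist outside this snippet.

```java
// Added example, not from the question or answer. Assumptions: Spring Boot 2.5 /
// Spring Security 5.5; spring-boot-starter-oauth2-client,
// spring-boot-starter-oauth2-resource-server and Spring Data JPA on the classpath.
// AppUser, UserRepository and the package name are invented for this example.
package example.security;

import java.util.Optional;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: the REST API used by the mobile apps. No cookies and no session:
    // every request must carry "Authorization: Bearer <JWT>", and Spring checks
    // signature and expiry against the issuer configured in application.yml
    // (spring.security.oauth2.resourceserver.jwt.issuer-uri, assumed to point
    // at whatever issues the mobile tokens).
    @Bean
    @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**")
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()) // acceptable only because /api never accepts cookie auth
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt());
        return http.build();
    }

    // Chain 2: the browser web app. Social login via oauth2Login(), after which
    // the user is tracked by a session cookie. CSRF protection stays enabled
    // because cookie-based authentication is exactly what CSRF exploits.
    @Bean
    @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http, PersistingOAuth2UserService users) throws Exception {
        http.authorizeRequests(a -> a
                .antMatchers("/", "/login/**", "/oauth2/**", "/error").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .userInfoEndpoint(ui -> ui.userService(users)))
            .logout(l -> l.logoutSuccessUrl("/"));
        return http.build();
    }
}

// Invoked by Spring once the social provider has authenticated the user. This is
// where "save users to your own database" happens, with no separate authorization
// server involved. Google logs in over OpenID Connect and goes through
// OidcUserService instead; subclass that the same way for OIDC providers.
@Service
class PersistingOAuth2UserService extends DefaultOAuth2UserService {
    private final UserRepository repo;

    PersistingOAuth2UserService(UserRepository repo) { this.repo = repo; }

    @Override
    public OAuth2User loadUser(OAuth2UserRequest request) throws OAuth2AuthenticationException {
        OAuth2User user = super.loadUser(request);
        String provider = request.getClientRegistration().getRegistrationId(); // e.g. "facebook"
        String subject = user.getName(); // the provider's stable user id (user-name-attribute)
        // Key on provider + subject, never on e-mail alone: not every provider
        // verifies e-mail addresses, so matching by e-mail would let one social
        // account be linked to a local account that merely claims the same address.
        repo.findByProviderAndSubject(provider, subject)
            .orElseGet(() -> repo.save(new AppUser(provider, subject, user.getAttribute("email"))));
        return user;
    }
}

// Hypothetical persistence layer for the example.
interface UserRepository extends JpaRepository<AppUser, Long> {
    Optional<AppUser> findByProviderAndSubject(String provider, String subject);
}

@Entity
class AppUser {
    @Id @GeneratedValue Long id;
    String provider;
    String subject;
    String email;

    protected AppUser() {}
    AppUser(String provider, String subject, String email) {
        this.provider = provider; this.subject = subject; this.email = email;
    }
}
```

The two `SecurityFilterChain` beans are the key design choice: the API chain is matched first and is fully stateless, so a stolen session cookie is useless against `/api/**`, while the web chain keeps Spring's default CSRF token because it does rely on cookies. Provider client ids and secrets go under `spring.security.oauth2.client.registration.<provider>` in `application.yml`, not in code.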
