Custom Spring OAuth2 Security with Spring Social Integration

I had a similar requirement to get the facebook access token and create my own JWT token by checking the facebook token on the server side.

I changed the project mentioned here: https://github.com/svlada/springboot-security-jwt

My settings are as follows (I assume you already have a facebook access token):

LoginRequest.java

 public class LoginRequest { private String token; @JsonCreator public LoginRequest(@JsonProperty("token") String token) { this.token = token; } public String getToken() { return token; } public void setToken(String token) { this.token = token; } } 

AjaxLoginProcessingFilter.java

 @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException { if (!HttpMethod.POST.name().equals(request.getMethod()) || !WebUtil.isAjax(request)) { if(logger.isDebugEnabled()) { logger.debug("Authentication method not supported. Request method: " + request.getMethod()); } throw new AuthMethodNotSupportedException("Authentication method not supported"); } LoginRequest loginRequest = objectMapper.readValue(request.getReader(), LoginRequest.class); if (StringUtils.isBlank(loginRequest.getToken())) { throw new AuthenticationServiceException("token not provided"); } UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(loginRequest.getToken(), null); return this.getAuthenticationManager().authenticate(token); } 

AjaxAuthenticationProvider.java

 @Component public class AjaxAuthenticationProvider implements AuthenticationProvider { @Autowired private BCryptPasswordEncoder encoder; @Autowired private DatabaseUserService userService; @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { Assert.notNull(authentication, "No authentication data provided"); String username = null; try { username = getUsername(authentication.getPrincipal()); } catch (UnsupportedOperationException e) { } catch (IOException e) { } //You can either register this user by fetching additional data from facebook or reject it. User user = userService.getByUsername(username).orElseThrow(() -> new UsernameNotFoundException("User not found")); if (user.getRoles() == null) throw new InsufficientAuthenticationException("User has no roles assigned"); List<GrantedAuthority> authorities = user.getRoles().stream() .map(authority -> new SimpleGrantedAuthority(authority.getRole().authority())) .collect(Collectors.toList()); UserContext userContext = UserContext.create(user.getUsername(), authorities); return new UsernamePasswordAuthenticationToken(userContext, null, userContext.getAuthorities()); } private String getUsername(Object principal) throws UnsupportedOperationException, IOException { HttpClient client = new DefaultHttpClient(); //I am just accessing the details. You can debug whether this token was granted against your app. HttpGet get = new HttpGet("https://graph.facebook.com/me?access_token=" + principal.toString()); HttpResponse response = client.execute(get); BufferedReader rd = new BufferedReader(new InputStreamReader(response.getEntity().getContent())); StringBuffer result = new StringBuffer(); String line = ""; while ((line = rd.readLine()) != null) { result.append(line); } JSONObject o = new JSONObject(result.toString()); //This is just for demo. You should use id or some other unique field. String username = o.getString("first_name"); return username; } @Override public boolean supports(Class<?> authentication) { return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)); } } 

In addition, I also had to add a custom BeanPostProcessor to override the default behavior of UsernamePasswordAuthenticationFilter, to accept only a token as a field instead of a username and password.

UserPassAuthFilterBeanPostProcessor.java

Public class UserPassAuthFilterBeanPostProcessor implements BeanPostProcessor {

 private String usernameParameter; private String passwordParameter; @Override public final Object postProcessAfterInitialization(final Object bean, final String beanName) { return bean; } @Override public final Object postProcessBeforeInitialization(final Object bean, final String beanName) { if (bean instanceof UsernamePasswordAuthenticationFilter) { final UsernamePasswordAuthenticationFilter filter = (UsernamePasswordAuthenticationFilter) bean; filter.setUsernameParameter(getUsernameParameter()); filter.setPasswordParameter(getPasswordParameter()); } return bean; } public final void setUsernameParameter(final String usernameParameter) { this.usernameParameter = usernameParameter; } public final String getUsernameParameter() { return usernameParameter; } public final void setPasswordParameter(final String passwordParameter) { this.passwordParameter = passwordParameter; } public final String getPasswordParameter() { return passwordParameter; } 

Configuration:

 @Bean public UserPassAuthFilterBeanPostProcessor userPassAuthFilterBeanPostProcessor(){ UserPassAuthFilterBeanPostProcessor bean = new UserPassAuthFilterBeanPostProcessor(); bean.setUsernameParameter("token"); bean.setPasswordParameter(null); return bean; }