Spring Social: For the New Web of APIs

Transcription

1 Spring Social: For the New Web of APIs Craig Walls - #springsocial 2011 SpringOne 2GX All rights reserved. Do not distribute without permission.

2 Agenda Socializing Your Applications Securing the Social Web Introducing Spring Social Demo Contributing to Spring Social Q & A 2

3 Socializing Your Applications SpringOne 2GX All rights reserved. Do not distribute without permission.

4 The Web is Social 800 million Facebook users Expected to reach 1 billion by million active Twitter users 200 million Twitter readers Nearly 4 in 5 active internet users visit social networks and blogs Opportunities Build/reenforce brand loyalty Listen for and react to customer opinion Drive qualified traffic to your site/product Enhance user experience 4

5 APIs Everywhere! Most service providers have a REST API Varying APIs Different concepts Different resource URLs Different formats (JSON, XML) Different error handling Most APIs secured with OAuth 5

6 Example: Searching Twitter 6

7 Example: Fetch a Facebook Profile Facebook Graph API in a nutshell: ID} ID}/{connection} 7

8 Example: Posting a Tweet Using Spring s RestTemplate: Uh-Oh! RestTemplate rest = new RestTemplate(); MultiValueMap<String, Object> tweetparams = new LinkedMultiValueMap<String, Object>(); tweetparams.add("status", "Hello from #springone2gx2011!"); rest.postforobject( " tweetparams, String.class); WARNING: POST request for " resulted in 401 (Unauthorized); invoking error handler org.springframework.web.client.httpclienterrorexception: 401 Unauthorized! at org.springframework.web.client.defaultresponseerrorhandler.handleerror(defaultresponseer rorhandler.java:75)! at org.springframework.web.client.resttemplate.handleresponseerror(resttemplate.java:486) 8

9 Securing the Social Web SpringOne 2GX All rights reserved. Do not distribute without permission.

10 OAuth Open standard for authorization The user is the security admin Whether to allow/deny access The scope of access Three versions of OAuth: OAuth 1.0 OAuth 1.0a OAuth 2 OAuth 2 is not final! 22 drafts of the specification 10

11 The OAuth 1 Dance A.Request an unauthorized request token B.Request token returned to consumer C.Redirect user to provider for authorization D.Authorization verifier returned to consumer (OAuth 1.0a) E.Exchange request token/verifier for access token F.Access token and secret returned to consumer G.Sign requests using access token to access API endpoints 11

12 Signing Requests in OAuth 1 Create a base string: Sort all query/form parameters Concatenate them, separated with & HTTP Method + & + URL + & + sorted parameters Encrypt the base string to create the signature HMAC-SHA1 is commonly supported Spec also allows for PLAINTEXT and RSA-SHA1 Add Authorization header to the request... Authorization: OAuth oauth_callback="oob", oauth_signature="cyajrkmsnvemfg71tqmbsfof6bu%3d", oauth_version="1.0", oauth_nonce=" ", oauth_signature_method="hmac-sha1", oauth_consumer_key="kqam0gipct2owetytlpsug", oauth_token=" st1sor9vkup65jaly2hfox8yqot0aa29jjvkrjsk", oauth_timestamp=" " 12

13 Introducing OAuth 2 Much simpler than OAuth 1.0/1.0a No concept of request token Leverages HTTPS No need to encrypt access token No signature or canonicalization of the request Simpler Authorization header Multiple grant types Scoped authorization Short-lived tokens, long-lived authorization Separate roles of authorization server and resource server 13

14 Authorization Code Grant Similar to OAuth 1.0a flow Starts with redirect to provider for authorization After authorization, redirects back to client with code query parameter Code is exchanged for access token Client is able to keep tokens confidential Commonly used for web apps connecting with providers 14

15 Implicit Grant Simplified authorization flow After authorization, redirects back to client with access token in fragment parameter Reduced round-trips Refresh token is not supported Commonly used by inbrowser JavaScript apps 15

16 Resource Owner Credentials Grant Directly exchanges user s credentials for an access token Useful where the client is well-trusted by the user and where a browser redirect would be awkward Commonly used with mobile apps 16

17 Client Credentials Grant Directly exchanges the client s credentials for an access token For accessing client-owned resources (no user involvement) 17

18 The OAuth 2 Authorization Header Much simpler than OAuth 1 Drafts Authorization: Bearer e139a950-2fc a2b572108c5 Differs across OAuth 2 drafts... Drafts Authorization: BEARER e139a950-2fc a2b572108c5 Draft 10 Authorization: OAuth e139a950-2fc a2b572108c5 Drafts 1-9 Authorization: Token token= e139a950-2fc a2b572108c5 18

19 Example: Facebook Profile Revisited 19

20 Example: Post a Tweet Revisited Using Spring s RestTemplate: RestTemplate rest = new RestTemplate(); HttpHeaders headers = new HttpHeaders(); String authorizationheader =...; // Create the header...somehow headers.add("authorization", authorizationheader); MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>(); parameters.set("status", "Hello from #springone2gx2011!"); HttpEntity<MultiValueMap<String, String>> requestentity = new HttpEntity<MultiValueMap<String, String>>(parameters, headers); ResponseEntity<Tweet> response = rest.exchange( " HttpMethod.POST, requestentity, Tweet.class); 20

21 Introducing Spring Social SpringOne 2GX All rights reserved. Do not distribute without permission.

22 API Challenges Differing APIs Different approaches endpoint URL Binding JSON/XML responses to Java objects Inconsistency in error handling Multiple versions and drafts of OAuth Signing requests for OAuth Especially challenging with OAuth 1 Long-term storage of access tokens 22

23 Spring Social Extension to Spring Framework to enable connectivity with Software-as-a-Service providers Features... An extensible connection framework A connect controller Java API bindings A sign-in controller 23

24 Spring Social Projects Spring Social Core Spring Social Facebook Spring Social Twitter Spring Social LinkedIn Spring Social TripIt Spring Social GitHub Spring Social Gowalla Spring Social Samples Includes Showcase, Quickstart, Movies, Canvas, Twitter4J, Popup 24

25 Spring Social s Key Components Connection Factories Creates connections; Handles back-end of authorization flow Connect Controller Orchestrates the web-based connection flow Connection Repository Persists connections for long-term use Connection Factory Locator Used by connect controller and connection repository to find connection factories API Bindings Perform requests to APIs, binding to domain objects, error-handling Provider Sign-In Controller Signs a user into an application based on an existing connection 25

26 Key Steps to Socializing an Application Configure Spring Social beans Connection Factory Locator and Connection Factories Connection Repository Connect Controller API Bindings Create connection status views Inject/use API bindings 26

27 proxymode=scopedproxymode.interfaces) public ConnectionFactoryLocator connectionfactorylocator() { ConnectionFactoryRegistry registry = new ConnectionFactoryRegistry(); registry.addconnectionfactory( new TwitterConnectionFactory( environment.getproperty("twitter.consumerkey"), environment.getproperty("twitter.consumersecret"))); registry.addconnectionfactory( new FacebookConnectionFactory( environment.getproperty("facebook.clientid"), environment.getproperty("facebook.clientsecret"))); } return registry; 27

28 Configuration: proxymode=scopedproxymode.interfaces)! public ConnectionRepository connectionrepository() { Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication == null) { throw new IllegalStateException( "Unable to get a ConnectionRepository: no user signed in"); } return usersconnectionrepository().createconnectionrepository( proxymode=scopedproxymode.interfaces) public UsersConnectionRepository usersconnectionrepository() { return new JdbcUsersConnectionRepository( datasource, connectionfactorylocator(), Encryptors.noOpText()); } 28

29 Configuration: public ConnectController connectcontroller() { return new ConnectController(connectionFactoryLocator(), connectionrepository()); } 29

30 Configuration: proxymode=scopedproxymode.interfaces)! public Facebook facebook() { Connection<Facebook> facebook = connectionrepository().findprimaryconnection(facebook.class); return facebook!= null? facebook.getapi() : new proxymode=scopedproxymode.interfaces)! public Twitter twitter() { Connection<Twitter> twitter = connectionrepository().findprimaryconnection(twitter.class); return twitter!= null? twitter.getapi() : new TwitterTemplate(); } 30

31 Injecting and Using the API public class TwitterTimelineController {! private final Twitter public TwitterTimelineController(Twitter twitter) {!! this.twitter = twitter;! method=requestmethod.post)! public String posttweet(string message) {!! twitter.timelineoperations().updatestatus(message);!! return "redirect:/twitter";! } 31

32 ConnectController Endpoints GET /connect Displays connection status for all providers GET /connect/{provider} Displays connection status for a given provider POST /connect/{provider} Initiates the authorization flow, redirecting to the provider GET /connect/{provider}?oauth_token={token} Handles an OAuth 1 callback GET /connect/{provider}?code={authorization code} Handles an OAuth 2 callback DELETE /connect/{provider} Removes all connections for a user to the given provider DELETE /connect/{provider}/{provider user ID} Removes a specific connection for the user to the given provider 32

33 ConnectController Flow Your Application GET /connect/{provider ID} ConnectController Service Provider (Twitter, Facebook, etc) Display connection status page 33

34 ConnectController Flow Your Application POST /connect/{provider ID} ConnectController Service Provider (Twitter, Facebook, etc) Initiate connection flow 33

35 ConnectController Flow Your Application ConnectController Service Provider (Twitter, Facebook, etc) Fetch request token (OAuth 1.0/1.0a only) 33

36 ConnectController Flow Your Application ConnectController Service Provider (Twitter, Facebook, etc) Redirect browser to provider s authorization page 33

37 ConnectController Flow Your Application ConnectController Service Provider (Twitter, Facebook, etc) Redirect browser to provider s authorization page 33

38 ConnectController Flow Your Application GET /connect/{provider ID}?oauth_token={token} GET /connect/{provider ID}?code={code} ConnectController Service Provider (Twitter, Facebook, etc) Provider redirects to callback URL 33

39 ConnectController Flow Your Application ConnectController Service Provider (Twitter, Facebook, etc) Exchange request token and/or code for access token 33

40 ConnectController Flow Your Application ConnectController Service Provider (Twitter, Facebook, etc) Application can make API calls via API binding 33

41 Connection Status Page View <form action="<c:url value="/connect/twitter" />" method="post"> <div class="forminfo"> <p> You haven't created any connections with Twitter yet. Click the button to connect with your Twitter account. </p> </div> <p> <button type="submit"> <img src="<c:url value="/resources/social/twitter/connect-with-twitter.png" />"/> </button> </p> </form> 34

42 Provider Sign In A convenience for users Enables authentication to an app using their connection as credentials Implemented with ProviderSignInController Works consistently with any provider 35

43 Configuration: ProviderSignInController Performs a similar flow as ConnectController Compares connections (by user ID) If there s a match, the user is signed into the application Otherwise, the user is sent to signup page Connection is be established after public ProviderSignInController providersignincontroller( RequestCache requestcache) { return new ProviderSignInController(connectionFactoryLocator(), usersconnectionrepository(), new SimpleSignInAdapter(requestCache)); } 36

44 ProviderSignInController Endpoints POST /signin/{provider} Initiates the authorization flow, redirecting to the provider GET /signin/{provider}?oauth_token={token} Handles an OAuth 1 callback GET /signin/{provider}?code={authorization code} Handles an OAuth 2 callback GET /signin Handles a callback when no oauth token or code is sent Likely indicates that the user declined authorization 37

45 Demo Spring Social Showcase SpringOne 2GX All rights reserved. Do not distribute without permission.

46 Contributing to Spring Social SpringOne 2GX All rights reserved. Do not distribute without permission.

47 Spring Social is a Social Open-Source Project You re invited to join in! Discuss in the forum Suggest improvements and report bugs Core: Facebook: Twitter: LinkedIn: TripIt: GitHub: Gowalla: Contribute improvements and fixes Create new service provider modules 40

48 Contributing Improvements and Bug Fixes Spring Social is on GitHub! Basic Steps: Fork the project Make your changes Submit a pull request 41

49 Creating a New Provider Module Create the 4 Components of Provider Connectivity: An API Binding A Service Provider An API Adapter A Connection Factory 42

50 API Binding Design Guidelines Separate binding interface from implementation Organize API hierarchically public interface Twitter extends ApiBinding { DirectMessageOperations directmessageoperations(); FriendOperations friendoperations(); GeoOperations geooperations(); ListOperations listoperations(); public interface DirectMessageOperations { SearchOperations searchoperations(); List<DirectMessage> getdirectmessagesreceived(); TimelineOperations timelineoperations(); List<DirectMessage> getdirectmessagessent(); UserOperations useroperations(); void senddirectmessage(string toscreenname, String text); } void senddirectmessage(long touserid, String text); void deletedirectmessage(long messageid); } 43

51 API Binding Implementation Support May extend AbstractOAuth1Binding or AbstractOAuth2Binding public class TwitterTemplate extends AbstractOAuth1ApiBinding { public TwitterTemplate(String consumerkey, String consumersecret, String accesstoken, String accesstokensecret) { super(consumerkey, consumersecret, accesstoken, accesstokensecret); } } Call getresttemplate() when implementing API calls public TwitterProfile getuserprofile() { return getresttemplate().getforobject( builduri("account/verify_credentials.json"), TwitterProfile.class); } 44

52 Service Provider Allows users to authorize with the remote provider public final class TwitterServiceProvider extends AbstractOAuth1ServiceProvider<Twitter> { } public TwitterServiceProvider(String consumerkey, String consumersecret) { super(consumerkey, consumersecret, new OAuth1Template( consumerkey, consumersecret, " " " " } public Twitter getapi(string accesstoken, String secret) { return new TwitterTemplate(getConsumerKey(), getconsumersecret(), accesstoken, secret); } 45

53 API Adapter Maps provider s native API onto Spring Social s connection model public class TwitterAdapter implements ApiAdapter<Twitter> { public boolean test(twitter twitter) {... } public void setconnectionvalues(twitter twitter, ConnectionValues values) {... } public UserProfile fetchuserprofile(twitter twitter) {... } public void updatestatus(twitter twitter, String message) {... } } 46

54 API Adapter Maps provider s native API onto Spring Social s connection model public class TwitterAdapter implements ApiAdapter<Twitter> { } public boolean test(twitter twitter) { try { twitter.useroperations().getuserprofile(); return true; } catch (ApiException e) { return false; } } public void setconnectionvalues(twitter twitter, ConnectionValues values) {... } public UserProfile fetchuserprofile(twitter twitter) {... } public void updatestatus(twitter twitter, String message) {... } 47

55 API Adapter Maps provider s native API onto Spring Social s connection model public class TwitterAdapter implements ApiAdapter<Twitter> { } public boolean test(twitter twitter) {... } public void setconnectionvalues(twitter twitter, ConnectionValues values) { TwitterProfile profile = twitter.useroperations().getuserprofile(); values.setprovideruserid(long.tostring(profile.getid())); values.setdisplayname("@" + profile.getscreenname()); values.setprofileurl(profile.getprofileurl()); values.setimageurl(profile.getprofileimageurl()); } public UserProfile fetchuserprofile(twitter twitter) {... } public void updatestatus(twitter twitter, String message) {... } 48

56 API Adapter Maps provider s native API onto Spring Social s connection model public class TwitterAdapter implements ApiAdapter<Twitter> { } public boolean test(twitter twitter) {... } public void setconnectionvalues(twitter twitter, ConnectionValues values) {... } public UserProfile fetchuserprofile(twitter twitter) { TwitterProfile profile = twitter.useroperations().getuserprofile(); return new UserProfileBuilder().setName(profile.getName()).setUsername( profile.getscreenname()).build(); } public void updatestatus(twitter twitter, String message) {... } 49

57 API Adapter Maps provider s native API onto Spring Social s connection model public class TwitterAdapter implements ApiAdapter<Twitter> { } public boolean test(twitter twitter) {... } public void setconnectionvalues(twitter twitter, ConnectionValues values) {... } public UserProfile fetchuserprofile(twitter twitter) {... } public void updatestatus(twitter twitter, String message) { twitter.timelineoperations().updatestatus(message);! } 50

58 Connection Factory Brings together the Service Provider, API Binding, and API Adapter public class TwitterConnectionFactory extends OAuth1ConnectionFactory<Facebook> { public TwitterConnectionFactory(String consumerkey, String consumersecret) { super("twitter", new TwitterServiceProvider(consumerKey, consumersecret), new TwitterAdapter()); } Provider ID } Connection factory can be used on its own or configured into a connection factory locator 51

59 Community Contributions Spring Social Foursquare Spring Social Instagram Spring Social Yammer Spring Social Google Spring Social Dropbox 52

60 Community Contributions (continued) Spring Social Viadeo Spring Social Vkontakte (VK) Spring Social/Spring Security Module Spring Social Grails Plugin Spring Social??? 53

61 Q&A SpringOne 2GX All rights reserved. Do not distribute without permission.