
Callback Handlers

Explore how to implement OAuth2 callback handlers in JakartaEE applications. Learn to validate CSRF tokens, exchange authorization codes for access tokens, and manage user sessions. Discover how to integrate CDI beans to retrieve user data like Google Calendar events through secured requests. Gain practical knowledge by creating servlets, JSF pages, and configuring web filters essential for OAuth2 workflows.

We will continue working on the same OAuth2 example from the previous lesson.

Create a callback handler

Let’s go ahead and create CallbackServlet.java in the oauth2 Maven module, under src/main/java/be/rubus/workshop/oauth2:

Java
package be.rubus.security.workshop.oauth2;

import com.github.scribejava.core.model.OAuth2AccessToken;
import com.github.scribejava.core.oauth.OAuth20Service;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

@WebServlet(Constants.CALLBACK_SERVLET_PATH)
public class CallbackServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession();

        // The state we generated before redirecting to the provider; null if this
        // callback arrives without a prior login attempt in this session.
        Object originalCsrfToken = session.getAttribute(Constants.CSRF_TOKEN);
        String csrfToken = request.getParameter("state");
        if (originalCsrfToken == null || !originalCsrfToken.toString().equals(csrfToken)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token doesn't match");
            return; // Without this return the code exchange below would still run.
        }

        String code = request.getParameter("code"); // The authorization code
        OAuth20Service authService = AuthenticationFilter.getOAuthService();
        try {
            // Back-channel request to the provider: exchange the code for an access token.
            OAuth2AccessToken token = authService.getAccessToken(code);
            session.setAttribute(Constants.USER_TOKEN, token);
            String originalURL = session.getAttribute(Constants.ORIGINAL_URL).toString();
            // Redirect to the page the user originally requested.
            response.sendRedirect(originalURL);
        } catch (InterruptedException | ExecutionException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        }
    }
}

Explanation

  • Lines 1 and 2: We create the CallbackServlet.

  • Lines 25–31: In the doGet() method, we compare the state parameter of the callback against the CSRF token stored in the session and reject the request with 403 if they differ.

  • Lines 33–46: We exchange the authorization code for an access token (using the ScribeJava OAuth20Service), store the token in the session, and redirect to the page the user originally requested.
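To show where the state value that CallbackServlet compares comes from, here is an added example of the filter half of the exchange (it is not the course's own AuthenticationFilter from the previous lesson). It reuses the page's Constants.CSRF_TOKEN, Constants.ORIGINAL_URL, Constants.USER_TOKEN and AuthenticationFilter.getOAuthService(), and assumes Servlet 4.0 (default Filter.init()/destroy()) and a mapping to the protected pages only, not to the callback path.

```java
package be.rubus.security.workshop.oauth2;
import com.github.scribejava.core.oauth.OAuth20Service;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: the half of the exchange that runs before CallbackServlet.
// Assumed to be mapped (web.xml or @WebFilter) to the protected pages only.
public class StateIssuingFilter implements Filter {

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();

        // CallbackServlet stored a token: the user is logged in, let the request through.
        if (session.getAttribute(Constants.USER_TOKEN) != null) {
            chain.doFilter(req, res);
            return;
        }

        // 128 random bits from SecureRandom: the value is unguessable, so a forged
        // callback cannot pass the equals() check in CallbackServlet.
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);

        // Remember the state and where the user wanted to go; CallbackServlet reads both back.
        session.setAttribute(Constants.CSRF_TOKEN, state);
        session.setAttribute(Constants.ORIGINAL_URL, request.getRequestURI());

        // Send the browser to the provider with the state in the authorization request.
        OAuth20Service service = AuthenticationFilter.getOAuthService();
        response.sendRedirect(service.getAuthorizationUrl(state));
    }
}
```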

Create Bean to retrieve data

We create a CDI bean that can ...