This library is a single file which makes using OAuth 2.0 from Java very easy.
For simplicity, these examples set the client secret. Keep in mind that embedding the client secret has security implications, though it still makes sense for some scenarios.
Create the OAuth instance:
OAuthoauth = newOAuth("slack", "yourClientID", "yourRedirectURL", "https://slack.com/oauth/authorize", // authorize URL"https://slack.com/api/oauth.access", // access token URL"dnd:write", // scopes (for "do not disturb")4); // concurrent HTTP requestsoauth.setClientSecret("yourClientSecret"); // Note security implications below.Create/load and initialize a Token instance:
Tokentoken = ... // Load token from disk.if (oauth.authorize(token)){// Save token to disk. }Finally, use the access token to make requests:
// Slack access tokens never expire, so just use the access token.HttpGetrequest = newHttpGet("https://slack.com/api/dnd.setSnooze?num_minutes=60"); request.setHeader("Authorization", "Bearer " + token.accessToken); httpRequest(request);oauth = newOAuth("spotify", "yourClientID", "yourRedirectURL", "https://accounts.spotify.com/authorize", // authorize URL"https://accounts.spotify.com/api/token", // access token URL"user-modify-playback-state", // scopes4); // concurrent HTTP requestsoauth.setClientSecret("yourClientSecret"); // Note security implications below. ... Tokentoken = ... // Load token from disk.if (oauth.authorize(token)){// Save token to disk. } ... // Spotify access tokens expire, so call refreshAccessToken just before using the access token.privatebooleanrefreshToken (){returnswitch (oauth.refreshAccessToken(state.token)){casevalid -> true; // Hasn't expired yet.caserefreshed ->{// Save refreshed token to disk. yield true} caserevoked ->{// Need to authorize again.if (oauth.authorize(token)){// Save new token to disk. yield true} yield false} casefailed -> false}} if (refreshToken()){HttpPutrequest = newHttpPut("https://api.spotify.com/v1/me/player/play"); request.setHeader("Authorization", "Bearer " + accessToken); httpRequest(request)}oauth = newOAuth("google", "yourClientID", "urn:ietf:wg:oauth:2.0:oob", // redirect URL"https://accounts.google.com/o/oauth2/v2/auth", // authorize URL"https://www.googleapis.com/oauth2/v4/token", // access token URL"https://www.googleapis.com/auth/assistant-sdk-prototype", // scopes (for Google Assistant)4); // concurrent HTTP requestsoauth.setClientSecret("yourClientSecret"); // Note security implications below. ... Tokentoken = ... // Load token from disk.if (oauth.authorize(token)){// Save token to disk. } ... EmbeddedAssistantGrpc.EmbeddedAssistantStubclient; client = EmbeddedAssistantGrpc.newStub(ManagedChannelBuilder.forAddress("embeddedassistant.googleapis.com", 443).build()); if (refreshToken()){// From above.// Google's stuff to set the access token.OAuth2Credentialscredentials = newOAuth2Credentials(newAccessToken(accessToken, newDate(expirationTime))); client = client.withCallCredentials(MoreCallCredentials.from(credentials)); // Google's stuff to use the Google Assistant API.StreamObserver<ConverseResponse> observer = ... client.converse(observer)}The examples above embed the client secret in the application, which only makes sense if the application is used in a secure enviroment. For example, when the client secret is owned by the user running the application and the application containing the client secret is not distributed to others. Otherwise, the client secret can be extracted and used to impersonate the application.
If a client secret has been set, the default implementation opens the specified URL in a browser and prompts the user to paste the authorization code at the command line. Next the authorization code and client secret are used to obtain an access token, which is ready for the application to use.
If a client secret has not been set, then the obtainAuthorizationCode method must be overridden:
oauth = newOAuth("someService", "yourClientID", "yourRedirectURL", "serviceAuthorizeURL", "serviceAccessTokenURL", "serviceScopes", 4 ){protectedvoidobtainAuthorizationCode (StringauthorizationUrl) throwsIOException{// your code here } }The obtainAuthorizationCode method should have the user visit the specified url and allow access. Then the user is forwarded with a one-time use authorization code to yourRedirectURL, which is your web service that uses the authorization code to obtain an access token, refresh token, and expiration milliseconds. The application should retrieve those from your web service and set the corresponding 3 fields on the specified token. The web service should only give the access token to authenticated users.
The web service obtains the access token, refresh token, and expiration milliseconds by doing an HTTP POST to serviceAccessTokenURL with a POST body of:
code=usersAuthorizationCode&redirect_uri=yourRedirectURL&client_id=yourClientID&client_secret=yourClientSecret&grant_type=authorization_code Obtaining the access token requires your client secret which is only accessible to your web service, ensuring only your app can approve access. Your web service ensures the client secret is not leaked and only gives an access token to users it has authenticated.
JsonBeans is used by the OAuth class and makes it easy to save/load the Token instance:
Filefile = ... Jsonjson = newJson(); Tokentoken = file.exists() ? json.fromJson(Token.class, file) : newToken(); if (oauth.authorize(token)){json.toJson(token, newFileWriter(file))}Most of the examples above use Apache HttpClient, which the OAuth class depends on. Here is the httpRequest method:
intconnectionPoolSize = 4; PoolingHttpClientConnectionManagerconnectionManager = newPoolingHttpClientConnectionManager(); connectionManager.setMaxTotal(connectionPoolSize); connectionManager.setDefaultMaxPerRoute(connectionPoolSize); CloseableHttpClienthttpClient = HttpClients.custom().setConnectionManager(connectionManager).build(); ... publicStringhttpRequest (HttpUriRequestrequest) throwsIOException{HttpEntityentity = null; try (CloseableHttpResponseresponse = httpClient.execute(request)){Stringbody = ""; entity = response.getEntity(); if (entity != null){InputStreaminput = entity.getContent(); if (input != null){try (Scannerscanner = newScanner(input, "UTF-8").useDelimiter("\\A")){if (scanner.hasNext()) body = scanner.next().trim()} } } intstatus = response.getStatusLine().getStatusCode(); if (status < 200 || status >= 300) thrownewIOException(response.getStatusLine().toString() + (body.length() > 0 ? "\n" + body : "")); returnbody} finally{if (entity != null) EntityUtils.consumeQuietly(entity)} }If using HttpClient in your app like this, httpClient can be passed to the OAuth constructor to share the same instance.
MinLog is used for logging, which is easily disabled or redirected.