I’m new to Vaadin (but so far loving it). I’m using Vaadin 12, but am confused as to “best way” to implement a standard login screen using the “big main” external login systems, namely:
- login with Google
- login with MS Azure
- login with LinkedIn
- login with Box
(I do NOT intend to support a custom registration/login page to ask users their names & email etc – it’s a waste of time since users can pick from at least the above 4 supported systems, and this way I delegate the whole username/password management system to a far far bigger system etc.)
However, something as simple as a stable/tested login system using the “big” external providers (eg one of the above list) doesn’t seem to be pre-built in Vaadin 12. (Nor were there any examples that I could emulate.) The best I found was https://vaadin.com/directory/component/oauth2-popup-add-on/overview, but that seems to only work for Vaadin 7 (and maybe 8). And from past questions, my understanding is that Vaadin 8 components are not compatible with Vaadin 10/12/14 etc. So, how can one safely (and easily) implement a secure, simple login system with external providers (eg MS Azure) using Vaadin 12?
(Note: I did find https://vaadin.com/directory/component/google-sign-in-component/overview, which appears to be for Vaadin 10+, but it only seems to work for Google; does that mean we need to custom-build similar components for MS Azure/LinkedIn etc by finding whether someone has built a Polymer web component for those systems and then integrating it into Vaadin?)

Even if the answer is “yes”, it seems like the example from https://vaadin.com/directory/component/google-sign-in-component/overview is “dangerous” (and btw, my web knowledge and security knowledge is close to zero), since it seems to imply that one can simply use the “event” class to retrieve the user’s name/email etc. But technically, shouldn’t that info NOT come from the front-end (since any decent hacker could then directly call the Vaadin back-end servlet and simply “supply” a username/email etc), but instead ONLY the access token (or maybe it’s called something else – I’m fuzzy on the terms right now), and then the back-end code (and only the back-end code) would re-call the external provider (eg Google) using this access token to then (and only then) finally determine the username/email etc?

(And, since the back-end is Java, I think the “best” such library to use is scribe: https://github.com/scribejava/scribejava/)

(And presumably, once the username/email is finally determined, it can then be saved as a session variable in Vaadin somehow so that subsequent calls have the needed info?)

(Note: As an additional constraint, I’m trying hard to avoid Spring – I’ve used it in the past, and it complicates my code tenfold and makes debugging and integrating with non-Spring sample code a mild nightmare… I’m open, though, to using Java EE (ie javax libraries) if I must / if it’s highly recommended to do so…)
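The concern raised in the post (that the browser should hand the back-end only a token, and that only the back-end should decide who the user is) can be shown in a small Vaadin Flow view. The code below is an added example, not code from the post, from the google-sign-in-component add-on, or from Vaadin; it shows the Google case without Spring. It assumes the `google-api-client` library is on the classpath (for `GoogleIdTokenVerifier`), that a client-side Google Sign-In button calls `this.$server.onGoogleIdToken(idToken)` with the raw token string, and that `CLIENT_ID` is replaced with the app's real OAuth client ID. The thing Google Sign-In gives the browser is an ID token (a JWT signed by Google), which is what the post calls the access token; the server checks its signature, audience and expiry itself rather than trusting any name or email the client could have typed in.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.vaadin.flow.component.ClientCallable;
import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinSession;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.Optional;

@Route("login")
public class GoogleLoginView extends Div {

    // Placeholder (assumption): the OAuth client ID registered for this app in Google Cloud Console.
    private static final String CLIENT_ID = "REPLACE-WITH-YOUR-CLIENT-ID.apps.googleusercontent.com";

    private final Span status = new Span();

    public GoogleLoginView() {
        add(status);
        // The Sign-In button is rendered client-side (assumed Google Sign-In JS). Its callback
        // must call this.$server.onGoogleIdToken(idToken) with the raw token and nothing else:
        // no @ClientCallable method here accepts a name or email from the browser.
    }

    /** Identity the back-end trusts. Instances are built only from a token Google signed. */
    public static final class AuthenticatedUser {
        public final String subject; // Google's stable user id ("sub" claim), safer as a key than email
        public final String email;
        public final String name;

        AuthenticatedUser(String subject, String email, String name) {
            this.subject = subject;
            this.email = email;
            this.name = name;
        }
    }

    /** Called from the browser with the ID token only. The server decides who the user is. */
    @ClientCallable
    public void onGoogleIdToken(String idTokenString) {
        Optional<AuthenticatedUser> user = verifyGoogleIdToken(idTokenString, CLIENT_ID);
        if (!user.isPresent()) {
            status.setText("Sign-in failed: the token could not be verified.");
            return;
        }
        // Store the server-established identity in the Vaadin session for later requests.
        VaadinSession.getCurrent().setAttribute(AuthenticatedUser.class, user.get());
        getUI().ifPresent(ui -> ui.navigate(""));
    }

    /**
     * Server-side verification. GoogleIdTokenVerifier checks the token's signature against
     * Google's published certificates, the issuer, the expiry, and that "aud" equals our
     * client ID, so a forged token or one issued to a different app is rejected.
     */
    static Optional<AuthenticatedUser> verifyGoogleIdToken(String idTokenString, String clientId) {
        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
                new NetHttpTransport(), new GsonFactory())
                .setAudience(Collections.singletonList(clientId))
                .build();
        try {
            GoogleIdToken idToken = verifier.verify(idTokenString);
            if (idToken == null) {
                return Optional.empty(); // bad signature, wrong audience, wrong issuer or expired
            }
            GoogleIdToken.Payload p = idToken.getPayload();
            if (!Boolean.TRUE.equals(p.getEmailVerified())) {
                return Optional.empty(); // never key an account on an address Google has not verified
            }
            return Optional.of(new AuthenticatedUser(p.getSubject(), p.getEmail(), (String) p.get("name")));
        } catch (GeneralSecurityException | IOException e) {
            return Optional.empty(); // certificate fetch failed or token malformed
        }
    }

    /** For other views: who is logged in, according to the back-end only. */
    public static Optional<AuthenticatedUser> currentUser() {
        VaadinSession session = VaadinSession.getCurrent();
        return session == null
                ? Optional.empty()
                : Optional.ofNullable(session.getAttribute(AuthenticatedUser.class));
    }
}
```

Other views check `GoogleLoginView.currentUser()` and redirect to `/login` when it is empty. The same division of labour applies to the other providers the post lists: the browser only ever returns an authorization code or a token, and the back-end (with ScribeJava or the provider's own verifier) exchanges or validates it and fetches the profile before anything is written to the session.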