
Secure Spring Boot Microservices with OAuth and OIDC


Deepu K Sasidharan

May 09, 2024


Transcript

  1. @oktaDev | @deepu105 | deepu.tech
     Hi, I’m Deepu K Sasidharan
     ➔ JHipster co-chair
     ➔ Java Champion
     ➔ Creator of KDash, JDL Studio, JWT UI
     ➔ Developer Advocate @ Okta
     ➔ OSS aficionado, polyglot dev, author, speaker
     @[email protected] deepu.tech @deepu105 deepu05
  2. Agenda
     OAuth2 & OIDC crash course (15 mins)
     Workshop labs (60 mins)
     Bonus labs (15 mins)
  3. Authorization
     Process of determining whether a user has the necessary permissions to access a resource.
     OAuth 2.0 is the industry-standard protocol for delegated authorization.
  4. System Roles
     Resource Owner → End user
     Resource Server → API Server
     Client → System requesting access
     Authorization Server → Authenticate and issue tokens
  5. Tokens
     Access Token → Authorization to access a resource
     Authorization Code → Short-lived token to get an access token
     Refresh Token → Long-lived token to get new access tokens
  6. Claim → KV pair assertion with user info
     Scope → Group of claims or permission limiting access
  7. OAuth 2.0 Grants
     Authorization Code Grant → Exchange authorization code for access token (secure clients)
     Implicit Grant → Get access token directly (SPA, native apps)
     Client Credentials Grant → Access token without user interaction (confidential clients)
     Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients)
  8. OAuth 2.1 Grants
     Authorization Code Grant with PKCE → Exchange authorization code for access token (secure clients, SPAs, native apps)
     Client Credentials Grant → Access token without user interaction (confidential clients)
  9. Other Grants
     Refresh Token Grant → Exchange refresh token for access token
     Extension Grants → Device Authorization Grant, Token Exchange Grant, etc.
  10. Authorization Code Grant Flow (Not recommended)
      Authorization request { client_id, response_type=code, redirect_uri=..., scope, state, etc }
      Token request { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  11. Authorization Code Grant Flow with PKCE
      Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc }
      Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  12. Implicit Grant Flow (Not recommended)
      Authorization request { client_id, response_type=token, redirect_uri=..., scope, state, etc }
      Token request NA
  13. Client Credentials Grant Flow
      Authorization request NA
      Token request { client_id, client_secret, grant_type=client_credentials }
  14. Resource Owner Password Credentials Grant Flow (Not recommended)
      Authorization request NA
      Token request { client_id, client_secret, username, password, grant_type=password }
  15. Refresh Token Grant Flow
      Authorization request NA
      Token request { client_id, client_secret, refresh_token, grant_type=refresh_token }
  16. Authentication
      Process of verifying the identity of a user.
      OAuth lacked a standard way to authenticate users.
      OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework.
  17. OIDC using Authorization Code Grant Flow with PKCE
      Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope='openid,..', state, etc }
      Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
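Slides 10, 11 and 17 list the parameters of the authorization and token requests but not what the authorization server does with `code_challenge` and `code_verifier`, or why the flow with PKCE is the recommended one. The following is an added example, not code from the deck or from the workshop project: it plays both sides of the Authorization Code + PKCE flow in plain Python (the workshop itself uses Spring Boot and Spring Security, which implement all of this for you). The endpoint URLs, client id and redirect URI are placeholders, and `ToyAuthorizationServer` is a deliberately minimal stand-in for a real authorization server such as Okta or Keycloak. It shows the S256 challenge derivation from RFC 7636, the `state` check the client performs on the redirect, and the three checks the server performs at the token endpoint: the code is single-use, it is bound to the `client_id` and `redirect_uri` it was issued for, and `SHA256(code_verifier)` must equal the stored challenge, so an intercepted authorization code cannot be exchanged by anyone who lacks the verifier.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints and identifiers (assumptions for this example, not from the deck).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "example-web-client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side: fresh random verifier (43 chars; RFC 7636 allows 43..128) and its challenge."""
    code_verifier = b64url(secrets.token_bytes(32))
    return code_verifier, compute_challenge(code_verifier)


def build_authorization_request(client_id, redirect_uri, code_challenge, state, scope="openid profile"):
    """Authorization request as on slides 11/17: the challenge goes, the client_secret does not."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,                      # 'openid' makes this an OIDC request (slide 17)
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side: ignore the redirect unless 'state' matches what we sent (CSRF defence), then take the code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this client session")
    return query["code"][0]


class ToyAuthorizationServer:
    """Minimal authorization server: issues single-use codes bound to client, redirect_uri and challenge."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, request_url: str) -> str:
        """Assume the user authenticated and consented; redirect back with code and the same state."""
        q = parse_qs(urlparse(request_url).query)
        if q["response_type"][0] != "code" or q["code_challenge_method"][0] != "S256":
            raise ValueError("only response_type=code with S256 PKCE is supported here")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, client_id, code, code_verifier, redirect_uri):
        """Token request as on slide 11; returns a token dict, or None when any check fails."""
        record = self._pending.pop(code, None)  # a code is consumed on first use, valid or not
        if record is None:
            return None
        stored_client, stored_redirect, stored_challenge = record
        if stored_client != client_id or stored_redirect != redirect_uri:
            return None
        # Constant-time compare of the recomputed challenge against the one sent in the authorization request.
        if not hmac.compare_digest(compute_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: ToyAuthorizationServer, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """End to end: client builds the request, server redirects back, client exchanges code + verifier."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    auth_url = build_authorization_request(client_id, redirect_uri, challenge, state)
    callback = server.authorize(auth_url)
    code = parse_callback(callback, state)
    return server.token(client_id, code, verifier, redirect_uri)


if __name__ == "__main__":
    print(run_flow(ToyAuthorizationServer()))
```

`compute_challenge` reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any PKCE implementation you write or configure. Note what the token endpoint does not need here: a `client_secret`. That is exactly why OAuth 2.1 (slide 8) lets SPAs and native apps use this grant instead of the Implicit grant, which returns the token straight in the redirect with no such proof of possession.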
  18. Prerequisites
      • IntelliJ IDEA or Eclipse
      • Java 17+ (SDKMAN)
      • Docker and Docker Compose
      • Bash/ZSH or PowerShell 5+
  19. Chapters
      Part 1: Create an API server secured with OAuth2
      Part 2: Create a webapp secured with OIDC
      Part 3: Enable RBAC
      Part 4: Create a discovery service and complete the microservices
  20. Bonus
      Move beyond passwords with passkeys
      Using Keycloak with Okta starter
  21. Part 1: Create a car service secured with OAuth2
      This will be the API resource server for the microservices
  22. Part 2: Create a web app secured with OIDC
      This will be the API gateway for the microservices
  23. Part 4: Create a discovery service and microservice arch
      With this we complete the simple microservice architecture
  24. Bonus 2: Use Keycloak
      Use Keycloak with Okta Spring Boot Starter for offline support
  25. Authorization | Authentication | Security
      Single Sign-On | Adaptive Multi-Factor Authentication | Universal Login | Passwordless | Bot Detection & Prevention | Security Center | Breached Password Detection | Brute Force Protection | FGA
      How we can help:
      Try Free Today: Free Plan (forever) $0. Up to 7,500 monthly active users. Unlimited user logins. Includes passkeys support*. No credit card required.
      Special Plans for Startups & Nonprofits
      Plans for Everyone: B2C: your users are consumers. B2B: your users are businesses or a mix of businesses and consumers. Enterprise: Best for production applications that need to scale - Contact Us
      Make login our problem. Not yours. a0.to/plg_signup
  26. Thank You
      Subscribe to our newsletter: a0.to/nl-signup/java
      Try our free Spring Boot + Passkeys workshop: a0.to/spring-boot