
JHipster and Okta - JHipster Virtual Meetup December 2020

YouTube video: https://www.youtube.com/watch?v=ym-OPn4e_nQ

When I first started working at Okta, I refactored JHipster's OAuth support to move from authentication on the client to the server, leveraging Spring Security. This allowed for easier client integration since we didn't need to worry about finding an OIDC client for each frontend framework.

Fast forward four years and JHipster's OAuth 2.0 and OIDC support is first-class! It uses Keycloak in a Docker container by default, but it's easy to switch to another identity provider (IdP) thanks to Spring Boot. Other blueprints like Micronaut, Quarkus, Node.js, and .NET support OAuth and OIDC too!

This presentation explains what OAuth 2.0 and OIDC are, gives an overview of JHipster’s OAuth implementation, and provides three quick demos with Keycloak, the Okta CLI, and Heroku.

See https://developer.okta.com/blog/tags/jhipster for Okta + JHipster tutorials and screencasts! 🤓

You also might enjoy my What the Heck is OAuth blog post.

Matt Raible

December 01, 2020
Transcript

  1. Matt Raible | @mraible, December 1, 2020. JHipster and
    Photo by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw
  2. @mraible Who is Matt Raible?
      • Father, Husband, Skier, Mountain Biker, Whitewater Rafter
      • Bus Lover
      • Web Developer and Java Champion
      • Okta Developer Advocate
      • Blogger on raibledesigns.com and developer.okta.com/blog
      • @mraible
  6. developer.okta.com

  7. @mraible Today’s Agenda
      • What the Heck is OAuth 2.0 and OIDC?
      • JHipster’s OAuth Implementation
      • 3 Quick Demos: Keycloak, Okta CLI, Heroku
  8. What the Heck is OAuth 2.0 and OIDC?

  9. The Delegated Authorization Problem: How can you let a website access your data (without giving it your password)?
  10. Don’t do it this way!

  11. Have you ever seen one of these?

  12. © Okta and/or its affiliates. All rights reserved. Okta Confidential

  13. Hotel Key Cards, but for Apps

  14. Hotel Key Cards, but for Apps (diagram labels: OAuth Authorization Server, Resource (API), Access Token)
  15. Delegated Authorization with OAuth 2.0: I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only. (Diagram labels: yelp.com, Connect with Google)
  16. Delegated Authorization with OAuth 2.0 (diagram labels)
      • yelp.com: Connect with Google
      • accounts.google.com: Email, **********
      • accounts.google.com: Allow Yelp to access your public profile and contacts? No / Yes
      • contacts.google
      • yelp.com/callback
  17. OAuth 2.0 Terminology: Actors, Clients, Authorization Server, Resource Server, Access Tokens, Redirect URI
  18. Actors: Authorization Server (AS), Resource Owner (RO), Client, Resource Server (RS). Diagram labels: Delegates, Obtains Token, Uses Token
  19. Actors: Authorization Server (AS), Resource Owner (RO), Client, Resource Server (RS). Diagram labels: Delegates, Obtains Token, Uses Token
  20. Clients: Public (Client Identification), Confidential (Client Authentication)

  21. Client Registration

  22. Authorization Server
      • Authorize Endpoint (/oauth2/authorize)
      • Token Endpoint (/oauth2/token)
      • Introspection Endpoint (/oauth2/introspect)
      • Revocation Endpoint (/oauth2/revoke)
      • Diagram labels: Authorization Server, Authorization Grant, Refresh Token, Access Token
  23. Tokens
      Access Token (Required)
      • Short-lived token used by Client to access Resource Server (API)
      • Opaque to the Client
      • No client authentication required (Public Clients)
      • Optimized for scale and performance
      • Revocation is dependent on implementation
      Refresh Token (Optional)
      • Long-lived token that is used by Client to obtain new access tokens from Authorization Server
      • Usually requires Confidential Clients with authentication
      • Forces client to rotate secrets
      • Can usually be revoked
      OAuth doesn’t define the format of a token!
  24. Access Token Types
      Self-encoded tokens
      • Protected, time-limited data structure agreed upon between Authorization Server and Resource Server that contains metadata and claims about the identity of the user or client over the wire.
      • Resource Server can validate the token locally by checking the signature, expected issuer name and expected audience or scope.
      • Commonly implemented as signed JSON Web Tokens (JWT)
      Reference tokens (aka opaque tokens)
      • Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server
      • Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine if the token is valid and obtain claims/scopes
  25. OAuth 2.0 Authorization Code Flow (diagram labels)
      • Client: yelp.com, Connect with Google
      • Go to authorization server (accounts.google.com, Email **********). Redirect URI: yelp.com/cb, Response type: code
      • Authorization Server: accounts.google.com, Allow Yelp to access your public profile and contacts? No / Yes
      • Resource owner clicks ^^
      • Back to redirect URI with authorization code (yelp.com/callback)
      • Exchange code for access token
      • Talk to resource server with access token (contacts.google)
  26. OAuth 2.0 and OpenID Connect: OpenID Connect is for authentication; OAuth 2.0 is for authorization. (Diagram layers: OpenID Connect, OAuth 2.0, HTTP)
  27. OIDC Authorization Code Flow (diagram labels)
      • Client: yelp.com, Connect with Google
      • Go to authorization server (accounts.google.com, Email **********). Redirect URI: yelp.com/cb, Scope: openid profile
      • Authorization Server: accounts.google.com, Allow Yelp to access your public profile and contacts? No / Yes
      • Request consent from resource owner
      • Back to redirect URI with authorization code (yelp.com/callback)
      • Exchange code for access token and ID token
      • Hello Matt!
      • Get user info with access token (accounts.google, /userinfo)
  28. @mraible Does OAuth 2.0 feel like a maze of specs? https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
  29. @mraible OAuth 2.1 to the rescue! https://oauth.net/2.1
      • PKCE is required for all clients using the authorization code flow
      • Redirect URIs must be compared using exact string matching
      • The Implicit grant is omitted from this specification
      • The Resource Owner Password Credentials grant is omitted from this specification
      • Bearer token usage omits the use of bearer tokens in the query string of URIs
      • Refresh tokens for public clients must either be sender-constrained or one-time use
  30. @mraible JHipster’s OAuth Implementation
      • Leverages Spring Security’s OAuth and OIDC Support
      • Creates an AuthorizationHeaderFilter for Zuul
      • Supports Spring WebFlux and Spring Cloud Gateway
      • Creates a LogoutResource that returns an ID Token and a Redirect URI
      • Creates a Docker configuration and pre-configured users for Keycloak
  31. @mraible SecurityConfiguration.java

          .and()
              .oauth2Login()
          .and()
              .oauth2ResourceServer()
                  .jwt()
                  .jwtAuthenticationConverter(authenticationConverter())
                  .and()
              .and()
                  .oauth2Client();
  32. @mraible OIDC Configuration in application.yml

          spring:
            security:
              oauth2:
                client:
                  provider:
                    oidc:
                      issuer-uri: http://localhost:9080/auth/realms/jhipster
                  registration:
                    oidc:
                      client-id: web_app
                      client-secret: web_app
  33. @mraible How to use another Identity Provider (IdP)
      • Create a groups claim and add it to the ID token
      • Add groups named ROLE_ADMIN and ROLE_USER
      • Register an OIDC app at your IdP with JHipster’s Redirect URI
      • Override the default settings with environment variables

          export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}"
          export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
          export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"

      https://www.jhipster.tech/security/#oauth2
  34. @mraible Demos!

  35. JHipster with Keycloak

          mkdir blog-oauth2
          cd blog-oauth2
          jhipster jdl blog-oauth2
          docker-compose -f src/main/docker/keycloak.yml up -d
          ./mvnw
          open http://localhost:8080
  36. JHipster with Okta CLI

          take blog-oauth2
          jhipster jdl blog-oauth2
          # Install Okta CLI using cli.okta.com
          okta apps create # select Web > JHipster
          source .okta.env
          ./mvnw
          open http://localhost:8080
  37. JHipster with Heroku + Okta

          take blog-oauth2
          jhipster jdl blog-oauth2
          jhipster heroku # Yes, provision the Okta add-on
          open https://<heroku-app-url>
  38. @mraible JHipster Tutorials on developer.okta.com/blog
      • Better, Faster, Lighter Java with Java 12 and JHipster 6
      • Java Microservices with Spring Cloud Config and JHipster
      • Mobile Development with Ionic, React Native, and JHipster
      • Build a Secure Micronaut and Angular App with JHipster
      > https://developer.okta.com/blog/tags/jhipster
  39. developer.okta.com/blog @oktadev

  40. Thanks! Keep in Touch: raibledesigns.com, @mraible. Presentations: speakerdeck.com/mraible. Code: github.com/oktadeveloper. developer.okta.com
  41. developer.okta.com
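
The OAuth 2.1 rules on slide 29 (PKCE for every authorization code client, exact redirect URI matching) can be followed end to end in a toy in-memory authorization server. This is an added example, not code from the talk or from JHipster; the `AuthorizationServer` class and the registered redirect URI are assumptions, and only the `web_app` client id comes from slide 32.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed registration: client id from slide 32, redirect URI is an assumed value.
REGISTERED = {"web_app": {"http://localhost:8080/login/oauth2/code/oidc"}}


def s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: fresh random verifier (43 characters) and its S256 challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)


class AuthorizationServer:
    """Hypothetical in-memory server that applies the slide 29 rules."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        # Exact string comparison: no prefix, wildcard or normalised matching.
        if redirect_uri not in REGISTERED.get(client_id, set()):
            raise ValueError("invalid redirect_uri")
        if method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)  # a code can be redeemed once
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise ValueError("invalid_grant")
        # Only the party that created the challenge knows the verifier.
        if not hmac.compare_digest(s256(code_verifier), entry[2]):
            raise ValueError("invalid_grant")
        return secrets.token_urlsafe(32)  # opaque access token
```
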
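
Slide 24 says a resource server can validate a self-encoded token locally by checking the signature, the expected issuer and the expected audience. The check below is an added example, not code from the talk or from JHipster; it uses HS256 with a constructed shared key so that it runs on the standard library alone (identity providers such as Keycloak typically sign with an asymmetric key instead), and the audience value is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "http://localhost:9080/auth/realms/jhipster"  # issuer-uri from slide 32
AUDIENCE = "web_app"            # assumed audience value
KEY = b"constructed-demo-key"   # constructed shared secret, for the demo only


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims, key=KEY, alg="HS256"):
    """Build a constructed JWT so the validator has something to check."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


def validate(token, now=None):
    """Return the claims if every check passes, otherwise raise ValueError."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    # Pin the algorithm; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims
```
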