JHipster and Okta - JHipster Virtual Meetup December 2020

Transcript

1. Matt Raible | @mraible December 1, 2020 JHipster and Photo

   by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw

2. @mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker,

   Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible
3. None
4. None
5. None

6. developer.okta.com

7. @mraible Today’s Agenda What the Heck is OAuth 2.0 and

   OIDC? JHipster’s OAuth Implementation 3 Quick Demos Keycloak Okta CLI Heroku

8. What the Heck is OAuth 2.0 and OIDC?

9. The Delegated Authorization Problem How can you let a website

   access your data (without giving it your password)?

10. Don’t do it this way!

11. Have you ever seen one of these?

12. © Okta and/or its affiliates. All rights reserved. Okta Confidential

13. Hotel Key Cards, but for Apps

14. Hotel Key Cards, but for Apps OAuth Authorization Server Resource

    (API) Access Token

15. Delegated Authorization with OAuth 2.0 I trust Gmail and I

    kind of trust Yelp. I want Yelp to have access to my contacts only. yelp.com Connect with Google

16. Delegated Authorization with OAuth 2.0 yelp.com Connect with Google accounts.google.com

    Email ********** accounts.google.com Allow Yelp to access your public profile and contacts? No Yes contacts.google yelp.com/callback

17. OAuth 2.0 Terminology Actors Clients Authorization Server Resource Server Access

    Tokens Redirect URI

18. Authorization Server (AS) Resource Owner (RO) Client Delegates Obtains Token

    Uses Token Resource Server (RS) Actors

19. Authorization Server (AS) Resource Owner (RO) Client Delegates Obtains Token

    Uses Token Resource Server (RS) Actors

20. Clients Public (Client Identification) Confidential (Client Authentication)

21. Client Registration

22. Authorization Server Authorize Endpoint (/oauth2/authorize) Token Endpoint (/oauth2/token) Authorization Server

    Authorization Grant Refresh Token Access Token Introspection Endpoint (/oauth2/introspect) Revocation Endpoint (/oauth2/revoke)

23. Tokens • Short-lived token used by Client to access Resource

    Server (API) • Opaque to the Client • No client authentication required (Public Clients) • Optimized for scale and performance • Revocation is dependent on implementation Access Token (Required) • Long-lived token that is used by Client to obtain new access tokens from Authorization Server • Usually requires Confidential Clients with authentication • Forces client to rotate secrets • Can usually be revoked Refresh Token (Optional) OAuth doesn’t define the format of a token!

24. Access Token Types Self-encoded tokens Protected, time-limited data structure agreed

    upon between Authorization Server and Resource Server that contains metadata and claims about the identity of the user or client over the wire. Resource Server can validate the token locally by checking the signature, expected issuer name and expected audience or scope. Commonly implemented as a signed JSON Web Tokens (JWT) Reference tokens (aka opaque tokens) Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine if the token is valid and obtain claims/scopes

25. OAuth 2.0 Authorization Code Flow yelp.com Connect with Google accounts.google.com

    Allow Yelp to access your public profile and contacts? No Yes yelp.com/callback Resource owner clicks ^^ Back to redirect URI with authorization code contacts.google Talk to resource server with access token Exchange code for access token accounts.google.com Email ********** Go to authorization server Redirect URI: yelp.com/cb Response type: code Authorization Server Client

26. OAuth 2.0 and OpenID Connect OpenID Connect OAuth 2.0 HTTP

    OpenID Connect is for authentication OAuth 2.0 is for authorization

27. OIDC Authorization Code Flow yelp.com/callback Back to redirect URI with

    authorization code Exchange code for access token and ID token accounts.google.com Email ********** Go to authorization server Redirect URI: yelp.com/cb Scope: openid profile Authorization Server yelp.com Connect with Google Resource owner Client accounts.google.com Allow Yelp to access your public profile and contacts? No Yes Request consent from resource owner Hello Matt! accounts.google Get user info with access token /userinfo

28. @mraible Does OAuth 2.0 feel like a maze of specs?

    https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

29. @mraible OAuth 2.1 to the rescue! https://oauth.net/2.1 PKCE is required

    for all clients using the authorization code flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use

30. @mraible JHipster’s OAuth Implementation Leverages Spring Security’s OAuth and OIDC

    Support Creates an AuthorizationHeaderFilter for Zuul Supports Spring WebFlux and Spring Cloud Gateway Creates a LogoutResource that returns an ID Token and a Redirect URI Creates a Docker configuration and pre-configured users for Keycloak

31. @mraible SecurityConfiguration.java .and() .oauth2Login() .and() .oauth2ResourceServer() .jwt() .jwtAuthenticationConverter(authenticationConverter()) .and() .and()

    .oauth2Client();

32. @mraible OIDC Configuration in application.yml spring: security: oauth2: client: provider:

    oidc: issuer-uri: http:"//localhost:9080/auth/realms/jhipster registration: oidc: client-id: web_app client-secret: web_app

33. @mraible How to use another Identity Provider (IdP) Create a

    groups claim and add it to the ID token Add groups named ROLE_ADMIN and ROLE_USER Register an OIDC app at your IdP with JHipster’s Redirect URI Override the default settings with environment variables export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}" export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}" export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}" https://www.jhipster.tech/security/#oauth2

34. @mraible Demos!

35. mkdir blog-oauth2 cd blog-oauth2 jhipster jdl blog-oauth2 docker-compose -f src/main/docker/keycloak.yml

    up -d ./mvnw open http:"//localhost:8080 JHipster with Keycloak

36. take blog-oauth2 jhipster jdl blog-oauth2 # Install Okta CLI using

    cli.okta.com okta apps create # select Web > JHipster source .okta.env ./mvnw open http:"//localhost:8080 JHipster with Okta CLI

37. take blog-oauth2 jhipster jdl blog-oauth2 jhipster heroku # Yes, provision

    the Okta add-on open https:"//<heroku-app-url> JHipster with Heroku + Okta

38. @mraible Better, Faster, Lighter Java with Java 12 and JHipster

    6 Java Microservices with Spring Cloud Config and JHipster Mobile Development with Ionic, React Native, and JHipster Build a Secure Micronaut and Angular App with JHipster > https://developer.okta.com/blog/tags/jhipster JHipster Tutorials on developer.okta.com/blog

39. developer.okta.com/blog @oktadev

40. Thanks! Keep in Touch raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadeveloper

    developer.okta.com

41. developer.okta.com