Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth for Java Developers - IntelliJ IDEA Live Stream 2023

OAuth for Java Developers - IntelliJ IDEA Live Stream 2023

You can use OAuth to secure apps, APIs, and devices. OAuth has become increasingly popular, especially as developers are asked to knit together hundreds of apps and thousands of users in enterprise environments.

The Java ecosystem is vast, with over 10 million developers worldwide and an abundance of IDEs, build tools, libraries, and frameworks to make them more productive. In this session, I’ll provide you with a state of the OAuth ecosystem in Java. You’ll learn which frameworks support OAuth and which ones don’t. I’ll also offer some practical examples you can run in just a few minutes.

YouTube recording: https://www.youtube.com/watch?v=z2Bt971k1EE
Related blog post: https://developer.okta.com/blog/2022/06/16/oauth-java
Demo script: https://github.com/oktadev/auth0-java-oauth-examples/blob/main/demo.adoc

Matt Raible

March 30, 2023
Tweet

More Decks by Matt Raible

Other Decks in Programming

Transcript

  1. OAuth for Java Developers Matt Raible | @mraible March 30,

    2023 Photo by František Zelinka https://unsplash.com/photos/NYpiSHcGfbw
  2. Father, Husband, Skier, Mountain Biker, Whitewater Rafter Bus Lover Web

    Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog Hi, I’m Matt Raible
  3. 01 02 03 04 What the Heck is OAuth? Java's

    OAuth 2.0 Support OAuth 2.0 in Action Java Security Frameworks 05 OAuth 2.0 Authorization Servers Agenda
  4. SAML 2.0 Assertion <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05" <Issuer>https://example.okta.com</Issuer> <ds:Signature

    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"> [email protected] </NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> </SubjectConfirmation> </Subject> <Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05"> <AudienceRestriction> <saml:Audience>https://sp.example.com/saml2/sso</saml:Audience> </AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2004-12-05T09:22:00" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac"> <AuthnContext> <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </AuthnContextClassRef> </AuthnContext> </AuthnStatement> <AttributeStatement> <Attribute Name="displayName"> <AttributeValue>Matt Raible</AttributeValue> </Attribute> </AttributeStatement> </Assertion>
  5. An open standard for authorization; anyone can implement it Provides

    “secure delegated access” to client applications Works over HTTPS and authorizes: Devices APIs Servers Applications … with access tokens rather than credentials What is OAuth?
  6. Simple login — basic, forms, & cookies Single sign-on across

    sites — SAML Mobile app login — N/A Delegated authorization — N/A Identity Use Cases (circa 2006)
  7. The Delegated Authorization Problem How can you let a website

    access your data (without giving it your password)?
  8. Delegated Authorization with OAuth 2.0 I trust Gmail and I

    kind of trust Yelp. I want Yelp to have access to my contacts only. yelp.com Connect with Google
  9. Delegated Authorization with OAuth 2.0 yelp.com Connect with Google accounts.google.com

    Email ********** accounts.google.com 
 Allow Yelp to access your public profile and contacts? No Yes contacts.google yelp.com/callback
  10. Authorization Server Authorize Endpoint (/oauth2/authorize) Token Endpoint (/oauth2/token) Authorization Server

    Authorization Grant Refresh Token Access Token Introspection Endpoint (/oauth2/introspect) Revocation Endpoint (/oauth2/revoke)
  11. Tokens • Short-lived token used by Client to access Resource

    Server (API) • Opaque to the Client • No client authentication required (Public Clients) • Optimized for scale and performance • Revocation is dependent on implementation Access Token (Required) • Long-lived token that is used by Client to obtain new access tokens from Authorization Server • Usually requires Confidential Clients with authentication • Forces client to rotate secrets • Can usually be revoked Refresh Token (Optional) OAuth doesn’t define the format of a token!
  12. Self-encoded tokens Protected, time-limited data structure agreed upon between Authorization

    Server and Resource Server that contains metadata and claims about the identity of the user or client over the wire. Resource Server can validate the token locally by checking the signature, expected issuer name and expected audience or scope. Commonly implemented as a signed JSON Web Tokens (JWT) Reference tokens (aka opaque tokens) Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine if the token is valid and obtain claims/scopes Access Token Types
  13. OAuth 2.0 Authorization Code Flow yelp.com Connect with Google accounts.google.com

    
 Allow Yelp to access your public profile and contacts? No Yes yelp.com/callback Resource owner clicks ^^ Back to redirect URI with authorization code contacts.google Talk to resource server with access token Exchange code for access token accounts.google.com Email ********** Go to authorization server Redirect URI: yelp.com/callback Response type: code Authorization Server Client
  14. Scopes Scopes to Deny Scopes to Allow Additive bundles of

    permissions asked by client when requesting a token 
 Decouples authorization policy decisions from enforcement
 Who owns the data? End user or the target service
 Who gets to specify the authorization policy? End user or application owner
  15. OAuth 2.0 Authorization Code Flow yelp.com Connect with Google yelp.com/callback

    Resource owner clicks ^^ Back to redirect URI with authorization code contacts.google Talk to resource server with access token Exchange code for access token accounts.google.com Email ********** Go to authorization server Redirect URI: yelp.com/callback Scope: profile contacts Authorization Server Client accounts.google.com 
 Allow Yelp to access your public profile and contacts? No Yes Request consent from resource owner
  16. Flow Channels Resource
 Server (RS) Authorization
 Server (AS) Resource Owner

    (RO) Client Delegates Obtains Token Uses Token Front Channel Back Channel
  17. Authorization Request HTTP/1.1 302 Found
 Location: https://app.example.com/oauth2/callback?
 code=MsCeLvIaQm6bTrgtp7&
 state=af0ifjsldkj Request

    Response Note: Parameters are not URL-encoded for example purposes GET https://accounts.google.com/o/oauth2/auth?
 scope=gmail.insert gmail.send&
 redirect_uri=https://app.example.com/oauth2/callback&
 response_type=code&
 client_id=812741506391&
 state=af0ifjsldkj
  18. Token Request Note: Parameters are not URL-encoded for example purposes

    POST /oauth2/v3/token HTTP/1.1 Host: www.googleapis.com Content-Type: application/x-www-form-urlencoded code=MsCeLvIaQm6bTrgtp7& client_id=812741506391& client_secret={client_secret}& redirect_uri=https://app.example.com/oauth2/callback& grant_type=authorization_code
  19. Making Protected Resource Requests curl -H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA" \

    https://www.googleapis.com/gmail/v1/users/1444587525/messages
  20. OAuth 2.0 Authorization Code Flow yelp.com Connect with Google yelp.com/callback

    Resource owner clicks ^^ Back to redirect URI with authorization code (front channel) contacts.google Talk to resource server (back channel) Exchange code for access token (back channel) accounts.google.com Email ********** Go to authorization server Redirect URI: yelp.com/callback (front channel) Authorization Server Client accounts.google.com 
 Allow Yelp to access your public profile and contacts? No Yes Request consent from resource owner
  21. OAuth 2.0 Grant Types (Flows) • Optimized for browser-only Public

    Clients • Access token returned directly from authorization request (Front-channel only) • Does not support refresh tokens • Assumes Resource Owner and Public Client are on the same device • Most vulnerable to security threats Implicit • Front channel flow used by Client to obtain authorization code grant • Back channel flow used by Client to exchange authorization code grant for access token and optionally refresh token • Assumes Resource Owner and Client are on separate devices • Most secure flow as tokens never passes through user- agent Authorization Code • Optimized for server-only Confidential Clients acting on behalf of itself or a user • Back-channel only flow to obtain an access token using the Client’s credentials • Supports shared secrets or assertions as Client credentials signed with either symmetric or asymmetric keys Client Credential
  22. OAuth 2.0 Grant Types (Flows) • Legacy grant type for

    native username/password apps such as desktop apps • Username/password is authorization grant to obtain access token from Authorization Server • Does not support refresh tokens • Assumes Resource Owner and Public Client or on the same device Resource Owner Password • Optimized for devices that do not have access to web- browsers • User code is returned from authorization request that must be redeemed by visiting a URL on a device with a browser to authorize • Back channel flow used by Client to poll for authorization approval for access token and optionally refresh token Device • Allows Authorization Server to trust authorization grants from third party such as SAML IdP (Federation) • Assertion is used to obtain access token with token request • Does not support refresh tokens Assertion
  23. Six different flows Necessary because of: How you get consent

    from client? Who is making consent? Adds a lot of complexity to OAuth OAuth Flows
  24. Not backward compatible with OAuth 1.0 Interoperability issues exists as

    its not a protocol but rather an authorization framework OAuth 2.0 is not an authentication protocol OAuth 2.0 alone says absolutely nothing about the user OAuth 2.0 Facts
  25. OAuth 2.0 and OpenID Connect OpenID Connect OAuth 2.0 HTTP

    OpenID Connect is for authentication
 
 OAuth 2.0 is for authorization
  26. Extends OAuth 2.0 with new signed id_token for the Client

    and UserInfo endpoint to fetch user attributes Provides a standard set of scopes and claims for identities profile email address phone Built-in registration, discovery & metadata for dynamic federations Bring Your Own Identity (BYOI) Supports high assurance levels and key SAML use cases (enterprise) OpenID Connect OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
  27. Authorization Request HTTP/1.1 302 Found
 Location: https://app.example.com/oauth2/callback?
 code=MsCeLvIaQm6bTrgtp7&
 state=af0ifjsldkj Request

    Response Note: Parameters are not URL-encoded for example purposes GET https://accounts.google.com/o/oauth2/auth?
 scope=openid email&
 redirect_uri=https://app.example.com/oauth2/callback&
 response_type=code&
 client_id=812741506391&
 state=af0ifjsldkj
  28. Token Request POST /oauth2/v3/token HTTP/1.1 Host: www.googleapis.com Content-Type: application/x-www-form-urlencoded code=MsCeLvIaQm6bTrgtp7&

    client_id=812741506391& client_secret={client_secret}& redirect_uri=https://app.example.com/oauth2/callback& grant_type=authorization_code
  29. Token Response { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600, "refresh_token":

    "tGzv3JOkF0XG5Qx2TlKWIA", "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ..." }
  30. Validate ID Token Token Endpoint Authorization Endpoint /.well-known/
 openid-configuration JWKS

    Endpoint UserInfo Endpoint OAuth 2.0 Authorization Server & OpenID Connect Provider (OP) OAuth 2.0 Resource Server Client (Relying Party) 1 3 2 5 4 1 Discover OpenID Provider Metadata 2 Perform OAuth flow to obtain a ID token and/or access token 3 Get JSON Web Key Set (JWKS) for signature keys 4 Validate ID token
 (JSON Web Token) 5 Get additional user attributes with access token from UserInfo endpoint OpenID Connect
  31. OIDC Authorization Code Flow yelp.com Connect with Google yelp.com/callback Resource

    owner clicks ^^ Back to redirect URI with authorization code accounts.google /userinfo Get user info 
 with access token Exchange code for access token and ID token accounts.google.com Email ********** Go to authorization server Redirect URI: yelp.com/callback Scope: openid profile Authorization Server Client accounts.google.com 
 Allow Yelp to access your public profile and contacts? No Yes Request consent from resource owner Hello Matt!
  32. JSON Web Token (JWT) eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4Y W1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWV xdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXV OeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE 0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90a W1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhb

    XBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.Xc NXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd- AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H- L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNw GyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHA OIhEQsgm8 { "alg": "RS256”
 "kid": "123456789" } { "iss": "https://example.okta.com", "sub": "00ugrenMeqvYla4HW0g3", "aud": "w255HEWiSU4AuNxEjeij", "iat": 1446305282, "exp": 1446308882, "amr": [ "pwd" ], "auth_time": 1446305282, "email": "[email protected]", "email_verified": true } Header Claims Signature Header Claims base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)
  33. No. A browser is required. Three options if a user

    is involved: 1. Web app: handle a redirect 2. CLI, TV, etc: use the Device Grant 3. Native app: use a custom URL handler Can you do OAuth without a browser?
  34. PKCE is required for all clients using the authorization code

    flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use OAuth 2.1 https://oauth.net/2.1/
  35. Java, the language, does not have OAuth support The JDK

    doesn't contain APIs to write a web app Building blocks are provided by Servlet API and Jakarta EE Jakarta Security 3.0 supports OpenID Connect! Java's OAuth 2.0 Support
  36. © Okta and/or its affiliates. All rights reserved. Confidential Information

    of Okta – For Recipient’s Internal Use Only. Thank you! Keep in Touch raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadev