Slide 1

Slide 1 text

Matt Raible | @mraible
December 1, 2020
JHipster and
Photo by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw

Slide 2

Slide 2 text

Who is Matt Raible?
• Father, Husband, Skier, Mountain Biker, Whitewater Rafter, Bus Lover
• Web Developer and Java Champion
• Okta Developer Advocate
• Blogger on raibledesigns.com and developer.okta.com/blog

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

developer.okta.com

Slide 7

Slide 7 text

Today’s Agenda
• What the Heck is OAuth 2.0 and OIDC?
• JHipster’s OAuth Implementation
• 3 Quick Demos: Keycloak, Okta CLI, Heroku

Slide 8

Slide 8 text

What the Heck is OAuth 2.0 and OIDC?

Slide 9

Slide 9 text

The Delegated Authorization Problem
How can you let a website access your data (without giving it your password)?

Slide 10

Slide 10 text

Don’t do it this way!

Slide 11

Slide 11 text

Have you ever seen one of these?

Slide 12

Slide 12 text

© Okta and/or its affiliates. All rights reserved. Okta Confidential

Slide 13

Slide 13 text

Hotel Key Cards, but for Apps

Slide 14

Slide 14 text

Hotel Key Cards, but for Apps
(Diagram labels: OAuth Authorization Server, Access Token, Resource (API))

Slide 15

Slide 15 text

Delegated Authorization with OAuth 2.0
I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only.
(Screenshot: yelp.com with a "Connect with Google" button)

Slide 16

Slide 16 text

Delegated Authorization with OAuth 2.0
(Screenshots, in order)
1. yelp.com: "Connect with Google"
2. accounts.google.com: Email **********
3. accounts.google.com: Allow Yelp to access your public profile and contacts? No / Yes
4. yelp.com/callback
5. contacts.google

Slide 17

Slide 17 text

OAuth 2.0 Terminology
• Actors
• Clients
• Authorization Server
• Resource Server
• Access Tokens
• Redirect URI

Slide 18

Slide 18 text

Actors
• Resource Owner (RO) delegates to the Client
• Client obtains a token from the Authorization Server (AS)
• Client uses the token at the Resource Server (RS)

Slide 20

Slide 20 text

Clients
• Public (Client Identification)
• Confidential (Client Authentication)

Slide 21

Slide 21 text

Client Registration

Slide 22

Slide 22 text

Authorization Server
• Authorize Endpoint (/oauth2/authorize)
• Token Endpoint (/oauth2/token)
• Introspection Endpoint (/oauth2/introspect)
• Revocation Endpoint (/oauth2/revoke)
(Diagram: Authorization Grant → Authorization Server → Access Token, Refresh Token)

Slide 23

Slide 23 text

Tokens

Access Token (Required)
• Short-lived token used by Client to access Resource Server (API)
• Opaque to the Client
• No client authentication required (Public Clients)
• Optimized for scale and performance
• Revocation is dependent on implementation

Refresh Token (Optional)
• Long-lived token that is used by Client to obtain new access tokens from Authorization Server
• Usually requires Confidential Clients with authentication
• Forces client to rotate secrets
• Can usually be revoked

OAuth doesn’t define the format of a token!

Slide 24

Slide 24 text

Access Token Types

Self-encoded tokens
• Protected, time-limited data structure agreed upon between Authorization Server and Resource Server that carries metadata and claims about the identity of the user or client over the wire.
• Resource Server can validate the token locally by checking the signature, expected issuer name and expected audience or scope.
• Commonly implemented as signed JSON Web Tokens (JWTs)

Reference tokens (aka opaque tokens)
• Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server
• Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine if the token is valid and obtain claims/scopes
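
The local validation of a self-encoded token described above (signature, expected issuer, expected audience, time limit), worked through as an added Python example that is not part of the deck or of JHipster. It assumes a constructed HS256 shared secret (a real Resource Server would verify RS256 against the Authorization Server's published keys) and reuses the issuer and client-id values from the deck's application.yml.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 secret for this example only; real Resource Servers verify RS256 with the AS's published keys.
SECRET = b"constructed-example-secret-not-for-real-use"
EXPECTED_ISSUER = "http://localhost:9080/auth/realms/jhipster"  # issuer-uri from the deck's application.yml
EXPECTED_AUDIENCE = "web_app"                                   # client-id from the deck

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Authorization Server side: issue a self-encoded access token (signed JWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_locally(token: str, now: int) -> dict:
    """Resource Server side: signature, issuer, audience and expiry, with no call back to the AS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm, never trust 'alg'
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # 'aud' may be a single string or a list
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def first_failed_check(token: str, now: int):
    # None when every check passes, otherwise the name of the first failed check (handy for logs)
    try:
        validate_locally(token, now)
        return None
    except ValueError as exc:
        return str(exc)
```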

Slide 25

Slide 25 text

OAuth 2.0 Authorization Code Flow (actors: Resource owner, Client, Authorization Server)
1. Resource owner clicks "Connect with Google" on yelp.com (the Client)
2. Go to authorization server (accounts.google.com) with Redirect URI: yelp.com/cb, Response type: code
3. Resource owner signs in (Email **********) and is asked: Allow Yelp to access your public profile and contacts? No / Yes
4. Back to redirect URI (yelp.com/callback) with authorization code
5. Exchange code for access token
6. Talk to resource server (contacts.google) with access token

Slide 26

Slide 26 text

OAuth 2.0 and OpenID Connect
(Stack: OpenID Connect on top of OAuth 2.0 on top of HTTP)
OpenID Connect is for authentication
OAuth 2.0 is for authorization

Slide 27

Slide 27 text

OIDC Authorization Code Flow (actors: Resource owner, Client, Authorization Server)
1. Resource owner clicks "Connect with Google" on yelp.com (the Client)
2. Go to authorization server (accounts.google.com) with Redirect URI: yelp.com/cb, Scope: openid profile
3. Resource owner signs in (Email **********); request consent from resource owner: Allow Yelp to access your public profile and contacts? No / Yes
4. Back to redirect URI (yelp.com/callback) with authorization code
5. Exchange code for access token and ID token
6. Get user info with access token from /userinfo (accounts.google): "Hello Matt!"

Slide 28

Slide 28 text

Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

Slide 29

Slide 29 text

OAuth 2.1 to the rescue! https://oauth.net/2.1
• PKCE is required for all clients using the authorization code flow
• Redirect URIs must be compared using exact string matching
• The Implicit grant is omitted from this specification
• The Resource Owner Password Credentials grant is omitted from this specification
• Bearer token usage omits the use of bearer tokens in the query string of URIs
• Refresh tokens for public clients must either be sender-constrained or one-time use
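
Two of the OAuth 2.1 rules above, mandatory PKCE on the authorization code flow and exact redirect URI matching, shown from both the client's and the authorization server's side as an added Python example that is not from the deck or the JHipster project. The authorization server base URL is a placeholder using the generic endpoint path from the Authorization Server slide, and the registered redirect URI is assumed to be JHipster's default.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed values for this example. AS_BASE is a placeholder authorization server using the
# generic endpoint path from the deck; the redirect URI is assumed to be JHipster's default.
AS_BASE = "https://as.example.com"
CLIENT_ID = "web_app"
REGISTERED_REDIRECT_URIS = {"http://localhost:8080/login/oauth2/code/oidc"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), the S256 method of RFC 7636."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    """Client side: a fresh high-entropy verifier (43 unreserved chars) and its challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)

def build_authorize_url(redirect_uri: str, challenge: str, state: str) -> str:
    """Client side: the front-channel request that starts the authorization code flow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AS_BASE}/oauth2/authorize?{urlencode(params)}"

def redirect_uri_allowed(requested: str) -> bool:
    """AS side at the authorize endpoint: exact string match against the registered
    URIs, so a trailing slash, extra query string or sub-path is rejected."""
    return requested in REGISTERED_REDIRECT_URIS

def token_request_allowed(code_verifier: str, stored_challenge: str) -> bool:
    """AS side at the token endpoint: recompute S256 from the verifier the client presents
    and compare it (constant-time) with the challenge stored alongside the authorization code."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)
```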

Slide 30

Slide 30 text

JHipster’s OAuth Implementation
• Leverages Spring Security’s OAuth and OIDC Support
• Creates an AuthorizationHeaderFilter for Zuul
• Supports Spring WebFlux and Spring Cloud Gateway
• Creates a LogoutResource that returns an ID Token and a Redirect URI
• Creates a Docker configuration and pre-configured users for Keycloak

Slide 31

Slide 31 text

SecurityConfiguration.java (excerpt of the HttpSecurity chain)

        .and()
            .oauth2Login()
        .and()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(authenticationConverter())
                .and()
            .and()
            .oauth2Client();

Slide 32

Slide 32 text

OIDC Configuration in application.yml

    spring:
      security:
        oauth2:
          client:
            provider:
              oidc:
                issuer-uri: http://localhost:9080/auth/realms/jhipster
            registration:
              oidc:
                client-id: web_app
                client-secret: web_app

Slide 33

Slide 33 text

How to use another Identity Provider (IdP)
• Create a groups claim and add it to the ID token
• Add groups named ROLE_ADMIN and ROLE_USER
• Register an OIDC app at your IdP with JHipster’s Redirect URI
• Override the default settings with environment variables:

    export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}"
    export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
    export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"

https://www.jhipster.tech/security/#oauth2

Slide 34

Slide 34 text

Demos!

Slide 35

Slide 35 text

JHipster with Keycloak

    mkdir blog-oauth2
    cd blog-oauth2
    jhipster jdl blog-oauth2
    docker-compose -f src/main/docker/keycloak.yml up -d
    ./mvnw
    open http://localhost:8080

Slide 36

Slide 36 text

JHipster with Okta CLI

    take blog-oauth2
    jhipster jdl blog-oauth2
    # Install Okta CLI using cli.okta.com
    okta apps create   # select Web > JHipster
    source .okta.env
    ./mvnw
    open http://localhost:8080

Slide 37

Slide 37 text

JHipster with Heroku + Okta

    take blog-oauth2
    jhipster jdl blog-oauth2
    jhipster heroku   # Yes, provision the Okta add-on
    open https://

Slide 38

Slide 38 text

JHipster Tutorials on developer.okta.com/blog
• Better, Faster, Lighter Java with Java 12 and JHipster 6
• Java Microservices with Spring Cloud Config and JHipster
• Mobile Development with Ionic, React Native, and JHipster
• Build a Secure Micronaut and Angular App with JHipster
> https://developer.okta.com/blog/tags/jhipster

Slide 39

Slide 39 text

developer.okta.com/blog @oktadev

Slide 40

Slide 40 text

Thanks! Keep in Touch
raibledesigns.com
@mraible
Presentations: speakerdeck.com/mraible
Code: github.com/oktadeveloper
developer.okta.com

Slide 41

Slide 41 text

developer.okta.com