Thomas Vitale Star of Java Oct 13th, 2022 Securing Java apps with OAuth2, OIDC and Spring Security @vitalethomas

Systematic • Software Architect at Systematic, Denmark. • Author of “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas

Security thomasvitale.com @vitalethomas

Access Control thomasvitale.com @vitalethomas

Access Control Three Steps Identi fi cation ‣A user claims an identity ‣e.g. username Authentication ‣ Verifying the claimed identity ‣e.g. password, token Authorization ‣Verifying what the user is allowed to do ‣e.g. roles, permissions thomasvitale.com @vitalethomas

Inventory Service [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]

Spring Security De-facto standard for securing Spring applications Authentication ‣Username/password ‣OIDC/OAuth2 ‣SAML 2 Authorization ‣Endpoint ‣Method ‣Object Protection against common attacks ‣Session fi xation ‣CSRF ‣Content injection thomasvitale.com @vitalethomas

Authentication thomasvitale.com @vitalethomas

Inventory Service [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]

Inventory Service [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Auth Service Delegates authentication to Strategy ? Protocol? Data Format?

OpenID Connect A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas

Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token

Delegated Access thomasvitale.com @vitalethomas

Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses Security context propagation ? Authorized access?

OAuth2 An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas

Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses OAuth2 Resource Server OAuth2 Resource Server OAuth2 Resource Server { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token

Token Relay Browser Edge Service Book Service Access Token Session Cookie Resource Server Access Token Resource Server Access Token Keeps mapping Session <---> Access Token OAuth2 thomasvitale.com @vitalethomas

SPA thomasvitale.com @vitalethomas

Authorization thomasvitale.com @vitalethomas

thomasvitale.com @vitalethomas

Discount codes Manning • 35% discount code, valid for all products in all format • ctwgotocph22 • manning.com thomasvitale.com @vitalethomas

Thomas Vitale Star of Java Oct 13th, 2022 Securing Java apps with OAuth2, OIDC and Spring Security @vitalethomas https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security https://github.com/ThomasVitale/spring-security-examples