Thomas Vitale
Star of Java
Oct 13th, 2022
Securing Java apps
with OAuth2, OIDC
and Spring Security
@vitalethomas
Slide 2
Systematic
• Software Architect at Systematic, Denmark.
• Author of "Cloud Native Spring in Action" (Manning).
• OSS contributor (Java, Spring, Cloud Native Technologies)
Thomas Vitale
thomasvitale.com @vitalethomas
Slide 3
Security
Slide 4
Access Control
Slide 5
Access Control: Three Steps
Identification
‣ A user claims an identity
‣ e.g. username
Authentication
‣ Verifying the claimed identity
‣ e.g. password, token
Authorization
‣ Verifying what the user is allowed to do
‣ e.g. roles, permissions
Slide 6
[C4 container diagram of the Polar Bookshop software system]
User [Person]: An employee of the bookshop. Uses the Edge Service.
Edge Service [Container: Spring Boot]: Provides API gateway and cross-cutting concerns. Uses the three services below [REST/HTTP].
Book Service [Container: Spring Boot]: Provides functionality for managing the library books.
Order Service [Container: Spring Boot]: Provides functionality for managing book orders.
Inventory Service [Container: Spring Boot]: Provides functionality for managing the bookshop inventory.
Slide 7
Spring Security
De-facto standard for securing Spring applications
Authentication
‣ Username/password
‣ OIDC/OAuth2
‣ SAML 2
Authorization
‣ Endpoint
‣ Method
‣ Object
Protection against common attacks
‣ Session fixation
‣ CSRF
‣ Content injection
Slide 8
Authentication
Slide 9
[C4 container diagram: the Polar Bookshop system from slide 6, unchanged (User, Edge Service, Book Service, Order Service, Inventory Service)]
Slide 10
[C4 container diagram: the Polar Bookshop system from slide 6, plus an Auth Service]
Edge Service: Delegates authentication to Auth Service
Open questions: Strategy? Protocol? Data Format?
Slide 11
OpenID Connect
A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server).
Slide 12
[C4 container diagram: the Polar Bookshop system from slide 6, plus Keycloak]
Keycloak [Container: Wildfly]: Provides identity and access management. Role: OAuth2 Authorization Server.
Edge Service: OAuth2 Client. Delegates authentication to Keycloak and receives an ID Token.
User: Uses Keycloak.
ID Token (claims shown on the slide):
{
  "iss": "keycloak",
  "sub": "isabelle",
  "exp": 1626439022
}
Slide 13
Delegated Access
Slide 14
[C4 container diagram: the Polar Bookshop system with Keycloak, as on slide 12]
Keycloak: OAuth2 Authorization Server. Edge Service: OAuth2 Client, delegates authentication to Keycloak. User: Uses Keycloak.
Open questions: Security context propagation? Authorized access?
Slide 15
OAuth2
An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user.
Slide 16
[C4 container diagram: the Polar Bookshop system with Keycloak, as on slide 12]
Keycloak: OAuth2 Authorization Server. Edge Service: OAuth2 Client, delegates authentication to Keycloak. User: Uses Keycloak.
Book Service, Order Service, Inventory Service: OAuth2 Resource Servers.
Access Token (claims shown on the slide), issued by Keycloak and sent from the Edge Service to the Resource Servers:
{
  "iss": "keycloak",
  "sub": "isabelle",
  "exp": 1626439022
}
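Added example (not code from the talk or from the Polar Bookshop project): how a service such as Book Service acts as the OAuth2 Resource Server shown above, validating the access token's signature and its `iss`, `exp` and `aud` claims before applying the endpoint-level and method-level authorization listed on slide 7. It assumes Spring Boot 2.7 / Spring Security 5.7 on the servlet stack, the hypothetical `polar.keycloak.*` properties named in the comments, a `roles` claim in the token (Keycloak needs a protocol mapper to emit it) and an audience value of `book-service`; package and class names are placeholders.

```java
// Book Service as OAuth2 Resource Server (added example, not the talk's code).
// Assumed properties (hypothetical names and values):
//   polar.keycloak.issuer-uri=http://localhost:8080/realms/PolarBookshop
//   polar.keycloak.jwk-set-uri=${polar.keycloak.issuer-uri}/protocol/openid-connect/certs
package com.polarbookshop.bookservice.config; // placeholder package

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize (method-level authorization)
public class SecurityConfig {

    @Value("${polar.keycloak.issuer-uri}")
    private String issuerUri;

    @Value("${polar.keycloak.jwk-set-uri}")
    private String jwkSetUri;

    // Endpoint-level authorization: the catalog is readable by anyone,
    // every other request needs a valid access token carrying the "employee" role.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(authorize -> authorize
                .mvcMatchers(HttpMethod.GET, "/", "/books/**").permitAll()
                .anyRequest().hasRole("employee"))
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
            // A bearer token arrives on every request, so no HTTP session is kept ...
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // ... and with no session cookie there is no CSRF surface to protect.
            .csrf(AbstractHttpConfigurer::disable)
            .build();
    }

    // Decoder: verifies the signature against the Authorization Server's JWK set,
    // runs the default timestamp ("exp"/"nbf") and "iss" checks, and adds an explicit "aud" check
    // so a token minted for another resource server is rejected here.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains("book-service")); // assumed audience
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }

    // Maps the "roles" claim (assumed to be emitted by a Keycloak mapper) to ROLE_* authorities.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthorityPrefix("ROLE_");
        authorities.setAuthoritiesClaimName("roles");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

// Method-level authorization on top of the endpoint rules (hypothetical service class).
@Service
class BookAdminService {
    @PreAuthorize("hasRole('employee')")
    public void removeBook(String isbn) {
        // delete the book from the catalog (omitted)
    }
}
```

The `JwtDecoder` bean replaces the one Spring Boot would auto-configure, which is why the issuer and JWK set URIs are read from the hypothetical `polar.keycloak.*` properties; dropping the audience validator and using `spring.security.oauth2.resourceserver.jwt.issuer-uri` instead gives the default behaviour, which checks `iss` and `exp` but not `aud`.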
Slide 17
Token Relay (OAuth2)
[Sequence diagram: Browser -> Edge Service -> Book Service (Resource Server) and the other Resource Servers]
‣ Browser <-> Edge Service: Session Cookie
‣ Edge Service keeps the mapping Session <---> Access Token
‣ Edge Service -> each Resource Server: Access Token
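Added example (not the talk's or the project's code) of the two Edge Service responsibilities shown on slides 12 and 17: logging users in through Keycloak with OpenID Connect, and relaying the resulting access token to the downstream resource servers in place of the session cookie. It assumes Spring Boot 2.7 / Spring Security 5.7 with Spring Cloud Gateway 3.1 (reactive stack), the client registration properties listed in the comments, and that the `tokenRelay()` route filter is available in the gateway's Java DSL (the Java-DSL form of the `TokenRelay=` filter used in YAML route config); package names, the downstream host and the `book-service` route are placeholders.

```java
// Edge Service: OIDC login + token relay (added example, not the talk's code).
// Assumed client registration (hypothetical values):
//   spring.security.oauth2.client.registration.keycloak.client-id=edge-service
//   spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.keycloak.scope=openid,roles
//   spring.security.oauth2.client.provider.keycloak.issuer-uri=http://localhost:8080/realms/PolarBookshop
package com.polarbookshop.edgeservice.config; // placeholder package

import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // The gateway is the OAuth2 Client. Unauthenticated users are sent to Keycloak
    // (Authorization Code flow); the ID Token tells the gateway who they are (OIDC) and the
    // access token is kept in the WebSession, which is what the browser's Session Cookie refers to.
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
                                                     ReactiveClientRegistrationRepository registrations) {
        return http
            .authorizeExchange(exchange -> exchange
                .pathMatchers("/", "/*.css", "/*.js", "/favicon.ico").permitAll()
                .pathMatchers(HttpMethod.GET, "/books/**").permitAll()
                .anyExchange().authenticated())
            // Answer XHR calls from a browser client with 401 instead of a login redirect
            .exceptionHandling(handling -> handling
                .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessHandler(oidcLogoutSuccessHandler(registrations)))
            // CSRF protection stays enabled: this is a session-based, cookie-authenticated client
            .build();
    }

    // RP-Initiated Logout: end the Keycloak session too, not only the gateway session,
    // otherwise the next request would silently log the user back in.
    private ServerLogoutSuccessHandler oidcLogoutSuccessHandler(
            ReactiveClientRegistrationRepository registrations) {
        var handler = new OidcClientInitiatedServerLogoutSuccessHandler(registrations);
        handler.setPostLogoutRedirectUri("{baseUrl}");
        return handler;
    }

    // Token relay: on the way downstream the session cookie is dropped and the user's access token
    // is sent as "Authorization: Bearer ..." instead, so Book Service never sees the session.
    @Bean
    RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
            .route("book-service", route -> route.path("/books/**")
                .filters(filters -> filters.tokenRelay())
                .uri("http://book-service:9001")) // placeholder host
            .build();
    }
}
```

With `oauth2Login` on the reactive stack the authorized client (access token included) is stored by the default `WebSessionServerOAuth2AuthorizedClientRepository`, which is the "Session <---> Access Token" mapping on the slide; the `TokenRelay` filter reads it from there and refreshes the access token when a refresh token is available.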
Slide 18
SPA
Slide 19
Authorization
Slide 20
[image-only slide, no text]
Slide 21
Discount codes
Manning
• 35% discount code, valid for all products in all formats
• ctwgotocph22
• manning.com
Slide 22
Thomas Vitale
Star of Java
Oct 13th, 2022
Securing Java apps with OAuth2, OIDC and Spring Security
@vitalethomas
https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security
https://github.com/ThomasVitale/spring-security-examples