Slide 1

Slide 1 text

Thomas Vitale Devoxx Ukraine Nov 20th, 2021 Securing applications with OAuth2 and OIDC using Spring Security @vitalethomas

Slide 2

Slide 2 text

Thomas Vitale • Senior Software Engineer at Systematic, Denmark. • Author of “Cloud Native Spring in Action” (Manning). • Spring Security and Spring Cloud contributor. About Me thomasvitale.com

Slide 3

Slide 3 text

Security thomasvitale.com @vitalethomas

Slide 4

Slide 4 text

Access Control thomasvitale.com @vitalethomas

Slide 5

Slide 5 text

Access Control thomasvitale.com @vitalethomas Three Steps Identi fi cation ‣A user claims an identity ‣e.g. username Authentication ‣ Verifying the claimed identity ‣e.g. password, token Authorization ‣Verifying what the user is allowed to do ‣e.g. roles, permissions

Slide 6

Slide 6 text

,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@

Slide 7

Slide 7 text

Spring Security thomasvitale.com @vitalethomas De-facto standard for securing Spring applications Authentication ‣Username/password ‣OIDC/OAuth2 ‣SAML 2 Authorization ‣Endpoint ‣Method ‣Object Protection against common attacks ‣Session fi xation ‣CSRF ‣Content injection

Slide 8

Slide 8 text

Authentication thomasvitale.com @vitalethomas

Slide 9

Slide 9 text

,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@

Slide 10

Slide 10 text

,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ $XWK6HUYLFH 'HOHJDWHVDXWKHQWLFDWLRQWR Strategy ? Protocol? Data Format?

Slide 11

Slide 11 text

OpenID Connect A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas

Slide 12

Slide 12 text

.H\FORDN >&RQWDLQHU:LOGIO\@ 3URYLGHVLGHQWLW\DQG DFFHVVPDQDJHPHQW ,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ 'HOHJDWHVDXWKHQWLFDWLRQWR 2$XWK&OLHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token

Slide 13

Slide 13 text

Delegated Access thomasvitale.com @vitalethomas

Slide 14

Slide 14 text

.H\FORDN >&RQWDLQHU:LOGIO\@ 3URYLGHVLGHQWLW\DQG DFFHVVPDQDJHPHQW ,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ 'HOHJDWHVDXWKHQWLFDWLRQWR 2$XWK&OLHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV Security context propagation ? Authorized access?

Slide 15

Slide 15 text

OAuth2 An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas

Slide 16

Slide 16 text

.H\FORDN >&RQWDLQHU:LOGIO\@ 3URYLGHVLGHQWLW\DQG DFFHVVPDQDJHPHQW ,QYHQWRU\6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHERRNVKRS LQYHQWRU\ 2UGHU6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJERRNRUGHUV 3RODU%RRNVKRS >6RIWZDUH6\VWHP@ 8VHV >5(67+773@ 8VHV >5(67+773@ (GJH6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHV$3,JDWHZD\DQG FURVVFXWWLQJFRQFHUQV 8VHU >3HUVRQ@ $QHPSOR\HHRIWKH ERRNVKRS 8VHV %RRN6HUYLFH >&RQWDLQHU6SULQJ%RRW@ 3URYLGHVIXQFWLRQDOLW\IRU PDQDJLQJWKHOLEUDU\ERRNV 8VHV >5(67+773@ 'HOHJDWHVDXWKHQWLFDWLRQWR 2$XWK&OLHQW 2$XWK$XWKRUL]DWLRQ6HUYHU 8VHV 2$XWK5HVRXUFH6HUYHU 2$XWK5HVRXUFH6HUYHU 2$XWK5HVRXUFH6HUYHU { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token

Slide 17

Slide 17 text

Token Relay thomasvitale.com @vitalethomas %URZVHU (GJH6HUYLFH %RRN 6HUYLFH $FFHVV7RNHQ 6HVVLRQ&RRNLH 5HVRXUFH 6HUYHU $FFHVV7RNHQ 5HVRXUFH 6HUYHU $FFHVV7RNHQ .HHSVPDSSLQJ 6HVVLRQ!$FFHVV7RNHQ OAuth2

Slide 18

Slide 18 text

SPA thomasvitale.com @vitalethomas

Slide 19

Slide 19 text

Authorization thomasvitale.com @vitalethomas

Slide 20

Slide 20 text

thomasvitale.com @vitalethomas

Slide 21

Slide 21 text

Securing applications with OAuth2 and OIDC using Spring Security https://github.com/ThomasVitale/securing-apps-oauth2-oidc-spring-security-devoxx-ua-2021 https://github.com/ThomasVitale/spring-security-examples thomasvitale.com @vitalethomas