Slide 1

How to Supercharge AppSec with Spring Security, OpenID Connect, & OAuth2
Mark Heckler, Professional Problem Solver, Spring Developer & Advocate
www.thehecklers.com | [email protected] | [email protected] | @mkheck

Slide 2

@mkheck www.thehecklers.com
Who am I?
• Author
• Architect & Developer
• Java Champion, Rockstar
• Professional Problem Solver
• Spring Developer & Advocate
• Creator and curator of

Slides 3-4

New book! But you can’t buy it yet…
DISCLAIMER: artist’s rendition only, not the real cover

Slides 5-7

Takeaways
• Foundational security concepts review using Spring Security OSS
• Authentication & Authorization: who’s who in the zoo
• OpenID Connect & OAuth2: what they do & what’s the value
  • The roles
  • The grants
• SHOW ME THE CODE

Slides 8-9

3000 meter view (diagram labels)
• Request headers
• HttpFirewall
• SecurityFilterChain: Filter → Filter → Filter → Filter → Filter
Of course, there is more…

Slide 10

Spring Security request filtering (simplified)
User → DelegatingFilterProxy → FilterChainProxy → SecurityFilterChain [Filter 1 → Filter 2 → Filter 3 → … → Filter n] … SecurityFilterChain n → Servlet

Slide 11

About those headers…
HTTP/1.1 200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 20
Content-Type: text/plain;charset=UTF-8
Date: Wed, 26 Feb 2020 20:13:58 GMT
Expires: 0
Pragma: no-cache
Set-Cookie: JSESSIONID=EB199990E5ABA3EA0E1A0B4430EF8E5C; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
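
The header set above is what Spring Security writes by default; a quick way to see what each one buys you, and what is still missing, is to audit the response. This is an added example (not code from the talk or from Spring Security): it parses the slide's response, constructed here as a string, and grades it against expectations that are this example's own.

```python
from email.parser import Parser

# Constructed copy of the response shown on the slide (Spring Security's default header set).
SAMPLE_RESPONSE = """HTTP/1.1 200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 20
Content-Type: text/plain;charset=UTF-8
Date: Wed, 26 Feb 2020 20:13:58 GMT
Expires: 0
Pragma: no-cache
Set-Cookie: JSESSIONID=EB199990E5ABA3EA0E1A0B4430EF8E5C; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""

def parse_response(raw):
    """Split a raw HTTP response into its status line and a case-insensitive header map."""
    status, _, rest = raw.partition("\n")
    return status.strip(), Parser().parsestr(rest, headersonly=True)

def audit(raw):
    """Map each check to (passed, note). The expectations are this example's own."""
    _, h = parse_response(raw)
    cache = {v.strip().lower() for v in h.get("Cache-Control", "").split(",")}
    session = [c for c in (h.get_all("Set-Cookie") or []) if c.startswith("JSESSIONID=")]
    flags = [{p.strip().lower() for p in c.split(";")[1:]} for c in session]
    return {
        "nosniff": (h.get("X-Content-Type-Options", "").lower() == "nosniff",
                    "X-Content-Type-Options: nosniff stops MIME sniffing"),
        "framing": (h.get("X-Frame-Options", "").upper() in ("DENY", "SAMEORIGIN"),
                    "X-Frame-Options limits clickjacking"),
        "no_store": ("no-store" in cache, "authenticated responses must not be cached"),
        "session_httponly": (all("httponly" in f for f in flags),
                             "JSESSIONID must be unreadable from script"),
        "session_secure": (all("secure" in f for f in flags),
                           "JSESSIONID should carry Secure when served over TLS"),
        "hsts": ("Strict-Transport-Security" in h,
                 "HSTS is absent; Spring Security adds it only on HTTPS requests"),
    }

def failures(raw):
    """Names of the checks that did not pass, for a quick gate in a test or CI job."""
    return sorted(name for name, (ok, _) in audit(raw).items() if not ok)
```

On the slide's response the two failing checks are the missing Secure flag and the missing HSTS header, both of which appear once the app is served over TLS.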

Slides 12-15

Authentication vs. Authorization
Who are you? (Authentication) → OIDC
What can you (legitimately) access? (Authorization) → OAuth2

Slide 16

Why OpenID Connect & OAuth2?
In traditional authentication, the client requests an access-restricted resource on the server by authenticating with the server using the resource owner’s credentials. To provide third-party applications (3PAs) access, the resource owner shares credentials with the 3P. This creates several problems:
• 3PAs store the resource owner’s credentials for future use, typically a password in clear-text
• Servers must support password authentication, despite the security weaknesses inherent in passwords
• 3PAs gain overly broad access to the resource owner’s protected resources, removing any ability to restrict duration or access to a limited subset of resources
• Resource owners cannot revoke access to an individual 3P without revoking access to all third parties, and must do so by changing the 3P’s password
• Compromise of any 3PA results in compromise of the end-user’s password and all data protected by that password
From IETF RFC 6749, The OAuth 2.0 Authorization Framework

Slide 17

Authorization code grant (diagram)
Actors: Resource Owner, User Agent, Client, Authorization Server, Resource Server
1. Client sends the user agent to the authorization server with Client ID: abc123, Response type: code, Redirect URI: mysite.com/callback
2. User authenticates (Email/UID, *********************)
3. Authorization server returns to mysite.com/callback with authorization code
4. Client exchanges authorization code for ID token & access token
5. Client provides access token with resource request and receives requested resources
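
The grant on the slide, played out end to end as an added example (plain Python, not the talk's Spring code): the client ID, redirect URI and callback come from the slide; the in-memory authorization server, the user "alice" and the token values are constructed for illustration and stand in for real HTTP endpoints. The checks that make the grant safe are the ones the slide's arrows imply but do not spell out: the redirect URI must match the registered one, the code is single-use and bound to the client that requested it, and the callback is accepted only for a login this client started (the state value).

```python
import secrets
import time

class AuthorizationServer:  # also plays the resource server, for brevity
    def __init__(self):
        self.clients = {"abc123": "https://mysite.com/callback"}  # registered redirect URI
        self.codes = {}   # code -> (client_id, redirect_uri, user, expiry); single use
        self.tokens = {}  # access token -> user
    def authorize(self, client_id, redirect_uri, response_type, user):
        """Front channel: the user has just authenticated; mint a short-lived code."""
        if response_type != "code" or self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + 60)
        return code

    def token(self, code, client_id, redirect_uri):
        """Back channel: the code is exchanged once, by the client it was issued to."""
        bound = self.codes.pop(code, None)  # pop: a replayed code fails here
        if bound is None or bound[:2] != (client_id, redirect_uri) or bound[3] < time.time():
            raise PermissionError("invalid, expired or reused code")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = bound[2]
        return {"access_token": access, "id_token": {"sub": bound[2], "aud": client_id}}

    def resource(self, access_token):  # resource server: no valid token, no data
        if access_token not in self.tokens:
            raise PermissionError("invalid access token")
        return f"profile of {self.tokens[access_token]}"

class Client:
    CLIENT_ID, REDIRECT_URI = "abc123", "https://mysite.com/callback"
    def __init__(self, auth_server):
        self.auth_server, self.pending = auth_server, set()  # outstanding state values
    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the callback to this login attempt
        self.pending.add(state)
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI,
                "response_type": "code", "state": state}
    def callback(self, code, state):  # mysite.com/callback
        if state not in self.pending:  # unsolicited or forged callback
            raise PermissionError("state mismatch")
        self.pending.discard(state)
        return self.auth_server.token(code, self.CLIENT_ID, self.REDIRECT_URI)

def run_flow(auth, client, user):
    """Happy path: request -> user login -> code -> tokens -> protected resource."""
    req = client.start_login()
    code = auth.authorize(req["client_id"], req["redirect_uri"], req["response_type"], user)
    return auth.resource(client.callback(code, req["state"])["access_token"])
```

The ID token here is a bare dict; a real OIDC provider signs it as a JWT and the client verifies the signature, issuer, audience and expiry before trusting the sub claim.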

Slides 18-19

Let’s code!

Slides 21-22

Resources
https://github.com/mkheck/spring-security-oidc-oauth2
https://github.com/jgrandja/oauth2-protocol-patterns
https://spring.io/projects/spring-security
Thanks for coming, stay in touch (& secure)!