How to Supercharge AppSec with Spring Security, OpenID Connect, & OAuth2 Mark Heckler Professional Problem Solver, Spring Developer & Advocate www.thehecklers.com [email protected] [email protected] @mkheck

@mkheck www.thehecklers.com Who am I? • Author • Architect & Developer • Java Champion, Rockstar • Professional Problem Solver • Spring Developer & Advocate • Creador y curador de

@mkheck www.thehecklers.com New book! But you can’t buy it yet… DISCLAIMER: artist’s rendition only, not the real cover

@mkheck www.thehecklers.com New book! But you can’t buy it yet… DISCLAIMER: artist’s rendition only, not the real cover

@mkheck www.thehecklers.com Takeaways Foundational security concepts review using Spring Security OSS Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value The roles The grants SHOW ME THE CODE

@mkheck www.thehecklers.com Takeaways Foundational security concepts review using Spring Security OSS Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value The roles The grants SHOW ME THE CODE

@mkheck www.thehecklers.com Takeaways Foundational security concepts review using Spring Security OSS Authentication & Authorization: who’s who in the zoo OpenID Connect & OAuth2: what they do & what’s the value The roles The grants SHOW ME THE CODE

@mkheck www.thehecklers.com 3000 meter view Filter Filter Filter Filter Filter HttpFirewall SecurityFilterChain Request headers

@mkheck www.thehecklers.com 3000 meter view Filter Filter Filter Filter Filter HttpFirewall SecurityFilterChain Request headers Of course, there is more…

@mkheck www.thehecklers.com Spring Security request filtering (simplified) DelegatingFilterProxy SecurityFilterChain Filter 1 Filter 2 Filter 3 Filter n … FilterChainProxy … SecurityFilterChain n User Servlet

@mkheck www.thehecklers.com About those headers… HTTP/1.1 200 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Content-Length: 20 Content-Type: text/plain;charset=UTF-8 Date: Wed, 26 Feb 2020 20:13:58 GMT Expires: 0 Pragma: no-cache Set-Cookie: JSESSIONID=EB199990E5ABA3EA0E1A0B4430EF8E5C; Path=/; HttpOnly X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block

@mkheck www.thehecklers.com Authentication vs. Authorization Who are you? What can you (legitimately) access?

@mkheck www.thehecklers.com Authentication vs. Authorization Who are you? What can you (legitimately) access? (Authentication)

@mkheck www.thehecklers.com Authentication vs. Authorization Who are you? What can you (legitimately) access? (Authentication) (Authorization)

@mkheck www.thehecklers.com Authentication vs. Authorization Who are you? What can you (legitimately) access? (Authentication) (Authorization) OIDC OAuth2

@mkheck www.thehecklers.com Why OpenID Connect & OAuth2? In traditional authentication, the client requests an access-restricted resource on the server by authenticating with the server using the resource owner’s credentials To provide third-party applications (3PAs) access, the resource owner shares credentials with the 3P. This creates several problems: 3PAs store the resource owner’s credentials for future use, typically a password in clear-text Servers must support password authentication, despite the security weaknesses inherent in passwords 3PAs gain overly broad access to the resource owner’s protected resources, removing any ability to restrict duration or access to a limited subset of resources Resource owners cannot revoke access to an individual 3P without revoking access to all third parties, and must do so by changing the 3P’s password Compromise of any 3PA results in compromise of the end-user’s password and all data protected by that password From IETF rfc6749, The OAuth2 Authorization Framework

@mkheck www.thehecklers.com User Agent Authorization code grant Client Resource Owner Authorization Server Email/UID ********************* Resource Server Redirect URI: mysite.com/callback return to mysite.com/callback with authorization code Exchange authorization code for ID token & access token Provide access token with resource request and receive requested resources Client ID: abc123 User authenticates Response type: code

@mkheck www.thehecklers.com Let’s code!

@mkheck www.thehecklers.com Let’s code!

@mkheck www.thehecklers.com

@mkheck www.thehecklers.com Resources https://github.com/mkheck/spring-security-oidc-oauth2 https://github.com/jgrandja/oauth2-protocol-patterns https://spring.io/projects/spring-security

@mkheck www.thehecklers.com Resources https://github.com/mkheck/spring-security-oidc-oauth2 https://github.com/jgrandja/oauth2-protocol-patterns https://spring.io/projects/spring-security Thanks for coming, stay in touch (& secure)!