Slide 1

Securing Spring Boot Microservices with OAuth and OpenID Connect
Deepu K Sasidharan

Slide 2

@oktaDev | @deepu105 | deepu.tech

Hi, I'm Deepu K Sasidharan
➔ JHipster co-chair
➔ Java Champion
➔ Creator of KDash, JDL Studio, JWT UI
➔ Developer Advocate @ Okta
➔ OSS aficionado, polyglot dev, author, speaker

@deepu105@mastodon.social | deepu.tech | @deepu105 | deepu05

Slide 3

Agenda
● OAuth2 & OIDC crash course (15 mins)
● Workshop labs (60 mins)
● Bonus labs (15 mins)

Slide 4

a0.to/spring-boot

Slide 5

OAuth2 and OpenID Connect
A crash course

Slide 6

OAuth 2 crash course

Slide 7

Authorization
Process of determining whether a user has the necessary permissions to access a resource.
OAuth 2.0 is the industry-standard protocol for delegated authorization.

Slide 8

System Roles
● Resource Owner → End user
● Resource Server → API server
● Client → System requesting access
● Authorization Server → Authenticates and issues tokens

Slide 9

Tokens
● Access Token → Authorization to access a resource
● Authorization Code → Short-lived token used to obtain an access token
● Refresh Token → Long-lived token used to obtain new access tokens

Slide 10

● Claim → Key-value pair asserting a piece of user information
● Scope → Group of claims or permissions limiting access

Slide 11

OAuth 2.0 Grants
● Authorization Code Grant → Exchange authorization code for access token (secure clients)
● Implicit Grant → Get access token directly (SPA, native apps)
● Client Credentials Grant → Access token without user interaction (confidential clients)
● Resource Owner Password Credentials Grant → Access token using user credentials (trusted clients)

Slide 12

OAuth 2.1 Grants
● Authorization Code Grant with PKCE → Exchange authorization code for access token (secure clients, SPAs, native apps)
● Client Credentials Grant → Access token without user interaction (confidential clients)

Slide 13

Other Grants
● Refresh Token Grant → Exchange refresh token for access token
● Extension Grants → Device Authorization Grant, Token Exchange Grant, etc.

Slide 14

Authorization Code Grant Flow (Not recommended)

Authorization request
{ client_id, response_type=code, redirect_uri=..., scope, state, etc }

Token request
{ client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc }

Slide 15

Authorization Code Grant Flow with PKCE

Authorization request
{ client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc }

Token request
{ client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }

Slide 16

Implicit Grant Flow (Not recommended)

Authorization request
{ client_id, response_type=token, redirect_uri=..., scope, state, etc }

Token request
NA

Slide 17

Client Credentials Grant Flow

Authorization request
NA

Token request
{ client_id, client_secret, grant_type=client_credentials }

Slide 18

Resource Owner Password Credentials Grant Flow (Not recommended)

Authorization request
NA

Token request
{ client_id, client_secret, username, password, grant_type=password }

Slide 19

Refresh Token Grant Flow

Authorization request
NA

Token request
{ client_id, client_secret, refresh_token, grant_type=refresh_token }

Slide 20

OpenID Connect crash course

Slide 21

Authentication
Process of verifying the identity of a user.
OAuth lacked a standard way to authenticate users. OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework.

Slide 22

OIDC using Authorization Code Grant Flow with PKCE

Authorization request
{ client_id, response_type=code, redirect_uri=..., code_challenge, scope='openid, ...', state, etc }

Token request
{ client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
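The PKCE binding used on slides 15 and 22, as an added example that is not part of the original deck: the client derives code_challenge from a random code_verifier, and a toy authorization server (the AuthorizationServer class and its authorize/token methods are illustrative, not a real library) stores the challenge with the issued code and releases tokens only when the verifier presented at the token endpoint matches, the code has not been used before, and client_id and redirect_uri are the ones bound at authorization time.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a fresh high-entropy secret, 43-128 chars of [A-Za-z0-9-._~]."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256 (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (illustrative only): remembers the challenge bound to each code."""

    def __init__(self) -> None:
        # authorization_code -> (client_id, code_challenge, redirect_uri, scope)
        self._codes = {}

    def authorize(self, client_id: str, redirect_uri: str, scope: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization request: issue a single-use code bound to the client's challenge."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection if the request leaks")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, redirect_uri, scope)
        return code

    def token(self, client_id: str, code: str, code_verifier: str, redirect_uri: str):
        """Token request: release tokens only to the party that made the authorization request."""
        record = self._codes.pop(code, None)  # pop: a code is valid exactly once
        if record is None:
            return None
        bound_client, bound_challenge, bound_redirect, scope = record
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), bound_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": scope}
```

Because the verifier never travels in the authorization request, a captured authorization code alone cannot be exchanged for a token, which is why PKCE removes the need for client_secret on public clients.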

Slide 23

Pre-Requisites

Slide 24

● IntelliJ IDEA or Eclipse
● Java 17+ (SDKMAN)
● Docker and Docker Compose
● Bash/ZSH or PowerShell 5+

Slide 25

● Auth0 Account
● Install Auth0 CLI

Slide 26

Chapters
● Part 1: Create an API server secured with OAuth2
● Part 2: Create a webapp secured with OIDC
● Part 3: Enable RBAC
● Part 4: Create a discovery service and complete the microservices

Slide 27

Bonus
● Move beyond passwords with passkeys
● Using Keycloak with Okta starter

Slide 28

Part 1: Create a car service secured with OAuth2
This will be the API resource server for the microservices.

Slide 29

Part 2: Create a web app secured with OIDC
This will be the API gateway for the microservices.

Slide 30

Part 3: Enable RBAC

Slide 31

Part 4: Create a discovery service and microservice architecture
With this we complete the simple microservice architecture.

Slide 32

Bonus 1: Use passkeys
Enable passkeys for logging in.

Slide 33

Bonus 2: Use Keycloak
Use Keycloak with the Okta Spring Boot Starter for offline support.

Slide 34

Authorization | Authentication | Security
Single Sign-On | Adaptive Multi-Factor Authentication | Universal Login | Passwordless | Bot Detection & Prevention | Security Center | Breached Password Detection | Brute Force Protection | FGA

How we can help:
Try Free Today: Free Plan (forever), $0. Up to 7,500 monthly active users. Unlimited user logins. Includes passkeys support*. No credit card required.
Special Plans for Startups & Nonprofits

Plans for Everyone
● B2C: your users are consumers
● B2B: your users are businesses or a mix of businesses and consumers
● Enterprise: Best for production applications that need to scale - Contact Us

Make login our problem. Not yours.
a0.to/plg_signup

Slide 35

Thank You
Subscribe to our newsletter: a0.to/nl-signup/java
Try our free Spring Boot + Passkeys workshop: a0.to/spring-boot