Securing applications with OAuth2 and OpenID Connect using Spring Security

Thomas Vitale
November 20, 2021

Managing authentication and authorization is a critical task in every well-designed web application or service. OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for both.

In this session, I'll present how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers). I'll cover different patterns for authentication and authorization in a microservices architecture, highlighting the differences when using SPAs like Angular or backend template engines like Thymeleaf. As the authorization server I'll use Keycloak, and I'll show you how to integrate with Spring Boot.

Transcript

  1. Thomas Vitale
    Devoxx Ukraine
    Nov 20th, 2021
    Securing applications
    with OAuth2 and OIDC
    using Spring Security
    @vitalethomas

  2. About Me: Thomas Vitale
    • Senior Software Engineer at Systematic, Denmark.
    • Author of “Cloud Native Spring in Action” (Manning).
    • Spring Security and Spring Cloud contributor.
    thomasvitale.com

  3. Security
    thomasvitale.com @vitalethomas

  4. Access Control

  5. Access Control
    Three Steps
    Identification
    ‣ A user claims an identity
    ‣ e.g. username
    Authentication
    ‣ Verifying the claimed identity
    ‣ e.g. password, token
    Authorization
    ‣ Verifying what the user is allowed to do
    ‣ e.g. roles, permissions

  6. [C4 container diagram: Polar Bookshop (Software System)]
    User [Person]: An employee of the bookshop. Uses the Edge Service.
    Edge Service [Container: Spring Boot]: Provides API gateway and cross-cutting concerns. Uses [REST/HTTP] the Book Service, the Order Service and the Inventory Service.
    Book Service [Container: Spring Boot]: Provides functionality for managing the library books.
    Order Service [Container: Spring Boot]: Provides functionality for managing book orders.
    Inventory Service [Container: Spring Boot]: Provides functionality for managing the bookshop inventory.

  7. Spring Security
    De-facto standard for securing Spring applications
    Authentication
    ‣ Username/password
    ‣ OIDC/OAuth2
    ‣ SAML 2
    Authorization
    ‣ Endpoint
    ‣ Method
    ‣ Object
    Protection against common attacks
    ‣ Session fixation
    ‣ CSRF
    ‣ Content injection

  8. Authentication

  9. [C4 container diagram: Polar Bookshop, same as slide 6]
    User [Person] uses the Edge Service [Container: Spring Boot], which uses [REST/HTTP] the Book Service, Order Service and Inventory Service [Containers: Spring Boot].

  10. [C4 container diagram: Polar Bookshop with an Auth Service]
    Same diagram as slide 6 (User, Edge Service, Book Service, Order Service, Inventory Service), plus:
    Auth Service: the Edge Service delegates authentication to it.
    Open questions:
    Strategy?
    Protocol?
    Data Format?

  11. OpenID Connect
    A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server).

  12. [C4 container diagram: Polar Bookshop with Keycloak]
    Keycloak [Container: Wildfly]: Provides identity and access management. Acts as OAuth2 Authorization Server.
    Edge Service [Container: Spring Boot]: Acts as OAuth2 Client. Delegates authentication to Keycloak and receives an ID Token.
    User, Book Service, Order Service and Inventory Service as on slide 6.
    ID Token (claims shown on the slide):
    {
      "iss": "keycloak",
      "sub": "isabelle",
      "exp": 1626439022
    }

  13. Delegated Access

  14. [C4 container diagram: Polar Bookshop with Keycloak, same as slide 12]
    Keycloak [Container: Wildfly] as OAuth2 Authorization Server; Edge Service [Container: Spring Boot] as OAuth2 Client, delegating authentication to Keycloak; User, Book Service, Order Service and Inventory Service as on slide 6.
    Open questions:
    Security context propagation?
    Authorized access?

  15. OAuth2
    An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user.

  16. [C4 container diagram: Polar Bookshop with Keycloak and Resource Servers]
    Keycloak [Container: Wildfly]: Provides identity and access management. Acts as OAuth2 Authorization Server.
    Edge Service [Container: Spring Boot]: Acts as OAuth2 Client. Delegates authentication to Keycloak and receives an Access Token.
    Book Service, Order Service and Inventory Service [Containers: Spring Boot]: each acts as OAuth2 Resource Server and receives the Access Token from the Edge Service.
    User [Person] as on slide 6.
    Access Token (claims shown on the slide):
    {
      "iss": "keycloak",
      "sub": "isabelle",
      "exp": 1626439022
    }
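    The Resource Server side of this slide, as an added example that is not part of the deck or of the speaker's linked repositories: a Spring Boot service such as Book Service validating the Access Token's "iss" and "exp" claims before serving a request. It assumes Spring Security 5.5 with spring-boot-starter-oauth2-resource-server; the issuer URL, the "book-service" audience and the top-level "roles" claim are assumptions (the latter two would need Keycloak mappers; they are not Keycloak defaults).

```java
// Added example: Book Service as an OAuth2 Resource Server (Spring Security 5.5 era).
// Assumptions: the issuer URL is a placeholder, and the realm issues access tokens with
// an "aud" value of "book-service" and a top-level "roles" claim (both via Keycloak mappers).
package com.polarbookshop.bookservice.config;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Placeholder issuer: the "iss" claim of every accepted token must equal this value.
    private static final String ISSUER = "http://localhost:8080/auth/realms/PolarBookshop";
    // Assumed audience value; rejects tokens minted for another service.
    private static final String EXPECTED_AUDIENCE = "book-service";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                // A resource server is stateless: no session cookie, so no CSRF token either.
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .authorizeRequests(auth -> auth
                        .mvcMatchers(HttpMethod.GET, "/books/**").permitAll()
                        .anyRequest().hasRole("employee"))
                // Expect "Authorization: Bearer <access token>" and validate it as a signed JWT.
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
                .build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Fetches the signing keys (JWKS) advertised in the issuer's OIDC discovery document.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // Default checks: "exp"/"nbf" timestamps plus "iss" equal to ISSUER.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Extra check: the "aud" claim must name this service.
        OAuth2TokenValidator<Jwt> audience = token ->
                token.getAudience() != null && token.getAudience().contains(EXPECTED_AUDIENCE)
                        ? OAuth2TokenValidatorResult.success()
                        : OAuth2TokenValidatorResult.failure(
                                new OAuth2Error("invalid_token", "Required audience missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }

    // Turns the assumed "roles" claim into ROLE_* authorities so that hasRole("employee") matches.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<String> roles = jwt.getClaimAsStringList("roles");
            if (roles == null) {
                return Collections.emptyList();
            }
            Collection<GrantedAuthority> authorities = roles.stream()
                    .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                    .collect(Collectors.toList());
            return authorities;
        });
        return converter;
    }
}
```

    A token whose "iss" differs from the configured issuer, whose "exp" lies in the past, or whose signature does not verify against the issuer's published keys is rejected with a 401 before any controller runs; the audience check is the one addition beyond the claims shown on the slide.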

  17. Token Relay
    [Sequence diagram: OAuth2 token relay]
    Browser -> Edge Service: Session Cookie
    Edge Service keeps a mapping Session -> Access Token
    Edge Service -> Book Service (Resource Server): Access Token
    Edge Service -> the other Resource Servers: Access Token
    OAuth2
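    The relay on this slide as added example code, not the speaker's own code from the linked repositories: the Edge Service logs the user in as an OAuth2 Client, keeps the Access Token in the server-side session, and forwards it as a bearer token to the Book Service route. It assumes Spring Cloud Gateway 3.0 with spring-boot-starter-oauth2-client, a client registration named "keycloak" in application.yml (client-id, client-secret, scope "openid", provider issuer-uri), and a placeholder Book Service hostname.

```java
// Added example: Edge Service as an OAuth2 Client with token relay (Spring Cloud Gateway 3.0 era).
// Assumptions: a "keycloak" client registration exists in application.yml; "book-service:9001"
// is a placeholder for the Book Service address.
package com.polarbookshop.edgeservice.config;

import org.springframework.cloud.gateway.filter.factory.TokenRelayGatewayFilterFactory;
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.WebSessionServerOAuth2AuthorizedClientRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchange -> exchange.anyExchange().authenticated())
                // OIDC login (Authorization Code flow) against the "keycloak" registration.
                // Keycloak hands the ID Token and Access Token to the Edge Service, never to the
                // browser: the browser only ever holds the SESSION cookie.
                // CSRF protection stays enabled (default), since the gateway is session-based.
                .oauth2Login(Customizer.withDefaults())
                .build();
    }

    // The Session -> Access Token mapping from the slide: the authorized client (with its tokens)
    // is stored server-side in the WebSession. This is the auto-configured default, declared
    // explicitly here to make the mapping visible.
    @Bean
    ServerOAuth2AuthorizedClientRepository authorizedClientRepository() {
        return new WebSessionServerOAuth2AuthorizedClientRepository();
    }

    // TokenRelay looks up the authorized client for the current session and forwards the request
    // downstream with "Authorization: Bearer <access token>" (the session cookie is not forwarded).
    @Bean
    RouteLocator routes(RouteLocatorBuilder builder, TokenRelayGatewayFilterFactory tokenRelay) {
        return builder.routes()
                .route("book-service", r -> r.path("/books/**")
                        .filters(f -> f.filter(tokenRelay.apply()))
                        .uri("http://book-service:9001"))
                .build();
    }
}
```

    The same relay can be applied to every route with `spring.cloud.gateway.default-filters: - TokenRelay` in application.yml instead of the Java route definition; the Java form is used here so that the session-to-token mapping and the relay sit side by side.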

  18. SPA

  19. Authorization

  20. (no slide text)

  21. Securing applications
    with OAuth2 and OIDC
    using Spring Security
    https://github.com/ThomasVitale/securing-apps-oauth2-oidc-spring-security-devoxx-ua-2021
    https://github.com/ThomasVitale/spring-security-examples