
Securing applications with OAuth2 and OpenID Connect using Spring Security

Thomas Vitale
November 20, 2021

Managing authentication and authorization is a critical task in every well-designed web application or service. OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for it.

In this session, I'll present how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers). I'll cover different patterns for authentication and authorization in a microservices architecture, highlighting the differences when using SPAs like Angular or backend template engines like Thymeleaf. As the authorization server I'll use Keycloak, and I'll show you how to integrate with Spring Boot.


Transcript

  1. Securing applications with OAuth2 and OIDC using Spring Security
    Thomas Vitale, Devoxx Ukraine, Nov 20th, 2021
    @vitalethomas

  2. About Me (Thomas Vitale)
    • Senior Software Engineer at Systematic, Denmark.
    • Author of “Cloud Native Spring in Action” (Manning).
    • Spring Security and Spring Cloud contributor.
    thomasvitale.com

  3. Security
    thomasvitale.com @vitalethomas

  4. Access Control

  5. Access Control: Three Steps
    Identification
    ‣ A user claims an identity
    ‣ e.g. username
    Authentication
    ‣ Verifying the claimed identity
    ‣ e.g. password, token
    Authorization
    ‣ Verifying what the user is allowed to do
    ‣ e.g. roles, permissions

  6. [Diagram: Polar Bookshop (software system). A User (person: an employee of the bookshop) uses Edge Service (container: Spring Boot; provides API gateway and cross-cutting concerns), which uses Book Service (managing the library books), Order Service (managing book orders) and Inventory Service (managing the bookshop inventory), all Spring Boot containers, over REST.]

  7. Spring Security
    De-facto standard for securing Spring applications
    Authentication
    ‣ Username/password
    ‣ OIDC/OAuth2
    ‣ SAML 2
    Authorization
    ‣ Endpoint
    ‣ Method
    ‣ Object
    Protection against common attacks
    ‣ Session fixation
    ‣ CSRF
    ‣ Content injection

  8. Authentication

  9. [Diagram: the same Polar Bookshop system diagram as slide 6.]

  10. [Diagram: the Polar Bookshop system from slide 6, with Edge Service delegating authentication to an Auth Service.]
    Strategy? Protocol? Data Format?

  11. OpenID Connect
    A protocol built on top of OAuth2 that enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server).

  12. [Diagram: the Polar Bookshop system from slide 6 plus Keycloak (container: WildFly; provides identity and access management). Edge Service acts as OAuth2 Client and delegates authentication to Keycloak, the OAuth2 Authorization Server, which returns an ID Token.]
    ID Token:
    {
      "iss": "keycloak",
      "sub": "isabelle",
      "exp": 1626439022
    }

  13. Delegated Access

  14. [Diagram: the same system as slide 12, Edge Service as OAuth2 Client delegating authentication to Keycloak as OAuth2 Authorization Server.]
    Security context propagation? Authorized access?

  15. OAuth2
    An authorization framework that enables an application (Client) to obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user.

  16. [Diagram: the same system as slide 12; Book Service, Order Service and Inventory Service now act as OAuth2 Resource Servers, and Edge Service (OAuth2 Client) calls them with an Access Token issued by Keycloak.]
    Access Token:
    {
      "iss": "keycloak",
      "sub": "isabelle",
      "exp": 1626439022
    }

  17. Token Relay
    [Diagram: Browser -> Edge Service -> Book Service. The Browser holds only a Session Cookie; Edge Service keeps the mapping Session -> Access Token and forwards the Access Token to each Resource Server (Book Service and the other services) over OAuth2.]
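The token relay flow of slides 16 and 17, as an added example that is not part of the deck or its sample repositories: the edge service keeps the Session -> Access Token mapping and relays a bearer token, and the Book Service, acting as resource server, checks the signature, the iss claim and the exp claim shown on slide 16. To stay self-contained it signs tokens with a constructed HS256 shared secret, whereas Keycloak issues RS256 tokens that Spring Security's resource-server support verifies against the issuer's published keys; the names EdgeService, book_service and issue_token are hypothetical.

```python
import base64, hashlib, hmac, json

ISSUER = "keycloak"            # trusted "iss" claim; constructed values for this simulation
SECRET = b"demo-shared-secret"  # HS256 stand-in for Keycloak's RS256 signing key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def sign(header: str, payload: str, secret: bytes) -> bytes:
    return hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def issue_token(sub: str, exp: int, iss: str = ISSUER, secret: bytes = SECRET) -> str:
    """Stand-in for the Authorization Server: mints a JWT carrying the iss/sub/exp claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": iss, "sub": sub, "exp": exp}).encode())
    return f"{header}.{payload}.{b64url(sign(header, payload, secret))}"

def book_service(headers: dict, now: int) -> tuple:
    """Resource Server: serves only requests carrying a valid bearer token from the trusted issuer."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        header, payload, sig = auth[len("Bearer "):].split(".")
        # The algorithm is fixed on the server side; the token's own "alg" header is never trusted.
        if not hmac.compare_digest(unb64url(sig), sign(header, payload, SECRET)):
            return 401, "bad signature"
        claims = dict(json.loads(unb64url(payload)))
    except (ValueError, TypeError):
        return 401, "malformed token"
    if claims.get("iss") != ISSUER:
        return 401, "untrusted issuer"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    return 200, f"books for {claims.get('sub')}"

class EdgeService:  # OAuth2 Client / gateway: the browser only ever sees the session cookie
    def __init__(self):
        self._sessions = {}  # Session -> Access Token, the mapping from slide 17

    def login(self, session_id: str, access_token: str) -> None:
        self._sessions[session_id] = access_token  # stored server-side after the OIDC login

    def relay(self, cookies: dict, now: int) -> tuple:
        token = self._sessions.get(cookies.get("SESSION"))
        if token is None:
            return 401, "no session"  # nothing mapped, so nothing to relay
        return book_service({"Authorization": f"Bearer {token}"}, now)
```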

  18. SPA

  19. Authorization

  20. [No text on this slide]

  21. Securing applications with OAuth2 and OIDC using Spring Security
    https://github.com/ThomasVitale/securing-apps-oauth2-oidc-spring-security-devoxx-ua-2021
    https://github.com/ThomasVitale/spring-security-examples
    thomasvitale.com @vitalethomas