Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

Thomas Vitale
October 13, 2022
Technology
0
190

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for it. Learn how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers).

Thomas Vitale

October 13, 2022
Tweet

More Decks by Thomas Vitale

See All by Thomas Vitale
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
110
Supercharge your Kubernetes Platform with Carvel
thomasvitale
0
12
Multitenant Mystery: Every Bean Has a Secret
thomasvitale
1
180
Securing the Supply Chain for Your Java Applications
thomasvitale
0
200
Supercharge Your Kubernetes Platform With Carvel (KCD Munich 2023)
thomasvitale
0
85
Serverless Java with Spring Boot (DevBcn 2023)
thomasvitale
1
240
Next-Generation Cloud Native Apps with Spring Boot 3
thomasvitale
0
210
Developer Experience with Spring Boot on Kubernetes
thomasvitale
0
430
Multitenant Mystery - Only Rockers in the Building
thomasvitale
1
870

Other Decks in Technology

See All in Technology
ユーザーストーリーのレビューを自動化したみたの
bun913
1
320
Signals Unleashed: The Full Guide
rainerhahnekamp
0
370
シン・Kafka / shin-kafka
oracle4engineer
PRO
7
2.7k
Four keys改善の取り組み事例紹介
sansantech
PRO
3
230
普段有償でサポート業務をしているCSAが技術知見を無料で公開する理由
07jp27
1
640
現代CSSフレームワークの内部実装とその仕組み
poteboy
0
350
Janus
bkuhlmann
1
490
[2024年3月版] Databricksのシステムアーキテクチャ
databricksjapan
8
1.9k
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
3
240
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.3k
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
330
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
220

Featured

See All Featured
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Navigating Team Friction
lara
177
13k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Become a Pro
speakerdeck
PRO
10
4.5k
GraphQLとの向き合い方2022年版
quramy
31
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Web Components: a chance to create the future
zenorocha
305
41k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
The Illustrated Children's Guide to Kubernetes
chrisshort
29
46k
How GitHub Uses GitHub to Build GitHub
holman
468
290k

Transcript

  1. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas

  2. Systematic • Software Architect at Systematic, Denmark. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas

  3. Security thomasvitale.com @vitalethomas

  4. Access Control thomasvitale.com @vitalethomas

  5. Access Control Three Steps Identi fi cation ‣A user claims

    an identity ‣e.g. username Authentication ‣ Verifying the claimed identity ‣e.g. password, token Authorization ‣Verifying what the user is allowed to do ‣e.g. roles, permissions thomasvitale.com @vitalethomas

  6. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]

  7. Spring Security De-facto standard for securing Spring applications Authentication ‣Username/password

    ‣OIDC/OAuth2 ‣SAML 2 Authorization ‣Endpoint ‣Method ‣Object Protection against common attacks ‣Session fi xation ‣CSRF ‣Content injection thomasvitale.com @vitalethomas

  8. Authentication thomasvitale.com @vitalethomas

  9. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]

  10. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Auth Service Delegates authentication to Strategy ? Protocol? Data Format?

  11. OpenID Connect A protocol built on top of OAuth2 that

    enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas

  12. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token

  13. Delegated Access thomasvitale.com @vitalethomas

  14. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses Security context propagation ? Authorized access?

  15. OAuth2 An authorization framework that enables an application (Client) to

    obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas

  16. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses OAuth2 Resource Server OAuth2 Resource Server OAuth2 Resource Server { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token

  17. Token Relay Browser Edge Service Book Service Access Token Session

    Cookie Resource Server Access Token Resource Server Access Token Keeps mapping Session <---> Access Token OAuth2 thomasvitale.com @vitalethomas

  18. SPA thomasvitale.com @vitalethomas

  19. Authorization thomasvitale.com @vitalethomas

  20. thomasvitale.com @vitalethomas

  21. Discount codes Manning • 35% discount code, valid for all

    products in all format • ctwgotocph22 • manning.com thomasvitale.com @vitalethomas

  22. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security https://github.com/ThomasVitale/spring-security-examples