$30 off During Our Annual Pro Sale. View Details »

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for it. Learn how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers).

Thomas Vitale

October 13, 2022
Tweet

More Decks by Thomas Vitale

Other Decks in Technology

Transcript

  1. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas
  2. Systematic • Software Architect at Systematic, Denmark. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas
  3. Security thomasvitale.com @vitalethomas

  4. Access Control thomasvitale.com @vitalethomas

  5. Access Control Three Steps Identi fi cation ‣A user claims

    an identity ‣e.g. username Authentication ‣ Verifying the claimed identity ‣e.g. password, token Authorization ‣Verifying what the user is allowed to do ‣e.g. roles, permissions thomasvitale.com @vitalethomas
  6. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]
  7. Spring Security De-facto standard for securing Spring applications Authentication ‣Username/password

    ‣OIDC/OAuth2 ‣SAML 2 Authorization ‣Endpoint ‣Method ‣Object Protection against common attacks ‣Session fi xation ‣CSRF ‣Content injection thomasvitale.com @vitalethomas
  8. Authentication thomasvitale.com @vitalethomas

  9. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]
  10. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Auth Service Delegates authentication to Strategy ? Protocol? Data Format?
  11. OpenID Connect A protocol built on top of OAuth2 that

    enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas
  12. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token
  13. Delegated Access thomasvitale.com @vitalethomas

  14. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses Security context propagation ? Authorized access?
  15. OAuth2 An authorization framework that enables an application (Client) to

    obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas
  16. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses OAuth2 Resource Server OAuth2 Resource Server OAuth2 Resource Server { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token
  17. Token Relay Browser Edge Service Book Service Access Token Session

    Cookie Resource Server Access Token Resource Server Access Token Keeps mapping Session <---> Access Token OAuth2 thomasvitale.com @vitalethomas
  18. SPA thomasvitale.com @vitalethomas

  19. Authorization thomasvitale.com @vitalethomas

  20. thomasvitale.com @vitalethomas

  21. Discount codes Manning • 35% discount code, valid for all

    products in all format • ctwgotocph22 • manning.com thomasvitale.com @vitalethomas
  22. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security https://github.com/ThomasVitale/spring-security-examples