Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Java apps with OAuth2, OIDC and Spring...

Thomas Vitale
October 13, 2022
Technology
0
250

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for it. Learn how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers).

Thomas Vitale

October 13, 2022
Tweet

More Decks by Thomas Vitale

See All by Thomas Vitale
Concerto for Java and AI - Building Production-Ready LLM Applications
thomasvitale
0
56
Developer Experience on Kubernetes
thomasvitale
1
100
Unlocking New Platform Experiences With Open Interfaces
thomasvitale
0
80
Concerto for Java and AI - Building Production-Ready LLM Applications
thomasvitale
1
270
Dapr and Spring Boot - Solving the Challenges of Distributed Systems
thomasvitale
1
150
Securing the Supply Chain for Your Java Applications
thomasvitale
0
180
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
390
Supercharge your Kubernetes Platform with Carvel
thomasvitale
0
50
Multitenant Mystery: Every Bean Has a Secret
thomasvitale
1
260

Other Decks in Technology

See All in Technology
Platform Engineering for Software Developers and Architects
syntasso
1
520
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
610
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
480
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
590
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.1k
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
370
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
Lambdaと地方とコミュニティ
miu_crescent
2
370

Featured

See All Featured
A designer walks into a library…
pauljervisheath
204
24k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Scaling GitHub
holman
458
140k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Gamification - CAS2011
davidbonilla
80
5k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
How to train your dragon (web standard)
notwaldorf
88
5.7k

Transcript

  1. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas

  2. Systematic • Software Architect at Systematic, Denmark. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas

  3. Security thomasvitale.com @vitalethomas

  4. Access Control thomasvitale.com @vitalethomas

  5. Access Control Three Steps Identi fi cation ‣A user claims

    an identity ‣e.g. username Authentication ‣ Verifying the claimed identity ‣e.g. password, token Authorization ‣Verifying what the user is allowed to do ‣e.g. roles, permissions thomasvitale.com @vitalethomas

  6. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]

  7. Spring Security De-facto standard for securing Spring applications Authentication ‣Username/password

    ‣OIDC/OAuth2 ‣SAML 2 Authorization ‣Endpoint ‣Method ‣Object Protection against common attacks ‣Session fi xation ‣CSRF ‣Content injection thomasvitale.com @vitalethomas

  8. Authentication thomasvitale.com @vitalethomas

  9. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]

  10. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Auth Service Delegates authentication to Strategy ? Protocol? Data Format?

  11. OpenID Connect A protocol built on top of OAuth2 that

    enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas

  12. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token

  13. Delegated Access thomasvitale.com @vitalethomas

  14. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses Security context propagation ? Authorized access?

  15. OAuth2 An authorization framework that enables an application (Client) to

    obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas

  16. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses OAuth2 Resource Server OAuth2 Resource Server OAuth2 Resource Server { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token

  17. Token Relay Browser Edge Service Book Service Access Token Session

    Cookie Resource Server Access Token Resource Server Access Token Keeps mapping Session <---> Access Token OAuth2 thomasvitale.com @vitalethomas

  18. SPA thomasvitale.com @vitalethomas

  19. Authorization thomasvitale.com @vitalethomas

  20. thomasvitale.com @vitalethomas

  21. Discount codes Manning • 35% discount code, valid for all

    products in all format • ctwgotocph22 • manning.com thomasvitale.com @vitalethomas

  22. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security https://github.com/ThomasVitale/spring-security-examples