Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for it. Learn how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers).

Thomas Vitale

October 13, 2022
Tweet

More Decks by Thomas Vitale

Other Decks in Technology

Transcript

  1. Thomas Vitale
    Star of Java
    Oct 13th, 2022
    Securing Java apps
    with OAuth2, OIDC
    and Spring Security
    @vitalethomas

    View full-size slide

  2. Systematic
    • Software Architect at
    Systematic, Denmark.

    • Author of “Cloud Native Spring
    in Action” (Manning).

    • OSS contributor (Java, Spring,
    Cloud Native Technologies)
    Thomas Vitale
    thomasvitale.com @vitalethomas

    View full-size slide

  3. Security
    thomasvitale.com @vitalethomas

    View full-size slide

  4. Access Control
    thomasvitale.com @vitalethomas

    View full-size slide

  5. Access Control
    Three Steps
    Identi
    fi
    cation
    ‣A user claims an
    identity


    ‣e.g. username
    Authentication
    ‣ Verifying the claimed
    identity


    ‣e.g. password, token
    Authorization
    ‣Verifying what the user
    is allowed to do


    ‣e.g. roles, permissions
    thomasvitale.com @vitalethomas

    View full-size slide

  6. Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]

    View full-size slide

  7. Spring Security
    De-facto standard for securing Spring applications
    Authentication
    ‣Username/password


    ‣OIDC/OAuth2


    ‣SAML 2
    Authorization
    ‣Endpoint


    ‣Method


    ‣Object
    Protection against
    common attacks
    ‣Session
    fi
    xation


    ‣CSRF


    ‣Content injection
    thomasvitale.com @vitalethomas

    View full-size slide

  8. Authentication
    thomasvitale.com @vitalethomas

    View full-size slide

  9. Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]

    View full-size slide

  10. Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Auth Service
    Delegates authentication to
    Strategy ?
    Protocol?
    Data Format?

    View full-size slide

  11. OpenID Connect
    A protocol built on top of OAuth2 that enables

    an application (Client) to verify the identity of

    a user based on the authentication performed

    by a trusted party (Authorization Server).
    thomasvitale.com @vitalethomas

    View full-size slide

  12. Keycloak
    [Container: Wildfly]
    Provides identity and
    access management.
    Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Delegates authentication to
    OAuth2 Client
    OAuth2 Authorization Server
    Uses
    {

    "iss": “keycloak",

    "sub": "isabelle",

    "exp": 1626439022

    }
    ID Token
    ID Token

    View full-size slide

  13. Delegated Access
    thomasvitale.com @vitalethomas

    View full-size slide

  14. Keycloak
    [Container: Wildfly]
    Provides identity and
    access management.
    Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Delegates authentication to
    OAuth2 Client
    OAuth2 Authorization Server
    Uses
    Security context
    propagation ?
    Authorized access?

    View full-size slide

  15. OAuth2
    An authorization framework that enables an
    application (Client) to obtain limited access to a
    protected resource provided by another
    application (called Resource Server)

    on behalf of a user.
    thomasvitale.com @vitalethomas

    View full-size slide

  16. Keycloak
    [Container: Wildfly]
    Provides identity and
    access management.
    Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Delegates authentication to
    OAuth2 Client
    OAuth2 Authorization Server
    Uses
    OAuth2 Resource Server
    OAuth2 Resource Server
    OAuth2 Resource Server
    {

    "iss": “keycloak",

    "sub": "isabelle",

    "exp": 1626439022

    }
    Access Token
    Access Token

    View full-size slide

  17. Token Relay
    Browser Edge Service Book
    Service
    Access Token
    Session Cookie
    Resource
    Server
    Access Token
    Resource
    Server
    Access Token
    Keeps mapping
    Session <---> Access Token
    OAuth2
    thomasvitale.com @vitalethomas

    View full-size slide

  18. SPA
    thomasvitale.com @vitalethomas

    View full-size slide

  19. Authorization
    thomasvitale.com @vitalethomas

    View full-size slide

  20. thomasvitale.com @vitalethomas

    View full-size slide

  21. Discount codes
    Manning
    • 35% discount code, valid for
    all products in all format

    • ctwgotocph22


    • manning.com
    thomasvitale.com @vitalethomas

    View full-size slide

  22. Thomas Vitale
    Star of Java
    Oct 13th, 2022
    Securing Java apps
    with OAuth2, OIDC
    and Spring Security
    @vitalethomas
    https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security
    https://github.com/ThomasVitale/spring-security-examples

    View full-size slide