Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Securing Java apps with OAuth2, OIDC and Spring...

Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system like microservices, and Spring Security provides native support for it. Learn how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers).

Thomas Vitale

October 13, 2022
Tweet

More Decks by Thomas Vitale

Other Decks in Technology

Transcript

  1. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas
  2. Systematic • Software Architect at Systematic, Denmark. • Author of

    “Cloud Native Spring in Action” (Manning). • OSS contributor (Java, Spring, Cloud Native Technologies) Thomas Vitale thomasvitale.com @vitalethomas
  3. Access Control Three Steps Identi fi cation ‣A user claims

    an identity ‣e.g. username Authentication ‣ Verifying the claimed identity ‣e.g. password, token Authorization ‣Verifying what the user is allowed to do ‣e.g. roles, permissions thomasvitale.com @vitalethomas
  4. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]
  5. Spring Security De-facto standard for securing Spring applications Authentication ‣Username/password

    ‣OIDC/OAuth2 ‣SAML 2 Authorization ‣Endpoint ‣Method ‣Object Protection against common attacks ‣Session fi xation ‣CSRF ‣Content injection thomasvitale.com @vitalethomas
  6. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP]
  7. Inventory Service [Container: Spring Boot] Provides functionality for managing the

    bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Auth Service Delegates authentication to Strategy ? Protocol? Data Format?
  8. OpenID Connect A protocol built on top of OAuth2 that

    enables an application (Client) to verify the identity of a user based on the authentication performed by a trusted party (Authorization Server). thomasvitale.com @vitalethomas
  9. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } ID Token ID Token
  10. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses Security context propagation ? Authorized access?
  11. OAuth2 An authorization framework that enables an application (Client) to

    obtain limited access to a protected resource provided by another application (called Resource Server) on behalf of a user. thomasvitale.com @vitalethomas
  12. Keycloak [Container: Wildfly] Provides identity and access management. Inventory Service

    [Container: Spring Boot] Provides functionality for managing the bookshop inventory. Order Service [Container: Spring Boot] Provides functionality for managing book orders. Polar Bookshop [Software System] Uses [REST/HTTP] Uses [REST/HTTP] Edge Service [Container: Spring Boot] Provides API gateway and cross-cutting concerns. User [Person] An employee of the bookshop. Uses Book Service [Container: Spring Boot] Provides functionality for managing the library books. Uses [REST/HTTP] Delegates authentication to OAuth2 Client OAuth2 Authorization Server Uses OAuth2 Resource Server OAuth2 Resource Server OAuth2 Resource Server { "iss": “keycloak", "sub": "isabelle", "exp": 1626439022 } Access Token Access Token
  13. Token Relay Browser Edge Service Book Service Access Token Session

    Cookie Resource Server Access Token Resource Server Access Token Keeps mapping Session <---> Access Token OAuth2 thomasvitale.com @vitalethomas
  14. Discount codes Manning • 35% discount code, valid for all

    products in all format • ctwgotocph22 • manning.com thomasvitale.com @vitalethomas
  15. Thomas Vitale Star of Java Oct 13th, 2022 Securing Java

    apps with OAuth2, OIDC and Spring Security @vitalethomas https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security https://github.com/ThomasVitale/spring-security-examples