Securing Java apps with OAuth2, OIDC and Spring Security (Star of Java 2022)

Transcript

1. Thomas Vitale
   Star of Java
   Oct 13th, 2022
   Securing Java apps
   with OAuth2, OIDC
   and Spring Security
   @vitalethomas
   

   View Slide

2. Systematic
   • Software Architect at
   Systematic, Denmark.
   
   • Author of “Cloud Native Spring
   in Action” (Manning).
   
   • OSS contributor (Java, Spring,
   Cloud Native Technologies)
   Thomas Vitale
   thomasvitale.com @vitalethomas
   

   View Slide

3. Security
   thomasvitale.com @vitalethomas
   

   View Slide

4. Access Control
   thomasvitale.com @vitalethomas
   

   View Slide

5. Access Control
   Three Steps
   Identi
   fi
   cation
   ‣A user claims an
   identity
   
   
   ‣e.g. username
   Authentication
   ‣ Verifying the claimed
   identity
   
   
   ‣e.g. password, token
   Authorization
   ‣Verifying what the user
   is allowed to do
   
   
   ‣e.g. roles, permissions
   thomasvitale.com @vitalethomas
   

   View Slide

6. Inventory Service
   [Container: Spring Boot]
   Provides functionality for
   managing the bookshop
   inventory.
   Order Service
   [Container: Spring Boot]
   Provides functionality for
   managing book orders.
   Polar Bookshop
   [Software System]
   Uses
   [REST/HTTP]
   Uses
   [REST/HTTP]
   Edge Service
   [Container: Spring Boot]
   Provides API gateway and
   cross-cutting concerns.
   User
   [Person]
   An employee of the
   bookshop.
   Uses
   Book Service
   [Container: Spring Boot]
   Provides functionality for
   managing the library books.
   Uses
   [REST/HTTP]
   

   View Slide

7. Spring Security
   De-facto standard for securing Spring applications
   Authentication
   ‣Username/password
   
   
   ‣OIDC/OAuth2
   
   
   ‣SAML 2
   Authorization
   ‣Endpoint
   
   
   ‣Method
   
   
   ‣Object
   Protection against
   common attacks
   ‣Session
   fi
   xation
   
   
   ‣CSRF
   
   
   ‣Content injection
   thomasvitale.com @vitalethomas
   

   View Slide

8. Authentication
   thomasvitale.com @vitalethomas
   

   View Slide

9. Inventory Service
   [Container: Spring Boot]
   Provides functionality for
   managing the bookshop
   inventory.
   Order Service
   [Container: Spring Boot]
   Provides functionality for
   managing book orders.
   Polar Bookshop
   [Software System]
   Uses
   [REST/HTTP]
   Uses
   [REST/HTTP]
   Edge Service
   [Container: Spring Boot]
   Provides API gateway and
   cross-cutting concerns.
   User
   [Person]
   An employee of the
   bookshop.
   Uses
   Book Service
   [Container: Spring Boot]
   Provides functionality for
   managing the library books.
   Uses
   [REST/HTTP]
   

   View Slide

10. Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Auth Service
    Delegates authentication to
    Strategy ?
    Protocol?
    Data Format?
    

    View Slide

11. OpenID Connect
    A protocol built on top of OAuth2 that enables
    
    an application (Client) to verify the identity of
    
    a user based on the authentication performed
    
    by a trusted party (Authorization Server).
    thomasvitale.com @vitalethomas
    

    View Slide

12. Keycloak
    [Container: Wildfly]
    Provides identity and
    access management.
    Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Delegates authentication to
    OAuth2 Client
    OAuth2 Authorization Server
    Uses
    {
    
    "iss": “keycloak",
    
    "sub": "isabelle",
    
    "exp": 1626439022
    
    }
    ID Token
    ID Token
    

    View Slide

13. Delegated Access
    thomasvitale.com @vitalethomas
    

    View Slide

14. Keycloak
    [Container: Wildfly]
    Provides identity and
    access management.
    Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Delegates authentication to
    OAuth2 Client
    OAuth2 Authorization Server
    Uses
    Security context
    propagation ?
    Authorized access?
    

    View Slide

15. OAuth2
    An authorization framework that enables an
    application (Client) to obtain limited access to a
    protected resource provided by another
    application (called Resource Server)
    
    on behalf of a user.
    thomasvitale.com @vitalethomas
    

    View Slide

16. Keycloak
    [Container: Wildfly]
    Provides identity and
    access management.
    Inventory Service
    [Container: Spring Boot]
    Provides functionality for
    managing the bookshop
    inventory.
    Order Service
    [Container: Spring Boot]
    Provides functionality for
    managing book orders.
    Polar Bookshop
    [Software System]
    Uses
    [REST/HTTP]
    Uses
    [REST/HTTP]
    Edge Service
    [Container: Spring Boot]
    Provides API gateway and
    cross-cutting concerns.
    User
    [Person]
    An employee of the
    bookshop.
    Uses
    Book Service
    [Container: Spring Boot]
    Provides functionality for
    managing the library books.
    Uses
    [REST/HTTP]
    Delegates authentication to
    OAuth2 Client
    OAuth2 Authorization Server
    Uses
    OAuth2 Resource Server
    OAuth2 Resource Server
    OAuth2 Resource Server
    {
    
    "iss": “keycloak",
    
    "sub": "isabelle",
    
    "exp": 1626439022
    
    }
    Access Token
    Access Token
    

    View Slide

17. Token Relay
    Browser Edge Service Book
    Service
    Access Token
    Session Cookie
    Resource
    Server
    Access Token
    Resource
    Server
    Access Token
    Keeps mapping
    Session <---> Access Token
    OAuth2
    thomasvitale.com @vitalethomas
    

    View Slide

18. SPA
    thomasvitale.com @vitalethomas
    

    View Slide

19. Authorization
    thomasvitale.com @vitalethomas
    

    View Slide

20. thomasvitale.com @vitalethomas
    

    View Slide

21. Discount codes
    Manning
    • 35% discount code, valid for
    all products in all format
    
    • ctwgotocph22
    
    
    • manning.com
    thomasvitale.com @vitalethomas
    

    View Slide

22. Thomas Vitale
    Star of Java
    Oct 13th, 2022
    Securing Java apps
    with OAuth2, OIDC
    and Spring Security
    @vitalethomas
    https://github.com/ThomasVitale/securing-java-apps-oauth2-oidc-spring-security
    https://github.com/ThomasVitale/spring-security-examples
    

    View Slide