
OAuth2 & OpenID Connect with Spring Security

September 24, 2020


OAuth2 & OpenID Connect with Spring Security.
Details with hands-on practices.
For JSUG LT event: https://jsug.doorkeeper.jp/events/111811
Video Resource:
Sample App Preview: https://arcane-mesa-77496.herokuapp.com/
Sample App Repository: https://github.com/shutogeorgio/oauth2-spring-security
Official Spring Sample: https://github.com/spring-projects/spring-security/tree/5.3.4.RELEASE/samples/boot/oauth2login#okta-register-application


Transcript

  1. Explain it to Me Like I'm 5: OAuth2 and OpenID
     Digest for SpringOne Sep 2 – 4, 2020. Presenter: Shuto Uwai
  2. Who am I?
     ・Tagbangers Intern
     ・Backend | Cloud Developer
     ・New Spring Developer
     https://speakerdeck.com/uwaas/oauth2-and-openid-connect-with-spring-security
  3. Goals: after this presentation, you will be able to
     ・Understand OAuth2 deeply
     ・Grab the concept of OpenID Connect
     ・Implement Spring Security with OAuth2
     ・Integrate with an OAuth2 Provider
  4. Table of Contents
     1. When & Why we use OAuth2?
     2. What is the Concept of OAuth2?
     3. How to Protect Your Apps with Spring Security and OpenID Connect?
     4. Demonstration
  5. When? Use OAuth2 as much as possible, as long as you would like to make applications secure and maintainable!
  6. Build Your Own
     Cons
     ・Store user credentials safely
     ・Support LDAP / SAML integration
     ・Develop a password reset process
     ・Develop MFA on your own
     ・Users feel annoyed by each application having its own unique password
     Pros
     ・Maybe .. customizable??
  7. OpenID Connect / OAuth2
     Pros
     ・Store user credentials easily and safely
     ・Manage user registration easily
     ・Manage the password reset process
     ・Implement MFA easily
     ・Users can log in to multiple applications with a single set of credentials
     Cons
     ・Maybe .. learning cost?
  8. 2. What is the Concept of OAuth2?
     ・Authentication vs. Authorization
     ・Roles
     ・Tokens
     ・Scopes
     ・Client Credentials
     ・Authorization Code
  9. Authentication vs. Authorization
     Authentication
     ・Identify who you are
     ・Must prove your identity
     Authorization
     ・What are you allowed to do
     ・What API resources can you access
  10. Authorization Examples: if you are in an AWS environment, the access distribution would be...
     ・Administrator: has all access (including billing access)
     ・Developer: has access to create, delete and edit resources
     ・Biz: only has access to read resources
  11. Roles (OAuth2 Role / Regarded as / Target)
     ・Resource Owner: I am / Jacket (Resource)
     ・Resource Server: Locker
     ・Authorization Server: Lock
     ・Client / Application: Your friend
     "Would you mind letting me use your Jacket, bro?" asks your Friend (Client). The Jacket (Resource) is kept in the Locker (Resource Server) behind the Lock (Authorization Server).
  12. Scopes: a scope is similar to a Spring Security role or a permission. To make it more specific ..
  13. Dive into Scopes
     ・A job role: like manager, chef, server, dish washer etc..
     ・A permitted authority or action
     ・Often dot separated: eat.cookies
     ・Google Calendar URLs: https://www.googleapis.com/auth/calendar.readonly
  14. 3. How to Protect Your Apps with Spring Security and OpenID Connect? Before going deeply …..
  15. OpenID Connect is….. Features
     ・Confidential, secure & browser based
     ・Does not access a resource directly, so that we get an ID token instead of an access token
     ・Hybrid flow with ID tokens instead of access tokens
  16. OpenID's Metaphor
     ・Theme Park (Resource)
     ・Ticket (Access Token)
     ・You (Client)
     ・Wrist Band (ID Token)
     ・You with wrist band (Client with ID token)
     ・Ticket gate (OpenID): "You are allowed to enter!"
  17. OpenID Connect with Spring Security: there are mainly two types of modules..
     ・Spring Security OAuth: this module is deprecated since it is End-of-Life. More Detail: Link
     ・Spring Security's OAuth Support: supports the three integrations below
       ・Login
       ・Client
       ・Resource Server
  18. Demo Step By Step Guide vol.1
     Step 1: Create a Spring Boot App with the Spring Security, OAuth2 Client & Spring Web starters from here.
     Step 2: Create an OAuth2 client with GitHub. For configuration, please set up the Homepage URL and Authorization callback URL like the sample on the right.
  19. Demo Step By Step Guide vol.2
     Step 3: Configure application.properties or application.yml like below.
     Step 4: Add a Controller & Endpoint: create HomeController.java and code it like this.
     Step 5: Start the application with: ./mvnw spring-boot:run
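The configuration and controller for Steps 3 to 5, as an added example that is not the deck's or the sample repository's own code. It assumes the GitHub client registration from Step 2, with the client ID and secret supplied through the environment variables GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET (placeholder names) so the secret never lands in the repository.

```java
// application.properties (Step 3): register the GitHub client created in Step 2.
// With spring-boot-starter-oauth2-client on the classpath, Boot's auto-configuration
// enables oauth2Login() for the "github" registration; no SecurityConfig is needed.
// GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET are placeholder environment variable names.
//
//   spring.security.oauth2.client.registration.github.client-id=${GITHUB_CLIENT_ID}
//   spring.security.oauth2.client.registration.github.client-secret=${GITHUB_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.github.scope=read:user
//
// HomeController.java (Step 4): an endpoint that shows who logged in.
package com.example.demo;

import java.util.Map;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController {

    // Unauthenticated requests never reach this method: the auto-configured
    // filter chain redirects them to GitHub's authorization endpoint first,
    // and the principal is only populated after the authorization code exchange.
    @GetMapping("/")
    public Map<String, Object> home(@AuthenticationPrincipal OAuth2User user) {
        // "login" is GitHub's username attribute; "name" is null for accounts
        // without a display name, so fall back to the login (Map.of rejects nulls).
        String login = user.getAttribute("login");
        String name = user.getAttribute("name");
        return Map.of(
                "login", login,
                "name", name != null ? name : login,
                "authorities", user.getAuthorities().toString());
    }
}
```

The Authorization callback URL entered at GitHub in Step 2 must match Spring Security's default redirect URI for the registration, http://localhost:8080/login/oauth2/code/github, or GitHub rejects the callback.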
  20. Debugging & Resources
     Debugging
     1. Add logging.level.org.springframework.security=debug and debug=true to your application.properties or application.yml
     2. Add spring-boot-starter-actuator to your pom.xml
     3. When you hit http://localhost:8080/actuator, you see something like this
  21. External & Demo Resources
     Official Spring Security x OAuth2 Sample: See More
     Demo GitHub repository: https://github.com/shutogeorgio/oauth2-spring-security
     Demo App Preview: https://arcane-mesa-77496.herokuapp.com/
  22. Conclusion
     ・OpenID & OAuth2 are awesome!
     ・Try OAuth2 yourself!
     ・Please be aware of your app's security with OAuth2