Spring Security 5: The New OAuth 2.0 Stuff

Transcript

1. Spring Security 5 The New OAuth 2.0 Stuff VEDRAN PAVIĆ

2. Agenda About me OAuth 2.0 in Spring Nextgen OAuth 2.0

   client Nextgen OAuth 2.0 resource server

3. About Me – Vedran Pavić Java Engineer at Infinum Check

   out what we do at https://infinum.co Spring user for over 9 years Contributor to Spring projects for 3 years Collaborator with Spring Security team – Spring Session committer for 2 years

4. OAuth 2.0 in Spring

5. Current State of OAuth 2.0 in Spring spring-projects/spring-security-oauth Legacy OAuth

   2.0 – Client, Resource Server, Authorization Server, JWT support spring-projects/spring-security Nextgen OAuth 2.0 – Client (since Spring Security 5.0), Resource Server (since Spring Security 5.1) spring-projects/spring-boot Auto-config for Legacy OAuth 2.0 & enhanced SSO support (in Spring Boot 1.x) Auto-config for Nextgen OAuth 2.0 (since Spring Boot 2.0) spring-projects/spring-security-oauth2-boot Auto-config for Legacy OAuth 2.0 & enhanced SSO support (for Spring Boot 2.0)

6. (yes, it is a bit complicated)

7. Nextgen OAuth 2.0 in Spring Unified OAuth 2.0 support in

   a single project spring-projects/spring-security OpenID Connect 1.0 support JOSE support – leverage 3rd party libraries Spring WebFlux support

8. Legacy OAuth 2.0 in Spring In maintenance mode Minor additions

   until nextgen feature parity Supported min. 1 year after nextgen feature parity

9. Nextgen OAuth 2.0 Client Login using authorization code grant WebClient

   integration

10. Client Demo

11. Nextgen OAuth 2.0 Resource Server Resource server with JWT bearer

    tokens

12. Resource Server Demo

13. OAuth 2.0 Beyond Spring Security Connect2id open-source security libraries https://connect2id.com/products

    Nimbus JOSE + JWT Nimbus OAuth 2.0 SDK with OpenID Connect ext.

14. Q&A

15. Thanks! @vedran_pavic github.com/vpavic speakerdeck.com/vpavic