Getting Started with Spring Authorization Server

VMware Tanzu
VMware TanzuVMware Tanzu
Getting Started with Spring Authorization Server Joe Grandja @joe_grandja Steve Riesenberg @sjohnr
Security Standards ● OAuth 2.1 Authorization Framework ● OAuth 2.0 Token Revocation ● OAuth 2.0 Token Introspection ● JSON Web Token (JWT) ● JSON Web Key (JWK) ● JSON Web Signature (JWS) ● OpenID Connect Core 1.0 ● OpenID Connect Discovery 1.0 ● OpenID Connect Dynamic Client Registration 1.0
Core Components / Default Configuration ● RegisteredClientRepository / RegisteredClient ● OAuth2AuthorizationService / OAuth2Authorization ● OAuth2AuthorizationConsentService / OAuth2AuthorizationConsent ● JWKSource<SecurityContext> (Nimbus API) ● ProviderSettings ● OAuth2AuthorizationServerConfiguration / OAuth2AuthorizationServerConfigurer
Customizing Authorization ● Authorization Endpoint ● Insufficient Redirect URI Validation ● Mix-Up ● Authorization Code Injection
Customizing Client Authentication ● Mutual-TLS Client Authentication ● Client Certificate-Bound Access Tokens ● Token Replay Prevention
PKI Hierarchy CN=spring-root-ca CN=spring-client CN=spring-authorization-server CN=spring-resource-server
Roadmap ● OpenID Connect Core 1.0 ● JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication ● OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens ● Resource Indicators for OAuth 2.0
Thank you! ● Spring Authorization Server ○ https://github.com/spring-projects/spring-authorization-server ● Sample branches ○ https://github.com/jgrandja/spring-authorization-server/tree/springone-2021 ○ https://github.com/sjohnr/spring-authorization-server/tree/springone-2021 Joe Grandja @joe_grandja Steve Riesenberg @sjohnr
1 of 8

Getting Started with Spring Authorization Server

Download to read offline
Software

SpringOne 2021 Title: Getting Started with Spring Authorization Server Speakers: Joe Grandja, Spring Security Engineer at VMware; Steve Riesenberg, Software Engineer at VMware

VMware Tanzu
VMware TanzuVMware Tanzu

Recommended

Spring Security 5Spring Security 5
Spring Security 5Jesus Perez Franco
8.1K views36 slides
Explain it to Me Like I’m 5: Oauth2 and OpenIDExplain it to Me Like I’m 5: Oauth2 and OpenID
Explain it to Me Like I’m 5: Oauth2 and OpenIDVMware Tanzu
3.4K views28 slides
Spring Security PatternsSpring Security Patterns
Spring Security PatternsVMware Tanzu
1.1K views6 slides
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your applicationVMware Tanzu
1.4K views68 slides
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
206 views14 slides
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
11.3K views31 slides

More Related Content

What's hot

Spring SecuritySpring Security
Spring SecurityKnoldus Inc.
597 views24 slides
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
6.2K views12 slides

What's hot(20)

OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv8.5K views
Spring SecuritySpring Security
Spring Security
Knoldus Inc.597 views
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal7.9K views
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie355 views
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.6.2K views
Spring Boot and REST APISpring Boot and REST API
Spring Boot and REST API
07.pallav630 views
Angular Data BindingAngular Data Binding
Angular Data Binding
Jennifer Estrada644 views
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou23.5K views
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal28.3K views
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
Karl McGuinness7.5K views
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson13.2K views
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy3K views
JSON WEB TOKENJSON WEB TOKEN
JSON WEB TOKEN
Knoldus Inc.270 views
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom861 views
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva18K views
PHP SecurityPHP Security
PHP Security
Mindfire Solutions2.3K views
Exception handlingException handling
Exception handling
Anna Pietras939 views
OAuth 2OAuth 2
OAuth 2
ChrisWood262359 views
Meetup angular http clientMeetup angular http client
Meetup angular http client
Gaurav Madaan276 views
Spring SecuritySpring Security
Spring Security
Sumit Gole1.1K views

Similar to Getting Started with Spring Authorization Server

Similar to Getting Started with Spring Authorization Server(20)

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk341 views
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva5K views
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity Server
Anupam Gogoi1.1K views
OAuth 2.0 at the GlobiotsOAuth 2.0 at the Globiots
OAuth 2.0 at the Globiots
Tran Thanh Thi46 views
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
Jennifer Estrada100 views
#iiw 13th report at #idcon 10th#iiw 13th report at #idcon 10th
#iiw 13th report at #idcon 10th
Nov Matake1K views
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal1.3K views
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
WSO2519 views
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
Sagara Gunathunga322 views
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017
Dejan Glozic85 views
W3C Web Authentication - #idcon vol.24W3C Web Authentication - #idcon vol.24
W3C Web Authentication - #idcon vol.24
Nov Matake1.6K views
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov41 views
Using Postman to Test OAuth/OIDCUsing Postman to Test OAuth/OIDC
Using Postman to Test OAuth/OIDC
Postman18.9K views
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
Prabath Siriwardena4.6K views
[Webinar] WSO2 API Microgateway with Okta as Key Manager[Webinar] WSO2 API Microgateway with Okta as Key Manager
[Webinar] WSO2 API Microgateway with Okta as Key Manager
WSO2237 views
Angular auth with JWTAngular auth with JWT
Angular auth with JWT
MVP Microsoft145 views
JHipster and Okta - JHipster Virtual Meetup December 2020JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible225 views
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia5.4K views
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureTalk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice Architecture
WSO22.7K views
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
Sergey Podgornyy204 views

More from VMware Tanzu

More from VMware Tanzu(20)

What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
VMware Tanzu72 views
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
VMware Tanzu61 views
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
VMware Tanzu52 views
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
VMware Tanzu68 views
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
VMware Tanzu76 views
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
VMware Tanzu54 views
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
VMware Tanzu130 views
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
VMware Tanzu70 views
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
VMware Tanzu64 views
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
VMware Tanzu43 views
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
VMware Tanzu153 views
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
VMware Tanzu32 views
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
VMware Tanzu90 views
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
VMware Tanzu26 views
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
VMware Tanzu13 views
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
VMware Tanzu77 views
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
VMware Tanzu114 views
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
VMware Tanzu39 views
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
VMware Tanzu22 views
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
VMware Tanzu36 views

Recently uploaded

Recently uploaded(20)

AutoMailX PremiumAutoMailX Premium
AutoMailX Premium
GhouseMohiddin1614 views
Citi Tech Talk: Event Driven Kafka MicroservicesCiti Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka Microservices
confluent15 views
New Groundbreaking AI App.pdfNew Groundbreaking AI App.pdf
New Groundbreaking AI App.pdf
Anwar78Talukder7 views
Building Intelligent Workplace Limits and Challenges RIGA COMM 2023 Building Intelligent Workplace Limits and Challenges RIGA COMM 2023
Building Intelligent Workplace Limits and Challenges RIGA COMM 2023
Muntis Rudzitis35 views
Build and Modernize Intelligent Apps​Build and Modernize Intelligent Apps​
Build and Modernize Intelligent Apps​
Lorenzo Barbieri39 views
An Experience Report on the Design and Implementation of an Ad-hoc Blockchain...An Experience Report on the Design and Implementation of an Ad-hoc Blockchain...
An Experience Report on the Design and Implementation of an Ad-hoc Blockchain...
CREST @ University of Adelaide5 views
Loading your Life into a Vector DatabaseLoading your Life into a Vector Database
Loading your Life into a Vector Database
Ben Church15 views
Alluxio Monthly Webinar | Why NFS/NAS on Object Storage May Not Solve Your AI...Alluxio Monthly Webinar | Why NFS/NAS on Object Storage May Not Solve Your AI...
Alluxio Monthly Webinar | Why NFS/NAS on Object Storage May Not Solve Your AI...
Alluxio, Inc.7 views
HTMX: Web 1.0 with the benefits of Web 2.0 without the grift of Web 3.0HTMX: Web 1.0 with the benefits of Web 2.0 without the grift of Web 3.0
HTMX: Web 1.0 with the benefits of Web 2.0 without the grift of Web 3.0
Martijn Dashorst1.1K views
www.hyperdo.app to do app for adhd.pptxwww.hyperdo.app to do app for adhd.pptx
www.hyperdo.app to do app for adhd.pptx
Audrius Janulis14 views
Unleashing the Power of Generative AI.pdfUnleashing the Power of Generative AI.pdf
Unleashing the Power of Generative AI.pdf
TomHalpin927 views
Newsletter Linchpin AI Review ✍️ (Bonus Worth $997).pdfNewsletter Linchpin AI Review ✍️ (Bonus Worth $997).pdf
Newsletter Linchpin AI Review ✍️ (Bonus Worth $997).pdf
LouisaHall27 views
Green Cloud - Measure cloud emissionsGreen Cloud - Measure cloud emissions
Green Cloud - Measure cloud emissions
Green Software Development28 views
Technical documentation support in PharoTechnical documentation support in Pharo
Technical documentation support in Pharo
ESUG8 views
Q&A with Confluent Professional Services: Confluent Service MeshQ&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service Mesh
confluent36 views
New ThousandEyes Product Features and Release Highlights: November 2023New ThousandEyes Product Features and Release Highlights: November 2023
New ThousandEyes Product Features and Release Highlights: November 2023
ThousandEyes25 views
The Power of AI Transcription in Audio to Text ConversionThe Power of AI Transcription in Audio to Text Conversion
The Power of AI Transcription in Audio to Text Conversion
Ecango10 views
Omni AIOmni AI
Omni AI
mdrahman2004008 views
Java-ML-lego-j-fallJava-ML-lego-j-fall
Java-ML-lego-j-fall
Jago de Vreede46 views
Live Streaming Challenges & SolutionsLive Streaming Challenges & Solutions
Live Streaming Challenges & Solutions
ontheflystream5 views

Getting Started with Spring Authorization Server

  • 1. Getting Started with Spring Authorization Server Joe Grandja @joe_grandja Steve Riesenberg @sjohnr
  • 2. Security Standards ● OAuth 2.1 Authorization Framework ● OAuth 2.0 Token Revocation ● OAuth 2.0 Token Introspection ● JSON Web Token (JWT) ● JSON Web Key (JWK) ● JSON Web Signature (JWS) ● OpenID Connect Core 1.0 ● OpenID Connect Discovery 1.0 ● OpenID Connect Dynamic Client Registration 1.0
  • 3. Core Components / Default Configuration ● RegisteredClientRepository / RegisteredClient ● OAuth2AuthorizationService / OAuth2Authorization ● OAuth2AuthorizationConsentService / OAuth2AuthorizationConsent ● JWKSource<SecurityContext> (Nimbus API) ● ProviderSettings ● OAuth2AuthorizationServerConfiguration / OAuth2AuthorizationServerConfigurer
  • 4. Customizing Authorization ● Authorization Endpoint ● Insufficient Redirect URI Validation ● Mix-Up ● Authorization Code Injection
  • 5. Customizing Client Authentication ● Mutual-TLS Client Authentication ● Client Certificate-Bound Access Tokens ● Token Replay Prevention
  • 6. PKI Hierarchy CN=spring-root-ca CN=spring-client CN=spring-authorization-server CN=spring-resource-server
  • 7. Roadmap ● OpenID Connect Core 1.0 ● JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication ● OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens ● Resource Indicators for OAuth 2.0
  • 8. Thank you! ● Spring Authorization Server ○ https://github.com/spring-projects/spring-authorization-server ● Sample branches ○ https://github.com/jgrandja/spring-authorization-server/tree/springone-2021 ○ https://github.com/sjohnr/spring-authorization-server/tree/springone-2021 Joe Grandja @joe_grandja Steve Riesenberg @sjohnr