OAuth2 and Spring Security

Discussed the general OAuth2 features. Reviewed OAuth2 roles and grant flows:
Authorization code grant flow
Implicit grant flow
Resource owner password credentials grant flow
Client credentials grant flow
Reviewed the access resource flow and token refresh.

see video: https://www.youtube.com/watch?v=UPsVD-A7gP0

1. OAuth2 and Spring Security
   OREST IVASIV, JavaCommunity, 8/14/2015 @halyph

2. Agenda
   OAuth2 Overview
   Use Cases
   ◦ Service-to-service
   ◦ Client-to-Service
   ◦ Client-to-client (SSO)
   Spring Security OAuth2
   Samples

3. OAuth2 History
   Dark Age: pre OAuth 1.0
   ◦ Flickr: “FlickrAuth”
   ◦ Google: “AuthSub”
   ◦ Facebook: request signed with MD5 hashes
   ◦ Yahoo: BBAuth (“Browser-Based Auth”)
   OAuth 1.0
   ◦ Uses signature (HMAC hash)
   OAuth 2.0
   ◦ Relies on SSL/HTTPS

4. Terminology
   Authentication
   Authorization
   Federated Authentication
   Delegated Authorization

5. OAuth2 Roles
   Resource Owner – User
   Resource Server – API
   Client Application – 3rd party application
   Authorization Server – Auth API (may be in scope of Resource Server)

6. Role of Client Application
   ◦ Register with Authorization Server (get a client_id and maybe a client_secret)
   ◦ Do not collect user credentials
   ◦ Obtain a token (opaque) from Authorization Server
     ◦ On its own behalf – client_credentials
     ◦ On behalf of a user
   ◦ Use it to access Resource Server

7. Role of Resource Server
   1. Extract token from request and decode it
   2. Make access control decision
      ◦ Scope
      ◦ Audience
      ◦ User account information (id, roles etc.)
      ◦ Client information (id, roles etc.)
   3. Send 403 (FORBIDDEN) if token not sufficient

8. Role of the Authorization Server
   1. Compute token content and grant tokens
   2. Interface for users to confirm that they authorize the Client to act on their behalf
   3. Authenticate users (/authorize)
   4. Authenticate clients (/token)
   #1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons).

9. OAuth 2.0 Grant Flows
   Authorization code grant flow
   ◦ Web-server apps – authorization_code
   Implicit grant flow
   ◦ Browser-based apps – implicit
   ◦ Mobile apps – implicit
   Resource owner password credentials grant flow
   ◦ Username/password access – password
   Client credentials grant flow
   ◦ Application access – client_credentials

10-11. Authorization code grant flow (diagram slides)

12-14. Authorization code grant flow (Cont)
   ◦ Create a “Log In” link
   ◦ Link to:
     https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
   ◦ User visits the authorization page
     https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
   ◦ On success, user is redirected back to your site with auth code
     https://example.com/auth?code=AUTH_CODE_HERE
   ◦ On error, user is redirected back to your site with error code
     https://example.com/auth?error=access_denied
   ◦ Server exchanges auth code for an access token
     POST https://graph.facebook.com/oauth/access_token
     Post Body:
     grant_type=authorization_code
     &code=CODE_FROM_QUERY_STRING
     &redirect_uri=REDIRECT_URI
     &client_id=YOUR_CLIENT_ID
     &client_secret=YOUR_CLIENT_SECRET
   ◦ Your server gets a response like the following
     {
       "access_token":"RsT5OjbzRn430zqMLgV3Ia",
       "token_type":"bearer",
       "expires_in":3600,
       "refresh_token":"e1qoXg7Ik2RRua48lXIV"
     }
     or if there was an error
     { "error":"invalid_request" }
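The three steps of the authorization code flow above (build the "Log In" link, get the code back on the redirect, exchange the code at the token endpoint), run end to end as an in-memory simulation. This is an added example, not code from the deck or from Spring Security OAuth; the authorization endpoint URL, the client id and secret, the redirect URI and every token value are constructed placeholders. It also shows the checks the authorization server has to make that the slides leave implicit: the redirect_uri must be one registered for the client, the code is single-use and bound to the client and redirect_uri it was issued for, and the client secret is compared in constant time.

```python
"""Authorization code grant flow, simulated in memory (added example)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/dialog/oauth"  # assumed endpoint
CODE_TTL = 60        # authorization codes live for one minute
TOKEN_TTL = 3600     # matches expires_in on the slides


def first(params, key):
    """First value of a parsed query/form parameter, or None."""
    return params.get(key, [None])[0]


def login_link(client_id, redirect_uri, scope, state):
    """Step 1: the link behind the client's "Log In" button.
    state is a per-session random value the client verifies on return."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state})


class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes = {}         # code -> what it was issued for
        self.tokens = {}        # access_token -> token record

    def authorize(self, url, user):
        """Step 2: user has logged in and consented; issue a code.
        Returns the redirect target plus the query parameters to append."""
        p = parse_qs(urlparse(url).query)
        client = self.clients.get(first(p, "client_id"))
        redirect_uri = first(p, "redirect_uri")
        # An unregistered redirect_uri must not receive a redirect at all.
        if client is None or redirect_uri not in client["redirect_uris"]:
            return {"error": "invalid_request"}
        if first(p, "response_type") != "code":
            return {"redirect": redirect_uri, "error": "unsupported_response_type"}
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": first(p, "client_id"), "redirect_uri": redirect_uri,
                            "scope": first(p, "scope"), "user": user, "issued": time.time()}
        return {"redirect": redirect_uri, "code": code, "state": first(p, "state")}

    def token(self, body):
        """Step 3: the client's server posts the code together with its secret."""
        p = parse_qs(body)
        client = self.clients.get(first(p, "client_id"))
        secret = first(p, "client_secret") or ""
        if client is None or not hmac.compare_digest(client["secret"], secret):
            return {"error": "invalid_client"}
        if first(p, "grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.pop(first(p, "code"), None)  # pop: a code is single-use
        if (rec is None or rec["client_id"] != first(p, "client_id")
                or rec["redirect_uri"] != first(p, "redirect_uri")
                or time.time() - rec["issued"] > CODE_TTL):
            return {"error": "invalid_grant"}
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[access] = {"user": rec["user"], "scope": rec["scope"],
                               "expires": time.time() + TOKEN_TTL}
        return {"access_token": access, "token_type": "bearer",
                "expires_in": TOKEN_TTL, "refresh_token": refresh}


def demo():
    """Run the flow once, then show the server-side checks rejecting misuse."""
    server = AuthorizationServer({"YOUR_CLIENT_ID": {          # constructed client
        "secret": "YOUR_CLIENT_SECRET", "redirect_uris": ["https://example.com/auth"]}})
    state = secrets.token_urlsafe(8)
    link = login_link("YOUR_CLIENT_ID", "https://example.com/auth", "email", state)
    back = server.authorize(link, user="alice")
    assert back["state"] == state, "redirect does not belong to this session"
    exchange = lambda code, secret="YOUR_CLIENT_SECRET", uri="https://example.com/auth": \
        server.token(urlencode({"grant_type": "authorization_code", "code": code,
                                "redirect_uri": uri, "client_id": "YOUR_CLIENT_ID",
                                "client_secret": secret}))
    return {
        "tokens": exchange(back["code"]),                   # succeeds exactly once
        "replay": exchange(back["code"]),                   # same code again -> invalid_grant
        "bad_secret": exchange(back["code"], secret="x"),   # wrong secret -> invalid_client
        "bad_uri": exchange(server.authorize(link, "alice")["code"],
                            uri="https://example.com/other"),  # uri mismatch -> invalid_grant
    }
```

`demo()` returns the successful token response in the same shape as the slide's JSON, followed by the three rejected exchanges; the `state` check on the client side is what ties the redirect back to the browser session that started the login.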
15-16. Implicit grant flow (diagram slides)

17-18. Implicit grant flow (Cont)
   ◦ Create a “Log In” link
   ◦ Link to:
     https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
   ◦ User visits the authorization page
     https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
   ◦ On success, user is redirected back to your site with the access token in the fragment
     https://example.com/auth#token=ACCESS_TOKEN
   ◦ On error, user is redirected back to your site with error code
     https://example.com/auth#error=access_denied

19-20. Resource owner password credentials grant flow (diagram slides)

21. Resource owner password credentials grant flow (Cont)
   POST https://api.example.com/oauth/token
   Post Body:
   grant_type=password
   &username=USERNAME
   &password=PASSWORD
   &client_id=YOUR_CLIENT_ID
   &client_secret=YOUR_CLIENT_SECRET
   Response:
   {
     "access_token":"RsT5OjbzRn430zqMLgV3Ia",
     "token_type":"bearer",
     "expires_in":3600,
     "refresh_token":"e1qoXg7Ik2RRua48lXIV"
   }

22-23. Client credentials grant flow (diagram slides)

24. Client credentials grant flow (Cont)
   POST https://api.example.com/1/oauth/token
   Post Body:
   grant_type=client_credentials
   &client_id=YOUR_CLIENT_ID
   &client_secret=YOUR_CLIENT_SECRET
   Response:
   {
     "access_token":"RsT5OjbzRn430zqMLgV3Ia",
     "token_type":"bearer",
     "expires_in":3600,
     "refresh_token":"e1qoXg7Ik2RRua48lXIV"
   }

25. Grant Types
   authorization_code:
   ◦ Authorization code grant flow (Web-server apps)
   ◦ response_type=code
   implicit:
   ◦ Implicit grant flow (Mobile and browser-based apps)
   ◦ response_type=token
   password:
   ◦ Resource owner password credentials grant flow (Username/password access)
   client_credentials:
   ◦ Client credentials grant flow (Application access)

26. Accessing Resources
   GET https://api.example.com/me
   Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
   Access token can be in an HTTP header or a query string parameter
   https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia
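The resource-server side of the two slides above, "Role of Resource Server" (extract and decode the token, decide on scope and audience, answer 403 when the token is not sufficient) and "Accessing Resources" (token in the Authorization header or in the access_token query parameter), as an added example that is not code from the deck or from Spring Security. Decoding is modelled as a lookup in a constructed token table, which stands in for token introspection or JWT validation; the token strings, users, audiences and the fixed clock value are all constructed. Missing, unknown or expired tokens get 401; a valid token that lacks the required scope or was issued for a different audience gets 403, following the slide.

```python
"""Resource server: extract the bearer token and make the access decision (added example)."""
from urllib.parse import parse_qs

NOW = 1_700_000_000  # constructed "current time" so the example is deterministic

# Constructed token table: what the resource server learns when it decodes a token.
TOKENS = {
    "RsT5OjbzRn430zqMLgV3Ia": {"user": "alice", "scope": {"email", "profile"},
                               "aud": "https://api.example.com", "exp": NOW + 3600},
    "ReadOnlyTokenXXXXXXXXX": {"user": "bob", "scope": {"profile"},
                               "aud": "https://api.example.com", "exp": NOW + 3600},
    "OtherApiTokenXXXXXXXXX": {"user": "carol", "scope": {"email"},
                               "aud": "https://other.example.com", "exp": NOW + 3600},
    "ExpiredTokenXXXXXXXXXX": {"user": "dave", "scope": {"email"},
                               "aud": "https://api.example.com", "exp": NOW - 1},
}


def extract_token(headers, query):
    """Step 1a: Authorization header first, access_token query parameter second."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return parse_qs(query).get("access_token", [None])[0]


def decode_token(token, now=NOW):
    """Step 1b: resolve an opaque token to its claims; None if unknown or expired."""
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] <= now:
        return None
    return rec


def access_decision(headers, query, required_scope, audience, now=NOW):
    """Steps 2 and 3: return (status, body) for a request to a protected resource."""
    token = extract_token(headers, query)
    if token is None:
        return 401, {"error": "invalid_request", "error_description": "no bearer token"}
    claims = decode_token(token, now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    # Audience: a token minted for another API must not be accepted here.
    if claims["aud"] != audience:
        return 403, {"error": "invalid_token", "error_description": "wrong audience"}
    # Scope: the token is genuine but was not granted what this endpoint needs.
    if required_scope not in claims["scope"]:
        return 403, {"error": "insufficient_scope", "scope": required_scope}
    return 200, {"user": claims["user"]}
```

The query-parameter form works, as the slide says, but a token in the URL ends up in access logs, proxy logs, browser history and Referer headers, so a resource server should accept it only where a client genuinely cannot set a header and should prefer the Authorization header everywhere else.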
27-28. New access token via refresh token
   POST https://api.example.com/oauth/token
   grant_type=refresh_token
   &refresh_token=e1qoXg7Ik2RRua48lXIV
   &client_id=YOUR_CLIENT_ID
   &client_secret=YOUR_CLIENT_SECRET
   Your server gets a similar response as the original call to oauth/token with new tokens.
   {
     "access_token":"RsT5OjbzRn430zqMLgV3Ia",
     "expires_in":3600,
     "refresh_token":"e1qoXg7Ik2RRua48lXIV"
   }
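The refresh call above, handled on the authorization-server side with refresh-token rotation, as an added example that is not code from the deck or from Spring Security OAuth. The client authenticates with its id and secret and presents the refresh token; the server answers with a new access/refresh pair, as the slide describes, and marks the old refresh token as spent. Presenting a spent refresh token a second time is treated as a sign that the token has been copied, and every token descended from the same original grant is revoked. Client id, secret and all token values are constructed.

```python
"""Refreshing an access token, with refresh-token rotation (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_TTL = 3600  # expires_in, as on the slides


class TokenEndpoint:
    def __init__(self, clients):
        self.clients = clients  # client_id -> client_secret (constructed)
        self.refresh = {}       # refresh_token -> {client_id, user, scope, family, used}
        self.access = {}        # access_token -> {user, scope, family}

    def issue(self, client_id, user, scope, family=None):
        """Mint an access/refresh pair; 'family' ties all rotations of one grant together."""
        family = family or secrets.token_urlsafe(8)
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[access] = {"user": user, "scope": scope, "family": family}
        self.refresh[refresh] = {"client_id": client_id, "user": user, "scope": scope,
                                 "family": family, "used": False}
        return {"access_token": access, "token_type": "bearer",
                "expires_in": TOKEN_TTL, "refresh_token": refresh}

    def revoke_family(self, family):
        """Drop every access and refresh token descended from one original grant."""
        for store in (self.access, self.refresh):
            for tok in [t for t, r in store.items() if r["family"] == family]:
                del store[tok]

    def token(self, body):
        """Handle POST /oauth/token with grant_type=refresh_token."""
        p = parse_qs(body)
        g = lambda k: p.get(k, [None])[0]
        secret = self.clients.get(g("client_id"))
        if secret is None or not hmac.compare_digest(secret, g("client_secret") or ""):
            return {"error": "invalid_client"}
        if g("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self.refresh.get(g("refresh_token"))
        # The refresh token must exist and belong to the client presenting it.
        if rec is None or rec["client_id"] != g("client_id"):
            return {"error": "invalid_grant"}
        if rec["used"]:
            # A spent refresh token came back: two parties hold it, so trust none of them.
            self.revoke_family(rec["family"])
            return {"error": "invalid_grant", "error_description": "refresh token reuse"}
        rec["used"] = True  # keep it on record so a later replay is recognised
        return self.issue(rec["client_id"], rec["user"], rec["scope"], rec["family"])


def demo():
    """One legitimate refresh, then a replay of the spent token, then the fallout."""
    ep = TokenEndpoint({"YOUR_CLIENT_ID": "YOUR_CLIENT_SECRET"})
    first = ep.issue("YOUR_CLIENT_ID", "alice", "email")  # as if from the original grant
    post = lambda rt, secret="YOUR_CLIENT_SECRET": ep.token(urlencode({
        "grant_type": "refresh_token", "refresh_token": rt,
        "client_id": "YOUR_CLIENT_ID", "client_secret": secret}))
    second = post(first["refresh_token"])   # rotation: a fresh pair comes back
    replay = post(first["refresh_token"])   # the spent token again: whole family revoked
    after = post(second["refresh_token"])   # the pair from the rotation is gone as well
    return {"second": second, "replay": replay, "after": after,
            "live_access": len(ep.access), "live_refresh": len(ep.refresh)}
```

Spring Security OAuth's own token store decides whether refresh tokens are reused or rotated by configuration; the family-revocation step here is a policy choice layered on top of the plain exchange shown on the slide.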
29. Sample Apps
   1. Sample OAuth2 with password grant
   2. Web App Client

30. References
   OAuth
   ◦ The OAuth 2.0 Authorization Framework
   ◦ http://oauth.net/2/
   ◦ OAuth Bible by @Nijikokun
   ◦ An Introduction to OAuth 2 by Aaron Parecki
   ◦ Single-Page-Application & REST security by Igor Bossenko
   Videos
   ◦ O'Reilly Webcast: An Introduction to OAuth 2 by Aaron Parecki
   ◦ David Syer (lead of Spring Security OAuth)
     ◦ Security for Microservices with Spring and OAuth2
     ◦ Webinar Replay: A Single-Page Application with Spring Security and Angular JS
     ◦ Data Modelling and Identity Management with OAuth2
   ◦ Les Hazlewood (Stormpath founder and CTO, Apache Shiro)
     ◦ Token Authentication for Java Applications
   Sample Apps
   ◦ https://github.com/spring-projects/spring-security-oauth/tree/master/tests/
   ◦ https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2
   ◦ https://github.com/dsyer/spring-security-angular/
   OAuth and Spring
   ◦ https://speakerdeck.com/dsyer/security-for-microservices-with-spring

31. Q&A
