Matt Raible | @mraible
December 1, 2020
JHipster and Okta
Photo by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw
@mraible
Who is Matt Raible?
Father, Husband, Skier, Mountain Biker, Whitewater Rafter, Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and developer.okta.com/blog
developer.okta.com
Today’s Agenda
What the Heck is OAuth 2.0 and OIDC?
JHipster’s OAuth Implementation
3 Quick Demos
Keycloak
Okta CLI
Heroku
What the Heck is OAuth 2.0 and OIDC?
The Delegated Authorization Problem
How can you let a website access your data (without giving it your password)?
Don’t do it this way!
Have you ever seen one of these?
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Hotel Key Cards, but for Apps
Diagram labels: OAuth Authorization Server, Resource (API), Access Token
Delegated Authorization with OAuth 2.0
"I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only."
Screens in the walkthrough: yelp.com ("Connect with Google"); accounts.google.com sign-in (Email, password); accounts.google.com consent ("Allow Yelp to access your public profile and contacts?" No / Yes); contacts.google; yelp.com/callback
OAuth 2.0 Terminology
Actors
Clients
Authorization Server
Resource Server
Access Tokens
Redirect URI
Actors diagram: the Resource Owner (RO) delegates to the Client; the Client obtains a token from the Authorization Server (AS) and uses the token at the Resource Server (RS)
Clients
Public (Client Identification)
Confidential (Client Authentication)
Client Registration
Authorization Server
Authorize Endpoint (/oauth2/authorize)
Token Endpoint (/oauth2/token)
Introspection Endpoint (/oauth2/introspect)
Revocation Endpoint (/oauth2/revoke)
Diagram labels: Authorization Grant, Refresh Token, Access Token
Tokens
Access Token (Required)
• Short-lived token used by Client to access Resource Server (API)
• Opaque to the Client
• No client authentication required (Public Clients)
• Optimized for scale and performance
• Revocation is dependent on implementation
Refresh Token (Optional)
• Long-lived token that is used by Client to obtain new access tokens from Authorization Server
• Usually requires Confidential Clients with authentication
• Forces client to rotate secrets
• Can usually be revoked
OAuth doesn’t define the format of a token!
Access Token Types
Self-encoded tokens
Protected, time-limited data structure agreed upon between Authorization Server and Resource Server that carries metadata and claims about the identity of the user or client over the wire.
Resource Server can validate the token locally by checking the signature, expected issuer name and expected audience or scope.
Commonly implemented as a signed JSON Web Token (JWT)
Reference tokens (aka opaque tokens)
Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server
Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine if the token is valid and obtain claims/scopes
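As an added example (not code from the deck, JHipster or Spring Security), the following Python contrasts the two token types above: a self-encoded JWT that the resource server validates locally against a pinned signing key, expected issuer, audience, expiry and scope, and a reference token that only the authorization server can resolve through introspection. The HS256 shared key, issuer, audience and claim values are constructed for the example (most real deployments use RS256 with the AS's published public keys); the last function revokes the reference token and shows why the deck says JWT revocation is dependent on implementation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values (assumptions, not from the deck): an HS256 key shared by the AS and RS,
# and the issuer/audience the RS expects. Real deployments normally use RS256 with the AS's public keys.
AS_SECRET = b"constructed-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://as.example.test/"
EXPECTED_AUDIENCE = "contacts-api"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict) -> str:
    """AS side: mint a self-encoded access token (signed JWT)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(AS_SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt_locally(token: str, required_scope: str, now=None) -> dict:
    """RS side: signature, issuer, audience, expiry and scope, with no call to the AS."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not three parts
    # Pin the algorithm: the RS decides what it accepts, never the token's own header.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(AS_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims

class AuthorizationServer:
    """AS side for reference tokens: the token is a random key into server-side state,
    so introspection and revocation are plain lookups."""

    def __init__(self):
        self._tokens = {}

    def issue_reference_token(self, claims: dict) -> str:
        token = secrets.token_urlsafe(32)  # infeasible to guess; carries no data itself
        self._tokens[token] = claims
        return token

    def introspect(self, token: str, now: float) -> dict:
        claims = self._tokens.get(token)
        if claims is None or claims.get("exp", 0) <= now:
            return {"active": False}
        return {"active": True, **claims}

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)

def validate_reference_token(as_server: AuthorizationServer, token: str, required_scope: str, now=None) -> dict:
    """RS side: back-channel introspection call, then the same scope check."""
    resp = as_server.introspect(token, time.time() if now is None else now)
    if not resp.get("active"):
        raise ValueError("token inactive or unknown")
    if required_scope not in resp.get("scope", "").split():
        raise ValueError("insufficient scope")
    return resp

def outcome(check) -> str:
    try:
        check()
    except ValueError as err:
        return f"rejected: {err}"
    return "accepted"

def compare_token_types(now: float = 1_700_000_000.0) -> dict:
    """Issue the same claims both ways, then revoke at the AS and re-check at the RS."""
    claims = {"iss": EXPECTED_ISSUER, "sub": "matt", "aud": EXPECTED_AUDIENCE,
              "exp": now + 300, "scope": "contacts.read", "groups": ["ROLE_USER"]}
    as_server = AuthorizationServer()
    jwt_token, ref_token = issue_jwt(claims), as_server.issue_reference_token(claims)
    out = {"jwt_sub": validate_jwt_locally(jwt_token, "contacts.read", now)["sub"],
           "ref_sub": validate_reference_token(as_server, ref_token, "contacts.read", now)["sub"]}
    as_server.revoke(ref_token)
    # The reference token is dead at once; the JWT stays valid at the RS until it expires.
    out["ref_after_revoke"] = outcome(lambda: validate_reference_token(as_server, ref_token, "contacts.read", now))
    out["jwt_after_revoke"] = outcome(lambda: validate_jwt_locally(jwt_token, "contacts.read", now))
    out["jwt_after_expiry"] = outcome(lambda: validate_jwt_locally(jwt_token, "contacts.read", now + 600))
    return out
```

`compare_token_types()` returns `jwt_after_revoke` as accepted while `ref_after_revoke` is rejected, which is the trade-off the slide describes: local validation scales because the RS never calls home, so a revoked JWT stays usable until `exp` unless the deployment adds its own denylist or keeps lifetimes short.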
OAuth 2.0 Authorization Code Flow
Participants: Resource owner, Client (yelp.com), Authorization Server (accounts.google.com), Resource Server (contacts.google)
1. Go to authorization server (Redirect URI: yelp.com/cb, Response type: code)
2. Resource owner signs in (Email, password) and clicks Yes on "Allow Yelp to access your public profile and contacts?"
3. Back to redirect URI (yelp.com/callback) with authorization code
4. Exchange code for access token
5. Talk to resource server with access token
OAuth 2.0 and OpenID Connect
Layering: OpenID Connect on top of OAuth 2.0 on top of HTTP
OpenID Connect is for authentication
OAuth 2.0 is for authorization
OIDC Authorization Code Flow
Participants: Resource owner, Client (yelp.com), Authorization Server (accounts.google.com), UserInfo endpoint (accounts.google /userinfo)
1. Go to authorization server (Redirect URI: yelp.com/cb, Scope: openid profile)
2. Resource owner signs in (Email, password); authorization server requests consent from resource owner ("Allow Yelp to access your public profile and contacts?" No / Yes)
3. Back to redirect URI (yelp.com/callback) with authorization code
4. Exchange code for access token and ID token
5. Get user info with access token from /userinfo; client shows "Hello Matt!"
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
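As an added example (not the deck's or JHipster's code), this Python script walks the authorization code flow from the slides above with the two OAuth 2.1 rules that bear on it most: S256 PKCE on every authorization request and exact-string matching of the redirect URI. The client registration, the in-process `/oauth2/authorize` and `/oauth2/token` stand-ins, and the `http://localhost:8080/login/oauth2/code/oidc` redirect URI are constructed assumptions modelled on a JHipster `web_app` registration; both the client side and the authorization server side are simulated so the whole exchange can run offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration (assumption, not from the deck): one confidential client with exactly
# one registered redirect URI, in the shape Spring Security uses for a JHipster "oidc" registration.
REGISTERED_CLIENTS = {
    "web_app": {"secret": "web_app",
                "redirect_uris": {"http://localhost:8080/login/oauth2/code/oidc"}},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Stand-in AS: authorize() binds a code to the client, redirect URI and PKCE challenge;
    token() redeems that code exactly once."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state) -> str:
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None:
            raise ValueError("unknown client")
        # OAuth 2.1: exact string comparison against the registered value, no prefix or wildcard match.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri mismatch")
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE (S256) is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "challenge": code_challenge}
        # User authentication and consent would happen here; then redirect back with code and state.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier) -> dict:
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        record = self._codes.pop(code, None)  # single use: a replayed code is already gone
        if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid code")
        if not secrets.compare_digest(pkce_challenge(code_verifier), record["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}

class Client:
    """Stand-in for the web app: generates verifier and state, sends the browser to the AS,
    checks state on the callback, and exchanges the code together with its verifier."""

    def __init__(self, as_server, client_id, client_secret, redirect_uri):
        self.as_server, self.client_id, self.secret = as_server, client_id, client_secret
        self.redirect_uri = redirect_uri
        self._pending = {}  # state -> code_verifier, kept server-side in the user's session

    def start_login(self) -> str:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128 range
        state = secrets.token_urlsafe(16)
        self._pending[state] = verifier
        return self.as_server.authorize(self.client_id, self.redirect_uri, pkce_challenge(verifier), "S256", state)

    def handle_callback(self, callback_url: str) -> dict:
        params = parse_qs(urlsplit(callback_url).query)
        verifier = self._pending.pop(params["state"][0], None)
        if verifier is None:
            raise ValueError("unknown state (CSRF or replay)")
        return self.as_server.token(self.client_id, self.secret, params["code"][0], self.redirect_uri, verifier)

def code_from_callback(callback_url: str) -> str:
    return parse_qs(urlsplit(callback_url).query)["code"][0]

def run_flow(redirect_uri="http://localhost:8080/login/oauth2/code/oidc") -> dict:
    """Whole exchange end to end; the returned dict is what the client gets from the token endpoint."""
    as_server = AuthorizationServer()
    client = Client(as_server, "web_app", "web_app", redirect_uri)
    return client.handle_callback(client.start_login())
```

Run `run_flow()` for the happy path; passing any redirect URI other than the registered one, even one that merely shares its prefix, fails at the authorization step, and redeeming a code without the matching `code_verifier` fails at the token endpoint and consumes the code.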
JHipster’s OAuth Implementation
Leverages Spring Security’s OAuth and OIDC Support
Creates an AuthorizationHeaderFilter for Zuul
Supports Spring WebFlux and Spring Cloud Gateway
Creates a LogoutResource that returns an ID Token and a Redirect URI
Creates a Docker configuration and pre-configured users for Keycloak
SecurityConfiguration.java
    .and()
        .oauth2Login()
    .and()
        .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(authenticationConverter())
            .and()
        .and()
        .oauth2Client();
@mraible
OIDC Configuration in application.yml
spring:
  security:
    oauth2:
      client:
        provider:
          oidc:
            issuer-uri: http://localhost:9080/auth/realms/jhipster
        registration:
          oidc:
            client-id: web_app
            client-secret: web_app
How to use another Identity Provider (IdP)
Create a groups claim and add it to the ID token
Add groups named ROLE_ADMIN and ROLE_USER
Register an OIDC app at your IdP with JHipster’s Redirect URI
Override the default settings with environment variables
export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"
https://www.jhipster.tech/security/#oauth2
Demos!
JHipster with Keycloak
mkdir blog-oauth2
cd blog-oauth2
jhipster jdl blog-oauth2
docker-compose -f src/main/docker/keycloak.yml up -d
./mvnw
open http://localhost:8080
JHipster with Okta CLI
take blog-oauth2
jhipster jdl blog-oauth2
# Install Okta CLI using cli.okta.com
okta apps create # select Web > JHipster
source .okta.env
./mvnw
open http://localhost:8080
JHipster with Heroku + Okta
take blog-oauth2
jhipster jdl blog-oauth2
jhipster heroku # Yes, provision the Okta add-on
open https://<heroku-app-url>
JHipster Tutorials on developer.okta.com/blog
Better, Faster, Lighter Java with Java 12 and JHipster 6
Java Microservices with Spring Cloud Config and JHipster
Mobile Development with Ionic, React Native, and JHipster
Build a Secure Micronaut and Angular App with JHipster
> https://developer.okta.com/blog/tags/jhipster
developer.okta.com/blog
@oktadev
Thanks!
Keep in Touch
raibledesigns.com
@mraible
Presentations
speakerdeck.com/mraible
Code
github.com/oktadeveloper
developer.okta.com
developer.okta.com

JHipster and Okta - JHipster Virtual Meetup December 2020
