MODERN SECURITY WITH
OAUTH 2.0 AND JWT AND
SPRING
Dmitry Buzdin
03.11.2016
AGENDA
➤ Single sign-on
➤ OAuth 2.0
➤ JSON Web Tokens
➤ Some Spring examples
➤ You will learn what it is and why you need it
OAUTH 2.0
Explained
SECURITY MATTERS
➤ Every app needs security
➤ Basic security knowledge is a must
➤ Developers are ignoring security sometimes
➤ Security is based on standards - do not invent stuff!
SINGLE SIGN-ON
➤ Accessing multiple systems with single id and password
➤ Centralised control of access rights
➤ Well known protocols
➤ LDAP
➤ Kerberos
➤ SAML 2.0
➤ OpenID
➤ OAuth 2.0
WHY DO YOU NEED SSO?
➤ Internal applications with one corporate login
➤ Integration with platform as a service
➤ Web sites with business affiliates
➤ Partner sites
➤ Mobile apps
➤ Third-party plugins
OAUTH 2.0
➤ OAuth is an open standard for authorization, commonly used
as a way for Internet users to authorize websites or
applications to access their information on other websites but
without giving them the passwords
➤ Standard published in October 2012
➤ Open and cross-platform
WHO USES OAUTH 2.0
➤ GitHub
➤ Google
➤ Facebook
➤ DigitalOcean
➤ etc.
HAVE YOU SEEN THESE PAGES?
OAUTH 2.0 OPEN STANDARD
https://tools.ietf.org/html/rfc6749
OAUTH 2.0 COMPONENTS
➤ Resource Owner
➤ Resource Server
➤ Authorisation Server
➤ Client
RESOURCE OWNER
➤ Basically a user
➤ Could be technical user as well
➤ Owns resources on the resource server
CLIENT
➤ Third-party application
➤ Could be trusted or not-trusted
➤ Wants to access resources on Resource Server
AUTHORIZATION SERVER
➤ Centralised security gateway
➤ Issues access tokens
➤ Knows user credentials
RESOURCE SERVER
➤ Application expecting requests with authorised tokens
➤ There could be many resource servers
CLIENT REQUIRES ACCESS TOKEN TO RETRIEVE RESOURCES
AUTHORIZATION GRANT TYPES
➤ Access token is granted upon authorization
➤ There are following standard grant types:
➤ Authorization Code Grant
➤ Resource Owner Password Credentials
➤ Client Credentials
➤ Implicit Grant
http://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/
AUTHORIZATION CODE GRANT
➤ User does not enter credentials in the client app, but on the auth server's authorisation page
➤ Auth server redirects back to the client with an auth code
➤ Auth code is exchanged for access token
➤ Auth code is short-lived
➤ Access token is used for requests to resource server
AUTHORISATION CODE GRANT HTTP
GET /authorize?response_type=code
    &client_id=123
    &scope=view_profile
    &redirect_uri=https://partner.com/oauth

302 REDIRECT https://partner.com/oauth?code=9srN6sqmjrvG5bWvNB42PCGju0TFVV

POST /token?code=9srN6sqmjrvG5bWvNB42PCGju0TFVV
    &grant_type=authorization_code
    &client_id=123
    &redirect_uri=https://partner.com/oauth
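The exchange above, worked through on the authorization-server side as an added Python example (not code from the talk): it models GET /authorize and POST /token and the checks RFC 6749 (sections 4.1.2 and 4.1.3) requires before a code turns into a token. client_id 123, scope view_profile and https://partner.com/oauth are the slide's values; the client secret, subject, lifetimes and clock are constructed.

```python
"""Authorization code grant, authorization-server side, as an in-memory model.

Added example, not from the slides. The client registry, secret, subject
and the injectable clock are constructed for the demonstration.
"""
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME = 60      # seconds; RFC 6749 recommends at most 10 minutes
TOKEN_LIFETIME = 3600   # seconds; the expires_in value shown on the slides

# Constructed client registry. Redirect URIs are registered up front and
# matched exactly, so a code is never sent to a URL the client did not register.
CLIENTS = {
    "123": {"secret": "secret", "redirect_uris": {"https://partner.com/oauth"}},
}


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    scope: str
    subject: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._codes = {}         # code -> AuthCode
        self._tokens = {}        # access_token -> token record

    def authorize(self, response_type, client_id, scope, redirect_uri, subject):
        """GET /authorize, after the resource owner logged in at the auth server
        and consented. Returns the redirect URL carrying the short-lived code."""
        if response_type != "code":
            raise ValueError("unsupported_response_type")
        client = CLIENTS.get(client_id)
        if client is None:
            raise ValueError("unauthorized_client")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")   # refuse; do not redirect at all
        code = secrets.token_urlsafe(32)   # unguessable, unlike a counter or timestamp
        self._codes[code] = AuthCode(client_id, redirect_uri, scope, subject, self._clock())
        return f"{redirect_uri}?code={code}"

    def token(self, grant_type, code, client_id, client_secret, redirect_uri):
        """POST /token: exchange the code for a bearer access token."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        record = self._codes.get(code)
        # The code is bound to the client and redirect_uri that requested it,
        # so a code that leaks to another party cannot be redeemed elsewhere.
        if record is None or record.client_id != client_id or record.redirect_uri != redirect_uri:
            raise ValueError("invalid_grant")
        if record.used:
            # Replay of a code: RFC 6749 4.1.2 says revoke what was already issued on it.
            self._revoke_by_code(code)
            raise ValueError("invalid_grant")
        if self._clock() - record.issued_at > CODE_LIFETIME:
            raise ValueError("invalid_grant")   # auth codes are short-lived
        record.used = True
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = {
            "sub": record.subject, "scope": record.scope, "client_id": client_id,
            "code": code, "expires_at": self._clock() + TOKEN_LIFETIME,
        }
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": record.scope}

    def introspect(self, access_token):
        """What a resource server asks of the shared token store: the token's
        record if it is known and unexpired, otherwise None."""
        rec = self._tokens.get(access_token)
        if rec is None or rec["expires_at"] <= self._clock():
            return None
        return rec

    def _revoke_by_code(self, code):
        for tok in [t for t, rec in self._tokens.items() if rec["code"] == code]:
            del self._tokens[tok]
```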
RESOURCE OWNER PASSWORD GRANT
➤ Trusted client, has access to resource owner credentials
➤ Less secure as there is a “middleman”
➤ Could be used for subdomains in one organization
POST /token?grant_type=password
&username=code
&password=password
&client_id=123
&client_secret=secret
CLIENT CREDENTIALS GRANT
➤ Client is sending its own password directly
➤ Used in a situation when the client is the resource owner
➤ Again, less secure option
POST /token?grant_type=client_credentials
&client_id=123
&client_secret=secret
IMPLICIT GRANT
➤ Used in JavaScript front-ends
➤ Does not allow the issuance of a refresh token
➤ Requires Cross-Origin Resource Sharing (CORS)
➤ Least secure, access token is available in the client
➤ Exposure to Cross-site Request Forgery (XSRF) attack
IMPLICIT GRANT HTTP
GET /authorize?response_type=token
    &client_id=123
    &redirect_uri=https://partner.com/oauth

302 REDIRECT https://partner.com/oauth#access_token=19437jhj2781FQd44AzqT3Zg
    &token_type=Bearer&expires_in=3600
AUTHORIZATION TOKEN
➤ What is a token?
➤ Anything you like, really…
➤ It's important that the OAuth 2.0 server can validate the token
OPEN STANDARD
https://tools.ietf.org/html/rfc6750
TOKEN RESPONSE
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"mF_9.B5f-4.1JqM",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"*****************"
}
TOKEN INSIDE REQUEST
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer ***************
REFRESH TOKEN
➤ Tokens should be refreshed after they have expired
➤ Optional feature
➤ Allows easier implementation of OAuth 2.0 providers
POST /token?grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
SPRING IMPLEMENTATION
org.springframework.security.oauth:spring-security-oauth2
@EnableAuthorizationServer @EnableResourceServer
Authorization and Resource servers could be the same or separate applications
SPRING: AUTHORISATION SERVER
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;   // needed by the password grant

    @Autowired
    private UserDetailsService userDetailsService;         // needed by the refresh_token grant

    // Which clients may ask for tokens, with which grants, scopes and resources
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client-id")
            .authorizedGrantTypes("password", "refresh_token", "authorization_code")
            .authorities("USER")
            .scopes("view_profile", "view_email")
            .resourceIds("user_profile")
            .secret("secret");
    }

    // How /oauth/authorize and /oauth/token issue and store tokens;
    // tokenStore() and accessTokenConverter() are the @Bean methods on the JWT integration slide
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .tokenStore(tokenStore())
            .accessTokenConverter(accessTokenConverter())
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService);
    }
}
CLIENT CONFIGURATION
Client configuration could be in memory, JDBC based or any other configuration.
User credentials configuration could be anywhere as well.
SPRING: RESOURCE SERVER
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer config) {
        config
            .resourceId("user_profile")        // must match the client's resourceIds on the auth server
            .tokenServices(tokenServices());   // the @Bean shown on the JWT integration slide
    }

    // Every request must carry a token whose owner has the USER role
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().hasRole("USER");
    }
}
RESTRICTING FUNCTIONALITY BY SCOPE
@Service
public class SecureResourceServer {
@PreAuthorize("#oauth2.hasScope('write')")
public void create(Contact contact) {
…
}
}
SPRING OAUTH 2.0 ENDPOINTS
/oauth/authorize - requests for authorisation
/oauth/token - requests for tokens
Spring provides a default MVC authentication page for these endpoints, which can be customised
http://projects.spring.io/spring-security-oauth/docs/oauth2.html
TOKEN STORAGE
➤ Shared token service is required
➤ Could be in-memory or persisted
[Diagram: Token Storage shared by the Authorization Server and the Resource Server]
WHAT TOKENS TO USE?
➤ AtomicLong - predictable?
➤ Random numbers - clashes possible?
➤ Hash - from what?
➤ Is there any existing approach?
JSON WEB TOKEN
Explained
JWT OPEN STANDARD
https://tools.ietf.org/html/rfc7519
JSON WEB TOKENS
➤ Send stuff between client and server securely
➤ Signed content
➤ Cross-platform
➤ Token storage is not necessary
https://jwt.io/
JWT TOKEN STRUCTURE
HEADER . PAYLOAD . SIGNATURE
HEADER
PAYLOAD
➤ Reserved claims
➤ issuer
➤ expiration time
➤ subject
➤ Public claims (named according to registry)
➤ Private claims (custom)
https://www.iana.org/assignments/jwt/jwt.xhtml
SIGNATURE
➤ JSON Web Token could be signed with
➤ Secure hash (HMAC) based on a shared secret
➤ Public/private key using RSA
JWT EXAMPLE
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Base64url encoded
Parts are separated by dots (.)
JWT SIMPLE FLOW
TOKEN INSIDE REQUEST
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer $JWT_TOKEN
JAVA IMPLEMENTATION
io.jsonwebtoken:jjwt
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.time.Instant;
import java.util.Date;
import java.util.UUID;

String token = Jwts.builder()
    .setSubject(user.getUsername())
    .claim("scope", "user profile")                       // setClaims(Map) would replace the subject set above
    .setIssuedAt(new Date())
    .setExpiration(Date.from(Instant.now().plusSeconds(3600)))
    .setId(UUID.randomUUID().toString())                  // jti: unique and unguessable, not a counter
    .signWith(SignatureAlgorithm.HS512, secret)           // secret: shared HMAC key, long enough for HS512
    .compact();
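The header.payload.signature structure from the JWT EXAMPLE slide, built and verified by hand, together with the Bearer header parsing from TOKEN INSIDE REQUEST and a scope check like Spring's `#oauth2.hasScope`, as an added Python example (not code from the talk or from jjwt). EXAMPLE_TOKEN is the token printed on the slide; SECRET and all claims are constructed.

```python
"""JSON Web Token (JWS compact serialization) built and verified by hand.

Added example, not code from the talk or from jjwt. EXAMPLE_TOKEN is the
token printed on the JWT EXAMPLE slide; SECRET and all claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

EXAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                 "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
                 "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ")

SECRET = b"constructed-demo-key-use-32-or-more-random-bytes-in-real-life"

# Algorithm allow-list: the verifier decides what it accepts, the token does not.
# "none" is deliberately absent, so an unsigned token can never pass.
ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Header and payload of a token WITHOUT checking its signature.
    Fine for inspecting a token (alg, kid, exp); never a basis for authorization."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def encode_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """The three dot-separated parts: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), ALGORITHMS[alg]).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: float = None) -> dict:
    """Return the claims if the token is authentic and currently valid; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    digestmod = ALGORITHMS.get(header.get("alg"))
    if digestmod is None:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), digestmod).digest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Only after the signature is trusted do the claims mean anything.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def bearer_token(authorization_header: str) -> str:
    """Token from 'Authorization: Bearer <token>' as on the TOKEN INSIDE REQUEST slide (RFC 6750)."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("not a bearer token")
    return token.strip()


def has_scope(claims: dict, required: str) -> bool:
    """Counterpart of Spring's #oauth2.hasScope: scope is a space-delimited list (RFC 6749 3.3)."""
    return required in claims.get("scope", "").split()
```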
JWT BENEFITS
➤ Standard approach
➤ Self-contained - no need for token/session storage
➤ Passed with each request to the server
➤ Plays nice with OAuth 2.0
SPRING OAUTH 2.0 INTEGRATION
@Bean public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey(SIGNING_KEY);
return converter;
}
@Bean @Primary public DefaultTokenServices tokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(tokenStore());
tokenServices.setSupportRefreshToken(true);
return tokenServices;
}
org.springframework.security:spring-security-jwt
JWT AND OAUTH 2.0
➤ JWT can be used as a token in OAuth 2.0 authorisation
➤ There is no need for token storage in this case
➤ Everything works out of the box
SUMMARY
➤ OAuth 2.0 is all about information flow
➤ The specification leaves room for interpretation
➤ Extensions are available (e.g. token revocation, additional grant types)
➤ Token could be arbitrary
➤ It is possible to use JWT tokens
REFERENCES
➤ https://oauth.net/2/
➤ http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/
➤ http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/oauth_flows.html
➤ https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

More Related Content

What's hot

Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
Stormpath
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
Stormpath
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
Prashant Walke
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
VMware Tanzu
 
Build RESTful API Using Express JS
Build RESTful API Using Express JSBuild RESTful API Using Express JS
Build RESTful API Using Express JS
Cakra Danu Sedayu
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
AkshaeyBhosale
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)
Ben Hayak
 
Project Lombok!
Project Lombok!Project Lombok!
Project Lombok!
Mehdi Haryani
 
Spring Security Patterns
Spring Security PatternsSpring Security Patterns
Spring Security Patterns
VMware Tanzu
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
Miroslav Stampar
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 

What's hot (20)

Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
 
Build RESTful API Using Express JS
Build RESTful API Using Express JSBuild RESTful API Using Express JS
Build RESTful API Using Express JS
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)Same Origin Method Execution (BlackHat EU2014)
Same Origin Method Execution (BlackHat EU2014)
 
Project Lombok!
Project Lombok!Project Lombok!
Project Lombok!
 
Spring Security Patterns
Spring Security PatternsSpring Security Patterns
Spring Security Patterns
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 

Similar to Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin

Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Jason Robert
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
iMasters
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
Erick Belluci Tedeschi
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
MOnCloud
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
Stuart
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Mihir Shah
 
Session management
Session management  Session management
Session management
Dhruv Aggarwal
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
Victor Rentea
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 

Similar to Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin (20)

Accessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) webAccessing APIs using OAuth on the federated (WordPress) web
Accessing APIs using OAuth on the federated (WordPress) web
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Iam f42 a
Iam f42 aIam f42 a
Iam f42 a
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
 
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Session management
Session management  Session management
Session management
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
Full stack security
Full stack securityFull stack security
Full stack security
 

Recently uploaded

SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
e20449
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 

Recently uploaded (20)

SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Graphic Design Crash Course for beginners
Graphic Design Crash Course for beginnersGraphic Design Crash Course for beginners
Graphic Design Crash Course for beginners
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 

Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin

  • 1. MODERN SECURITY WITH OAUTH 2.0 AND JWT AND SPRING Dmitry Buzdin 03.11.2016
  • 2.
  • 3. AGENDA ➤ Single-sign on ➤ OAuth 2.0 ➤ JSON Web Tokens ➤ Some Spring examples ➤ You will learn what is it and why you need that
  • 5. SECURITY MATTERS ➤ Every app needs security ➤ Basic security knowledge is a must ➤ Developers are ignoring security sometimes ➤ Security is based on standards - do not invent stuff!
  • 6. SINGLE SIGN-ON ➤ Accessing multiple systems with single id and password ➤ Centralised control of access rights ➤ Well known protocols ➤ LDAP ➤ Kerberos ➤ SAML 2.0 ➤ OpenID ➤ OAuth 2.0
  • 7. WHY YOU NEED SSO? ➤ Internal applications with one corporate login ➤ Integration with platform as a service ➤ Web sites with business affiliates ➤ Partner sites ➤ Mobile apps ➤ Third-party plugins
  • 8. OAUTH 2.0 ➤ OAuth is an open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites but without giving them the passwords ➤ Standard published in October 2012 ➤ Open and cross-platform
  • 9. WHO USES OAUTH 2.0 ➤ GitHub ➤ Google ➤ Facebook ➤ DigitalOcean ➤ etc.
  • 10. HAVE YOU SEEN THESE PAGES?
  • 11. OAUTH 2.0 OPEN STANDARD https://tools.ietf.org/html/rfc6749
  • 12. OAUTH 2.0 COMPONENTS Resource Owner Resource Server Authorisation Server Client
  • 13. RESOURCE OWNER ➤ Basically a user ➤ Could be technical user as well ➤ Owns resources on the resource server
  • 14. CLIENT ➤ Third-party application ➤ Could be trusted or not-trusted ➤ Wants to access resources on Resource Server
  • 15. AUTHORIZATION SERVER ➤ Centralised security gateway ➤ Issues access tokens ➤ Knows user credentials
  • 16. RESOURCE SERVER ➤ Application expecting requests with authorised tokens ➤ There could be many resource servers
  • 17. CLIENT REQUIRES ACCESS TOKEN TO RETRIEVE RESOURCES
  • 18. AUTHORIZATION GRANT TYPES ➤ Access token is granted upon authorization ➤ There are following standard grant types: ➤ Authorization Code Grant ➤ Resource Owner Password Credentials ➤ Client Credentials ➤ Implicit Grant http://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/
  • 20. AUTHORIZATION CODE GRANT ➤ User does not enter credentials in the client app, but on the auth server's authorisation page ➤ Auth server redirects back to the client with an auth code ➤ Auth code is exchanged for an access token ➤ Auth code is short-lived ➤ Access token is used for requests to the resource server
  • 21. AUTHORISATION CODE GRANT HTTP
    GET /authorize?response_type=code
        &client_id=123
        &scope=view_profile
        &redirect_uri=https://partner.com/oauth
    302 REDIRECT https://partner.com/oauth?code=9srN6sqmjrvG5bWvNB42PCGju0TFVV
    POST /token?code=9srN6sqmjrvG5bWvNB42PCGju0TFVV
        &grant_type=authorization_code
        &client_id=123
        &redirect_uri=https://partner.com/oauth
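The authorisation-server side of the two requests above, as an added Python example that is not part of the deck: the code is unguessable, bound to the client_id and redirect_uri it was issued for, short-lived (the 60-second lifetime is an assumption), and exchanged at most once. The client registration is constructed to match the slide's client_id=123.

```python
import secrets
import time

CODE_TTL_SECONDS = 60  # assumption: authorization codes live for one minute

# Constructed client registration, matching the client_id and redirect_uri on the slide.
REGISTERED_CLIENTS = {
    "123": {"redirect_uris": {"https://partner.com/oauth"}, "scopes": {"view_profile"}},
}


class AuthorizationCodeStore:
    """Auth-server side of the code grant: issue one-time, short-lived codes."""

    def __init__(self, clock=time.time):
        self._codes = {}  # code -> (client_id, redirect_uri, scope, expiry)
        self._clock = clock

    def authorize(self, client_id, redirect_uri, scope):
        """GET /authorize after the user consented: build the redirect carrying the code."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if scope not in client["scopes"]:
            raise ValueError("scope not allowed for this client")
        code = secrets.token_urlsafe(24)  # unguessable, unlike a counter
        self._codes[code] = (client_id, redirect_uri, scope, self._clock() + CODE_TTL_SECONDS)
        return redirect_uri + "?code=" + code

    def exchange(self, code, client_id, redirect_uri):
        """POST /token with grant_type=authorization_code: swap the code for an access token."""
        entry = self._codes.pop(code, None)  # pop: a code is exchanged at most once
        if entry is None:
            raise ValueError("invalid or already used code")
        stored_client, stored_uri, scope, expiry = entry
        if self._clock() > expiry:
            raise ValueError("code expired")
        if client_id != stored_client or redirect_uri != stored_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}
```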
  • 23. RESOURCE OWNER PASSWORD GRANT ➤ Trusted client, has access to resource owner credentials ➤ Less secure as there is a "middleman" ➤ Could be used for subdomains in one organization
    POST /token?grant_type=password
        &username=code
        &password=password
        &client_id=123
        &client_secret=secret
  • 25. CLIENT CREDENTIALS GRANT ➤ Client is sending its own password directly ➤ Used in a situation when the client is the resource owner ➤ Again, a less secure option
    POST /token?grant_type=client_credentials
        &client_id=123
        &client_secret=secret
  • 27. IMPLICIT GRANT ➤ Used in JavaScript front-ends ➤ Does not allow the issuance of a refresh token ➤ Requires Cross-Origin Resource Sharing (CORS) ➤ Least secure, access token is available in the client ➤ Exposure to Cross-site Request Forgery (XSRF) attack
  • 28. IMPLICIT GRANT HTTP
    GET /authorize?response_type=token
        &client_id=123
        &redirect_uri=https://partner.com/oauth
    302 REDIRECT https://partner.com/oauth#access_token=19437jhj2781FQd44AzqT3Zg
        &token_type=Bearer&expires_in=3600
  • 29. AUTHORIZATION TOKEN ➤ What is a token? ➤ Anything you like, really… ➤ It's important that the OAuth 2.0 server can validate the token
  • 31. TOKEN RESPONSE
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    {
      "access_token":"mF_9.B5f-4.1JqM",
      "token_type":"Bearer",
      "expires_in":3600,
      "refresh_token":"*****************"
    }
  • 32. TOKEN INSIDE REQUEST GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer ***************
  • 33. REFRESH TOKEN ➤ Tokens should be refreshed after they have expired ➤ Optional feature ➤ Allows easier implementation of OAuth 2.0 providers POST /token?grant_type=refresh_token &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
  • 35. SPRING: AUTHORISATION SERVER
    @Configuration
    @EnableAuthorizationServer
    class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

      // Beans supplied by the surrounding Spring Security configuration
      @Autowired
      private AuthenticationManager authenticationManager;

      @Autowired
      private UserDetailsService userDetailsService;

      // Registers the client: which grant types it may use, which scopes it may ask for,
      // which resource server(s) its tokens are valid for, and its secret
      @Override
      public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
          .withClient("client-id")
          .authorizedGrantTypes("password", "refresh_token", "authorization_code")
          .authorities("USER")
          .scopes("view_profile", "view_email")
          .resourceIds("user_profile")
          .secret("secret");
      }

      // Wires the token store and converter (the @Bean methods on the JWT integration slide)
      @Override
      public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
          .tokenStore(tokenStore())
          .accessTokenConverter(accessTokenConverter())
          .authenticationManager(authenticationManager)
          .userDetailsService(userDetailsService);
      }
    }
  • 36. CLIENT CONFIGURATION Client configuration could be in memory, JDBC-based or any other configuration. User credentials configuration could be anywhere as well.
  • 37. SPRING: RESOURCE SERVER
    @Configuration
    @EnableResourceServer
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

      @Override
      public void configure(ResourceServerSecurityConfigurer config) {
        config
          .resourceId("user_profile")       // must match resourceIds() in the client registration
          .tokenServices(tokenServices());  // the @Bean from the JWT integration slide
      }

      // Every request to this resource server needs a token carrying the USER authority
      @Override
      public void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
            .anyRequest().hasRole("USER");
      }
    }
  • 38. RESTRICTING FUNCTIONALITY BY SCOPE
    @Service
    public class SecureResourceServer {

      @PreAuthorize("#oauth2.hasScope('write')")
      public void create(Contact contact) { … }
    }
  • 39. SPRING OAUTH 2.0 ENDPOINTS ➤ /oauth/authorize - requests for authorisation ➤ /oauth/token - requests for token ➤ Contains a default Spring MVC authentication page, which could be customised http://projects.spring.io/spring-security-oauth/docs/oauth2.html
  • 40. TOKEN STORAGE ➤ Shared token service is required ➤ Could be in-memory or persisted (diagram: Token Storage shared by Authorization Server and Resource Server)
  • 41. WHAT TOKENS TO USE? ➤ AtomicLong - predictable? ➤ Random numbers - clashes possible? ➤ Hash - from what? ➤ Is there any existing approach?
  • 44. JSON WEB TOKENS ➤ Send stuff between client and server securely ➤ Signed content ➤ Cross-platform ➤ Token storage is not necessary https://jwt.io/
  • 47. PAYLOAD ➤ Reserved claims ➤ issuer ➤ expiration time ➤ subject ➤ Public claims (named according to registry) ➤ Private claims (custom) https://www.iana.org/assignments/jwt/jwt.xhtml
  • 48. SIGNATURE ➤ JSON Web Token could be signed with ➤ A keyed hash (HMAC) using a shared secret ➤ Public/private key using RSA
  • 51. TOKEN INSIDE REQUEST GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer $JWT_TOKEN
  • 52. JAVA IMPLEMENTATION io.jsonwebtoken:jjwt
    // setClaims() replaces every claim set before it, so custom claims go first,
    // and sub / iat / exp / jti are set afterwards
    Map<String, Object> claims = new HashMap<>();
    claims.put("scope", "user profile");
    String token = Jwts.builder()
        .setClaims(claims)
        .setSubject(user.getUsername())
        .setIssuedAt(new Date())
        .setExpiration(Date.from(Instant.now().plusSeconds(3600)))
        .setId(UUID.randomUUID().toString())        // unique jti instead of a small random number
        .signWith(SignatureAlgorithm.HS512, secret)  // secret: HMAC key shared with the resource server
        .compact();
  • 53. JWT BENEFITS ➤ Standard approach ➤ Self-contained - no need for token/session storage ➤ Passed with each request to the server ➤ Plays nice with OAuth 2.0
  • 54. SPRING OAUTH 2.0 INTEGRATION org.springframework.security:spring-security-jwt
    @Bean
    public TokenStore tokenStore() {
      return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
      JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
      converter.setSigningKey(SIGNING_KEY);
      return converter;
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
      DefaultTokenServices tokenServices = new DefaultTokenServices();
      tokenServices.setTokenStore(tokenStore());
      tokenServices.setSupportRefreshToken(true);
      return tokenServices;
    }
  • 55. JWT AND OAUTH 2.0 ➤ JWT can be used as a token in OAuth 2.0 authorisation ➤ There is no need for token storage in this case ➤ Everything works out of the box
  • 57. SUMMARY ➤ OAuth 2.0 is all about information flow ➤ Interpretation is possible ➤ Extensions are available (e.g. token revocation, additional grant types) ➤ Token could be arbitrary ➤ It is possible to use JWT tokens
  • 58. REFERENCES ➤ https://oauth.net/2/ ➤ http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/ ➤ http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/oauth_flows.html ➤ https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2