The document discusses OAuth 2.0, an open authorization protocol that allows users to grant external access to their data without sharing their passwords. It defines common roles like resource owners, clients, authorization servers and resource servers. OAuth 2.0 supports four grant types corresponding to different user cases: authorization code for web server apps, implicit for browser-based apps, password for username/password access, and client credentials for application access. It also covers OAuth 2.0 tokens like access tokens and refresh tokens. The document concludes with discussing some Java implementations of OAuth 2.0 including Spring Security OAuth.

1. OAuth 2.0
http://oauth.net/2/

2. Agenda
❖ Overview and History
❖ OAuth 2.0 Roles
❖ User cases and OAuth 2.0 Grant types
❖ OAuth 2.0 Tokens
❖ OAuth 2.0 Java Implementations
❖ Demo

3. OAuth 2.0 Overview
OAuth 2.0 is an open authorization protocol specification
defined by IETF OAuth WG (Working Group) which enables
applications to access each other’s data.
The prime focus of this protocol is to define a standard where
an application, say gaming site, can access the user’s data
maintained by another application like facebook, google or
other resource server.

4. OAuth History
❖ OAuth started circa 2007
❖ 2008 - IETF normalization started in 2008
❖ 2010 - RFC 5849 defines OAuth 1.0
❖ 2010 - WRAP (Web Resource Authorization Profiles) proposed by
Microsoft, Yahoo! And Google
❖ 2010 - OAuth 2.0 work begins in IETF
❖ 2012
➢ RFC 6749 - The OAuth 2.0 Authorization Framework
➢ RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer
Token Usage

5. OAuth 2.0 Roles
OAuth 2.0 defines the following roles of users and
applications:
❖ Resource Owner: The user
❖ Resource Server: The API server
❖ Client Application: The third-party application
❖ Authorization Server: Often the same as the API server

6. User cases
❖ Web-server apps
❖ Browser-based apps
❖ Username & Password access
❖ Application access
❖ Mobile apps

7. User cases → Grant types
❖ Web-server apps → authorization_code
❖ Browser-based and Mobile apps → implicit
❖ Username & Password access → password
❖ Application access → client_credentials

8. authorization_code

9. implicit

10. password

11. client_credentials

12. OAuth 2.0 Tokens
❖ Types
➢ Bearer
■ Large random token
■ Need SSL to protect it in transit
■ Server needs to store it securely hashed like a user password
➢ MAC (OAuth 1.0 only supported)
❖ Access Token
➢ Short-lived token
❖ Refresh Token
➢ Long-lived token

13. OAuth 2.0 Pros & Cons
❖ Pros
➢ Integration of third-party apps to any sites
➢ Access can be granted for limited scope and duration
➢ No need for users to give on third-party site
❖ Cons
➢ Writing authorization is somewhat complex
➢ Interoperability issues
➢ Bad implementations can be security issues

14. OAuth 2.0 Java Implementations
❖ Some java implementation available
➢ Jersey
➢ Apache Oltu
➢ Spring Security OAuth 2.0
➢ Others (CXF, Google OAuth2 API, etc)
❖ Not available as Java EE standard yet

15. Spring Security OAuth
❖ Provides OAuth (1a) and OAuth2
❖ Implements 4 types for authorization grants
❖ Support the OAuth2 full features
➢ Authorization Server, Resources Server, Client
❖ Good integration with JAX-RS and Spring MVC
❖ Configuration using annotation support
❖ Integrates with the Spring ecosystem

16. Spring Authorization Server
❖ @EnableAuthorizationServer
➢ Annotation used to configure OAuth2 Authorization
Server
➢ There is also XML configuration related
<authorization-server/>
❖ ClientDetailsServiceConfigurer
➢ Defines the client details service
➢ In-memory or JDBC implement

17. Spring Authorization Server (cont)
❖ AuthorizationServerTokenServices
➢ Operations to manage OAuth2 tokens
➢ Token in-memory, JDBC or JSON Web Token (JWT)
❖ AuthorizationServerEndpointConfigurer
➢ Grant types supported by the server
➢ All grant types are supported except password types

18. Spring Resource Server
❖ Can be same as Authorization Server
➢ or deployed in a separate application
❖ Provides an authentication filter for web protection
❖ @EnableResourceServer
➢ Annotation used to configure OAuth2 resource server
➢ There is also XML configuration related <resource-
server/>

19. Spring Resource Server (cont)
❖ Supports expression-based access control
➢ oauth2.clientHasRole
➢ oauth2.clientHasAnyRole
➢ oauth2.denyClient

20. Spring OAuth2 Client
❖ Creates a filter to store the current request and context
❖ Manages the redirection to and from the OAuth
authentication URI
❖ @EnableOAuth2Client
➢ Annotation used to configure OAuth2 client
➢ There is also XML configuration related <client/>
❖ OAuthRestTemplate
➢ Wapper client object to access the resource

21. DEMO

22. References
1. http://projects.spring.io/spring-security-oauth/docs/oauth2.html
2. http://stackoverflow.com/questions/22764556/spring-security-oauth2-
authorization-process
3. https://github.com/hcadavid/spring4-rest-oauth2
4. https://github.com/neel4software/SpringSecurityOAuth2/tree/master/Spri
ngRestSecurityOauth

23. Q&A
Tran Thanh Thi
Sr. Software Developer | (+84) 93.739.5658
Dai Viet Controls & Instrumentation Company Ltd.
No.11 Street 2G, Nam Hung Vuong Res., An Lac Ward, Binh Tan
Dist., Ho Chi Minh City, Vietnam.
Tel: +84-8-6268.2523/4 (ext.120) | Fax: +84-8-62682520 Email:
info@daviteq.com | www.daviteq.com

24. Thank you!