2. Goals
・Understand OAuth2
・Grasp the concept of OpenID Connect
・Integrate with an OAuth2 provider
・Implement Spring Security with OAuth2
3. OAuth2 Use Cases
• Login: OpenID Connect
• Access a REST API on behalf of users
• Access a REST API server-to-server
4. Build Your Own Authentication?
A lot of requirements:
・Store user credentials safely
・Support LDAP/SSO integration?
・Develop a password reset process
・Develop MFA on your own
・Users are annoyed by needing a unique password
for each application.
5. OpenID Connect / OAuth2
・Delegate storing user credentials
・Manage user registration easily
・Delegate the password reset process
・Delegate the MFA implementation
・Users can log in to multiple applications
with a single set of credentials
6. What is the Concept of OAuth2?
・Authentication vs. Authorization
・Tokens
・Scopes
・Client Credentials
・Authorization Code
8. Authorization Examples
If you are in an AWS environment, the access distribution would be:
Administrator: has all access (including billing access)
Developer: has access to create, delete and edit resources
Biz: only has access to read resources
11. Scopes vs Authorities
Scopes in OAuth2 tell the application what user data it can
access on the user's behalf.
• Personal data from the provider, like email
• Application-specific scope names?
Can be (ab)used as Spring Security authorities, but keep the
difference in mind: a scope says what the user delegated to the
client, not what the user is permitted to do in your application.
12. Authorities in Spring Security
Roles
・Like manager, chef, server, dishwasher etc.
・A permitted authority or action
Permissions
・Permitted actions on specific data
・Like a manager for a specific division
・Or the owner of a specific configuration
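One way to keep the two apart in an authorization check, as an added example that is not code from the slides or from Spring Security: the client must hold the delegated scope, and the user must hold a role (an action permitted anywhere) or a permission (an action permitted on one specific resource). The role names follow the AWS-style split of slide 8; the claim layout, the "resources:write" scope and the division resource are assumptions for illustration.

```python
# Added example, not from the slides: one way to keep OAuth2 scopes (what the
# user delegated to the client) apart from Spring-style authorities (the
# user's own roles and permissions). The role names follow the AWS-style
# split of slide 8; the claim layout, the "resources:write" scope and the
# division resource are assumptions for illustration.
from dataclasses import dataclass, field

# Role -> actions permitted everywhere (an authority in Spring terms).
ROLE_ACTIONS = {
    "administrator": {"read", "create", "edit", "delete", "billing"},
    "developer": {"read", "create", "edit", "delete"},
    "biz": {"read"},
}


def scopes_from_claim(scope_claim: str) -> set:
    """Parse the token's space-separated scope claim, e.g. "openid profile email"."""
    return set(scope_claim.split())


@dataclass
class AccessContext:
    scopes: set                                     # from the access token
    roles: set                                      # from the app's own user store
    permissions: set = field(default_factory=set)   # {(action, resource), ...}


def is_allowed(ctx: AccessContext, action: str, resource: str,
               required_scope: str) -> bool:
    """Allow only if the client holds the scope AND the user may perform the action."""
    # 1. Scope gate: without the delegated scope the client may not act at all,
    #    even for an administrator. This is the part a scope can express.
    if required_scope not in ctx.scopes:
        return False
    # 2. Role: the action is permitted on any resource.
    if any(action in ROLE_ACTIONS.get(role, set()) for role in ctx.roles):
        return True
    # 3. Permission: the action is permitted only on this specific resource
    #    (e.g. the manager of one division). A scope cannot express this.
    return (action, resource) in ctx.permissions
```

Mapping a scope straight to a role (the "(ab)use" from slide 11) would skip step 2 and 3 entirely: any token carrying the scope would act with full rights, regardless of who the user is.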
14. OpenID Connect is…
Features
・Confidential, secure & browser based
・Does not access a resource directly, so we get an ID token
instead of an access token
・Hybrid flow with ID tokens instead of access tokens
15. OpenID's Metaphor
Theme park = the resource
Ticket = the access token
You = the client
Wristband = the ID token
Ticket gate = OpenID
You with a wristband (the client with an ID token) are allowed to enter!
16. OpenID Connect Flows
Client credentials flow: for server-to-server calls
• Sends client id + client secret to the OAuth2 provider
• Receives an access token directly
• No end user is involved, so this flow yields no ID token
Authorization code flow: for stateful (server-side) applications
• Redirects the user to the OAuth2 provider
• Receives an authorization code
• Exchanges it for an access token via a backend-to-backend call
• Sends a session cookie to the frontend for subsequent calls
Authorization code with PKCE: for single-page or mobile applications
• The application opens a separate browser for the OAuth2 provider login
• Receives the authorization code from the browser in the application
• Exchanges the code for an access token directly from the application to the OAuth2 provider
• The application sends the access token to the backend in every REST call
PKCE is now recommended for every client, including confidential server-side
ones, because it also stops the authorization code injection attack shown later.
17. THE AUTHORIZATION CODE FLOW FOR OIDC
1. The user wants to authenticate (clicks the login button)
2. The application initializes the flow with the STS by redirecting the browser
3. The browser sends the request to the STS to initialize the flow
4. STS: "Who are you? Please authenticate to me!"
5. User: "I am Philippe with password FluffyDog17!"
6. STS: "Good. Now follow this redirect back to the application,
so it can extract the authorization code from the URL"
7. The browser follows the redirect to the application's callback endpoint
8. The application makes a server-to-server request to exchange
the authorization code from step 7
9. The STS returns the identity token representing the authenticated user
10. The application uses the identity token to authenticate the user
18. The authorization request (a redirect to the STS)
https://sts.restograde.com/authorize
  ?response_type=code                              (indicates the authorization code flow)
  &scope=openid profile email                      (we want an ID token with email/profile info)
  &client_id=FN983CEYgx4mdUg3NKNKHjwfNAL5Fb42      (the client requesting authentication)
  &redirect_uri=https://restograde.com/callback    (where the STS should send the code)
A real request also carries a state parameter (and, for OIDC, a nonce) so the
callback can be tied to the browser session that started the flow.
19. The redirect back to the client application
https://restograde.com/callback
  ?code=ySVyktqNkEKJyyIjOKCVwCurNlGoRDcaLYEbW2j5WxZY   (the temporary authorization code)
20. The request to exchange the authorization code
POST /oauth/token

grant_type=authorization_code                             (indicates the code exchange request)
&client_id=FN983CEYgx4mdUg3NKNKHjwfNAL5Fb42              (the client exchanging the code)
&client_secret=6ODRv0g…OVOSWI                            (the client needs to authenticate to the STS)
&redirect_uri=https://restograde.com/callback            (the redirect URI used before)
&code=ySVyktqNkEKJyyIjOKCVwCurNlGoRDcaLYEbW2j5WxZY      (the code received in step 7)
The STS must check that the redirect_uri matches the one from the
authorization request, that the code was issued to this client_id, and
that the code is redeemed only once.
pdr.online
21. The response from the Security Token Service
{
  "id_token": "eyJhbGciO...du6TY9w",
}
The identity token representing the authenticated user.
The identity token contains a sub claim with the user's unique
identifier. The application can use this claim to look up the user
in its database and establish an authenticated session. Before
trusting any claim, validate the token: verify its signature against
the STS keys and check the iss, aud, exp and (if one was sent) nonce values.
22. Handle tokens according to the use case at hand
The same flow when the STS already has a session for the user (SSO);
steps 5 and 6, the user authenticating, are skipped:
1. Request that triggers the initialization of the flow
2. The application initializes the flow with the STS by redirecting the browser
3. The browser sends the request to the STS to initialize the flow
4. STS: "I know you! Follow this redirect back to the application!"
7. The browser follows the redirect to the application's callback endpoint
8. The application makes a server-to-server request to exchange
the authorization code from step 7
9. The STS returns the relevant tokens for this particular use case
10. The application handles the tokens according to the use case at hand
Session cookies: the STS uses cookies to keep track of the authenticated
user. Every subsequent request from the browser to the STS will carry
this cookie, enabling session re-use and SSO. The backend can also use
a cookie to store session ids for authorized users.
23. AN AUTHORIZATION CODE INJECTION ATTACK
1. The victim initializes the flow with the STS
2. The application initializes the flow
3. The STS redirects with the authorization code
4. The victim's browser follows the redirect with the authorization code
5. The attacker steals the authorization code
6. The attacker sends a request to the callback, from the attacker's own
browser session, with the stolen code
7. The application makes a server-to-server request to
exchange the authorization code
8. The STS returns the relevant tokens associated with the victim user
10. The application associates the tokens with the attacker's account
24. THE AUTHORIZATION CODE FLOW WITH PKCE
1. Request that triggers the initialization of the flow
2. The application generates a random value (the code verifier) and
associates it with the user's session (e.g., keeps it in a cookie)
3. The application calculates the SHA256 hash of the code verifier
(the code challenge)
4. The application initializes the flow and includes the code challenge
5. The browser sends the request to the STS to initialize the flow
6. STS: "Who are you? Please authenticate to me!"
7. User: "I am Philippe with password FluffyDog17!"
8. The STS stores the code challenge along with the authorization code
9. STS: "Good. Now follow this redirect back to the application,
so it can extract the authorization code from the URL"
10. The browser follows the redirect to the application's callback endpoint
11. The application exchanges the authorization code from step 10
and includes the code verifier
12. The STS calculates the SHA256 hash of the code verifier
and compares it to the stored code challenge
13. The STS returns the relevant tokens for this particular use case
14. The application handles the tokens according to the use case at hand
With the S256 method of RFC 7636 the challenge is base64url(SHA256(verifier)),
sent as code_challenge with code_challenge_method=S256. The attacker of the
previous slide never sees the verifier, so a stolen code cannot be exchanged.
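The two flows above (slides 17-21 and 24) and the attack of slide 23, as an added in-memory simulation that is not code from the slides or from any real STS: a toy token service that issues single-use codes and a toy web backend with one session per browser. Running the injection with PKCE off and on shows the difference. The client id, client secret, redirect URI, user names and session ids are assumptions for illustration.

```python
# Added example, not from the slides: a toy in-memory simulation of the
# authorization code flow (slides 17-21) that shows why the code injection
# attack of slide 23 works without PKCE and fails with it (slide 24).
# The STS, client and attacker are simplified objects; the client id,
# secret, redirect URI and user names are assumptions for illustration.
import base64
import hashlib
import secrets

CLIENT_ID = "restograde-web"                      # assumed registration
CLIENT_SECRET = "assumed-client-secret"           # assumed; never hard-code for real
REDIRECT_URI = "https://restograde.com/callback"


def code_challenge(verifier: str) -> str:
    """S256 method of RFC 7636: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class STS:
    """Toy Security Token Service: issues single-use codes and redeems them."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, user, challenge)

    def authorize(self, client_id, redirect_uri, user, challenge=None):
        # The user has authenticated; store the challenge with the code (step 8).
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, challenge)
        return code

    def token(self, client_id, client_secret, redirect_uri, code, verifier=None):
        if client_secret != CLIENT_SECRET:
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)  # single use: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        user, challenge = entry[2], entry[3]
        # Step 12: hash the presented verifier and compare with the stored challenge.
        if challenge is not None and (
                verifier is None or code_challenge(verifier) != challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"id_token": {"sub": user, "aud": client_id}}


class ClientApp:
    """Toy web backend: one session dict per browser, keyed by session id."""

    def __init__(self, sts, use_pkce):
        self.sts, self.use_pkce = sts, use_pkce
        self.sessions = {}

    def login(self, session_id, user):
        # Steps 2-4: generate the verifier, keep it in the session, send the challenge.
        session = self.sessions.setdefault(session_id, {})
        challenge = None
        if self.use_pkce:
            session["verifier"] = secrets.token_urlsafe(32)
            challenge = code_challenge(session["verifier"])
        # The browser would be redirected to the STS here; we call it directly
        # and return the code the STS would put in the callback URL.
        return self.sts.authorize(CLIENT_ID, REDIRECT_URI, user, challenge)

    def callback(self, session_id, code):
        # Step 11: exchange the code, adding the verifier stored in *this* session.
        session = self.sessions.setdefault(session_id, {})
        tokens = self.sts.token(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, code,
                                session.get("verifier"))
        session["user"] = tokens["id_token"]["sub"]  # sub claim -> local user
        return session["user"]


def normal_login(use_pkce):
    """Philippe logs in from his own browser; returns the authenticated user."""
    app = ClientApp(STS(), use_pkce)
    code = app.login("philippe-browser", "philippe")
    return app.callback("philippe-browser", code)


def code_injection_attack(use_pkce):
    """Returns who the attacker's session is logged in as, or None if rejected."""
    app = ClientApp(STS(), use_pkce)
    app.login("attacker-browser", "attacker")              # attacker starts a flow
    victim_code = app.login("victim-browser", "philippe")  # victim's code is...
    try:                                                   # ...stolen (step 5) and
        return app.callback("attacker-browser", victim_code)  # injected (step 6)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("without PKCE, attacker is logged in as:", code_injection_attack(False))
    print("with PKCE, attacker is logged in as:", code_injection_attack(True))
```

Note that a state parameter alone would not stop this attack: the attacker's session has a perfectly valid state of its own, and the stolen code is submitted with it. Only the verifier, which never leaves the victim's session, binds the code to the session that requested it.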
25. JWT Token
• In the authorization code flow, JWT tokens are received by the backend
• JWT tokens can also be used directly for REST APIs
• "Authorization: Bearer " + jwtToken
• The API must verify the signature and the exp, iss and aud claims
before acting on anything in the token
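What the REST API side of that header should do, as an added example that is not code from the slides or from Spring's resource-server support: parse the Bearer scheme, pin the algorithm, verify the signature in constant time, then check issuer, audience and expiry. It uses a shared HMAC key (HS256) so it runs offline; OIDC providers normally sign with RS256 and publish their public keys at the jwks_uri, so only the signature step would differ. The key, issuer and audience values are assumptions, and mint_jwt exists only to produce test tokens.

```python
# Added example, not from the slides: how a REST API should treat the
# "Authorization: Bearer <jwt>" header. It uses a shared HMAC key (HS256)
# so it runs offline; OIDC providers normally sign with RS256 and publish
# their public keys at the jwks_uri, so only the signature step differs.
# The key, issuer and audience values are assumptions.
import base64
import hashlib
import hmac
import json
import time

KEY = b"assumed-shared-key"                 # assumption: HS256 for the demo
ISSUER = "https://sts.restograde.com/"     # assumption
AUDIENCE = "restograde-api"                # assumption


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, alg: str = "HS256") -> str:
    """Produce a test token. This is the STS's job; it is here only so the example runs."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_bearer(authorization_header: str, now: float = None) -> dict:
    """Return the verified claims or raise ValueError; unverified claims never leak out."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed JWT")
    # Pin the algorithm: honouring whatever the header says enables alg=none attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or AUDIENCE not in aud:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```

The order matters: the signature is checked before any claim is read, so a forged or tampered body is never parsed into decisions, and the audience check stops a token minted for another API from being accepted here.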
27. Configure a Client Application in an OIDC Provider
Multiple OpenID Connect providers
• Azure AD, AWS Cognito, Google Account, GitHub
• Okta, Auth0, OneLogin
• For development: JBoss Keycloak
(GitHub offers plain OAuth2 login without an ID token; Spring handles it
through the provider's user-info endpoint instead of OIDC.)
Need to register a client application
• Allows access to user information
• Client ID + client secret
• Authorized callback URLs
• For Spring: …/login/oauth2/code/{provider}
28. Register an OAuth2 Client
GitHub:
• Set up the homepage URL
• Authorization callback URL
Keycloak:
• Create a realm
• Create a client
• Configure the callback URL
• Add users
29. Configure a Spring application for OIDC Login
• spring-boot-starter-oauth2-client autoconfigures OIDC login.
• spring-boot-starter-oauth2-resource-server adds bearer-token support for a REST API.
• Set issuer-uri; Spring appends /.well-known/openid-configuration to it and
reads the endpoints and signing keys from the discovery document it finds there.
31. Debugging & Resources
Debugging
1. Add debug=true and logging.level.org.springframework.security=debug
to your application.properties or application.yml
2. Add spring-boot-starter-actuator to your pom.xml
3. Go to http://localhost:8080/actuator
These are development settings: the debug log prints request details and
the actuator endpoints expose configuration, so keep them out of production
or lock them down.