OAuth2 and OpenID with Spring Boot
Geert Pante
Goals
・Understand OAuth2
・Grasp the concept of OpenID Connect
・Integrate with an OAuth2 provider
・Implement Spring Security with OAuth2
OAuth2 Use Cases
• Login: OpenID Connect
• Access REST API for Users
• Access REST API server-to-server
Build Your Own Authentication?
A Lot of Requirements
・Store user credentials safely
・Support LDAP/SSO integration?
・Develop a password reset process
・Develop MFA on your own
・Users are annoyed by needing a unique password for each application
OpenID Connect / OAuth2
・Delegate storing user credentials
・Manage user registration easily
・Manage the password reset process
・Delegate the MFA implementation
・Users can log in to multiple applications with a single set of credentials
What is the Concept of OAuth2?
・Authentication vs. Authorization
・Tokens
・Scopes
・Client Credentials
・Authorization Code
Authentication vs. Authorization
Authentication
・Identify who you are
・Must prove your identity
Authorization
・What you are allowed to do
・What API resources you can access
Authorization Examples
If you are in an AWS environment, the access distribution could be:
・Administrator: all access (including billing access)
・Developer: access to create, delete and edit resources
・Biz: read-only access to resources
Tokens
Access Token
・Bearer tokens
・JWT token
・Opaque token
Refresh Token
・Used to obtain a new access token when the current one expires
Tokens' Metaphor
・Access Token: the ticket in your possession
・Refresh Token: used to buy more tickets
Scopes vs Authorities
Scopes in OAuth2 tell the application what user data it can access.
• Personal data from the provider, like email
• Application-specific scope names?
Can be (ab)used as Spring Security Authorities
Authorities in Spring Security
Roles
・e.g. manager, chef, server, dishwasher
・A permitted authority or action
Permissions
・Permitted actions on specific data
・Like a manager for a specific division
・Or owner of a specific configuration
What is OpenID Connect?
OpenID Connect is…
Features
・Confidential, secure & browser based
・Does not access a resource directly, so we get an ID token instead of an access token
・Hybrid flow with ID tokens instead of access tokens
OpenID's Metaphor
・Theme park = the resource
・Ticket = access token
・You = the client
・Wrist band = ID token
・Ticket gate = OpenID
・You with a wrist band = client with an ID token: you are allowed to enter!
OpenID Connect Flows
Client Credentials flow: for server-to-server calls
• Sends client ID + client secret to the OAuth2 provider
• Receives an access token directly
Authorization Code flow: for stateful applications
• Redirects the user to the OAuth2 provider
• Receives an authorization code
• Exchanges it for an access token via a backend-to-backend call
• Sends a session cookie to the frontend for subsequent calls
Authorization Code with PKCE: for single-page applications or mobile
• The application opens a separate browser for the OAuth2 provider login
• Receives the authorization code from the browser in the application
• Exchanges it for an access token directly from the application to the OAuth2 provider
• The application sends the access token to the backend in every REST call
THE AUTHORIZATION CODE FLOW FOR OIDC (sequence diagram, steps in order)
1. I want to authenticate (click the login button)
2. Initialize the flow with the STS by redirecting the browser
3. Request to the STS to initialize the flow
4. Who are you? Please authenticate to me!
5. I am Philippe with password FluffyDog17!
6. Good. Now follow this redirect back to the application, so it can extract the authorization code from the URL
7. Follow redirect to the application's callback endpoint
8. A server-to-server request to exchange the authorization code from step 7
9. The identity token representing the authenticated user
10. Use the identity token to authenticate the user
The authorization request (a redirect to the STS; steps 2 and 3)
https://sts.restograde.com/authorize
?response_type=code                            Indicates the authorization code flow
&scope=openid profile email                    We want an ID token with email/profile info
&client_id=FN983CEYgx4mdUg3NKNKHjwfNAL5Fb42    The client requesting authentication
&redirect_uri=https://restograde.com/callback  Where the STS should send the code
The redirect back to the client application (steps 6 and 7)
https://restograde.com/callback
?code=ySVyktqNkEKJyyIjOKCVwCurNlGoRDcaLYEbW2j5WxZY  The temporary authorization code
The request to exchange the authorization code (step 8)
POST /oauth/token

grant_type=authorization_code                        Indicates the code exchange request
&client_id=FN983CEYgx4mdUg3NKNKHjwfNAL5Fb42          The client exchanging the code
&client_secret=6ODRv0g…OVOSWI                        The client needs to authenticate to the STS
&redirect_uri=https://restograde.com/callback        The redirect URI used before
&code=ySVyktqNkEKJyyIjOKCVwCurNlGoRDcaLYEbW2j5WxZY   The code received in step 7
Source: pdr.online
The response from the Security Token Service (step 9)
{
  "id_token": "eyJhbGciO...du6TY9w",
}
The identity token representing the authenticated user.
The identity token contains a sub claim with the user's unique identifier. The application can use this claim to look up the user in its database and establish an authenticated session.
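What the application should check before it trusts the id_token from step 9 and uses its sub claim, as an added example (this is not code from the deck or from pdr.online). It assumes the STS signs the ID token with HS256 using the client secret as the key, which OIDC permits for confidential clients; most providers sign with RS256 instead, in which case the signature check below becomes a public-key verification against the provider's published keys and everything else stays the same. The client secret, the user database and the nonce are constructed; the client_id and issuer come from the deck's example request.

```python
"""Validate an OIDC ID token and resolve the local user from its sub claim."""
import base64
import hashlib
import hmac
import json
from typing import Optional

CLIENT_ID = "FN983CEYgx4mdUg3NKNKHjwfNAL5Fb42"   # client_id from the deck's example request
CLIENT_SECRET = b"constructed-client-secret"     # constructed; the deck elides the real secret
ISSUER = "https://sts.restograde.com"            # the STS from the deck


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, now: int, nonce: Optional[str] = None,
                   aud: str = CLIENT_ID, lifetime: int = 300) -> str:
    """Constructed STS side: mint an HS256-signed ID token (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + lifetime}
    if nonce is not None:
        payload["nonce"] = nonce
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    signature = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_id_token(token: str, now: int, expected_nonce: Optional[str] = None) -> dict:
    """Client side: verify the signature, then iss, aud, exp (and nonce if the request carried one)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm you expect; never let the token choose it
    expected = hmac.new(CLIENT_SECRET, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub claim")
    return claims


def local_user_for(claims: dict, user_db: dict) -> str:
    """Look the local account up by (iss, sub): sub is the stable identifier, e-mail addresses can change."""
    try:
        return user_db[(claims["iss"], claims["sub"])]
    except KeyError:
        raise LookupError("no local account for this subject")
```

Only after validate_id_token returns should the application create its own session for the user returned by local_user_for; a token that fails any check is treated as no login at all.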
Session Cookies (sequence diagram: the same flow for a user the STS already knows)
1. Request that triggers the initialization of the flow
2. Initialize the flow with the STS by redirecting the browser
3. Request to the STS to initialize the flow
4. I know you! Follow this redirect back to the application!
7. Follow redirect to the application's callback endpoint
8. A server-to-server request to exchange the authorization code from step 7
9. Relevant tokens for this particular use case
10. Handle tokens according to the use case at hand
(Steps 5 and 6, the user authentication, do not occur: the STS recognizes the user from its session cookie.)
The STS uses cookies to keep track of the authenticated user. Every subsequent request from the browser to the STS will carry this cookie, enabling session re-use and SSO. The backend can also use a cookie to store session IDs for authorized users.
AN AUTHORIZATION CODE INJECTION ATTACK (sequence diagram, steps in order)
1. Initialize the flow with the STS
2. Initialize the flow
3. Redirect with authorization code
4. Follow redirect with authorization code
5. Steal the authorization code
6. Send request to the callback with the stolen code
7. A server-to-server request to exchange the authorization code
8. Relevant tokens associated with the victim user
10. Associate tokens with the attacker's account
THE AUTHORIZATION CODE FLOW WITH PKCE (sequence diagram, steps in order)
1. Request that triggers the initialization of the flow
2. Generate a random value (code verifier) and associate it with the user's session (e.g., keep in a cookie)
3. Calculate the SHA256 hash of the code verifier (code challenge)
4. Initialize the flow and include the code challenge
5. Request to the STS to initialize the flow
6. Who are you? Please authenticate to me!
7. I am Philippe with password FluffyDog17!
8. Store the code challenge along with the authorization code
9. Good. Now follow this redirect back to the application, so it can extract the authorization code from the URL
10. Follow redirect to the application's callback endpoint
11. Exchange the authorization code from step 10 and include the code verifier
12. Calculate the SHA256 hash of the code verifier and compare to the stored code challenge
13. Relevant tokens for this particular use case
14. Handle tokens according to the use case at hand
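Both sides of the authorization code flow with PKCE in one process, as an added example that is not code from the deck or from pdr.online: an in-memory STS and client application using the client_id and URLs from the slides plus a constructed client secret, with plain dicts standing in for the browser's session cookie. It covers the flow overview above, the PKCE diagram and the authorization code injection diagram: the STS binds each code to the client_id, the registered redirect_uri and the code challenge, accepts it only once, and performs the step 12 comparison, so a code that reaches a browser session other than the one that started the flow is exchanged with the wrong verifier and is refused.

```python
"""Authorization code flow with PKCE: STS and client, with the checks that make it safe."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "FN983CEYgx4mdUg3NKNKHjwfNAL5Fb42"    # client_id from the deck's example request
CLIENT_SECRET = "constructed-client-secret"       # constructed; the deck elides the real secret
REDIRECT_URI = "https://restograde.com/callback"
STS_AUTHORIZE = "https://sts.restograde.com/authorize"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Sts:
    """Constructed Security Token Service, kept in memory."""

    def __init__(self):
        self.registered = {CLIENT_ID: {REDIRECT_URI}}   # exact callback URLs registered per client
        self.codes = {}                                 # issued code -> what it is bound to

    def authorize(self, query: str, user: str) -> str:
        """Steps 5 to 9: the user has authenticated (given here); store the challenge with a fresh code."""
        p = {k: v[0] for k, v in parse_qs(query).items()}
        if p.get("response_type") != "code" or p.get("code_challenge_method") != "S256" or "code_challenge" not in p:
            raise ValueError("invalid_request")
        if p.get("redirect_uri") not in self.registered.get(p.get("client_id"), set()):
            raise ValueError("redirect_uri not registered for this client")   # exact match, no prefix matching
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                            "challenge": p["code_challenge"], "user": user}
        return p["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, form: dict) -> dict:
        """Steps 11 to 13: single-use code, client authentication, then SHA256(verifier) == stored challenge."""
        bound = self.codes.pop(form.get("code"), None)           # pop: a code can be exchanged only once
        if bound is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if form.get("grant_type") != "authorization_code" or not hmac.compare_digest(
                form.get("client_secret", ""), CLIENT_SECRET):
            raise PermissionError("invalid_client")
        if bound["client_id"] != form.get("client_id") or bound["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant: code is bound to another client or redirect_uri")
        if not hmac.compare_digest(code_challenge(form.get("code_verifier", "")), bound["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"id_token": "constructed-id-token-for-" + bound["user"], "token_type": "Bearer"}


class ClientApp:
    """Constructed client application; `session` is a dict standing in for the browser's session cookie."""

    def __init__(self, sts: Sts):
        self.sts = sts

    def start_login(self, session: dict) -> str:
        """Steps 1 to 4: random verifier kept in the session, only its challenge goes to the STS."""
        session["code_verifier"] = b64url(secrets.token_bytes(32))   # 43 unreserved chars, within RFC 7636's 43..128
        params = {"response_type": "code", "scope": "openid profile email", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "code_challenge": code_challenge(session["code_verifier"]),
                  "code_challenge_method": "S256"}
        return STS_AUTHORIZE + "?" + urlencode(params)

    def callback(self, session: dict, redirect_url: str) -> dict:
        """Steps 10 to 14: read the code from the callback URL, exchange it with *this* session's verifier."""
        code = parse_qs(urlparse(redirect_url).query)["code"][0]
        verifier = session.pop("code_verifier", None)
        if verifier is None:
            raise PermissionError("no login in progress for this session")
        return self.sts.token({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                               "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI,
                               "code": code, "code_verifier": verifier})


def login(user: str = "philippe") -> dict:
    """The honest flow end to end; returns the STS token response."""
    sts = Sts()
    app = ClientApp(sts)
    browser = {}
    redirect_back = sts.authorize(urlparse(app.start_login(browser)).query, user)
    return app.callback(browser, redirect_back)


def injected_code_outcome(victim: str = "philippe") -> str:
    """The deck's injection scenario with PKCE in place: the victim's code is delivered to another
    browser session, whose own verifier cannot match the challenge stored with that code.
    Returns the STS error text, or 'ACCEPTED' if the binding check did not hold."""
    sts = Sts()
    app = ClientApp(sts)
    victim_browser, other_browser = {}, {}
    victim_redirect = sts.authorize(urlparse(app.start_login(victim_browser)).query, victim)
    app.start_login(other_browser)          # the other session has a verifier and challenge of its own
    try:
        app.callback(other_browser, victim_redirect)
    except PermissionError as err:
        return str(err)
    return "ACCEPTED"
```

The same STS checks are what a Spring Boot client relies on when it sends a code_challenge; the code_challenge function matches the RFC 7636 test vector, which is a quick way to confirm a provider's S256 implementation.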
JWT Token
• In the authorization code flow, JWT tokens are received by the backend
• JWT tokens can also be used directly for REST APIs
• "Authorization: Bearer " + jwtToken
Spring Security and OpenID Connect
Configure a Client application in an OIDC Provider
Multiple OpenID Connect providers
• Azure AD, AWS Cognito, Google Account, GitHub
• Okta, Auth0, OneLogin
• For development: JBoss Keycloak
Need to register a client application
• Allows access to user information
• Client ID + client secret
• Authorized callback URLs
• For Spring: …/login/oauth2/code/{provider}
Register an OAuth2 Client
GitHub:
• Set up Homepage URL
• Authorization callback URL
Keycloak:
• Create Realm
• Create Client
• Configure callback URL
• Add users
Configure a Spring application for OIDC Login
• spring-boot-starter-oauth2-client will autoconfigure OIDC logins.
• spring-boot-starter-oauth2-resource-server will add support for REST APIs.
• The issuer-uri serves the provider's discovery document at /.well-known/openid-configuration.
Configure WebSecurity
Authentication
Default Authorities
• Each logged-in user has the OIDC_USER authority
• Each OIDC scope is translated to an authority named SCOPE_<scope name>
Debugging & Resources
Debugging
1. Add logging.level.org.springframework.security=debug and debug=true to your application.properties or application.yml
2. Add spring-boot-starter-actuator to your pom.xml
3. Go to http://localhost:8080/actuator
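The application.yml that the configuration and debugging slides above amount to, as an added example (not the deck's own configuration). The registration name keycloak, the client ID and secret, and the realm URL are placeholders to replace with the values from the client registration at the provider; the redirect-uri template expands to the …/login/oauth2/code/{provider} callback URL from the registration slide, and the property names are Spring Boot's own.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:                                   # registrationId: becomes {provider} in the callback URL
            client-id: <your-client-id>               # placeholder
            client-secret: ${KEYCLOAK_CLIENT_SECRET}  # placeholder; read from the environment, not committed
            authorization-grant-type: authorization_code
            scope: openid,profile,email               # each becomes a SCOPE_<name> authority, plus OIDC_USER
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"  # must equal the callback URL registered at the provider
        provider:
          keycloak:
            issuer-uri: https://<keycloak-host>/realms/<realm>  # placeholder; Spring fetches <issuer-uri>/.well-known/openid-configuration

# Debugging, as on the slide: Spring Security filter chain logging plus Boot's debug report
logging:
  level:
    org.springframework.security: DEBUG
debug: true

# Actuator, then browse to http://localhost:8080/actuator
management:
  endpoints:
    web:
      exposure:
        include: health,info
```

Keep debug and the DEBUG log level out of production profiles: security debug logging prints request details, and an exposed actuator surface should be limited to the endpoints you need.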
Thank you for Listening!
