OAuth 2.0
http://oauth.net/2/
Agenda
❖ Overview and History
❖ OAuth 2.0 Roles
❖ Use cases and OAuth 2.0 Grant types
❖ OAuth 2.0 Tokens
❖ OAuth 2.0 Java Implementations
❖ Demo
OAuth 2.0 Overview
OAuth 2.0 is an open authorization protocol specification
defined by IETF OAuth WG (Working Group) which enables
applications to access each other’s data.
The prime focus of this protocol is to define a standard by which
an application, say a gaming site, can access the user's data
maintained by another application such as Facebook, Google or
another resource server.
OAuth History
❖ OAuth started circa 2007
❖ 2008 - IETF standardization work started
❖ 2010 - RFC 5849 defines OAuth 1.0
❖ 2010 - WRAP (Web Resource Authorization Profiles) proposed by
Microsoft, Yahoo! and Google
❖ 2010 - OAuth 2.0 work begins in IETF
❖ 2012
➢ RFC 6749 - The OAuth 2.0 Authorization Framework
➢ RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer
Token Usage
OAuth 2.0 Roles
OAuth 2.0 defines the following roles of users and
applications:
❖ Resource Owner: The user
❖ Resource Server: The API server
❖ Client Application: The third-party application
❖ Authorization Server: Often the same as the API server
Use cases
❖ Web-server apps
❖ Browser-based apps
❖ Username & Password access
❖ Application access
❖ Mobile apps
Use cases → Grant types
❖ Web-server apps → authorization_code
❖ Browser-based and Mobile apps → implicit
❖ Username & Password access → password
❖ Application access → client_credentials
(Flow diagrams for the authorization_code, implicit, password and client_credentials grant types; the diagram images are not part of the text transcript.)
OAuth 2.0 Tokens
❖ Types
➢ Bearer
■ Large random token
■ Need SSL to protect it in transit
■ Server needs to store it securely hashed like a user password
➢ MAC (supported only in OAuth 1.0)
❖ Access Token
➢ Short-lived token
❖ Refresh Token
➢ Long-lived token
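The bearer-token rules on this slide (a large random value, protected by TLS in transit, stored hashed like a user password) and the short-lived access token, shown together in one small store. This is an added example written in plain Java; it is not code from the slides or from any of the Java implementations discussed later, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical bearer-token store: the server keeps a SHA-256 digest of each token,
// never the token value itself, so a copied database does not yield usable tokens.
public class HashedBearerTokenStore {

    // What is kept per token (besides the hash used as the map key).
    public static final class TokenRecord {
        public final String clientId;
        public final String scope;
        public final Instant expiresAt;

        TokenRecord(String clientId, String scope, Instant expiresAt) {
            this.clientId = clientId;
            this.scope = scope;
            this.expiresAt = expiresAt;
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, TokenRecord> byHash = new HashMap<>();

    // "Large random token": 256 bits from SecureRandom, base64url so it is URL-safe.
    public static String newTokenValue() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // "Stored securely hashed": a plain digest is enough because the input is
    // high-entropy, unlike a user-chosen password, which would need a slow hash.
    static String hash(String tokenValue) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(tokenValue.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    // Issue a short-lived access token. The clear value is returned exactly once,
    // to be delivered to the client over TLS and then forgotten by the server.
    public String issue(String clientId, String scope, Duration ttl) {
        String value = newTokenValue();
        byHash.put(hash(value), new TokenRecord(clientId, scope, Instant.now().plus(ttl)));
        return value;
    }

    // Resource-server side check: hash what was presented, look it up, reject unknown
    // or expired tokens. Unknown and expired look the same to the caller on purpose.
    public Optional<TokenRecord> validate(String presentedValue) {
        TokenRecord rec = byHash.get(hash(presentedValue));
        if (rec == null || !Instant.now().isBefore(rec.expiresAt)) {
            return Optional.empty();
        }
        return Optional.of(rec);
    }

    public static void main(String[] args) {
        HashedBearerTokenStore store = new HashedBearerTokenStore();
        String access = store.issue("gaming-site", "read", Duration.ofMinutes(10));
        System.out.println("fresh token accepted: " + store.validate(access).isPresent());
        System.out.println("altered token accepted: " + store.validate(access + "x").isPresent());
        String expired = store.issue("gaming-site", "read", Duration.ZERO);
        System.out.println("expired token accepted: " + store.validate(expired).isPresent());
    }
}
```

A refresh token would be handled the same way with a longer ttl and a separate map, so that presenting a refresh token at the resource server cannot pass as an access token.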
OAuth 2.0 Pros & Cons
❖ Pros
➢ Integration of third-party apps with any site
➢ Access can be granted for a limited scope and duration
➢ No need for users to give their credentials to the third-party site
❖ Cons
➢ Writing the authorization logic is somewhat complex
➢ Interoperability issues
➢ Bad implementations can introduce security issues
OAuth 2.0 Java Implementations
❖ Some Java implementations are available
➢ Jersey
➢ Apache Oltu
➢ Spring Security OAuth 2.0
➢ Others (CXF, Google OAuth2 API, etc.)
❖ Not available as Java EE standard yet
Spring Security OAuth
❖ Provides OAuth (1a) and OAuth2
❖ Implements the 4 authorization grant types
❖ Supports the full OAuth2 feature set
➢ Authorization Server, Resource Server, Client
❖ Good integration with JAX-RS and Spring MVC
❖ Configuration via annotations
❖ Integrates with the Spring ecosystem
Spring Authorization Server
❖ @EnableAuthorizationServer
➢ Annotation used to configure an OAuth2 Authorization Server
➢ There is also a corresponding XML configuration element,
<authorization-server/>
❖ ClientDetailsServiceConfigurer
➢ Defines the client details service
➢ In-memory or JDBC implementations
Spring Authorization Server (cont)
❖ AuthorizationServerTokenServices
➢ Operations to manage OAuth2 tokens
➢ Token in-memory, JDBC or JSON Web Token (JWT)
❖ AuthorizationServerEndpointsConfigurer
➢ Grant types supported by the server
➢ All grant types are supported out of the box except the password grant
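The "Use cases → Grant types" mapping and the three configurers from the last two slides, put together in one authorization server. This is an added example, not code from the slides or the demo; it uses the Spring Security OAuth 2.x annotation API, and the client ids, secrets, redirect URI and role name are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

// Added example: one registered client per use case on the grant-type slide.
@Configuration
@EnableAuthorizationServer
public class DemoAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // ClientDetailsServiceConfigurer: which clients exist and what each may do.
    // In-memory here; clients.jdbc(dataSource) is the JDBC alternative from the slide.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Web-server app -> authorization_code (plus refresh_token so it can renew).
            .withClient("gaming-site")
                .secret("gaming-site-secret")          // placeholder; with Spring Security 5 store it PasswordEncoder-encoded
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read")
                // Exact registered redirect URI: codes are only ever sent here.
                .redirectUris("https://gaming.example/login/callback")
                .accessTokenValiditySeconds(600)       // short-lived access token
                .refreshTokenValiditySeconds(86400)    // long-lived refresh token
                .autoApprove(false)                    // always show the consent page
            .and()
            // Application access -> client_credentials, no resource owner involved.
            .withClient("nightly-report")
                .secret("nightly-report-secret")       // placeholder
                .authorizedGrantTypes("client_credentials")
                .scopes("read")
                .authorities("ROLE_TRUSTED_CLIENT")    // what #oauth2.clientHasRole checks on the resource server
                .accessTokenValiditySeconds(300);
        // A browser-based/mobile client (implicit grant) would be registered the same
        // way but without a secret; the exact redirectUris rule matters most there.
    }

    // AuthorizationServerTokenServices: tokens held in memory. JdbcTokenStore and
    // JwtTokenStore are the other two options the slide lists.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    // AuthorizationServerEndpointsConfigurer. The password grant stays off because no
    // AuthenticationManager is supplied via endpoints.authenticationManager(...).
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .reuseRefreshTokens(false);          // rotate the refresh token on every use
    }

    // Clients authenticate to /oauth/token with their secret; the token-check endpoint
    // is only reachable by an authenticated caller.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()");
    }
}
```

Because the gaming-site client lists a single exact redirect URI, the authorization endpoint refuses any request whose redirect_uri differs, which is the check that keeps an issued code from being delivered somewhere the client did not register.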
Spring Resource Server
❖ Can be the same application as the Authorization Server
➢ or deployed in a separate application
❖ Provides an authentication filter for web protection
❖ @EnableResourceServer
➢ Annotation used to configure an OAuth2 resource server
➢ There is also a corresponding XML configuration element,
<resource-server/>
Spring Resource Server (cont)
❖ Supports expression-based access control
➢ oauth2.clientHasRole
➢ oauth2.clientHasAnyRole
➢ oauth2.denyClient
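A resource server that uses the expression-based access control named on this slide, as an added example rather than code from the slides. It assumes the Spring Security OAuth 2.x annotation API, a hypothetical scores API under /api, and the placeholder role names used in the authorization-server example; the clientHasRole check only has effect for clients that were given those authorities when they were registered.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// Added example: a resource server for a hypothetical scores API.
@Configuration
@EnableResourceServer
public class ScoresResourceServerConfig extends ResourceServerConfigurerAdapter {

    // The id this server answers to. If a client was registered with resourceIds(...)
    // on the authorization server, tokens whose audience lacks this id are rejected.
    // stateless(true): every request must carry a bearer token; no session fallback.
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("scores-api").stateless(true);
    }

    // By the time these rules run, the authentication filter installed by
    // @EnableResourceServer has already validated the bearer token.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Any valid token carrying the "read" scope may read scores.
            .antMatchers(HttpMethod.GET, "/api/scores/**")
                .access("#oauth2.hasScope('read')")
            // Admin endpoints: only clients that were granted one of these roles
            // at registration time, regardless of which user is behind the token.
            .antMatchers("/api/admin/**")
                .access("#oauth2.clientHasAnyRole('ROLE_TRUSTED_CLIENT', 'ROLE_ADMIN_CLIENT')")
            // Profile data needs a resource owner behind the token, so a
            // client_credentials token is refused even if it carries the scope.
            .antMatchers("/api/profile/**")
                .access("#oauth2.isUser() and #oauth2.hasScope('read')")
            // Fail closed for anything not listed above.
            .anyRequest().denyAll();
    }
}
```

The default configure(HttpSecurity) in ResourceServerConfigurerAdapter only requires an authenticated token for every request; the overrides above add the scope and client-role conditions and turn the default into deny-by-default for unlisted paths.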
Spring OAuth2 Client
❖ Creates a filter to store the current request and context
❖ Manages the redirection to and from the OAuth
authentication URI
❖ @EnableOAuth2Client
➢ Annotation used to configure an OAuth2 client
➢ There is also a corresponding XML configuration element, <client/>
❖ OAuthRestTemplate
➢ Wrapper client object to access the resource
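The client side described on this slide, configured for the authorization_code grant, as an added example that is not code from the slides or the demo. It assumes the Spring Security OAuth 2.x client API (OAuth2RestTemplate); the endpoint URIs, client id, secret and redirect URI are placeholders.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

// Added example: the web-server app ("gaming site") as an OAuth2 client.
@Configuration
@EnableOAuth2Client
public class GamingSiteClientConfig {

    // Describes the protected resource and how to obtain a token for it.
    @Bean
    public OAuth2ProtectedResourceDetails scoresResource() {
        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        details.setId("scores");
        details.setClientId("gaming-site");
        details.setClientSecret("gaming-site-secret");   // placeholder; load from configuration, never hard-code
        details.setUserAuthorizationUri("https://auth.example/oauth/authorize");
        details.setAccessTokenUri("https://auth.example/oauth/token");
        details.setScope(Arrays.asList("read"));         // ask only for what the app needs
        // Always send the fixed redirect URI registered at the authorization server,
        // rather than whatever URL the current request happened to arrive on.
        details.setPreEstablishedRedirectUri("https://gaming.example/login/callback");
        details.setUseCurrentUri(false);
        return details;
    }

    // The wrapper client from the slide. The OAuth2ClientContext parameter is the
    // scoped context bean registered by @EnableOAuth2Client; it holds the pending
    // token request (including the state value) and the obtained access token.
    @Bean
    public OAuth2RestTemplate scoresRestTemplate(OAuth2ClientContext oauth2ClientContext) {
        return new OAuth2RestTemplate(scoresResource(), oauth2ClientContext);
    }
}

// Hypothetical caller: the template hides the whole flow behind an ordinary REST call.
class ScoresService {
    private final OAuth2RestTemplate template;

    ScoresService(OAuth2RestTemplate template) {
        this.template = template;
    }

    String myScores() {
        return template.getForObject("https://api.example/api/scores/me", String.class);
    }
}
```

On the first call, the template has no token and throws UserRedirectRequiredException; the OAuth2ClientContextFilter mentioned on the slide (the filter that stores the current request and context) turns that into a redirect to the authorization URI. When the user returns to the callback, the template checks the state value against the one it stored, exchanges the code at the token URI, then repeats the original request with the bearer token. Outside Spring Boot, that filter still has to be added to the web security filter chain by hand.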
DEMO
References
1. http://projects.spring.io/spring-security-oauth/docs/oauth2.html
2. http://stackoverflow.com/questions/22764556/spring-security-oauth2-authorization-process
3. https://github.com/hcadavid/spring4-rest-oauth2
4. https://github.com/neel4software/SpringSecurityOAuth2/tree/master/SpringRestSecurityOauth
Q&A
Tran Thanh Thi
Sr. Software Developer | (+84) 93.739.5658
Dai Viet Controls & Instrumentation Company Ltd.
No.11 Street 2G, Nam Hung Vuong Res., An Lac Ward, Binh Tan
Dist., Ho Chi Minh City, Vietnam.
Tel: +84-8-6268.2523/4 (ext.120) | Fax: +84-8-62682520 | Email: info@daviteq.com | www.daviteq.com
Thank you!
OAuth 2.0 at the Globiots