2. Agenda
❖ Overview and History
❖ OAuth 2.0 Roles
❖ Use cases and OAuth 2.0 Grant types
❖ OAuth 2.0 Tokens
❖ OAuth 2.0 Java Implementations
❖ Demo
3. OAuth 2.0 Overview
OAuth 2.0 is an open authorization protocol specification defined by the IETF OAuth WG (Working Group) which enables applications to access each other's data.
The prime focus of this protocol is to define a standard by which an application, say a gaming site, can access the user's data maintained by another application such as Facebook, Google or any other resource server.
4. OAuth History
❖ OAuth started circa 2007
❖ 2008 - IETF standardization started
❖ 2010 - RFC 5849 defines OAuth 1.0
❖ 2010 - WRAP (Web Resource Authorization Profiles) proposed by Microsoft, Yahoo! and Google
❖ 2010 - OAuth 2.0 work begins in IETF
❖ 2012
➢ RFC 6749 - The OAuth 2.0 Authorization Framework
➢ RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer
Token Usage
5. OAuth 2.0 Roles
OAuth 2.0 defines the following roles of users and
applications:
❖ Resource Owner: The user
❖ Resource Server: The API server
❖ Client Application: The third-party application
❖ Authorization Server: Often the same as the API server
6. Use cases
❖ Web-server apps
❖ Browser-based apps
❖ Username & Password access
❖ Application access
❖ Mobile apps
7. Use cases → Grant types
❖ Web-server apps → authorization_code
❖ Browser-based and Mobile apps → implicit
❖ Username & Password access → password
❖ Application access → client_credentials
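The four grant types above differ mainly in which parameters go to the authorization endpoint (front channel, through the browser) and which go to the token endpoint (back channel). The following Java class, an added example that is not part of the original slides, builds each request as a plain string so the parameters are visible side by side; it also keeps the `state` value RFC 6749 defines for the redirect-based grants and refuses to exchange a code whose callback `state` does not match the one stored in the session. Endpoint URLs, client id, redirect URI and the sample code are constructed placeholders; Java 10+ is assumed for the `URLEncoder` overload.

```java
// Added example, not from the original slides: the request each OAuth 2.0 grant type sends,
// assembled as plain strings. Endpoint URLs, client id, redirect URI and the sample
// authorization code are constructed placeholders. Java 10+ (URLEncoder(String, Charset)).
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class GrantTypeRequests {

    static final String AUTHORIZE_URI = "https://auth.example/oauth/authorize"; // placeholder
    static final String TOKEN_URI = "https://auth.example/oauth/token";         // placeholder
    static final String CLIENT_ID = "gaming-site";                              // placeholder
    static final String REDIRECT_URI = "https://gaming.example/callback";       // placeholder

    private static final SecureRandom RNG = new SecureRandom();

    /** Unguessable value the client saves in the user's session before redirecting,
     *  so a callback can be tied to the request that started it (RFC 6749 "state"). */
    static String newState() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** application/x-www-form-urlencoded body or query string. */
    static String formEncode(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Front-channel step shared by authorization_code (responseType "code") and implicit
     *  (responseType "token"). With implicit the access token comes back in the URL fragment
     *  of the redirect and there is no back-channel token request at all. */
    static String authorizeRedirect(String responseType, String scope, String state) {
        Map<String, String> q = new LinkedHashMap<>();
        q.put("response_type", responseType);
        q.put("client_id", CLIENT_ID);
        q.put("redirect_uri", REDIRECT_URI);
        q.put("scope", scope);
        q.put("state", state);
        return AUTHORIZE_URI + "?" + formEncode(q);
    }

    /** authorization_code (web-server apps), back-channel step: exchange the code for tokens.
     *  The state echoed by the callback must equal the one stored in the user's session. */
    static String authorizationCodeTokenBody(String code, String callbackState, String sessionState) {
        if (sessionState == null || !sessionState.equals(callbackState)) {
            throw new IllegalStateException("state mismatch: callback was not started by this session");
        }
        Map<String, String> f = new LinkedHashMap<>();
        f.put("grant_type", "authorization_code");
        f.put("code", code);
        f.put("redirect_uri", REDIRECT_URI);
        f.put("client_id", CLIENT_ID);
        return formEncode(f); // POSTed to TOKEN_URI; the client secret travels in HTTP Basic auth
    }

    /** password (username & password access): the resource owner's credentials are handed
     *  to the client and sent straight to the token endpoint, so only trusted first-party
     *  clients should be allowed this grant. */
    static String passwordTokenBody(String username, String password, String scope) {
        Map<String, String> f = new LinkedHashMap<>();
        f.put("grant_type", "password");
        f.put("username", username);
        f.put("password", password);
        f.put("scope", scope);
        return formEncode(f);
    }

    /** client_credentials (application access): no resource owner involved,
     *  the client authenticates only itself at the token endpoint. */
    static String clientCredentialsTokenBody(String scope) {
        Map<String, String> f = new LinkedHashMap<>();
        f.put("grant_type", "client_credentials");
        f.put("scope", scope);
        return formEncode(f);
    }

    public static void main(String[] args) {
        String state = newState();
        System.out.println(authorizeRedirect("code", "read", state));  // web-server app
        System.out.println(authorizationCodeTokenBody("demo-code-123", state, state));
        System.out.println(authorizeRedirect("token", "read", state)); // browser / mobile app (implicit)
        System.out.println(passwordTokenBody("alice", "alice-pw", "read"));
        System.out.println(clientCredentialsTokenBody("read"));
        System.out.println("token endpoint: " + TOKEN_URI);
    }
}
```

Running `main` prints one redirect URL or token-request body per grant type; the `state` check in `authorizationCodeTokenBody` is the part a reviewer should look for in any real web-server client, since without it an attacker-supplied code can be bound to a victim's session.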
12. OAuth 2.0 Tokens
❖ Types
➢ Bearer
■ Large random token
■ Needs SSL/TLS to protect it in transit
■ Server needs to store it securely, hashed like a user password
➢ MAC (supported in OAuth 1.0 only)
❖ Access Token
➢ Short-lived token
❖ Refresh Token
➢ Long-lived token
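The bearer-token rules on this slide (large random value, hashed at rest, short-lived access token, long-lived refresh token) as a small Java token store. This is an added example and not code from the original slides or from any of the libraries named later; the lifetimes, client id and clock are constructed values, and Java 16+ is assumed for the `record`.

```java
// Added example, not from the original slides: bearer tokens issued as 256 random bits,
// stored only as SHA-256 hashes, with a short access-token and a long refresh-token lifetime.
// Lifetimes, client id and the clock value are constructed demo values. Java 16+ (record).
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class BearerTokenStore {

    /** What the server persists: the hash key maps to this, never to the token itself. */
    record TokenRecord(String clientId, String kind, Instant expiresAt) {}

    static final Duration ACCESS_TTL = Duration.ofMinutes(10); // short-lived (constructed value)
    static final Duration REFRESH_TTL = Duration.ofDays(30);   // long-lived (constructed value)

    private final SecureRandom rng = new SecureRandom();
    private final Map<String, TokenRecord> byHash = new HashMap<>();

    /** 256 bits of randomness, base64url-encoded so it fits an "Authorization: Bearer" header. */
    private String randomToken() {
        byte[] b = new byte[32];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Hash before storing, as with a password. Because the token is 256 random bits,
     *  one SHA-256 already makes a leaked table useless; no slow salted hash is needed. */
    static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issue an access/refresh pair for a client. The plaintexts are handed to the client
     *  exactly once (over TLS); only their hashes stay on the server. */
    String[] issue(String clientId, Instant now) {
        String access = randomToken();
        String refresh = randomToken();
        byHash.put(hash(access), new TokenRecord(clientId, "access", now.plus(ACCESS_TTL)));
        byHash.put(hash(refresh), new TokenRecord(clientId, "refresh", now.plus(REFRESH_TTL)));
        return new String[] { access, refresh };
    }

    /** Resource-server side: hash what was presented, look it up, check kind and expiry.
     *  A refresh token presented as a bearer access token is rejected. */
    Optional<TokenRecord> validate(String presented, String expectedKind, Instant now) {
        TokenRecord r = byHash.get(hash(presented));
        if (r == null || !r.kind().equals(expectedKind) || !now.isBefore(r.expiresAt())) {
            return Optional.empty();
        }
        return Optional.of(r);
    }

    /** Refresh grant: a valid refresh token is revoked and a fresh pair is issued. */
    Optional<String[]> refresh(String refreshToken, Instant now) {
        return validate(refreshToken, "refresh", now).map(r -> {
            byHash.remove(hash(refreshToken));
            return issue(r.clientId(), now);
        });
    }

    public static void main(String[] args) {
        BearerTokenStore store = new BearerTokenStore();
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock
        String[] pair = store.issue("gaming-site", t0);
        System.out.println(store.validate(pair[0], "access", t0.plusSeconds(60)).isPresent());
        System.out.println(store.validate(pair[0], "access", t0.plus(Duration.ofMinutes(11))).isPresent()); // past ACCESS_TTL
        System.out.println(store.validate(pair[1], "access", t0).isPresent()); // refresh token offered as access token
        System.out.println(store.refresh(pair[1], t0.plus(Duration.ofMinutes(11))).isPresent()); // refresh token still valid
    }
}
```

The point of the `main` sequence is the asymmetry the slide describes: after eleven minutes the access token is useless on its own, but the refresh token still lets the client obtain a new pair, so compromise of a stored access token has a ten-minute window while the refresh token is the value that must be guarded (and revoked on use, as `refresh` does).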
13. OAuth 2.0 Pros & Cons
❖ Pros
➢ Integration of third-party apps with any site
➢ Access can be granted for a limited scope and duration
➢ No need for users to give their credentials to the third-party site
❖ Cons
➢ Implementing authorization is somewhat complex
➢ Interoperability issues
➢ Bad implementations can introduce security issues
14. OAuth 2.0 Java Implementations
❖ Several Java implementations are available
➢ Jersey
➢ Apache Oltu
➢ Spring Security OAuth 2.0
➢ Others (CXF, Google OAuth2 API, etc.)
❖ Not yet available as a Java EE standard
15. Spring Security OAuth
❖ Provides OAuth (1.0a) and OAuth2
❖ Implements the 4 authorization grant types
❖ Supports the full OAuth2 feature set
➢ Authorization Server, Resource Server, Client
❖ Good integration with JAX-RS and Spring MVC
❖ Configuration via annotations
❖ Integrates with the Spring ecosystem
16. Spring Authorization Server
❖ @EnableAuthorizationServer
➢ Annotation used to configure an OAuth2 Authorization Server
➢ There is also a related XML configuration element, <authorization-server/>
❖ ClientDetailsServiceConfigurer
➢ Defines the client details service
➢ In-memory or JDBC implementation
17. Spring Authorization Server (cont)
❖ AuthorizationServerTokenServices
➢ Operations to manage OAuth2 tokens
➢ Token store: in-memory, JDBC or JSON Web Token (JWT)
❖ AuthorizationServerEndpointsConfigurer
➢ Grant types supported by the server
➢ All grant types are supported except the password grant
18. Spring Resource Server
❖ Can be same as Authorization Server
➢ or deployed in a separate application
❖ Provides an authentication filter for web protection
❖ @EnableResourceServer
➢ Annotation used to configure an OAuth2 Resource Server
➢ There is also a related XML configuration element, <resource-server/>
19. Spring Resource Server (cont)
❖ Supports expression-based access control
➢ oauth2.clientHasRole
➢ oauth2.clientHasAnyRole
➢ oauth2.denyClient
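Slides 16 to 19 together describe one deployment: an Authorization Server configured through `@EnableAuthorizationServer`, `ClientDetailsServiceConfigurer` and `AuthorizationServerEndpointsConfigurer`, and a Resource Server in the same application using `@EnableResourceServer` with expression-based access control. The following configuration, an added example written against the legacy spring-security-oauth2 2.x API and not code from the slides or from the Spring project, wires those pieces together with an in-memory client registry and an `InMemoryTokenStore` shared by both sides. Client ids, secrets, the demo user, URIs and the `ROLE_TRUSTED_CLIENT` authority are constructed values; `{noop}` marks unencoded secrets for the Spring Security 5 delegating password encoder and is for demonstration only.

```java
// Added example, not from the original slides: a single Spring Boot application acting as
// Authorization Server and Resource Server with the legacy spring-security-oauth2 2.x API.
// Client ids, secrets, user, URIs and role names are constructed demo values; {noop} secrets
// are acceptable only for a demo (store bcrypt-encoded secrets in a real deployment).
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

/** Resource owner login (form login) that the /oauth/authorize endpoint relies on. */
@Configuration
class UserLoginConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("alice").password("{noop}alice-pw").roles("USER"); // demo user
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }
}

/** @EnableAuthorizationServer: issues tokens. ClientDetailsServiceConfigurer registers the
 *  clients and the grant types each one may use; AuthorizationServerEndpointsConfigurer
 *  decides where tokens are kept. */
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore(); // JdbcTokenStore or JwtTokenStore are drop-in alternatives
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // web-server app: authorization_code with a fixed redirect URI,
            // short-lived access token and long-lived refresh token
            .withClient("gaming-site")
                .secret("{noop}gaming-secret")
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .redirectUris("https://gaming.example/callback")
                .scopes("read")
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(86400)
            .and()
            // application access: client_credentials, no user, carries a client role
            .withClient("batch-job")
                .secret("{noop}batch-secret")
                .authorizedGrantTypes("client_credentials")
                .authorities("ROLE_TRUSTED_CLIENT")
                .scopes("read", "write")
                .accessTokenValiditySeconds(300);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore());
    }
}

/** @EnableResourceServer: protects /api/** with the #oauth2 security expressions. */
@Configuration
@EnableResourceServer
class ApiResourceConfig extends ResourceServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenStore(tokenStore); // same store as the authorization server: local validation
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers("/api/**")
            .and()
            .authorizeRequests()
            .antMatchers("/api/admin/**").access("#oauth2.clientHasRole('ROLE_TRUSTED_CLIENT')")
            .antMatchers("/api/**").access("#oauth2.hasScope('read')");
    }
}
```

Restricting the resource server chain to `/api/**` matters when both roles live in one application: otherwise the bearer-token filter chain would also claim the login and `/oauth/authorize` pages. The two `access` expressions show the slide's point about expression-based control: `clientHasRole` decides on the client's own authorities (only `batch-job` can reach `/api/admin/**`), while `hasScope` decides on what the resource owner consented to.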
20. Spring OAuth2 Client
❖ Creates a filter to store the current request and context
❖ Manages the redirection to and from the OAuth authentication URI
❖ @EnableOAuth2Client
➢ Annotation used to configure an OAuth2 client
➢ There is also a related XML configuration element, <client/>
❖ OAuth2RestTemplate
➢ Wrapper client object used to access the resource
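The client side described on this slide, as an added example that is not code from the slides or from the Spring project: `@EnableOAuth2Client` installs the filter that stores the current request and client context, and `OAuth2RestTemplate` wraps a REST client that obtains, stores and refreshes the token and adds the bearer header on each call. Written against the legacy spring-security-oauth2 2.x API; the authorization/token URIs, client id, secret, resource URL and the `social-api` resource id are constructed placeholders.

```java
// Added example, not from the original slides: a web-server app consuming a protected API
// with the authorization_code grant via @EnableOAuth2Client and OAuth2RestTemplate
// (spring-security-oauth2 2.x). URIs, client id, secret and resource id are constructed values.
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableOAuth2Client // registers OAuth2ClientContextFilter and a session-scoped OAuth2ClientContext
class GamingClientConfig {

    /** Where the browser is sent (authorize URI), where the app itself goes for tokens
     *  (token URI), and what the app asks for (scope). */
    @Bean
    public AuthorizationCodeResourceDetails socialApi() {
        AuthorizationCodeResourceDetails d = new AuthorizationCodeResourceDetails();
        d.setId("social-api");
        d.setClientId("gaming-site");
        d.setClientSecret("gaming-secret");
        d.setUserAuthorizationUri("https://auth.example/oauth/authorize");
        d.setAccessTokenUri("https://auth.example/oauth/token");
        d.setScope(Arrays.asList("read"));
        d.setPreEstablishedRedirectUri("https://gaming.example/callback");
        d.setUseCurrentUri(false); // always send the registered redirect_uri, never the current page
        return d;
    }

    /** Wrapper REST client: acquires and refreshes the token and sets the bearer header. */
    @Bean
    public OAuth2RestTemplate socialRestTemplate(OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(socialApi(), clientContext);
    }
}

@RestController
class ProfileController {

    private final OAuth2RestTemplate social;

    ProfileController(OAuth2RestTemplate social) {
        this.social = social;
    }

    /** With no token in the session the call raises UserRedirectRequiredException; the
     *  OAuth2ClientContextFilter saves the current request and redirects the browser to the
     *  authorize URI with a state value. After the callback, the same call is replayed with
     *  the stored access token and the state is verified against the saved one. */
    @GetMapping("/profile")
    public String profile() {
        return social.getForObject("https://api.example/me", String.class); // constructed resource URL
    }
}
```

The controller never touches the token: the redirect dance, the state check and the `Authorization: Bearer` header all live in the filter and the template, which is what the slide means by the client "managing the redirection to and from the OAuth authentication URI".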