Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Spring Boot Microservices with OAuth and...

Secure Spring Boot Microservices with OAuth and OIDC

Deepu K Sasidharan

May 09, 2024
Tweet

More Decks by Deepu K Sasidharan

Other Decks in Programming

Transcript

  1. @oktaDev | @deepu105 | deepu.tech ➔ JHipster co-chair ➔ Java

    Champion ➔ Creator of KDash, JDL Studio, JWT UI ➔ Developer Advocate @ Okta ➔ OSS aficionado, polyglot dev, author, speaker Hi, I’m Deepu K Sasidharan @[email protected] deepu.tech @deepu105 deepu05
  2. @oktaDev | @deepu105 | deepu.tech Agenda OAuth2 & OIDC crash

    course (15 mins) Workshop labs (60 mins) Bonus labs (15 mins)
  3. @oktaDev | @deepu105 | deepu.tech Authorization Process of determining whether

    a user has the necessary permissions to access a resource. OAuth 2.0 is the industry-standard protocol for delegated authorization.
  4. @oktaDev | @deepu105 | deepu.tech System Roles Resource Owner →End

    user Resource Server →API Server Client →System requesting access Authorization Server →Authenticate and issue tokens
  5. @oktaDev | @deepu105 | deepu.tech Tokens Access Token →Authorization to

    access a resource Authorization Code →Short lived token to get an access token Refresh Token →Long lived token to get new access tokens
  6. @oktaDev | @deepu105 | deepu.tech Claim →KV pair assertion with

    user info Scope →Group of claims or permission limiting access
  7. @oktaDev | @deepu105 | deepu.tech OAuth 2.0 Grants Authorization Code

    Grant →Exchange authorization code for access token (secure clients) Implicit Grant →Get access token directly (SPA, native apps) Client Credentials Grant →Access token without user interaction (confidential clients) Resource Owner Password Credentials Grant →Access token using user credentials (trusted clients)
  8. @oktaDev | @deepu105 | deepu.tech OAuth 2.1 Grants Authorization Code

    Grant with PKCE →Exchange authorization code for access token (secure clients, SPAs, native apps) Client Credentials Grant →Access token without user interaction (confidential clients)
  9. @oktaDev | @deepu105 | deepu.tech Other Grants Refresh Token Grant→Exchange

    refresh token for access token Extension Grants →Device Authorization Grant, Token Exchange Grant, etc.
  10. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant Flow (Not

    recommended) Authorization request { client_id, response_type=code, redirect_uri=..., scope, state, etc } Token request { client_id, client_secret, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  11. @oktaDev | @deepu105 | deepu.tech Authorization Code Grant Flow with

    PKCE Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope, state, etc, } Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  12. @oktaDev | @deepu105 | deepu.tech Implicit Grant Flow (Not recommended)

    Authorization request { client_id, response_type=token, redirect_uri=..., scope, state, etc } Token request NA
  13. @oktaDev | @deepu105 | deepu.tech Client Credentials Grant Flow Authorization

    request NA Token request { client_id, client_secret, grant_type=client_credentials }
  14. @oktaDev | @deepu105 | deepu.tech Resource Owner Password Credentials Grant

    Flow (Not recommended) Authorization request NA Token request { client_id, client_secret, username, password, grant_type=password }
  15. @oktaDev | @deepu105 | deepu.tech Refresh Token Grant Flow Authorization

    request NA Token request { client_id, client_secret, refresh_token, grant_type=refresh_token }
  16. @oktaDev | @deepu105 | deepu.tech Authentication Process of verifying the

    identity of a user. OAuth lacked a standard way to authenticate users. OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework
  17. @oktaDev | @deepu105 | deepu.tech OIDC using Authorization Code Grant

    Flow with PKCE Authorization request { client_id, response_type=code, redirect_uri=..., code_challenge, scope=’openid,..’, state, etc, } Token request { client_id, code_verifier, authorization_code, grant_type=authorization_code, redirect_uri, etc }
  18. @oktaDev | @deepu105 | deepu.tech • IntelliJ IDEA or Eclipse

    • Java 17+ (SDKMAN) • Docker and Docker Compose • Bash/ZSH or Powershell 5+
  19. @oktaDev | @deepu105 | deepu.tech Chapters Part 1: Create an

    API server secured with OAuth2 Part 2: Create a webapp secured with OIDC Part 3: Enable RBAC Part 4: Create a discovery service and complete the microservices
  20. @oktaDev | @deepu105 | deepu.tech Bonus Move beyond passwords with

    passkeys Using Keycloak with Okta starter
  21. @oktaDev | @deepu105 | deepu.tech Part 1: Create a car

    service secured with OAuth2 This will be the API resource server for the microservices
  22. @oktaDev | @deepu105 | deepu.tech Part 2: Create a web

    app secured with OIDC This will be the API gateway for the microservices
  23. @oktaDev | @deepu105 | deepu.tech Part 4: Create a discovery

    service and microservice arch With this we complete the simple microservice architecture
  24. @oktaDev | @deepu105 | deepu.tech Bonus 2: Use Keycloak Use

    Keycloak with Okta Spring Boot Starter for offline support
  25. Authorization Authentication Security Single Sign-On | Adaptive Multi-Factor Authentication |

    Universal Login | Passwordless | Bot Detection & Prevention | Security Center | Breached Password Detection | Brute Force Protection | FGA How we can help: Try Free Today: Free Plan (forever) $0 Up to 7,500 monthly active users. Unlimited user logins. Includes passkeys support*. No credit card required. Special Plans for Startups & Nonprofits Plans for Everyone B2C: your users are consumers B2B: your users are businesses or a mix of businesses and consumers Enterprise: Best for production applications that need to scale - Contact Us Make login our problem. Not yours. a0.to/plg_signup
  26. @oktaDev | @deepu105 | deepu.tech Thank You Subscribe to our

    newsletter a0.to/nl-signup/java Try our free Spring Boot + Passkeys workshop a0.to/spring-boot