OAuth for Java Developers - Garden State JUG 2023

You can use OAuth to secure apps, APIs, and devices. OAuth has become increasingly popular, especially as developers are asked to knit together hundreds of apps and thousands of users in enterprise environments.

The Java ecosystem is vast, with over 10 million developers worldwide and an abundance of IDEs, build tools, libraries, and frameworks to make them more productive. In this session, I’ll provide you with a state of the OAuth ecosystem in Java. You’ll learn which frameworks support OAuth and which ones don’t. I’ll also offer some practical examples you can run in just a few minutes.

YouTube recording: https://www.youtube.com/live/FEeOyUK5Pr8?si=pLNWHCoPH256CnUe
GitHub repo: https://github.com/oktadev/auth0-java-oauth-examples
Demo script: https://github.com/oktadev/auth0-java-oauth-examples/blob/main/demo.adoc
Related blog post: https://developer.okta.com/blog/2022/06/16/oauth-java

Matt Raible

October 18, 2023

Transcript

  1. OAuth for Java Developers
    Matt Raible | @mraible
    October 18, 2023
    Photo by Omar: https://flic.kr/p/9mLsHU

  2. Hi, I’m Matt Raible
    Father, Husband, Skier, Mountain Biker, Whitewater Rafter
    Bus Lover
    Web Developer and Java Champion
    Developer Advocate Architect
    Blogger on raibledesigns.com and auth0.com/blog

  3. developer.okta.com

  4. developer.auth0.com

  5. Agenda
    01 What the Heck is OAuth?
    02 Java's OAuth 2.0 Support
    03 OAuth 2.0 in Action
    04 Java Security Frameworks
    05 OAuth 2.0 Authorization Servers

  6. What the Heck is OAuth?

  7. Web Authentication
    GET /index.html HTTP/1.1
    Host: www.example.com
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

  8. Federated Identity
    Actors: End User, Identity Provider (IdP), Service Provider (SP)
    IdP and SP: Trust
    End User obtains an assertion from the IdP and provides the assertion to the SP

  9. SAML 2.0
    Authentication Request Protocol
    Assertion

  10. SAML 2.0 Authentication Request Protocol

  11. SAML 2.0 Assertion
    (XML assertion; only these values survived extraction, the element names did not)
    IssueInstant="2004-12-05T09:22:05"
    https://example.okta.com
    ...
    [email protected]
    https://sp.example.com/saml2/sso
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Matt Raible

  12. SAML = Web SSO

  13. What’s Changed Since 2005?

  14. What is OAuth?
    An open standard for authorization; anyone can implement it
    Provides “secure delegated access” to client applications
    Works over HTTPS and authorizes devices, APIs, servers, and applications … with access tokens rather than credentials

  15. Identity Use Cases (circa 2006)
    Simple login — basic, forms, & cookies
    Single sign-on across sites — SAML
    Mobile app login — N/A
    Delegated authorization — N/A

  16. The Delegated Authorization Problem
    How can you let a website access your data (without giving it your password)?

  17. Don’t do it this way!

  18. Have you ever seen one of these?

  19. Hotel Key Cards, but for Apps

  20. Hotel Key Cards, but for Apps
    The OAuth Authorization Server issues the Access Token; the Resource (API) accepts it

  21. Delegated Authorization with OAuth 2.0
    “I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only.”
    yelp.com: Connect with Google

  22. Delegated Authorization with OAuth 2.0
    yelp.com: Connect with Google
    accounts.google.com: Email / ********** (login)
    accounts.google.com: “Allow Yelp to access your public profile and contacts?” No / Yes
    yelp.com/callback
    contacts.google

  23. OAuth 2.0 Terminology
    Actors
    Clients
    Authorization Server
    Resource Server
    Access Tokens
    Redirect URIs

  24. Actors
    Resource Owner (RO) delegates to the Client
    Client obtains a token from the Authorization Server (AS)
    Client uses the token at the Resource Server (RS)

  25. Actors (same diagram as slide 24)

  26. Clients
    Public (Client Identification)
    Confidential (Client Authentication)

  27. Clients
    Client Registration is the DMV of OAuth

  28. Authorization Server
    Authorize Endpoint (/oauth2/authorize)
    Token Endpoint (/oauth2/token)
    Introspection Endpoint (/oauth2/introspect)
    Revocation Endpoint (/oauth2/revoke)
    Exchanges an Authorization Grant (or a Refresh Token) for an Access Token

  29. Tokens
    Access Token (Required)
    • Short-lived token used by Client to access Resource Server (API)
    • Opaque to the Client
    • No client authentication required (Public Clients)
    • Optimized for scale and performance
    • Revocation is dependent on implementation
    Refresh Token (Optional)
    • Long-lived token that is used by Client to obtain new access tokens from Authorization Server
    • Usually requires Confidential Clients with authentication
    • Forces client to rotate secrets
    • Can usually be revoked
    OAuth doesn’t define the format of a token!

  30. Access Token Types
    Self-encoded tokens
    Protected, time-limited data structure agreed upon between Authorization Server and Resource Server that carries metadata and claims about the identity of the user or client over the wire.
    Resource Server can validate the token locally by checking the signature, the expected issuer name, and the expected audience or scope.
    Commonly implemented as signed JSON Web Tokens (JWT)
    Reference tokens (aka opaque tokens)
    Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server
    Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine whether the token is valid and to obtain its claims/scopes

  31. OAuth 2.0 Authorization Code Flow
    1. yelp.com: resource owner clicks “Connect with Google”
    2. Client sends the browser to the Authorization Server (accounts.google.com) with Redirect URI: yelp.com/callback and Response type: code
    3. accounts.google.com: Email / ********** (login); “Allow Yelp to access your public profile and contacts?” No / Yes
    4. Back to the redirect URI (yelp.com/callback) with the authorization code
    5. Client exchanges the code for an access token
    6. Client talks to the resource server (contacts.google) with the access token

  32. More OAuth 2.0 Terminology
    Scopes
    Consent
    Grants

  33. Scopes
    Additive bundles of permissions asked for by the client when requesting a token
    Decouples authorization policy decisions from enforcement
    Who owns the data? End user or the target service
    Who gets to specify the authorization policy? End user or application owner
    (Consent screen: Scopes to Allow / Scopes to Deny)

  34. OAuth 2.0 Authorization Code Flow
    1. yelp.com: resource owner clicks “Connect with Google”
    2. Go to the authorization server (accounts.google.com) with Redirect URI: yelp.com/callback and Scope: profile contacts
    3. accounts.google.com: Email / ********** (login)
    4. Request consent from the resource owner: “Allow Yelp to access your public profile and contacts?” No / Yes
    5. Back to the redirect URI (yelp.com/callback) with the authorization code
    6. Exchange the code for an access token
    7. Talk to the resource server (contacts.google) with the access token

  35. Flow Channels
    Resource Owner (RO) delegates to the Client; Client obtains a token from the Authorization Server (AS); Client uses the token at the Resource Server (RS)
    Each leg runs over either the Front Channel (through the user agent) or the Back Channel (direct server-to-server)

  36. Authorization Request
    Note: Parameters are not URL-encoded for example purposes
    Request
    GET https://accounts.google.com/o/oauth2/auth?
      scope=gmail.insert gmail.send&
      redirect_uri=https://app.example.com/oauth2/callback&
      response_type=code&
      client_id=812741506391&
      state=af0ifjsldkj
    Response
    HTTP/1.1 302 Found
    Location: https://app.example.com/oauth2/callback?
      code=MsCeLvIaQm6bTrgtp7&
      state=af0ifjsldkj
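The request above, built and checked in code. This is an added example for this transcript, not code from the deck or from the oktadev demo repository; it uses only the JDK (Java 11+) and takes the endpoint, client_id and redirect URI from the slide. Unlike the slide it URL-encodes every parameter (the two-scope string becomes gmail.insert+gmail.send), draws the state from SecureRandom instead of using the fixed af0ifjsldkj, and includes the check the callback handler has to make: the state that comes back in the 302 Location must equal the one stored in the user's session, otherwise the code is not exchanged.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Builds the front-channel authorization request from slide 36 and checks the callback's state. */
public class AuthorizationRequest {

    // Values taken from the slide.
    static final String AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/auth";
    static final String CLIENT_ID = "812741506391";
    static final String REDIRECT_URI = "https://app.example.com/oauth2/callback";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Unguessable state value; stored in the user's session so the callback can be correlated with it. */
    static String newState() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** The GET URL the browser is redirected to, with every parameter URL-encoded. */
    static URI buildAuthorizationUrl(String scope, String state) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("scope", scope);
        params.put("redirect_uri", REDIRECT_URI);
        params.put("response_type", "code");
        params.put("client_id", CLIENT_ID);
        params.put("state", state);

        StringBuilder query = new StringBuilder();
        params.forEach((k, v) -> {
            if (query.length() > 0) query.append('&');
            query.append(URLEncoder.encode(k, StandardCharsets.UTF_8))
                 .append('=')
                 .append(URLEncoder.encode(v, StandardCharsets.UTF_8));
        });
        return URI.create(AUTHORIZE_ENDPOINT + "?" + query);
    }

    /** Callback handling: the returned state must equal the session's copy; compared in constant time. */
    static boolean stateMatches(String expectedFromSession, String receivedFromCallback) {
        if (expectedFromSession == null || receivedFromCallback == null) return false;
        return MessageDigest.isEqual(
                expectedFromSession.getBytes(StandardCharsets.UTF_8),
                receivedFromCallback.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String state = newState();   // save in the HTTP session before sending the redirect
        URI url = buildAuthorizationUrl("gmail.insert gmail.send", state);
        System.out.println("302 Location: " + url);

        // Simulated callback (constructed for this example): code and state arrive on the query string.
        String stateFromCallback = state;
        System.out.println("state matches session: " + stateMatches(state, stateFromCallback));
        System.out.println("stale/other state matches session: " + stateMatches(state, "af0ifjsldkj"));
    }
}
```

The state parameter is what ties the 302 response on the slide back to the browser session that started the flow; a callback whose state is missing or does not match the session's copy is the client's signal that this session did not request the code it is being handed.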

  37. Token Request
    Note: Parameters are not URL-encoded for example purposes
    POST /oauth2/v3/token HTTP/1.1
    Host: www.googleapis.com
    Content-Type: application/x-www-form-urlencoded

    code=MsCeLvIaQm6bTrgtp7&
    client_id=812741506391&
    client_secret={client_secret}&
    redirect_uri=https://app.example.com/oauth2/callback&
    grant_type=authorization_code

  38. Token Response
    {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
    }

  39. Making Protected Resource Requests
    curl -H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA" \
      https://www.googleapis.com/gmail/v1/users/1444587525/messages
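The token request, token response and protected resource request from slides 37 to 39, as an added example for this transcript (not code from the deck or the oktadev repository) using only java.net.http from the JDK (Java 11+). The endpoint, client_id, redirect_uri, sample code and sample tokens are the slides' values; the client secret is read from a CLIENT_SECRET environment variable and otherwise falls back to the {client_secret} placeholder. The main method only builds the request and parses the slide's sample response offline, it does not contact Google. parseTokenResponse is a deliberately minimal extractor for the flat JSON object on slide 38; a real client would use a JSON library.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Back-channel token request (slide 37), response parsing (slide 38) and a bearer request (slide 39). */
public class TokenRequest {

    static final URI TOKEN_ENDPOINT = URI.create("https://www.googleapis.com/oauth2/v3/token");
    static final String CLIENT_ID = "812741506391";
    static final String REDIRECT_URI = "https://app.example.com/oauth2/callback";

    /** application/x-www-form-urlencoded body with every field encoded. */
    static String formBody(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder();
        fields.forEach((k, v) -> {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(k, StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(v, StandardCharsets.UTF_8));
        });
        return sb.toString();
    }

    /** The POST from slide 37; the secret comes from configuration, never from source code. */
    static HttpRequest buildTokenRequest(String code, String clientSecret) {
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("code", code);
        fields.put("client_id", CLIENT_ID);
        fields.put("client_secret", clientSecret);
        fields.put("redirect_uri", REDIRECT_URI);   // must equal the one sent in the authorization request
        fields.put("grant_type", "authorization_code");
        return HttpRequest.newBuilder(TOKEN_ENDPOINT)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formBody(fields)))
                .build();
    }

    /** Minimal extractor for the flat JSON object on slide 38 (string and integer members only). */
    static Map<String, String> parseTokenResponse(String json) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = Pattern.compile("\"([A-Za-z_]+)\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        while (m.find()) out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        return out;
    }

    /** Sends the token request and returns the parsed tokens; rejects non-200 and non-Bearer answers. */
    static Map<String, String> exchangeCode(HttpClient client, String code, String clientSecret) throws Exception {
        HttpResponse<String> response =
                client.send(buildTokenRequest(code, clientSecret), HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("token endpoint returned HTTP " + response.statusCode());
        }
        Map<String, String> tokens = parseTokenResponse(response.body());
        if (!"Bearer".equalsIgnoreCase(tokens.get("token_type"))) {
            throw new IllegalStateException("unexpected token_type " + tokens.get("token_type"));
        }
        return tokens;
    }

    /** Slide 39: the access token travels in the Authorization header, never in the URL. */
    static HttpRequest bearerRequest(URI resource, String accessToken) {
        return HttpRequest.newBuilder(resource).header("Authorization", "Bearer " + accessToken).GET().build();
    }

    public static void main(String[] args) {
        String secret = System.getenv().getOrDefault("CLIENT_SECRET", "{client_secret}");  // placeholder fallback
        HttpRequest request = buildTokenRequest("MsCeLvIaQm6bTrgtp7", secret);  // built, not sent
        System.out.println(request.method() + " " + request.uri());

        // The sample token response from slide 38, parsed offline.
        String sample = "{\"access_token\": \"2YotnFZFEjr1zCsicMWpAA\", \"token_type\": \"Bearer\", "
                + "\"expires_in\": 3600, \"refresh_token\": \"tGzv3JOkF0XG5Qx2TlKWIA\"}";
        Map<String, String> tokens = parseTokenResponse(sample);
        long expiresAt = System.currentTimeMillis() / 1000 + Long.parseLong(tokens.get("expires_in"));
        System.out.println("access_token expires at epoch second " + expiresAt);

        HttpRequest api = bearerRequest(
                URI.create("https://www.googleapis.com/gmail/v1/users/1444587525/messages"), tokens.get("access_token"));
        System.out.println(api.method() + " " + api.uri() + " " + api.headers().map());
    }
}
```

Two points the slides make are visible in the code: the access token is treated as an opaque string (slide 29), and expires_in is a relative lifetime that the client converts to an absolute time so it knows when to use the refresh token.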

  40. OAuth 2.0 Authorization Code Flow
    1. yelp.com: resource owner clicks “Connect with Google”
    2. Go to the authorization server (accounts.google.com) with Redirect URI: yelp.com/callback (front channel)
    3. accounts.google.com: Email / ********** (login)
    4. Request consent from the resource owner: “Allow Yelp to access your public profile and contacts?” No / Yes
    5. Back to the redirect URI (yelp.com/callback) with the authorization code (front channel)
    6. Exchange the code for an access token (back channel)
    7. Talk to the resource server (contacts.google) with the access token (back channel)

  41. OAuth 2.0 Grant Types (Flows)
    Implicit
    • Optimized for browser-only Public Clients
    • Access token returned directly from the authorization request (front-channel only)
    • Does not support refresh tokens
    • Assumes Resource Owner and Public Client are on the same device
    • Most vulnerable to security threats
    Authorization Code
    • Front channel flow used by the Client to obtain an authorization code grant
    • Back channel flow used by the Client to exchange the authorization code grant for an access token and optionally a refresh token
    • Assumes Resource Owner and Client are on separate devices
    • Most secure flow, as tokens never pass through the user agent
    Client Credential
    • Optimized for server-only Confidential Clients acting on behalf of themselves or a user
    • Back-channel only flow to obtain an access token using the Client’s credentials
    • Supports shared secrets or assertions as Client credentials, signed with either symmetric or asymmetric keys

  42. OAuth 2.0 Grant Types (Flows)
    Resource Owner Password
    • Legacy grant type for native username/password apps such as desktop apps
    • The username/password is the authorization grant used to obtain an access token from the Authorization Server
    • Does not support refresh tokens
    • Assumes Resource Owner and Public Client are on the same device
    Device
    • Optimized for devices that do not have access to web browsers
    • A user code is returned from the authorization request and must be redeemed by visiting a URL on a device with a browser to authorize
    • Back channel flow used by the Client to poll for authorization approval to obtain an access token and optionally a refresh token
    Assertion
    • Allows the Authorization Server to trust authorization grants from a third party such as a SAML IdP (Federation)
    • The assertion is used to obtain an access token with the token request
    • Does not support refresh tokens

  43. OAuth Flows
    Six different flows
    Necessary because of:
    How do you get consent from the client?
    Who is giving consent?
    Adds a lot of complexity to OAuth

  44. OAuth 2.0 Playground https://oauth.com/playground

  45. OAuth 2.0 Facts
    Not backward compatible with OAuth 1.0
    Interoperability issues exist, as it is not a protocol but rather an authorization framework
    OAuth 2.0 is not an authentication protocol
    OAuth 2.0 alone says absolutely nothing about the user

  46. OAuth 2.0 and OpenID Connect
    Stack: OpenID Connect on top of OAuth 2.0 on top of HTTP
    OpenID Connect is for authentication
    OAuth 2.0 is for authorization

  47. OpenID Connect
    OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
    Extends OAuth 2.0 with a new signed id_token for the Client and a UserInfo endpoint to fetch user attributes
    Provides a standard set of scopes and claims for identities: profile, email, address, phone
    Built-in registration, discovery & metadata for dynamic federations
    Bring Your Own Identity (BYOI)
    Supports high assurance levels and key SAML use cases (enterprise)

  48. Authorization Request
    Note: Parameters are not URL-encoded for example purposes
    Request
    GET https://accounts.google.com/o/oauth2/auth?
      scope=openid email&
      redirect_uri=https://app.example.com/oauth2/callback&
      response_type=code&
      client_id=812741506391&
      state=af0ifjsldkj
    Response
    HTTP/1.1 302 Found
    Location: https://app.example.com/oauth2/callback?
      code=MsCeLvIaQm6bTrgtp7&
      state=af0ifjsldkj

  49. Token Request
    POST /oauth2/v3/token HTTP/1.1
    Host: www.googleapis.com
    Content-Type: application/x-www-form-urlencoded

    code=MsCeLvIaQm6bTrgtp7&
    client_id=812741506391&
    client_secret={client_secret}&
    redirect_uri=https://app.example.com/oauth2/callback&
    grant_type=authorization_code

  50. Token Response
    {
      "access_token": "2YotnFZFEjr1zCsicMWpAA",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
      "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ..."
    }

  51. OpenID Connect
    OAuth 2.0 Authorization Server & OpenID Connect Provider (OP): Authorization Endpoint, Token Endpoint, /.well-known/openid-configuration, JWKS Endpoint, UserInfo Endpoint
    Client (Relying Party); OAuth 2.0 Resource Server
    1 Discover OpenID Provider Metadata
    2 Perform OAuth flow to obtain an ID token and/or access token
    3 Get JSON Web Key Set (JWKS) for signature keys
    4 Validate ID token (JSON Web Token)
    5 Get additional user attributes with the access token from the UserInfo endpoint

  52. OIDC Authorization Code Flow
    1. yelp.com: resource owner clicks “Connect with Google”
    2. Go to the authorization server (accounts.google.com) with Redirect URI: yelp.com/callback and Scope: openid profile
    3. accounts.google.com: Email / ********** (login)
    4. Request consent from the resource owner: “Allow Yelp to access your public profile and contacts?” No / Yes
    5. Back to the redirect URI (yelp.com/callback) with the authorization code
    6. Exchange the code for an access token and ID token
    7. Get user info from accounts.google/userinfo with the access token
    8. yelp.com: “Hello Matt!”

  53. JSON Web Token (JWT)
    base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)
    eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxdllsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeEVqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDYzMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjoxNDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8
    Header
    {
      "alg": "RS256",
      "kid": "123456789"
    }
    Claims
    {
      "iss": "https://example.okta.com",
      "sub": "00ugrenMeqvYla4HW0g3",
      "aud": "w255HEWiSU4AuNxEjeij",
      "iat": 1446305282,
      "exp": 1446308882,
      "amr": ["pwd"],
      "auth_time": 1446305282,
      "email": "karl@example.com",
      "email_verified": true
    }
    Signature: the third segment (XcNXs4C7Dq…Qsgm8)
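Steps 3 and 4 of slide 51 applied to the token structure on slide 53: rebuild the provider's RSA public key from the n and e members a JWKS document carries, verify the RS256 signature over base64url(Header) + "." + base64url(Claims), then check alg, iss, aud and exp. This is an added example for this transcript, not code from the deck or the oktadev repository, and it uses only the JDK. Because the real signing key behind the slide's token is not available, main generates a throwaway RSA key pair that stands in for the provider's key, signs a token whose iss, sub, aud and kid are the slide's values (the timestamps are constructed), validates it, and then shows that the same token with altered claims and the original signature is rejected. The members() helper is a minimal flat-JSON extractor sufficient for the header and claims shown; a real resource server uses a JSON/JWT library.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Signs and validates an RS256 JWT with the three-segment structure from slide 53. */
public class JwtCheck {

    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** base64url(Header) + "." + base64url(Claims) + "." + base64url(Signature) */
    static String sign(String headerJson, String claimsJson, PrivateKey key) throws Exception {
        String signingInput = B64.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + B64.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8));
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(key);
        rs256.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64.encodeToString(rs256.sign());
    }

    /** RSA public key from the base64url "n" and "e" members of a JWK (what the JWKS endpoint serves). */
    static PublicKey fromJwk(String n, String e) throws Exception {
        RSAPublicKeySpec spec = new RSAPublicKeySpec(
                new BigInteger(1, B64D.decode(n)), new BigInteger(1, B64D.decode(e)));
        return KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    /** Flat-JSON member extraction (strings and integers) for the header and claims shown on the slide. */
    static Map<String, String> members(String json) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = Pattern.compile("\"([A-Za-z_]+)\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        while (m.find()) out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        return out;
    }

    /** Returns the claims when alg, signature, iss, aud and exp all check out; throws SecurityException otherwise. */
    static Map<String, String> validate(String jwt, PublicKey key, String issuer, String audience, Instant now)
            throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new SecurityException("JWT must have three segments");
        Map<String, String> header = members(new String(B64D.decode(parts[0]), StandardCharsets.UTF_8));
        Map<String, String> claims = members(new String(B64D.decode(parts[1]), StandardCharsets.UTF_8));

        // Pin the algorithm to what the provider is known to use; the token's own header must not choose it.
        if (!"RS256".equals(header.get("alg"))) throw new SecurityException("unexpected alg " + header.get("alg"));

        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initVerify(key);
        rs256.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
        if (!rs256.verify(B64D.decode(parts[2]))) throw new SecurityException("signature does not verify");

        if (!issuer.equals(claims.get("iss"))) throw new SecurityException("unexpected iss");
        if (!audience.equals(claims.get("aud"))) throw new SecurityException("unexpected aud");
        if (!claims.containsKey("exp") || now.getEpochSecond() >= Long.parseLong(claims.get("exp")))
            throw new SecurityException("token expired or has no exp");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();   // throwaway key standing in for the provider's signing key
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        // "n"/"e" as a JWKS document would carry them (new BigInteger(1, ...) tolerates a leading zero byte).
        String n = B64.encodeToString(pub.getModulus().toByteArray());
        String e = B64.encodeToString(pub.getPublicExponent().toByteArray());

        // Header and claims modelled on slide 53: iss, sub, aud and kid from the slide, times constructed.
        long iat = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"kid\":\"123456789\"}";
        String claims = "{\"iss\":\"https://example.okta.com\",\"sub\":\"00ugrenMeqvYla4HW0g3\","
                + "\"aud\":\"w255HEWiSU4AuNxEjeij\",\"iat\":" + iat + ",\"exp\":" + (iat + 3600) + "}";
        String jwt = sign(header, claims, kp.getPrivate());

        PublicKey fromJwks = fromJwk(n, e);
        System.out.println("sub=" + validate(jwt, fromJwks, "https://example.okta.com",
                "w255HEWiSU4AuNxEjeij", Instant.now()).get("sub"));

        // Altered claims with the original signature reattached must be rejected.
        String[] p = jwt.split("\\.");
        String altered = p[0] + "." + B64.encodeToString(
                claims.replace("00ugrenMeqvYla4HW0g3", "someone-else").getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        try {
            validate(altered, fromJwks, "https://example.okta.com", "w255HEWiSU4AuNxEjeij", Instant.now());
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The order of checks matters: the algorithm is pinned before the signature is verified, and the signature is verified before any claim is trusted, so iss, aud and exp are only ever read from a payload the provider's key actually signed.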

  54. jwt.io https://jwt.io

  55. Can you do OAuth without a browser?
    No. A browser is required.
    Three options if a user is involved:
    1. Web app: handle a redirect
    2. CLI, TV, etc: use the Device Grant
    3. Native app: use a custom URL handler

  56. OAuth 2.1
    https://oauth.net/2.1/
    PKCE is required for all clients using the authorization code flow
    Redirect URIs must be compared using exact string matching
    The Implicit grant is omitted from this specification
    The Resource Owner Password Credentials grant is omitted from this specification
    Bearer token usage omits the use of bearer tokens in the query string of URIs
    Refresh tokens for public clients must either be sender-constrained or one-time use
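The first two OAuth 2.1 points above in code: the client generates a PKCE code_verifier and its S256 code_challenge, the authorization server recomputes the challenge from the verifier presented at the token endpoint to tie the two requests together, and redirect URIs are checked by exact string match against the registered value. This is an added example for this transcript (JDK only, Java 9+ for Set.of), not code from the deck or the oktadev repository; the registered redirect URI is the one used on slides 36 and 37.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

/** PKCE (code_verifier / S256 code_challenge) and exact redirect URI matching, as OAuth 2.1 requires. */
public class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Client side: a fresh high-entropy verifier for every authorization request (43 base64url characters). */
    static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** code_challenge = BASE64URL(SHA256(ASCII(code_verifier))); sent with code_challenge_method=S256. */
    static String codeChallengeS256(String codeVerifier) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
        return B64URL.encodeToString(digest);
    }

    /** Authorization server side: the verifier sent with the token request must hash to the stored challenge. */
    static boolean verifierMatches(String storedChallenge, String presentedVerifier) throws Exception {
        return MessageDigest.isEqual(
                storedChallenge.getBytes(StandardCharsets.US_ASCII),
                codeChallengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII));
    }

    /** Redirect URI check: exact string equality against the registered set; no prefix or pattern matching. */
    static boolean redirectUriAllowed(Set<String> registered, String requested) {
        return requested != null && registered.contains(requested);
    }

    public static void main(String[] args) throws Exception {
        String verifier = newCodeVerifier();              // kept by the client until the token request
        String challenge = codeChallengeS256(verifier);   // added to the authorization request
        System.out.println("code_challenge=" + challenge + "&code_challenge_method=S256");
        System.out.println("same verifier accepted: " + verifierMatches(challenge, verifier));
        System.out.println("different verifier accepted: " + verifierMatches(challenge, newCodeVerifier()));

        Set<String> registered = Set.of("https://app.example.com/oauth2/callback");
        System.out.println(redirectUriAllowed(registered, "https://app.example.com/oauth2/callback"));
        System.out.println(redirectUriAllowed(registered, "https://app.example.com/oauth2/callback/"));
        System.out.println(redirectUriAllowed(registered, "https://app.example.com/oauth2/callback?x=1"));
        System.out.println(redirectUriAllowed(registered, "http://app.example.com/oauth2/callback"));
    }
}
```

Only the first redirect URI is accepted: a trailing slash, an extra query parameter and a scheme change all fail the exact comparison, which is the behaviour the "exact string matching" requirement asks for. The verifier never appears in the front-channel request, so an authorization code observed there cannot be redeemed without it.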

  57. Java's OAuth 2.0 Support

  58. Java's OAuth 2.0 Support
    Java, the language, does not have OAuth support
    The JDK doesn't contain APIs to write a web app
    Building blocks are provided by the Servlet API and Jakarta EE
    Jakarta Security 3.0 supports OpenID Connect!

  59. OAuth in Java Frameworks

  60. MicroProfile JWT Authentication

  61. What about JSF and Wicket?

  62. Jakarta EE 10 and OpenID Connect
    https://auth0.com/blog/jakarta-ee-oidc

  63. OAuth 2.0 in Action

  64. Java OAuth Demos
    https://github.com/oktadev/auth0-java-oauth-examples

  65. Java Security Frameworks

  66. Java Security Frameworks

  67. OAuth 2.0 Authorization Servers

  68. Open Source OAuth 2.0 Authorization Servers
    Keycloak, Spring Authorization Server, WSO2 Identity Server

  69. What about JavaFX?

  70. Do Scala and Kotlin support OAuth?

  71. Learn more about Java and OAuth
    https://developer.okta.com/blog/2022/06/16/oauth-java

  72. Play with OAuth 2.0 and OpenID Connect
    developer.auth0.com

  73. Join us as an Auth0 Ambassador!
    auth0.com/ambassador-program

  74. Subscribe to our Zero Index newsletter!
    https://a0.to/nl-signup/java

  75. Thank you! Keep in Touch
    raibledesigns.com
    @mraible
    Presentations: speakerdeck.com/mraible
    Code: github.com/oktadev
    © Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only.