Spring4 security oauth2

Sang Shin
Sang ShinPr. Technical Instructor at Pivotal en Pivotal
1 Spring Security: OAuth2Spring Security: OAuth2 1 Sang ShinSang Shin ““Code with Passion!”Code with Passion!”
2 Topics • What is OAuth2? • Why OAuth2? • Authorization code flow
3 What is OAuth2?What is OAuth2?
4 What is OAuth2? • A protocol for conveying authorization decisions (via access token) > It is NOT an authentication protocol • Standard means of obtaining a token – there are four grant types > Authorization code > Resource owner password grant > Implicit > Client credentials • Separation of client application from resource owner > I, resource owner, authorize this app (client app) to perform these actions on my behalf
5 What is OAuth2 Not? • It is NOT an authentication protocol > The user must be authenticated to obtain a token > How the user is authenticated is outside of the spec > How the token is validated is outside of the spec > What the token contains is outside of the spec
6 Why OAuth2?Why OAuth2?
7 Securing Monolithic App • You only need to authenticate the request once per user • If there has been no session > Verify user credentials > Start a user session > Provide role-based access control • Else (session is already created) > Verify session has not expired • Method calls are trusted
8 Securing Monolithic App • Pros > Limited attack space • Cons > Once granted permission, the user has all the credentials for the rest of the application including database access – once it is hacked, the whole application is in danger
9 OAuth2 Secures Micro Services • Single sign on (SSO) • Stateless – backend services do not want to maintain user sessions • Delegated access (access some resource on behalf of me) • User credentials not exposed • Fine grained authorization • Interoperability with non browser clients
10 Authorization CodeAuthorization Code FlowFlow
11 Authorization Code Flow - Actors • Actors > Resource owner (user) > Client web app > Resource server > Auth. server • Use case > Microservices architecture – client web app access resources server on behalf of user > Consumer space – photo- sharing app (client) want to access user's friends data from Facebook (resource server) client web app auth server resource server
12 Authorization Code Flow – step 1 • User (Resource owner) accesses the client web app and does not have a session with it client web app auth server resource server
13 Authorization Code Flow – step 2 • Client redirects to its own ./login, which in turn, redirects the request to the “./oauth/authorize” endpoint of the auth-server • Note – the client web app has to be configured with endpoint location of the “./oauth/authorize” of the auth server via “user-authorization- uri” property in its application.yml client web app auth server resource server
14 Authorization Code Flow – step 3 • Auth server redirects the user to its login page since the user isn't logged in to the auth server • User logs in and is redirected back to the “./oauth/authorize” endpoint client web app auth server resource server
15 Authorization Code Flow – step 4 • Use is then presented with “do you approve for the client app to perform some actions specified in the scope?” • User authorizes (or approve) them client web app auth server resource server
16 Authorization Code Flow – step 5 • Auth server redirects the user back to the client web app with one time code (in the query params of the redirect) client web app auth server resource server
17 Authorization Code Flow – step 6 • Client web app accesses “./oauth/token” endpoint of the auth server with the one-time code • Note – the client web app has to be configured with endpoint location of the “./oauth/token” of the auth server via “access- token-uri” property in its application.yml client web app auth server resource server
18 Authorization Code Flow – step 7 • Auth server responds with access token • Client web app starts an authenticated session with the auth server and saves the access token in session client web app auth server resource server
19 Authorization Code Flow – step 8 • Client web app accesses the resource server with access token client web app auth server resource server
20 Authorization Code Flow – step 9 • Resource server verifies the token with the auth-server • Note – resource server has to be configured with “user-info- uri” in its application.yml • Auth server sends back user info back after verification client web app auth server resource server
21 Authorization Code Flow – step 10 • Resource server responds back with protected resource • Client web app presents the resource to the user client web app auth server resource server
22 Code with Passion!Code with Passion! 22
1 de 22

Spring4 security oauth2

Descargar para leer sin conexión
Software

OAuth2

Sang Shin
Sang ShinPr. Technical Instructor at Pivotal en Pivotal

Recomendados

Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
75 vistas22 diapositivas
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
341 vistas22 diapositivas
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API SecurityAmila Paranawithana
9K vistas43 diapositivas
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
5K vistas35 diapositivas
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
1.4K vistas73 diapositivas
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
729 vistas31 diapositivas

Más contenido relacionado

La actualidad más candente

Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
1.4K vistas59 diapositivas
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0Oracle Corporation
3.3K vistas18 diapositivas
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
11.5K vistas73 diapositivas
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
6.3K vistas12 diapositivas

La actualidad más candente(20)

Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
WSO21.4K vistas
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko21K vistas
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
Oracle Corporation3.3K vistas
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
Gaurav Roy11.5K vistas
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.6.3K vistas
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
WSO21.8K vistas
OAuthOAuth
OAuth
Vijay Naik580 vistas
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki108.2K vistas
The Ultimate Guide to Mobile API SecurityThe Ultimate Guide to Mobile API Security
The Ultimate Guide to Mobile API Security
Stormpath2.2K vistas
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
Emad Alashi7.7K vistas
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki14.7K vistas
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit4K vistas
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown2.6K vistas
The State of OAuth2The State of OAuth2
The State of OAuth2
Aaron Parecki6.1K vistas
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and Mobile
ForgeRock2.6K vistas
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
Orest Ivasiv8.5K vistas
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J535 vistas
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc49.2K vistas
Microservice with OAuth2Microservice with OAuth2
Microservice with OAuth2
◄ vaquar khan ► ★✔1.2K vistas
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver22.3K vistas

Similar a Spring4 security oauth2

Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
784 vistas58 diapositivas
OAuthOAuth
OAuthNumaan Mohammad
304 vistas19 diapositivas
O auth2.0 guideO auth2.0 guide
O auth2.0 guideDilip Mohapatra
2K vistas19 diapositivas

Similar a Spring4 security oauth2(20)

Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes1.2K vistas
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
Mobiliya1K vistas
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman139 vistas
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
Kai Hofstetter784 vistas
OAuthOAuth
OAuth
Numaan Mohammad304 vistas
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
Dilip Mohapatra2K vistas
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
Kashif Imran6.7K vistas
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring Cloud
Orkhan Gasimov2K vistas
OAuth [noddyCha]OAuth [noddyCha]
OAuth [noddyCha]
noddycha980 vistas
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell62.2K vistas
oauth-for-credentials-security-in-rest-api-accessoauth-for-credentials-security-in-rest-api-access
oauth-for-credentials-security-in-rest-api-access
idsecconf491 vistas
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
Gaurav Sharma4K vistas
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
Lorna Mitchell2.7K vistas
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
Derek Binkley1.4K vistas
Oauth Php AppOauth Php App
Oauth Php App
Abdullah Mamun1.5K vistas
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell40.1K vistas
CIS 2015 Extreme OAuth - Paul MeyerCIS 2015 Extreme OAuth - Paul Meyer
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit630 vistas
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
anikristo560 vistas
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Nilanjan Roy75 vistas
Ritou idcon7Ritou idcon7
Ritou idcon7
Ryo Ito689 vistas

Último

Último(20)

Software testing company in India.pptxSoftware testing company in India.pptx
Software testing company in India.pptx
SakshiPatel827 vistas
Advanced API Mocking TechniquesAdvanced API Mocking Techniques
Advanced API Mocking Techniques
Dimpy Adhikary17 vistas
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
marksimpsongw74 vistas
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdf
Tiago Henriques70 vistas
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
confluent16 vistas
SUGCON ANZ Presentation V2.1 Final.pptxSUGCON ANZ Presentation V2.1 Final.pptx
SUGCON ANZ Presentation V2.1 Final.pptx
Jack Spektor21 vistas
Les nouveautés produit Neo4j Les nouveautés produit Neo4j
Les nouveautés produit Neo4j
Neo4j26 vistas
What Can Employee Monitoring Software Do?​What Can Employee Monitoring Software Do?​
What Can Employee Monitoring Software Do?​
wAnywhere17 vistas
Roadmap y Novedades de productoRoadmap y Novedades de producto
Roadmap y Novedades de producto
Neo4j31 vistas
Headless JS UG Presentation.pptxHeadless JS UG Presentation.pptx
Headless JS UG Presentation.pptx
Jack Spektor5 vistas
LAVADORA ROLO.docxLAVADORA ROLO.docx
LAVADORA ROLO.docx
SamuelRamirez835247 vistas
Applying Platform Engineering Thinking to Observability.pdfApplying Platform Engineering Thinking to Observability.pdf
Applying Platform Engineering Thinking to Observability.pdf
Natan Yellin11 vistas
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
Deltares10 vistas
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Safe Software349 vistas
WebAssemblyWebAssembly
WebAssembly
Jens Siebert32 vistas
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023Upgrading Incident Management with Icinga - Icinga Camp Milan 2023
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023
Icinga32 vistas
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
Deltares9 vistas
Why Cloud Services.pdfWhy Cloud Services.pdf
Why Cloud Services.pdf
Pi DATACENTERS6 vistas
Neo4j y GenAI Neo4j y GenAI
Neo4j y GenAI
Neo4j27 vistas
Tridens DevOpsTridens DevOps
Tridens DevOps
Tridens9 vistas

Spring4 security oauth2

  • 1. 1 Spring Security: OAuth2Spring Security: OAuth2 1 Sang ShinSang Shin ““Code with Passion!”Code with Passion!”
  • 2. 2 Topics • What is OAuth2? • Why OAuth2? • Authorization code flow
  • 4. 4 What is OAuth2? • A protocol for conveying authorization decisions (via access token) > It is NOT an authentication protocol • Standard means of obtaining a token – there are four grant types > Authorization code > Resource owner password grant > Implicit > Client credentials • Separation of client application from resource owner > I, resource owner, authorize this app (client app) to perform these actions on my behalf
  • 5. 5 What is OAuth2 Not? • It is NOT an authentication protocol > The user must be authenticated to obtain a token > How the user is authenticated is outside of the spec > How the token is validated is outside of the spec > What the token contains is outside of the spec
  • 7. 7 Securing Monolithic App • You only need to authenticate the request once per user • If there has been no session > Verify user credentials > Start a user session > Provide role-based access control • Else (session is already created) > Verify session has not expired • Method calls are trusted
  • 8. 8 Securing Monolithic App • Pros > Limited attack space • Cons > Once granted permission, the user has all the credentials for the rest of the application including database access – once it is hacked, the whole application is in danger
  • 9. 9 OAuth2 Secures Micro Services • Single sign on (SSO) • Stateless – backend services do not want to maintain user sessions • Delegated access (access some resource on behalf of me) • User credentials not exposed • Fine grained authorization • Interoperability with non browser clients
  • 11. 11 Authorization Code Flow - Actors • Actors > Resource owner (user) > Client web app > Resource server > Auth. server • Use case > Microservices architecture – client web app access resources server on behalf of user > Consumer space – photo- sharing app (client) want to access user's friends data from Facebook (resource server) client web app auth server resource server
  • 12. 12 Authorization Code Flow – step 1 • User (Resource owner) accesses the client web app and does not have a session with it client web app auth server resource server
  • 13. 13 Authorization Code Flow – step 2 • Client redirects to its own ./login, which in turn, redirects the request to the “./oauth/authorize” endpoint of the auth-server • Note – the client web app has to be configured with endpoint location of the “./oauth/authorize” of the auth server via “user-authorization- uri” property in its application.yml client web app auth server resource server
  • 14. 14 Authorization Code Flow – step 3 • Auth server redirects the user to its login page since the user isn't logged in to the auth server • User logs in and is redirected back to the “./oauth/authorize” endpoint client web app auth server resource server
  • 15. 15 Authorization Code Flow – step 4 • Use is then presented with “do you approve for the client app to perform some actions specified in the scope?” • User authorizes (or approve) them client web app auth server resource server
  • 16. 16 Authorization Code Flow – step 5 • Auth server redirects the user back to the client web app with one time code (in the query params of the redirect) client web app auth server resource server
  • 17. 17 Authorization Code Flow – step 6 • Client web app accesses “./oauth/token” endpoint of the auth server with the one-time code • Note – the client web app has to be configured with endpoint location of the “./oauth/token” of the auth server via “access- token-uri” property in its application.yml client web app auth server resource server
  • 18. 18 Authorization Code Flow – step 7 • Auth server responds with access token • Client web app starts an authenticated session with the auth server and saves the access token in session client web app auth server resource server
  • 19. 19 Authorization Code Flow – step 8 • Client web app accesses the resource server with access token client web app auth server resource server
  • 20. 20 Authorization Code Flow – step 9 • Resource server verifies the token with the auth-server • Note – resource server has to be configured with “user-info- uri” in its application.yml • Auth server sends back user info back after verification client web app auth server resource server
  • 21. 21 Authorization Code Flow – step 10 • Resource server responds back with protected resource • Client web app presents the resource to the user client web app auth server resource server
  • 22. 22 Code with Passion!Code with Passion! 22