In this presentation, I talk about OAuth and OIDC. I explain what they are, and how they work. Then I show a JHipster app that uses Keycloak and allows user registration. Next, I turn it into a PWA, and deploy it to Heroku. Along the way, I show how to switch to Okta. Then I show how Okta allows user registration, as well as UI customization.
Blog post: https://developer.okta.com/blog/2018/06/25/react-spring-boot-photo-gallery-pwa
Screencast: https://youtu.be/GlJWUqy1SJM
Source code on GitHub: https://github.com/oktadeveloper/okta-react-photo-gallery-example
Add SSO to Your JHipster Apps with OIDC - JHipsterConf 2018
1. Matt Raible | @mraible
Add SSO to Your JHipster Apps with OIDC
June 21, 2018 #jhipsterconf
https://www.flickr.com/photos/chriswaits/5720940652
2. Blogger on raibledesigns.com
Web Developer and Java Champion
Father, Skier, Mountain Biker,
Whitewater Rafter
Open Source Connoisseur
Who is Matt Raible?
Bus Lover
Okta Developer Advocate
7. What About You?
How many people ❤ Java?
What about JavaScript? … or TypeScript?
Who wants to be a Java Hipster?
…
Who likes Fortnite?
8. An open standard for authorization; anyone can implement it
Provides “secure delegated access” to client applications
Works over HTTPS and authorizes:
Devices
APIs
Servers
Applications
… with access tokens rather than credentials
What is OAuth?
9. OAuth 2.0
Enables apps to obtain limited access (scopes) to
a user’s data without giving away a user’s
password
Decouples authentication from authorization
Supports multiple use cases addressing different
client capabilities and deployment models
Server-to-server apps
Browser-based apps
Mobile/Native apps
Consoles/TVs
Web-scale delegated authorization framework for REST/APIs
Protecting APIs
Since
October 2012
11. Hotel Key Cards, but for Apps
OAuth Authorization Server Resource (API)Access Token
12. OAuth Simplified
App requests authorization from User1
User authorizes App and delivers proof2
App presents proof of authorization to server to get a Token3
Token is restricted to only access what the User authorized
for the specific App
4
14. Validate ID
Token
Token Endpoint
Authorization Endpoint
/.well-known/
openid-configuration
JWKS Endpoint
UserInfo Endpoint
OAuth 2.0 Authorization Server &
OpenID Connect Provider (OP)
OAuth 2.0 Resource Server
Client
(Relying Party)
1
3
2
54
1 Discover OpenID Provider Metadata
2
Perform OAuth flow to obtain a ID
token and/or access token
3 Get JSON Web Key Set (JWKS) for
signature keys
4
Validate ID token
(JSON Web Token)
5
Get additional user attributes with
access token from UserInfo
endpoint
OpenID Connect
15. Authorization Code Flow (Web)
Authenticate via User Agent
1
User starts flow by visiting Web App
Client with User Agent
2
Client sends authentication request
with openid scope via browser
redirect to Authorize Endpoint on
Authorization Server
3
User authenticates and consents to
Client to access user’s identity
4
Authorization Code Grant and optionally
ID Token for Web App is returned to Client
via browser redirect
4
2
3
1
User
Web App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
16. Authorization Code Flow (Web)
Exchange Grant for Tokens
1b
1a
User
Web App
(Client)
Resource
Server (RS)
/UserInfo
Authorization
Server (AS)
2
2
Client optionally fetches additional
claims with Access Token from UserInfo
endpoint
Client authenticates & exchanges
Authorization Code Grant with token
endpoint on Authorization Server for an ID
Token, Access Token and optionally
Refresh Token
1
17. ⏩ Convert to PWA
🔑 Keycloak + Registration
$ Save User Snapshot
⛅ Okta + Registration
💜 Deploy to Heroku
🍿 Okta Customization
JHipster OIDC Demo
20. Written with Asciidoctor
Quick and to the point, 162 pages
Developed a Real World App:
www.21-points.com
Free Download from
infoq.com/minibooks/jhipster-4-mini-book
The JHipster Mini-Book