Spring Security: OAuth2
Sang Shin
“Code with Passion!”
Topics
• What is OAuth2?
• Why OAuth2?
• Authorization code flow
What is OAuth2?
What is OAuth2?
• A protocol for conveying authorization decisions (via access token)
> It is NOT an authentication protocol
• Standard means of obtaining a token – there are four grant types
> Authorization code
> Resource owner password grant
> Implicit
> Client credentials
• Separation of client application from resource owner
> I, resource owner, authorize this app (client app) to perform these actions on my behalf
What is OAuth2 Not?
• It is NOT an authentication protocol
> The user must be authenticated to obtain a token
> How the user is authenticated is outside of the spec
> How the token is validated is outside of the spec
> What the token contains is outside of the spec
Why OAuth2?
Securing Monolithic App
• You only need to authenticate the request once per user
• If there has been no session
> Verify user credentials
> Start a user session
> Provide role-based access control
• Else (session is already created)
> Verify session has not expired
• Method calls are trusted
Securing Monolithic App
• Pros
> Limited attack space
• Cons
> Once granted permission, the user has all the credentials for the rest of the application, including database access – once it is hacked, the whole application is in danger
OAuth2 Secures Microservices
• Single sign on (SSO)
• Stateless – backend services do not want to maintain user sessions
• Delegated access (access some resource on behalf of me)
• User credentials not exposed
• Fine grained authorization
• Interoperability with non-browser clients
Authorization Code Flow
Authorization Code Flow - Actors
• Actors
> Resource owner (user)
> Client web app
> Resource server
> Auth. server
• Use case
> Microservices architecture – client web app accesses the resource server on behalf of the user
> Consumer space – photo-sharing app (client) wants to access the user's friends data from Facebook (resource server)
[Figure: actors – client web app, auth server, resource server]
Authorization Code Flow – step 1
• User (resource owner) accesses the client web app for the first time
Authorization Code Flow – step 2
• Client redirects the request to the “./oauth/authorize” endpoint of the auth server
• Note – the client web app has to be configured with the location of the auth server's “./oauth/authorize” endpoint via the “user-authorization-uri” property in its application.yml
Authorization Code Flow – step 3
• Auth server redirects the user to its login page since the user isn't logged in to the auth server (authentication)
• User logs in and is redirected back to the “./oauth/authorize” endpoint
Authorization Code Flow – step 4
• User is then presented with “do you approve for the client app to perform some actions specified in the scope?”
• User authorizes (or approves) them
Authorization Code Flow – step 5
• Auth server redirects the user back to the client web app with the “authorization code” (in the query params of the redirect)
Authorization Code Flow – step 6
• Client web app accesses the “./oauth/token” endpoint of the auth server with the authorization code
• Note – the client web app has to be configured with the location of the auth server's “./oauth/token” endpoint via the “access-token-uri” property in its application.yml
Authorization Code Flow – step 7
• Auth server responds with an “access token”
Authorization Code Flow – step 8
• Client web app accesses the resource server with the access token
Authorization Code Flow – step 9
• Resource server verifies the token with the auth server
• Note – the resource server has to be configured with the “user-info-uri” property in its application.yml
• Auth server sends back user info after verification
Authorization Code Flow – step 10
• Resource server responds with the protected resource
• Client web app presents the resource to the user
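Steps 2 to 10 above as an added Python simulation; this is not code from the slides or from Spring Security. An in-memory auth server, client web app and resource server exchange the authorization code for an access token and then check that token; the CLIENT dict mirrors the application.yml properties the slides name. The state parameter, single-use code and client-secret checks are RFC 6749 requirements the slides do not show, and every name, URL and value here is constructed.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample config mirroring the application.yml properties named in the slides.
CLIENT = {"client-id": "photo-app", "client-secret": "s3cret", "redirect-uri": "http://client/login",
          "user-authorization-uri": "http://auth/oauth/authorize", "access-token-uri": "http://auth/oauth/token"}

def query(url):                                        # query string of a redirect URL as a dict
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthServer:                                      # the login of step 3 is assumed to have succeeded
    def __init__(self): self.codes, self.tokens = {}, {}
    def authorize(self, url, user):                    # steps 4-5: user approves the scope, gets a code
        p, code = query(url), secrets.token_urlsafe(16)
        self.codes[code] = (p["client_id"], p["redirect_uri"], p["scope"], user)
        return f"{p['redirect_uri']}?{urlencode({'code': code, 'state': p['state']})}"
    def token(self, client_id, secret, code, redirect_uri):   # steps 6-7: a code is single use
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri) or secret != CLIENT["client-secret"]:
            return None                                # replayed, foreign or unauthenticated request
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": entry[3], "scope": entry[2]}
        return tok
    def user_info(self, bearer):                       # step 9: what a GET to user-info-uri returns
        return self.tokens.get(bearer)

class ClientApp:
    def __init__(self, auth): self.auth, self.pending = auth, set()
    def authorize_url(self):                           # step 2: redirect to user-authorization-uri
        state = secrets.token_urlsafe(8)               # ties the later callback to this browser session
        self.pending.add(state)
        return CLIENT["user-authorization-uri"] + "?" + urlencode(
            {"response_type": "code", "client_id": CLIENT["client-id"], "scope": "photos.read",
             "redirect_uri": CLIENT["redirect-uri"], "state": state})
    def callback(self, url):                           # step 6: exchange the code at access-token-uri
        p = query(url)
        if p.get("state") not in self.pending:         # not a callback this app started: reject it
            return None
        self.pending.discard(p["state"])
        return self.auth.token(CLIENT["client-id"], CLIENT["client-secret"], p.get("code"), CLIENT["redirect-uri"])

def protected_resource(auth, bearer):                  # steps 8-10 on the resource server
    info = auth.user_info(bearer)                      # token check first, then fine-grained scope check
    allowed = info is not None and "photos.read" in info["scope"].split()
    return {"owner": info["user"], "photos": ["beach.jpg"]} if allowed else None

def run_flow(user="alice"):                            # steps 2-10 end to end; None if any check fails
    client = ClientApp(auth := AuthServer())
    redirect = auth.authorize(client.authorize_url(), user)
    return protected_resource(auth, client.callback(redirect))
```

In a real Spring deployment each of these method calls is an HTTP request to the configured URI, and the redirect URL travels through the user's browser.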
Code with Passion!