JavaCommunity
OAuth2 and Spring Security
OREST IVASIV
8/14/2015 @halyph

Agenda
OAuth2 Overview
Use Cases
◦ Service-to-service
◦ Client-to-Service
◦ Client-to-client (SSO)
Spring Security OAuth2 Samples

OAuth2 History
Dark Age
Pre OAuth 1.0
◦ Flickr: “FlickrAuth”
◦ Google: “AuthSub”
◦ Facebook: request signed with MD5 hashes
◦ Yahoo: BBAuth (“Browser-Based Auth”)
OAuth 1.0
◦ Uses signature (HMAC hash)
OAuth 2.0
◦ Relies on SSL/HTTPS

Terminology
Authentication
Authorization
Federated Authentication
Delegated Authorization

OAuth2 Roles
Resource Owner – User
Resource Server – API
Client Application – 3rd-party application
Authorization Server – Auth API (may be in scope of Resource Server)

Role of Client Application
◦ Register with Authorization Server (get a client_id and maybe a client_secret)
◦ Do not collect user credentials
◦ Obtain a token (opaque) from Authorization Server
  ◦ On its own behalf – client_credentials
  ◦ On behalf of a user
◦ Use it to access Resource Server

Role of Resource Server
1. Extract token from request and decode it
2. Make access control decision
  ◦ Scope
  ◦ Audience
  ◦ User account information (id, roles etc.)
  ◦ Client information (id, roles etc.)
3. Send 403 (FORBIDDEN) if the token is not sufficient
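The three Resource Server steps above, as an added example that is not part of the deck and not Spring Security OAuth code: it extracts the opaque bearer token, looks it up in a constructed token store (standing in for the token introspection a real Resource Server would do), and then decides on scope, audience, expiry and role. The store contents, client and user names are made up. One refinement beyond the slide, following RFC 6750: a missing, unknown or expired token gets 401 (the caller has not authenticated at all), while a valid token that is not sufficient for the resource gets the 403 the slide calls for.

```python
import time

# Constructed token store: opaque token -> what the Authorization Server issued.
# A real Resource Server would obtain this by introspection or a shared store.
TOKEN_STORE = {
    "RsT5OjbzRn430zqMLgV3Ia": {          # sample token value from the deck
        "client_id": "web-app",          # assumed client registration
        "user_id": "alice",              # assumed resource owner
        "roles": ["ROLE_USER"],
        "scope": ["email", "profile"],
        "aud": ["api.example.com"],
        "exp": 1_900_000_000,            # unix time, far in the future
    },
    "ExpiredTokenXYZ": {                 # constructed, already expired
        "client_id": "web-app",
        "user_id": "bob",
        "roles": ["ROLE_USER"],
        "scope": ["email"],
        "aud": ["api.example.com"],
        "exp": 1_400_000_000,
    },
}


def extract_bearer(headers):
    """Step 1: pull the opaque token out of 'Authorization: Bearer <token>'."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def decide(headers, required_scope, audience, required_role=None, now=None):
    """Steps 1-3: returns (http_status, reason) for a request to a protected resource.

    401: no usable token at all (missing, unknown, expired).
    403: token is valid but not sufficient (audience, scope, role).
    """
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing bearer token"
    info = TOKEN_STORE.get(token)
    if info is None:
        return 401, "unknown token"
    if info["exp"] <= now:
        return 401, "token expired"
    # Step 2: access control decision on scope, audience, user and client info
    if audience not in info["aud"]:
        return 403, "token not issued for this audience"
    if required_scope not in info["scope"]:
        return 403, "insufficient scope"
    if required_role is not None and required_role not in info["roles"]:
        return 403, "insufficient role"
    return 200, "ok user=%s client=%s" % (info["user_id"], info["client_id"])


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer RsT5OjbzRn430zqMLgV3Ia"}
    print(decide(hdrs, "email", "api.example.com", now=1_500_000_000))
    print(decide(hdrs, "admin", "api.example.com", now=1_500_000_000))
```

The audience check matters when one Authorization Server issues tokens for several APIs: a token obtained for one Resource Server must not be accepted by another just because it is valid.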

Role of the Authorization Server
1. Compute token content and grant tokens
2. Interface for users to confirm that they authorize the Client to act on their behalf
3. Authenticate users (/authorize)
4. Authenticate clients (/token)
#1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons).

OAuth 2.0 Grant Flows
Authorization code grant flow
◦ Web-server apps – authorization_code
Implicit grant flow
◦ Browser-based apps – implicit
◦ Mobile apps – implicit
Resource owner password credentials grant flow
◦ Username/password access – password
Client credentials grant flow
◦ Application access – client_credentials

Authorization code grant flow
(flow diagram)

Authorization code grant flow (Cont)
◦ Create a “Log In” link
◦ Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email

Authorization code grant flow (Cont)
◦ User visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
◦ On success, user is redirected back to your site with auth code
https://example.com/auth?code=AUTH_CODE_HERE
◦ On error, user is redirected back to your site with error code
https://example.com/auth?error=access_denied

Authorization code grant flow (Cont)
◦ Server exchanges auth code for an access token
POST https://graph.facebook.com/oauth/access_token
Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
◦ Your server gets a response like the following
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or if there was an error
{
  "error":"invalid_request"
}

Implicit grant flow
(flow diagram)

Implicit grant flow (Cont)
◦ Create a “Log In” link
◦ Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email

Implicit grant flow (Cont)
◦ User visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
◦ On success, user is redirected back to your site with the access token in the fragment
https://example.com/auth#token=ACCESS_TOKEN
◦ On error, user is redirected back to your site with error code
https://example.com/auth#error=access_denied
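The client side of the two redirect-based flows above (the authorization code flow's "Log In" link, callback and code exchange, and the implicit flow's fragment callback), as an added example that is not part of the deck and not Spring Security OAuth code. It reuses the endpoint URLs and the YOUR_CLIENT_ID / YOUR_CLIENT_SECRET placeholders from the slides; the redirect URI, the sample callback URLs and the `state` value are constructed. It goes one step beyond the slides by carrying a random `state` parameter on the link and rejecting any callback whose `state` does not match, which is how a client ties the callback to the login it started. Nothing is sent over the network; the functions build and parse the messages.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://facebook.com/dialog/oauth"              # from the deck
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"      # from the deck
CLIENT_ID = "YOUR_CLIENT_ID"          # placeholders as on the slides
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://example.com/auth"   # assumed registered redirect URI


def login_link(response_type, scope="email", state=None):
    """Build the "Log In" link. response_type is 'code' (authorization code
    flow) or 'token' (implicit flow). Returns (url, state); the caller keeps
    `state` in the user's session so the callback can be checked against it."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(url, expected_state):
    """Parse the redirect back to REDIRECT_URI.

    Code flow: parameters arrive in the query string and reach the server.
    Implicit flow: parameters arrive in the fragment, which the browser never
    sends to the server, so only client-side script sees them.
    Returns {'code': ...}, {'access_token': ...} or {'error': ...}.
    """
    parts = urlsplit(url)
    raw = parts.query if parts.query else parts.fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if params.get("state") != expected_state:
        return {"error": "state_mismatch"}       # not the login we started
    if "error" in params:
        return {"error": params["error"]}
    if "code" in params:
        return {"code": params["code"]}
    # the deck shows '#token=', RFC 6749 uses '#access_token='; accept both
    token = params.get("access_token") or params.get("token")
    if token:
        return {"access_token": token}
    return {"error": "invalid_response"}


def code_exchange_body(code):
    """Body of the server-side POST to TOKEN_URL that trades the code for
    tokens. redirect_uri must be the same value that was on the login link."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })


if __name__ == "__main__":
    url, state = login_link("code")
    print(url)
    # constructed callback, as the browser would deliver it after consent
    result = parse_callback(REDIRECT_URI + "?code=AUTH_CODE_HERE&state=" + state, state)
    print(result)
    if "code" in result:
        print(code_exchange_body(result["code"]))
```

The exchange body carries the client secret, which is why the code flow belongs to web-server apps: the POST is made from the server, and the browser only ever sees the short-lived code.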

Resource owner password credentials grant flow
(flow diagram)

Resource owner password credentials grant flow (Cont)
POST https://api.example.com/oauth/token
Post Body:
grant_type=password
&username=USERNAME
&password=PASSWORD
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}

Client credentials grant flow
(flow diagram)

Client credentials grant flow (Cont)
POST https://api.example.com/1/oauth/token
Post Body:
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Response:
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}

Grant Types
authorization_code:
◦ Authorization code grant flow (Web-server apps)
◦ response_type=code
implicit:
◦ Implicit grant flow (Mobile and browser-based apps)
◦ response_type=token
password:
◦ Resource owner password credentials grant flow (Username/password access)
client_credentials:
◦ Client credentials grant flow (Application access)

Accessing Resources
GET https://api.example.com/me
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
Access token can be in an HTTP header or a query string parameter
https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia

New access token via refresh token
POST https://api.example.com/oauth/token
grant_type=refresh_token
&refresh_token=e1qoXg7Ik2RRua48lXIV
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
Your server gets a similar response as the original call to oauth/token with new tokens.
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
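The client-side token handling behind the "Accessing Resources" and refresh slides above, as an added example that is not part of the deck and not Spring Security OAuth code: it parses a token response such as the ones on the slides, turns the relative `expires_in` into an absolute expiry, builds the `Authorization: Bearer` header, decides when a refresh is due, and builds the refresh request body. It reuses the sample token values and the YOUR_CLIENT_ID / YOUR_CLIENT_SECRET placeholders from the slides; the 60-second leeway and the `TokenSet` name are assumptions. One point the slides leave open is handled: a refresh response may omit `refresh_token`, in which case the previous one is kept.

```python
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.example.com/oauth/token"   # from the deck
CLIENT_ID = "YOUR_CLIENT_ID"                        # placeholders as on the slides
CLIENT_SECRET = "YOUR_CLIENT_SECRET"


class TokenSet:
    """Access/refresh token pair as held by the client after a call to oauth/token."""

    def __init__(self, response_body, now=None):
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0
        self.update(response_body, now)

    def update(self, response_body, now=None):
        """Apply a token response (initial grant or refresh) to this token set."""
        data = json.loads(response_body)
        if "error" in data:
            raise ValueError("token endpoint error: " + data["error"])
        now = time.time() if now is None else now
        self.access_token = data["access_token"]
        # expires_in is relative to the moment the response arrived; store an
        # absolute instant so later checks do not depend on when we looked
        self.expires_at = now + int(data["expires_in"])
        # a refresh response may omit refresh_token: keep the previous one then
        self.refresh_token = data.get("refresh_token", self.refresh_token)

    def needs_refresh(self, now=None, leeway=60):
        """True when the access token is expired or about to expire (assumed 60 s leeway)."""
        now = time.time() if now is None else now
        return now + leeway >= self.expires_at

    def auth_header(self):
        """Header form from the slide. Preferred over the ?access_token= query
        form because query strings end up in server logs, proxies and history."""
        return {"Authorization": "Bearer " + self.access_token}

    def refresh_body(self):
        """Body of the POST to TOKEN_URL that obtains a new access token."""
        if not self.refresh_token:
            raise ValueError("no refresh token; the user must authorize again")
        return urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        })


# Constructed responses in the shape shown on the slides
INITIAL_RESPONSE = ('{"access_token":"RsT5OjbzRn430zqMLgV3Ia","token_type":"bearer",'
                    '"expires_in":3600,"refresh_token":"e1qoXg7Ik2RRua48lXIV"}')
REFRESH_RESPONSE = '{"access_token":"NEW_ACCESS_TOKEN","expires_in":3600}'

if __name__ == "__main__":
    tokens = TokenSet(INITIAL_RESPONSE, now=1000)
    print(tokens.auth_header())
    print("refresh due now?", tokens.needs_refresh(now=1000))
    print("refresh due at +3570 s?", tokens.needs_refresh(now=1000 + 3570))
    print(tokens.refresh_body())
    tokens.update(REFRESH_RESPONSE, now=5000)
    print(tokens.auth_header(), tokens.refresh_token)
```

Refreshing shortly before expiry rather than after a 401 avoids a failed request on every token rollover; the refresh token itself is a long-lived credential and should be stored with the same care as the client secret.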

Sample Apps
1. Sample OAuth2 with password grant
2. Web App Client

References
OAuth
◦ The OAuth 2.0 Authorization Framework
◦ http://oauth.net/2/
◦ OAuth Bible by @Nijikokun
◦ An Introduction to OAuth 2 by Aaron Parecki
◦ Single-Page-Application & REST security by Igor Bossenko
Videos
◦ O'Reilly Webcast: An Introduction to OAuth 2 by Aaron Parecki
◦ David Syer (lead of Spring Security OAuth)
  ◦ Security for Microservices with Spring and OAuth2
  ◦ Webinar Replay: A Single-Page Application with Spring Security and Angular JS
  ◦ Data Modelling and Identity Management with OAuth2
◦ Les Hazlewood (Stormpath founder and CTO, Apache Shiro)
  ◦ Token Authentication for Java Applications
Sample Apps
◦ https://github.com/spring-projects/spring-security-oauth/tree/master/tests/
◦ https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2
◦ https://github.com/dsyer/spring-security-angular/
OAuth and Spring
◦ https://speakerdeck.com/dsyer/security-for-microservices-with-spring

Q&A
