Implementing an OAuth 2 authorization server with Spring Security - the new way! by Laurentiu Spilca

Views: 48,978

Spring I/O

Comments: 55
@joshzoolian7821 (1 year ago)
In looking through dozens of sites advising on this topic, it was super handy hearing him mention deprecated methods and implementations
@HenrryWith2Rs (2 years ago)
I love this guy's channel. He really knows his stuff.
@adrianstefan1814 (11 months ago)
Laur is a great teacher. I learned a lot from him!
@vishaldas1665 (15 hours ago)
Hello everyone, I am trying to set this up and an interesting issue is happening: when I try the authorize request in an anonymous context it goes to the error page with code 999, but if I try it as a logged-in user it works. Does anyone know about this?
@ngocanha85 (1 year ago)
Rename ProviderSettings -> AuthorizationServerSettings
@alxdm9760 (2 years ago)
What if I don't want JWT tokens, just like the old way, which is using opaque tokens? Is it possible, especially if the auth server and resource server are in one project? Hope you can have a demo.
@donnerlucky (2 years ago)
Great explanation of OAuth.
@nihmathaafiya9693 (1 year ago)
I'm a beginner, I'm not really sure as to how that code_challenge was generated, can someone explain it?
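@jofrantoba (1 year ago)
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
    import org.springframework.security.crypto.keygen.StringKeyGenerator;

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SpringApplication.run(Application.class, args);
        String codeVerifier = createCodeVerifier();
        log.info("code verifier:" + codeVerifier);
        log.info("code_challenge:" + createCodeChallenge(codeVerifier));
    }

    // code_challenge = base64url(SHA-256(code_verifier)), without padding
    private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // 96 random bytes, base64url-encoded without padding (128 characters)
    private static String createCodeVerifier() {
        StringKeyGenerator secureKeyGenerator =
                new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
        return secureKeyGenerator.generateKey();
    }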
@arulmurugansubramaniam8452 (2 years ago)
How are you generating the code verifier?
@陈俏锋 (6 months ago)
I love this presentation! How can I get the code and files from your presentation?
@mayankgupta2543 (11 months ago)
Can we have multiple authentication managers configured for different purposes? If yes, then how?
@fredzouza (2 years ago)
Please can someone help me with the "code_challenge"? Do I need to generate a SHA256 from any string like "anything" and send "anything" in "code_verifier"?
@jafajarvis324 (1 year ago)
Same question I have... If you find any solution, please let me know.
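@jofrantoba (1 year ago)
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
    import org.springframework.security.crypto.keygen.StringKeyGenerator;

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SpringApplication.run(Application.class, args);
        String codeVerifier = createCodeVerifier();
        log.info("code verifier:" + codeVerifier);
        log.info("code_challenge:" + createCodeChallenge(codeVerifier));
    }

    // code_challenge = base64url(SHA-256(code_verifier)), without padding
    private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // 96 random bytes, base64url-encoded without padding (128 characters)
    private static String createCodeVerifier() {
        StringKeyGenerator secureKeyGenerator =
                new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
        return secureKeyGenerator.generateKey();
    }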
@csvxmlfan3853 (2 years ago)
At the POST request I always get {"error":"invalid_client"}. Stack Overflow and GitHub show solutions, but only for version 0.2. Does someone have an idea?
@csvxmlfan3853 (2 years ago)
Ahh ok, so of course Postman has the role of a public client in this example, and as such the clientAuthenticationMethod has to be ClientAuthenticationMethod.NONE according to the RegisteredClient documentation... So either Mr. Spilca changed it and did not show it, or he used some other trick.
@victormartin6264 (2 years ago)
@csvxmlfan3853 the trick is the hidden Authorization tab in Postman. Try adding --header 'Authorization: Basic Y2xpZW50OnNlY3JldA=='
@arsenmemetov5794 (2 years ago)
@CSVXML FAN, Víctor Martín is right, you have to pass client_id and client_secret using the Authorization header: in Postman's Authorization tab, select 'Basic Auth' in the 'Type' dropdown menu and then type the client_id/client_secret in the Username/Password fields that appear.
@ridhopratama9639 (9 months ago)
Help. It is stateful, isn't it? Because no sessionCreationPolicy configuration is written, like customizer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
@AnkitKumar-ow6fg (1 year ago)
I loved the part where he mentioned Log4J XD
@sadiulhakim7814 (9 months ago)
I am getting an error while using BCryptPasswordEncoder instead of NoOpPasswordEncoder. It says "Encoded password does not look like BCrypt".
@xxxHipHopRap (8 months ago)
Did u fix it? I have the same problem but I want to use BCryptPasswordEncoder
@sadiulhakim7814 (8 months ago)
@xxxHipHopRap no
@xxxHipHopRap (8 months ago)
@sadiulhakim7814 I fixed it doing this, if u still need it:
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
        RegisteredClient r1 = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("myclient")
                .clientSecret(passwordEncoder.encode("secret"))........
@rahmonaliyoqubov (2 years ago)
Hi. Can I use a jjwt implementation instead of Nimbus JWT?
@rakeshnukapeyyi5528 (1 year ago)
Where is the code challenge being maintained in the Spring backend to validate against the code verifier? If it is in memory, it will cause an issue every time the server is restarted. The authenticated public client might use the non-existent code verifier.
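@jofrantoba (1 year ago)
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
    import org.springframework.security.crypto.keygen.StringKeyGenerator;

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SpringApplication.run(Application.class, args);
        String codeVerifier = createCodeVerifier();
        log.info("code verifier:" + codeVerifier);
        log.info("code_challenge:" + createCodeChallenge(codeVerifier));
    }

    // code_challenge = base64url(SHA-256(code_verifier)), without padding
    private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // 96 random bytes, base64url-encoded without padding (128 characters)
    private static String createCodeVerifier() {
        StringKeyGenerator secureKeyGenerator =
                new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
        return secureKeyGenerator.generateKey();
    }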
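
Added example, not part of the comment thread and not Spring Authorization Server code: the questions above about how the code_challenge is produced and where it is kept come down to the RFC 7636 S256 exchange, shown here with both sides. The class name, the map used as the store and the authorization code values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical class for illustration; not Spring Authorization Server code.
public class PkceS256Demo {
    // Stand-in for the server's authorization store: authorization code -> code_challenge.
    // An in-memory map loses pending codes on restart; a database-backed store does not.
    private static final Map<String, String> pendingCodes = new ConcurrentHashMap<>();

    // Client side: 32 random bytes -> 43-character base64url verifier (RFC 7636 allows 43-128).
    static String newVerifier() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), no '=' padding.
    static String challengeOf(String verifier) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // Authorization endpoint: remember the challenge next to the code that was issued.
    static void issueCode(String code, String codeChallenge) {
        pendingCodes.put(code, codeChallenge);
    }

    // Token endpoint: the code is single-use, and the verifier must hash to the stored challenge.
    static boolean redeem(String code, String verifier) throws NoSuchAlgorithmException {
        String stored = pendingCodes.remove(code);
        if (stored == null || !verifier.matches("[A-Za-z0-9._~-]{43,128}")) {
            return false;
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.US_ASCII),
                challengeOf(verifier).getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        String verifier = newVerifier();
        issueCode("constructed-code-1", challengeOf(verifier));
        issueCode("constructed-code-2", challengeOf(verifier));
        System.out.println(redeem("constructed-code-1", verifier));      // matching verifier
        System.out.println(redeem("constructed-code-1", verifier));      // code already redeemed
        System.out.println(redeem("constructed-code-2", newVerifier())); // different verifier
    }
}
```

Only the challenge travels in the authorization request; the verifier is sent once, at the token request, over the back channel.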
@mohamedibrahim1836 (1 year ago)
How does the resource server know this token is from the authorization server? At minute 7:36 the diagram misses this point.
@dawidd6356 (2 years ago)
Dude speaks like a MACHINE (nvm i had it on 1.25x)
@parisanangangom2300 (1 year ago)
🤣🤣
@testingdave7629 (1 year ago)
If I am going to use Redis to store token data, how do I create a filter that will fetch the token first from Redis before proceeding with the checking of the JWT? I am planning to use Redis as a cache and PostgreSQL as the DB.
@yuyeyang4973 (2 years ago)
Does JWT need to be stored on the server?
@sabbirtanvir177 (1 year ago)
Why am I getting this error? Error creating bean with name 'securityFilterChainAs' defined in class path resource
@sabbirtanvir177 (1 year ago)
It is actually the NoClassDef error for OAuth2AuthorizationServerConfiguration, anyone to help?
@sabbirtanvir177 (1 year ago)
OK, Spring changed the version: oauth2-server 0.3.0 will not work with Spring 3.0.0, I needed to change it to version 1.0.1. I don't know what Spring will do tomorrow. :) Now I followed all the steps, but got an invalid_request response. Huuh, I don't know about this error at all.
@sergeybayramov1466 (2 years ago)
Is it possible and supported in the current version to change formLogin to httpBasic?
@nico-s29 (2 years ago)
Helped me a lot, thank you
@jafajarvis324 (1 year ago)
Can anyone tell me how I can generate my own code challenge?
@jafajarvis324 (1 year ago)
I got the answer. It's totally PKCE. We can get it online and generate our own PKCE code.
@nihmathaafiya9693 (1 year ago)
@jafajarvis324 Hey, could you clarify how? It'll be really helpful, thanks
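@jofrantoba (1 year ago)
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
    import org.springframework.security.crypto.keygen.StringKeyGenerator;

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SpringApplication.run(Application.class, args);
        String codeVerifier = createCodeVerifier();
        log.info("code verifier:" + codeVerifier);
        log.info("code_challenge:" + createCodeChallenge(codeVerifier));
    }

    // code_challenge = base64url(SHA-256(code_verifier)), without padding
    private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // 96 random bytes, base64url-encoded without padding (128 characters)
    private static String createCodeVerifier() {
        StringKeyGenerator secureKeyGenerator =
                new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
        return secureKeyGenerator.generateKey();
    }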
@yuyeyang4973 (2 years ago)
Can this example be used in actual development? A friend of mine said that this example has drawbacks. After the server restarts, everyone will be disconnected. Is that true?
@nick_bezverkhyi (2 years ago)
It can't be used; for actual development you would probably want to use a DB instead of an in-memory solution
@nick_bezverkhyi (2 years ago)
@Rendell Jay Eyas no, but should be pretty easy, just read the documentation
@khajalieubarrie5088 (1 year ago)
@Rendell Jay Eyas Check the speaker's channel. Has an ongoing playlist on the subject
@yuyeyang4973 (2 years ago)
Is this the norm in actual development?
@mukendiemmanuel5640 (2 years ago)
I did the same configuration, but when I try to get an access token on /oauth2/token it returns a 404 Not Found exception
@kiranjawale8822 (2 years ago)
Is your issue resolved?
@mukendiemmanuel5640 (2 years ago)
@kiranjawale8822 yes, the problem was in the query params and the Authorization header
@felipebedoyacastano8434 (2 years ago)
Thanks!
@farjallahhaythem5675 (2 years ago)
the best
@arturolucas776 (2 years ago)
amazing
@gopal2598 (1 year ago)
Does version 0.3.0 support the password grant?