Securing OAuth 2.0 Resources in Spring Security 5.0

50,754 views

SpringDeveloper


The OAuth 2.0 Authorization Framework is elaborate, with several nuances and subtleties that can make it overwhelming for implementers. Its strength and flexibility have propelled it to an industry standard; quite often organizations look to frameworks to ensure correct implementation.
Spring Security 5.0 marked the beginning of a long-term mission that the Spring Security team has to simplify Spring’s support for OAuth 2.0. Last year, it began with OAuth 2.0 Login over OpenID Connect 1.0. And this year that journey continues to now include additional OAuth 2.0 Client features and the first release of OAuth 2.0 Resource Server support.
In this talk, we’ll take a look at two insecure applications--one a web application and the other a REST API--and integrate them both with an OAuth 2.0 Authorization Server. The first will feature Spring Security’s most recent OAuth 2.0 Client feature set and the second, its newly-released Resource Server support.
For the web application, we’ll configure the client to use the Authorization Code Grant flow. For the REST API, we’ll configure the resource server for JWT support, OAuth2-specific authorization expressions, and JWK set resolution. Finally, we’ll put it all together, logging into our application and retrieving a secure resource.
Speakers:
Josh Cummings
Principal Software Engineer, Pivotal
Joe Grandja
Staff Software Engineer, Pivotal
Filmed at SpringOne Platform 2018

Comments: 36
@qwalers 5 years ago
The only and best tutorial about Spring Security 5.0 with OAuth2 and JWT with IAM/UAA server
@samuellarico5364 2 years ago
You guys are amazing, my life was saved
@pranavkhandelwal4783 1 year ago
Very informative and helpful video. Thanks a lot.
@kappaj01 4 years ago
Great presentation guys. Some excellent information to get you going as well. Keep up the good work!
@flatmapper 3 years ago
15:28 is it available not only in spring data repos?
@songs4enjoy 5 years ago
@Josh Cummings Guys you make changes in resource server & restart client and say it's working as expected (timestamp 44:03). The one assumption both the presenters are making is everyone who is watching the video knows the overall application they are using, the client aspect & are well versed in each aspect of oauth, which is not at all true. Rob's presentations used to be so good when it comes to Spring Security. Nowadays, the presentations are mere presentations, with very little emphasis on making them understandable.
@LennarthAnaya 4 years ago
"with several nuances and subtleties that can make it overwhelming for implementers"... right, to be honest, hopefully this video will help, thanks
@LennarthAnaya 4 years ago
the thing that overwhelms me is when there are those many ways of doing the same thing, there are approaches in this video I haven't seen in other examples, I'd like to have a big picture idea, I think we have to have two databases, one on the authorization server, the other on the resource server, both handling end user data, but I'm not sure if I'm doing it wrong.
@rajatagrawal141 5 years ago
where is the github link for this project please someone provide me
@boobalangnanasekaran3381 2 years ago
At 35:18, just after including custom authorizationRequestResolver, how is the new scope added to token if we didn't go through the authorization flow once more? Why is 403 not thrown, even if the user didn't login again?
@emmanuelogoma2595 4 years ago
where is the repo
@sebastianszczebiot345 4 years ago
Can you help me please? After running: .\gradlew -b uaa-server\build.gradle cargoRunLocal I get such an error: org.codehaus.cargo.container.ContainerException: Failed to start the Tomcat 8.x container. Check the [C:\Users\sszczebiot\IdeaProjects\untitled\messaging-app\uaa-server\uaa-server.log] file containing the container logs for more details.
@vtvkerala 4 years ago
Makes things difficult..
@mageulgu5322 4 years ago
SOURCE CODE : github.com/jgrandja/oauth2-protocol-patterns
@mikeklein4810 5 years ago
To all those triggered by Spring...if you don't like the water stay out of the pool! Spring is THE best way to deal with the complexities of developing distributed applications. It's a work of art.
@kennethmarete5329 2 years ago
Why are we scrapping off the oauth2 and resource server on spring 2.5.6 and above?
@nikhilkant123 5 years ago
The presentation is really great. Please share the code link.
@vitaliikalancha205 3 years ago
Is that ok to have spring security 5.1.0.RELEASE as a dependency, and call a video Spring Security 5.0?
@premierde 5 years ago
where is the git repo.
@braiekaymen2524 5 years ago
please link for code
@2012kostyan 5 years ago
here you go! github.com/jzheaux/messaging-app/tree/springone2018-demo
@sucountary 5 years ago
@@2012kostyan Thanks for code but while running server Resource_Server project, I am getting below error:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration with the provided Issuer of "localhost:8090/uaa/oauth/token"
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.1.0.RC3.jar:5.1.0.RC3]
    at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:619) ~[spring-beans-5.1.0.RC3.jar:5.1.0.RC3]
    ... 21 common frames omitted
Caused by: java.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration with the provided Issuer of "localhost:8090/uaa/oauth/token"
    at org.springframework.security.oauth2.jwt.JwtDecoders.getOpenidConfiguration(JwtDecoders.java:78) ~[spring-security-oauth2-jose-5.1.0.RELEASE.jar:5.1.0.RELEASE]
    at org.springframework.security.oauth2.jwt.JwtDecoders.fromOidcIssuerLocation(JwtDecoders.java:48) ~[spring-security-oauth2-jose-5.1.0.RELEASE.jar:5.1.0.RELEASE]
    at sample.config.ResourceServerConfig.jwtDecoder(ResourceServerConfig.java:64) ~[main/:na]
    at sample.config.ResourceServerConfig.configure(ResourceServerConfig.java:56) ~[main/:na]
Do you have any idea ???
@achyuthkodali3194 3 years ago
@@2012kostyan you are a hero mate.. :)
@rydmerlin 3 years ago
Is there a better tutorial on this topic than this one? This doesn't appear to be a topic that lends itself well to a bottom up explanation. By all means start with some Restful services that don't require authentication and then go thru the steps necessary to provide it. I also find the way the code is displayed to be difficult to follow and there's generally too many context switches to follow what's going on.
@guseynismayylov1945 5 years ago
This framework is just ugly
@aiwprton805 5 years ago
What are the alternatives?
@giuseppemiragliotta5222 5 years ago
@@aiwprton805 Pray
@aiwprton805 5 years ago
@@giuseppemiragliotta5222 Play Framework? Then need to know Scala well.
@rajatagrawal141 5 years ago
hey anyone can help me learn security please i need some support