Version 0.1.0 of the Spring Security authorization server is out. Let's discuss the additions to this new version. Release page: spring.io/blog... Code on GitHub: github.com/lsp...
Comments: 20
@ayoubeljabiry4134 3 years ago
Thanks for those videos, it's a very interesting approach to learning, especially for those who will discover or try the framework after so many features have been added to it. They will certainly find this video list very helpful because it contains the history of the framework, which will make for a gentle learning curve. Can you make a video describing the proper grant type to use for each type of client? Thanks in advance.
@laurspilca 3 years ago
Hi Ayoub. Thanks for the question. What do you mean by "for each type of client"?
@ayoubeljabiry4134 3 years ago
@laurspilca Hi Laurentiu, by client I mean the type of app (SPA, mobile app, server-rendered app such as Thymeleaf, and so on ...)
@laurspilca 3 years ago
@ayoubeljabiry4134 Hi Ayoub. This is how you usually choose the grant type: if you have a user that needs to log in, you generally choose authorization_code. The other alternative, least desired, is password (but mind that in the case of password, you assume the client knows the user credentials, which is not quite fine). If you don't have a user (for example, you have another service acting as a client), then you use the client credentials grant type.
@ayoubeljabiry4134 3 years ago
@laurspilca Hi Laurentiu. Thanks for your answer, you are as reliable as always.
@sharifyy 3 years ago
It's so cool that you make a video for each version of the experimental authorization server. I wonder, if we have a custom login page that allows new users to register, is there any way to redirect the user to the redirect URI after successful registration? In short, can we generate an authorization code and redirect manually?
@laurspilca 3 years ago
Hi Mohamad, for the moment there is no registration implementation. I'm not sure if this feature is planned to be added to the framework. But it will, I will make a video about it :)
@RaymondNathan 3 years ago
Thank you for this video series. In your opinion, should clientSecret be hashed or encrypted? The reason I am asking is: if it's a public OAuth2Client registration functionality and the user forgets the secret, should they be able to view it again from an admin panel, or is it better to regenerate the secret?
@laurspilca 3 years ago
Hi Raymond. I would actually go for using PKCE instead. Then, you only have a client ID and you don't need to hash or encrypt it anyhow.
@RaymondNathan 3 years ago
@laurspilca Thanks for your reply. Is there any guide on how this can be implemented in the Spring Security Authorization server?
@laurspilca 3 years ago
@RaymondNathan Yes, you can find it in one of the next videos in this same playlist.
@rahulshrimantbake6886 6 months ago
Hi Laura, previously we had JDBCTokenStore; how would we replace it in the new version of Spring Security?
@miaowansheng8243 3 years ago
thank you so much
@nabinpakka8718 3 years ago
Can you do a video on integration tests of controllers secured with oauth2 experimental? Thank you for such helpful content 😊
@laurspilca 3 years ago
Hi Nabin. Thanks for the idea. You mean testing the endpoints on the authorization server side?
@endgameagain 3 years ago
Does somebody know if it is possible to implement password grant type authorization in this authorization server? It seems like none of the AuthenticationManagers instantiated by default in OAuth2AuthorizationServerConfiguration provide the functionality for processing this type of request. Also, there are no such supported AuthenticationManagers in the authorization server at all.
@laurspilca 3 years ago
The constant seems to be there, but I don't think the server is yet implemented for the password grant type. You could however change to the authorization code with PKCE which is a better approach anyways.
@endgameagain 3 years ago
@laurspilca Thanks for the answer!
@akhiladiga9771 3 years ago
Can we use it in production now?
@laurspilca 3 years ago
From what I know, not yet. Better you check on their official repo to answer that question.