OAuth2 and Spring Security
14 likes8,666 views
The document discusses OAuth2 and Spring Security. It provides an overview of OAuth2 concepts including the four main roles (resource owner, resource server, client, and authorization server), four common grant types (authorization code, implicit, resource owner password credentials, and client credentials), and how to implement OAuth2 flows in Spring Security. Sample OAuth2 applications using Spring Security are also mentioned.
OAuth2 and Spring Security
- 1. JavaCommunity OAuth2 and Spring Security OREST IVASIV 8/14/2015 @halyph
- 2. JavaCommunity OAuth2 Overview Use Cases ◦ Service-to-service ◦ Client-to-Service ◦ Client-to-client (SSO) Spring Security OAuth2 Samples 8/14/2015 @halyph2 Agenda
- 3. JavaCommunity Dark Age Pre OAuth 1.0 ◦ Flickr: “FlickrAuth” ◦ Google: “AuthSub” ◦ Facebook: request signed with MD5 hashes ◦ Yahoo: BBAuth (“Browser-Based Auth”) OAuth 1.0 ◦ Uses signature (HMAC hash) Oauth 2.0 ◦ Relies on SSL/HTTPS 8/14/2015 @halyph3 OAuth2 History
- 4. JavaCommunity Authentication Authorization Federated Authentication Delegated Authorization 8/14/2015 @halyph4 Terminology
- 5. JavaCommunity Resource Owner - User Resource Server – API Client Application – 3d party application Authorization Server – Auth API (may be in scope of Resource Server) 8/14/2015 @halyph5 OAuth2 Roles
- 6. JavaCommunity ◦ Register with Authorization Server (get a client_id and maybe a client_secret) ◦ Do not collect user credentials ◦ Obtain a token (opaque) from Authorization Server ◦ On its own behalf - client_credentials ◦ On behalf of a user ◦ Use it to access Resource Server 8/14/2015 @halyph6 Role of Client Application
- 7. JavaCommunity 1. Extract token from request and decode it 2. Make access control decision ◦ Scope ◦ Audience ◦ User account information (id, roles etc.) ◦ Client information (id, roles etc.) 3. Send 403 (FORBIDDEN) if token not sufficient 8/14/2015 @halyph7 Role of Resource Server
- 8. JavaCommunity 1. Compute token content and grant tokens 2. Interface for users to confirm that they authorize the Client to act on their behalf 3. Authenticate users (/authorize) 4. Authenticate clients (/token) #1 and #4 are covered thoroughly by the spec; #2 and #3 not (for good reasons). 8/14/2015 @halyph8 Role of the Authorization Server
- 9. JavaCommunity Authorization code grant flow ◦ Web-server apps – authorization_code Implicit grant flow ◦ Browser-based apps – implicit ◦ Mobile apps – implicit Resource owner password credentials grant flow ◦ Username/password access – password Client credentials grant flow ◦ Application access – client_credentials 8/14/2015 @halyph9 OAuth 2.0 Grant Flows
- 10. JavaCommunity 8/14/2015 @halyph10 Authorization code grant flow
- 11. JavaCommunity 8/14/2015 @halyph11 Authorization code grant flow
- 12. JavaCommunity ◦ Create a “Log In” link ◦ Link to: https://facebook.com/dialog/oauth?response_type=code&client_id=YOU R_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email 8/14/2015 @halyph12 Authorization code grant flow (Cont)
- 13. JavaCommunity ◦ User visits the authorization page https://facebook.com/dialog/oauth?response_type=code&client_id=28 653682475872&redirect_uri=everydaycity.com&scope=email ◦ On success, user is redirected back to your site with auth code https://example.com/auth?code=AUTH_CODE_HERE ◦ On error, user is redirected back to your site with error code https://example.com/auth?error=access_denied 8/14/2015 @halyph13 Authorization code grant flow (Cont)
- 14. JavaCommunity ◦ Server exchanges auth code for an access token POST https://graph.facebook.com/oauth/access_token Post Body: grant_type=authorization_code &code=CODE_FROM_QUERY_STRING &redirect_uri=REDIRECT_URI &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET ◦ Your server gets a response like the following { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } or if there was an error { "error":"invalid_request" } 8/14/2015 @halyph14 Authorization code grant flow (Cont)
- 17. JavaCommunity ◦ Create a “Log In” link ◦ Link to: https://facebook.com/dialog/oauth?response_type=token&client_id=CL IENT_ID &redirect_uri=REDIRECT_URI&scope=email 8/14/2015 @halyph17 Implicit grant flow (Cont)
- 18. JavaCommunity ◦ User visits the authorization page https://facebook.com/dialog/oauth?response_type=token&client_id=2 865368247587&redirect_uri=everydaycity.com&scope=email ◦ On success, user is redirected back to your site with the access token in the fragment https://example.com/auth#token=ACCESS_TOKEN ◦ On error, user is redirected back to your site with error code https://example.com/auth#error=access_denied 8/14/2015 @halyph18 Implicit grant flow (Cont)
- 19. JavaCommunity 8/14/2015 @halyph19 Resource owner password credentials grant flow
- 20. JavaCommunity 8/14/2015 @halyph20 Resource owner password credentials grant flow
- 21. JavaCommunity POST https://api.example.com/oauth/token Post Body: grant_type=password &username=USERNAME &password=PASSWORD &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } 8/14/2015 @halyph21 Resource owner password credentials grant flow (Cont)
- 22. JavaCommunity 8/14/2015 @halyph22 Client credentials grant flow
- 23. JavaCommunity 8/14/2015 @halyph23 Client credentials grant flow
- 24. JavaCommunity POST https://api.example.com/1/oauth/token Post Body: grant_type=client_credentials &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Response: { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "token_type":"bearer", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" } 8/14/2015 @halyph24 Client credentials grant flow (Cont)
- 25. JavaCommunity authorization_code: ◦ Authorization code grant flow (Web-server apps) ◦ response_type=code implicit: ◦ Implicit grant flow (Mobile and browser-based apps) ◦ response_type=token password: ◦ Resource owner password credentials grant flow (Username/password access) client_credentials: ◦ Client credentials grant flow (Application access) 8/14/2015 @halyph25 Grant Types
- 26. JavaCommunity GET https://api.example.com/me Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia Access token can be in an HTTP header or a query string parameter https://api.example.com/me?access_token=RsT5OjbzRn430zqMLgV3Ia 8/14/2015 @halyph26 Accessing Resources
- 27. JavaCommunity POST https://api.example.com/oauth/token grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" 8/14/2015 @halyph27 New access token via refresh token
- 28. JavaCommunity POST https://api.example.com/oauth/token grant_type=refresh_token &reresh_token=e1qoXg7Ik2RRua48lXIV &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET Your server gets a similar response as the original call to oauth/token with new tokens. { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"e1qoXg7Ik2RRua48lXIV" 8/14/2015 @halyph28 New access token via refresh token
- 29. JavaCommunity 1. Sample OAuth2 with password grant 2. Web App Client 8/14/2015 @halyph29 Sample Apps
- 30. JavaCommunity OAuth ◦ The OAuth 2.0 Authorization Framwork ◦ http://oauth.net/2/ ◦ OAuth Bible by @Nijikokun ◦ An Introduction to OAuth 2 by Aaron Parecki ◦ Single-Page-Application & REST security by Igor Bossenko Videos ◦ O'Reilly Webcast: An Introduction to OAuth 2 by Aaron Parecki ◦ David Syer (lead of Spring Security OAuth) ◦ Security for Microservices with Spring and OAuth2 ◦ Webinar Replay: A Single-Page Application with Spring Security and Angular JS ◦ Data Modelling and Identity Management with OAuth2 ◦ Les Hazlewood (Stormpath founder and CTO, Apache Shiro) ◦ Token Authentication for Java Applications Sample Apps ◦ https://github.com/spring-projects/spring-security-oauth/tree/master/tests/ ◦ https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2 ◦ https://github.com/dsyer/spring-security-angular/ OAuth and Spring ◦ https://speakerdeck.com/dsyer/security-for-microservices-with-spring 8/14/2015 @halyph30 References