Securing OAuth 2.0 Resources in Spring Security 5.0
Vložit
- čas přidán 9. 07. 2024
- The OAuth 2.0 Authorization Framework is elaborate, with several nuances and subtleties that can make it overwhelming for implementers. Its strength and flexibility, have propelled it to an industry standard; quite often organizations look to frameworks to ensure correct implementation.
Spring Security 5.0 marked the beginning of a long-term mission that the Spring Security team has to simplify Spring’s support for OAuth 2.0. Last year, it began with OAuth 2.0 Login over OpenID Connect 1.0. And this year that journey continues to now include additional OAuth 2.0 Client features and the first release of OAuth 2.0 Resource Server support.
In this talk, we’ll take a look at two insecure applications--one a web application and the other a REST API--and integrate them both with an OAuth 2.0 Authorization Server. The first will feature Spring Security’s most recent OAuth 2.0 Client feature set and the second, its newly-released Resource Server support.
For the web application, we’ll configure the client to use the Authorization Code Grant flow. For the REST API, we’ll configure the resource server for JWT support, OAuth2-specific authorization expressions, and JWK set resolution. Finally, we’ll put it all together, logging into our application and retrieving a secure resource.
Speakers:
Josh Cummings
Principal Software Engineer, Pivotal
Joe Grandja
Staff Software Engineer, Pivotal
Filmed at SpringOne Platform 2018 - Věda a technologie
The only and best tutorial about Spring Security 5.0 with OAuth2 and JWT with IAM/UAA server
You guys are amazing, my life was saved
Very informative and helpful video. Thanks a lot.
Great presentation guys. Some excellent information to get you going as well. Keep up the good work!
You probably dont give a shit but does someone know a tool to get back into an Instagram account??
I stupidly forgot my password. I would love any tips you can give me.
@Anders Kamden Instablaster :)
@Royce Louie Thanks so much for your reply. I got to the site on google and Im trying it out now.
Looks like it's gonna take quite some time so I will reply here later with my results.
@Royce Louie It did the trick and I finally got access to my account again. I'm so happy!
Thanks so much you saved my ass !
@Anders Kamden happy to help :D
15:28 is it available not only in spring data repos?
At 35:18, just after including custom authorizationRequestResolver, how is the new scope added to token if we didn't go through the authorization flow once more? Why is 403 not thrown, even if the user didn't login again?
where is the github link for this project please someone provide me
Can you help me plese?
After running: .\gradlew -b uaa-server\build.gradle cargoRunLocal
I get such an error: org.codehaus.cargo.container.ContainerException: Failed to start the Tomcat 8.x container. Check the [C:\Users\sszczebiot\IdeaProjects\untitled\messaging-app\uaa-server\uaa-server.log] file containing the container logs for more details.
Why are we scrapping off the oauth2 and resource server on spring 2.5.6 and above?
"with several nuances and subtleties that can make it overwhelming for implementers"... right, to be honest, hopefully this video will help, thanks
the thing that overwhelms me is when there are those many ways of doing the same thing, there are approaches in this video I haven't seen in other examples, I'd like to have a big picture idea, I think we have to have two databases, one on the authorization server, the other on the resource server, both handling end user data, but I'm not sure if I'm doing it wrong.
To all those triggered by Spring...if you dont like the water stay out of the pool! Spring is THE best way to deal with the complexities of developing distributed applications. It's a work of art.
SOURCE CODE : github.com/jgrandja/oauth2-protocol-patterns
@Josh Cummings
Guys you make changes in resource server & restart client and say its working as expected (timestamp 44:03). The one assumption both the presenters are making is everyone who is watching the video knows the overall application they are using, the client aspect & are well versed in each aspect of oauth, which is not at true
Rob's presentations used to be so good when it comes to Spring Security. Now a days, the presentations are mere presentations, with very little emphasis on making them understandable
where is the repo
Is that ok to have spring security 5.1.0.RELEASE as a dependency, and call a video Spring Security 5.0?
where is the git repo.
Makes things difficult..
please link for code
here you go!
github.com/jzheaux/messaging-app/tree/springone2018-demo
@@2012kostyan Thanks for code but while running server Resource_Server project,I am getting below error :
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration with the provided Issuer of "localhost:8090/uaa/oauth/token"
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.1.0.RC3.jar:5.1.0.RC3]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:619) ~[spring-beans-5.1.0.RC3.jar:5.1.0.RC3]
... 21 common frames omitted
Caused by: java.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration with the provided Issuer of "localhost:8090/uaa/oauth/token"
at org.springframework.security.oauth2.jwt.JwtDecoders.getOpenidConfiguration(JwtDecoders.java:78) ~[spring-security-oauth2-jose-5.1.0.RELEASE.jar:5.1.0.RELEASE]
at org.springframework.security.oauth2.jwt.JwtDecoders.fromOidcIssuerLocation(JwtDecoders.java:48) ~[spring-security-oauth2-jose-5.1.0.RELEASE.jar:5.1.0.RELEASE]
at sample.config.ResourceServerConfig.jwtDecoder(ResourceServerConfig.java:64) ~[main/:na]
at sample.config.ResourceServerConfig.configure(ResourceServerConfig.java:56) ~[main/:na]
Do you have any idea ???
@@2012kostyan you are a hero mate.. :)
The presentation is really great .please share the code link.
Is there a better tutorial on this topic than this one? This doesn't appear to be a topic that lends itself well to a bottom up explanation. By all means start with some Restful services that don't require authentication and then go thru the steps necessary to provide it. I also find the way the code is displayed to be difficult to follow and there's generally too many context switches to follow what's going on.
This framework is just ugly
What are the alternatives?
@@aiwprton805 Pray
@@giuseppemiragliotta5222 Play Framework? Then need to know Scala well.
hey anyone can help me learn security please i need some support