Implementing Microservices Security Patterns and Protocols with Spring Security
- Added 15 October 2019
- Building secure microservices requires mastering a variety of patterns, protocols, frameworks, and technologies. This session provides a holistic end-to-end view of how to secure microservices using industry standard protocols and Spring Security. The goal is to present how standards such as JWT, JWA, JWS, JWE, JWK, OAuth2, OpenID Connect, and TLS can be combined to make writing secure microservices easy.
The session will focus on walkthroughs/live coding showing how to apply the patterns and standards using Spring Security 5.1. The following patterns and their implementations will be demonstrated:
Web SSO Login
implementing OAuth2 resource servers
implementing edge service gateways
Token Exchange in a microservice call chain
Token Relay in a microservice call chain
integration with OpenID Connect/OAuth2 Servers
features of Spring Security 5.1 that make it easier to secure microservices
Speakers: Joe Grandja, Spring Security Senior Engineer, Pivotal and Stephen Doxsee, Software Engineer, Simple Step Solutions
Filmed at SpringOne Platform 2019
Slides: www.slideshare.net/SpringCent...
Thank you, Joe.
You make Spring Security easy for me; before, I hated it, but now I see the full picture.
Thank you again.
go ahead
Glad you found the talk helpful, Ali!
43:00 Why is there no audience passed in the authorization request (and thus an empty aud claim inside the JWT)? Should that not be the respective resource server/microservice? That would be especially interesting to see since there are multiple microservices being called.
I'm looking for a way to perform service to service authorization between a client app and a secured (with Keycloak) Spring Cloud Config Server. However, the config server contains properties that my client needs at startup. I know I can use a spring.factories file and define a custom configuration at bootstrap. Can I use that custom configuration to get my client authorized so it can request config properties?
I have a requirement to authenticate my REST endpoint using both the Okta and the Azure issuer URL. Can anyone suggest how to implement this feature in Spring Security?
Can the same resource be accessed with two different tenants? Can someone please provide code for that? I am trying to access a REST API using a JWT generated by Okta and Azure AD B2C.
Where can I download the demo project? Thank you.
Hi @Springdeveloper, do you have the complete course by this instructor? Please share if you have it.
Hello, I want to know if it is possible to combine Spring Security with Azure Functions. What I want is to secure my function using Spring Cloud, Azure Functions, and Spring Security. Could that be possible? Thank you.
Is the project in any way still reachable? The slides linked in the video description are down too.
Could you share your repository?
GitHub project?
Could you please share the GitHub code URL?
Hey Chinmaya, the code can be found here: github.com/jgrandja/oauth2-protocol-patterns. We were using the "s1p-2019" branch, but the documentation is better on the "master" branch, which uses UAA instead of Keycloak.
Somehow I'm missing something here. The amount of configuration just to get a couple of microservices secured is daunting. What will I have to do when adding a new microservice? It almost looks like I will have to do a new set of configuration here. So with, say, 500 microservices this is going to be a config nightmare. Surely this is not the way production security will have to be configured? If so, then Spring is losing the plot big time.....
Hi Andre. Thanks for your comments and questions. I share your desire for a GREAT developer experience. As a user of spring security/boot, I've found the configuration to be quite minimal (e.g. vanilla resource server = dependency + jwk-set-uri property). The demo was intentionally more complex to help people with scenarios that go beyond "hello world". If there's a particular configuration that you find excessive, please share your suggestions by creating an issue on spring-security's github repo. Also, give me a shout and I'd be happy to discuss your situation! simplestep.ca/contact or twitter.com/doxsees. Cheers!
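Added example, not code from the talk or from the jgrandja repository: the "dependency + jwk-set-uri property" resource server Stephen describes above, extended with the audience check the 43:00 comment asks about, so a token minted for a different microservice (empty or foreign aud claim) is rejected by this one. It assumes Spring Boot 2.2 / Spring Security 5.2 with spring-boot-starter-oauth2-resource-server, that application.yml sets spring.security.oauth2.resourceserver.jwt.issuer-uri and spring.security.oauth2.resourceserver.jwt.jwk-set-uri, and the audience name orders-service is a placeholder.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Minimal JWT resource server plus an explicit "aud" check (assumed Spring Security 5.2 DSL).
@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholder identifier for this service; tokens must carry it in their aud claim.
    private static final String EXPECTED_AUDIENCE = "orders-service";

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature is verified against the issuer's JWK Set fetched from jwk-set-uri.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // Default validators cover exp/nbf and iss; the audience validator is added on top.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator()));
        return decoder;
    }

    // Rejects tokens whose aud list (empty or otherwise) does not name this service.
    static OAuth2TokenValidator<Jwt> audienceValidator() {
        return jwt -> jwt.getAudience().contains(EXPECTED_AUDIENCE)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "aud claim does not contain " + EXPECTED_AUDIENCE, null));
    }
}
```

A failed audience check surfaces as a 401 with a WWW-Authenticate: Bearer error="invalid_token" header, which is the signal to watch for when a relayed token was issued for a different service in the call chain.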
Thank you Stephen - still busy working through the video to try and get a proper understanding. Appreciate the feedback.
I always try my best to get the full env running without going to github so that I understand what is being said.
Maybe corona.