SlideShare a Scribd company logo

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

Download as PPTX, PDF
N
Nilanjan Roy

This document provides an overview of microservice security using Spring Security 5.1, OAuth 2.0, and OpenID Connect. It defines OAuth 2.0 and its authorization framework, describing how applications can be authorized to access user data. It outlines the authorization code grant flow and other grant types, including how applications register and use client IDs and secrets. JSON Web Tokens are discussed as an access token format. OpenID Connect is described as extending OAuth 2.0 to provide authentication via ID tokens. Key components like access tokens, refresh tokens, and the client credentials flow are also summarized.

Technology
1 of 61
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Microservice Security with Spring Security 5.1 , OAuth 2.0 and OpenID Connect
Monolith Security
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Definition OAuth 2.0 Authorization Framework : Is a framework for allowing users to authorize applications to access their data on there behalf. Authorized applications get an access token that they can use to call a service. Does not tell the authorized application anything about the identity of the user Does not specify a token format. Expects other frameworks to extend it.
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Life without OAuth
Life without OAuth
Life without OAuth
Life without OAuth
Life without OAuth
Life without OAuth
Life with OAuth
Life with OAuth
Life with OAuth
Life with OAuth
Life with OAuth
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Step1 : Get Authorization Grant - Authorization code grant
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Protocol flow
Token flow
Token flow
Token flow
Token flow
Step 2 – Exchange for Access Token
Step 2 – Exchange for Access Token
Step 3 - Access Protected Resource
Step 3 - Access Protected Resource
The Complete Flow
With Refresh Token
With Refresh Token
Client Credentials
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Application Registration To participate in OAuth, your application has to first register with the service provider (Google , Facebook, and so on) against which you plan to authenticate by providing the application name, application URL, and callback URL. The callback URI is where the service will redirect the user after they authorize (or deny) your application, and therefore the part of your application that will handle authorization codes or access tokens. Successful registration of your application with the service provider gives you two values unique to your application: client application_id and client_secret. client_id can be exposed publicly but client_secret is kept hidden (private). Both these values are needed whenever you access the service provider.
Client ID and Client Secret Successful registration of your application with the service provider gives you two values unique to your application: client application_id and client_secret. client_id can be exposed publicly but client_secret is kept hidden (private). Both these values are needed whenever you access the service provider. The following diagram shows the interactions between these roles:
The steps in the preceding diagram detailed here: 1. The client application requests the resource owner to give them authorization to access the secured resources 2. If the resource owner authorizes this, the authorization grant is sent to the client application 3. The client application asks for a token, using the grant provided by the resource owner along with authentication credentials from the authorization server 4. If the credentials and grant from the client application are valid, the authorization server issues an Access Token to the client application. 5. The client application accesses the protected resources on the resource server using the Access Token provided 6. If the Access Token sent by the client application is valid, the resource server gives access to the secured resources
Authorization Grant Types A grant type defines how a client can obtain an authorization grant from a resource owner to access a resource on their behalf.In the Abstract Protocol Flow above, the first four steps cover obtaining an authorization grant and access token. The authorization grant type depends on the method used by the application to request authorization, and the grant types supported by the API. OAuth 2 defines four grant types, each of which is useful in different cases:
Authorization Grant Types ● Authorization Code: used with server-side Applications ● Implicit: used with Mobile Apps or Web Applications (applications that run on the user's device) ● Resource Owner Password Credentials: used with trusted Applications, such as those owned by the service itself ● Client Credentials: used with Applications API access
Authorization code flow This a is very commonly used grant type and works on redirection at the server. It is highly suitable for server-side applications where the source code is hosted on the server and nothing is available on the client. The following diagram explains the authorization code grant type flow:
Grant Type: Authorization Code The authorization code grant type is the most commonly used because it is optimized for server-side applications, where source code is not publicly exposed, and Client Secret confidentiality can be maintained. This is a redirection-based flow, which means that the application must be capable of interacting with the user-agent (i.e. the user's web browser) and receiving API authorization codes that are routed through the user-agent.
Grant Type: Authorization Code 1. The resource owner of the secured resource is presented with a screen in the browser to authorize the request. Here is a sample authorization link: https://<DOMAIN>/oauth/authorize?response_type=code&client_id=<CLIENT_ID> &redirect_uri=<CALLBACK_URL>&scope=<SCOPE>
Grant Type: Authorization Code These are the important query parameters in the previous link: client_id: The client application ID that we got while registering the application with the service provider. redirect_uri: After successful authorization, the server redirects to this URL supplied. response_type: A very important parameter the client uses to ask the server for the authorization code scope: Specifies the level of access that it requires
Grant Type: Authorization Code 2. If the resource owner (user) allows this, they click on the authorize link, which is sent to the authorization server. 3. If the authorization request sent to the authorization server is validated and found to be successful, the client receives the authorization code grant from the authorization server appended as a query parameter in the callback URL (<CALLBACK_URL>?code=<AUTHORIZATION_CODE>) specified in Step 1. 4. Using the authorization grant, the client application requests an Access Token from the authorization server https://<DOMAIN>/oauth/token?client_id=<CLIENT_ID>&client_secret=<CLIENT_ SECRET>&grant_type=authorization_code&code=<AUTHORIZATION_CODE>&r edirect_uri=CALLBACK_URL).
Grant Type: Authorization Code In this URL, the client application's client_secret also has to be passed, along with the grant_type parameter, which states that the code passed is the authorization code. 5. The authorization server validates the credentials and authorization grant and sends the Access Token to the client application, preferably in the form of JSON. 6. The client application calls the protected resource on the resource server using the Access Token received in Step 5. 7. If the Access Token supplied in Step 5 is valid, the resource server gives access to the secured resource.
Grant Type - Client Credentials The client application sends credentials (the client's service account), along with client_ID and client_secret, to the authorization server. If the supplied values are valid, the authorization server sends the Access Token, which can be used to get access to the secured resources.
Grant Type - Client Credentials Request Parameters grant_type (required) The grant_type parameter must be set to client_credentials. scope (optional) Your service can support different scopes for the client credentials grant. In practice, not many services actually support this. Client Authentication (required) The client needs to authenticate themselves for this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.
Access Token and Refresh Token The Access Token can be used by the client application to retrieve information from the resource server for a stipulated time for which the token is deemed valid. After this, the server will reject the request with the appropriate HTTP response error code. Along with the Access Token, OAuth allows the authorization server to also send another token, the Refresh Token. When the Access Token expires, the client application can use this second token to request the authorization server to provide a new Access Token.
JSON Web Token (JWT) "JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties." Each request sends the cookie (session ID) in the form of an HTTP header, which gets validated by the server, and a state (a user session) is associated with each request. In modern applications a server-side session ID is replaced with the JWT. The following diagram shows the workings of the JWT:
Client Credentials Flow
JWT
JWT The web server, in this case, doesn't create a user session and the user session management capability needed for a stateful application is offloaded to other mechanisms. In the world of the Spring Framework, the Spring Session module can be employed to externalize the session from the web server to a central persistence store (Redis, Couchbase, and so on). Every request containing a valid token (JWT) is validated against this external store of authenticity and validity. After successful authentication, applications can generate a valid token and send it as a response to the client. The client can then store this token in any client storage mechanism it uses (sessionStorage, localStorage, cookies, and so on, in a browser). Using Spring Security, we can validate this token to ascertain the authenticity and validity of the user and then do whatever is required
Structure of a token The structure of the JWT consists of a header, payload, and a signature. As mentioned, rather than encryption, the data contained within the JWT is encoded and then signed. Encoding does the job of transforming the data in a way that is acceptable by a variety of parties and signing allows us to check for its authenticity and, in fact, its origin: Header This is a JSON object and takes the following format. It gives information on how the signature should be computed. { "alg": "HS256", "typ": "JWT" }
PayLoad The payload forms the actual data (also known as a claim) stored in the JWT. According to your application's requirements, you can put any number of claims into your JWT payload component. There are some predefined claims, such as iss (issuer), sub (subject), exp (expiration time), iat (issued at), and so on, that can be used, but all of these are optional: { "sub": "1234567890", "username": "Test User", "iat": 1516239022 }
OpenID Connect OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. Use of this extension is requested by Clients by including the openid scope value in the Authorization Request. An Authorization Request using these extensions is called an Authentication Request. Information about the authentication performed is returned in a JSON Web Token (JWT) [JWT] called an ID Token (see Section 2.2). OAuth 2.0 Authentication Servers implementing OpenID Connect are also referred to as OpenID Providers (OPs). OAuth 2.0 Clients using OpenID Connect are also referred to as Relying Parties (RPs).
OpenID Connect - Id Token ID Token- With OpenID Connect authentication, there is an additional type of OAuth token: an ID token. The ID token, or id_token, represents the identity of the user being authenticated. This is a separate token from the access token, which is used to retrieve the user’s profile information or other user data requested during the same authorization flow.The ID token is a JSON Web Token (JWT), which is a digitally signed and/or encrypted representation of the user’s identity asserted by the identity provider. Instead of using cryptographic operations to validate the JSON Web Token, it can be treated as an opaque string and passed to the Check ID Endpoint for interpretation (see below). This flexibility keeps with
OpenID Connect - Id Token ID Token- With OpenID Connect authentication, there is an additional type of OAuth token: an ID token. The ID token, or id_token, represents the identity of the user being authenticated. This is a separate token from the access token, which is used to retrieve the user’s profile information or other user data requested during the same authorization flow.The ID token is a JSON Web Token (JWT), which is a digitally signed and/or encrypted representation of the user’s identity asserted by the identity provider.
Open ID connect layer
Thank you !

More Related Content

What's hot (20)

PDF
Authentication through Claims-Based Authentication
ijtsrd
 
PDF
Introduction to OAuth2.0
Oracle Corporation
 
PDF
OAuth2 primer
Manish Pandit
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
PDF
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
PDF
1000 ways to die in mobile oauth
Priyanka Aash
 
PDF
O auth2.0 guide
Dilip Mohapatra
 
PPTX
OAuth2 Presentaion
Bhargav Surimenu
 
DOCX
SAML 2
Steward_John
 
PPTX
O auth2 with angular js
Bixlabs
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
PDF
Spring security oauth2
axykim00
 
PPT
Web services security_in_wse_3_ppt
Harshavardhan Achrekar
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
PDF
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
PPTX
Restful api
Anurag Srivastava
 
PDF
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PDF
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
IOSR Journals
 
Authentication through Claims-Based Authentication
ijtsrd
 
Introduction to OAuth2.0
Oracle Corporation
 
OAuth2 primer
Manish Pandit
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
1000 ways to die in mobile oauth
Priyanka Aash
 
O auth2.0 guide
Dilip Mohapatra
 
OAuth2 Presentaion
Bhargav Surimenu
 
SAML 2
Steward_John
 
O auth2 with angular js
Bixlabs
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Spring security oauth2
axykim00
 
Web services security_in_wse_3_ppt
Harshavardhan Achrekar
 
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
Restful api
Anurag Srivastava
 
SAML VS OAuth 2.0 VS OpenID Connect
Ubisecure
 
Demystifying OAuth 2.0
Karl McGuinness
 
Survey on Restful Web Services Using Open Authorization (Oauth)I01545356
IOSR Journals
 

Similar to Microservice security with spring security 5.1,Oauth 2.0 and open id connect (20)

PPTX
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
PPTX
Microsoft Graph API Delegated Permissions
Stefan Weber
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
Lecture #25 : Oauth 2.0
Dr. Ramchandra Mangrulkar
 
PPTX
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
PDF
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
PDF
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PDF
.NET Core, ASP.NET Core Course, Session 19
Amin Mesbahi
 
PPTX
OAuth 2
ChrisWood262
 
PPTX
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
PPTX
Introduction to OAuth2
Kumaresh Chandra Baruri
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PPTX
Amazon Cognito OAuth 2.0 Grants
Sibtay Abbas
 
PPTX
Oauth 2.0 security
vinoth kumar
 
PDF
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
PDF
Intro to API Security with Oauth 2.0
Functional Imperative
 
PPTX
(1) OAuth 2.0 Overview
anikristo
 
PPTX
OAuth2 and OpenID with Spring Boot
Geert Pante
 
PDF
Protecting your APIs with OAuth 2.0
Ubisecure
 
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...
Good Dog Labs, Inc.
 
Microsoft Graph API Delegated Permissions
Stefan Weber
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Lecture #25 : Oauth 2.0
Dr. Ramchandra Mangrulkar
 
OAuth2 Implementation Presentation (Java)
Knoldus Inc.
 
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
Deep Dive into OAuth for Connected Apps
Salesforce Developers
 
OAuth2 + API Security
Amila Paranawithana
 
.NET Core, ASP.NET Core Course, Session 19
Amin Mesbahi
 
OAuth 2
ChrisWood262
 
Oauth 2.0 Introduction and Flows with MuleSoft
shyamraj55
 
Introduction to OAuth2
Kumaresh Chandra Baruri
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Amazon Cognito OAuth 2.0 Grants
Sibtay Abbas
 
Oauth 2.0 security
vinoth kumar
 
API Security with OAuth2.0.
Kellton Tech Solutions Ltd
 
Intro to API Security with Oauth 2.0
Functional Imperative
 
(1) OAuth 2.0 Overview
anikristo
 
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Protecting your APIs with OAuth 2.0
Ubisecure
 
Ad

Recently uploaded (20)

PDF
DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdf
CyberPro Magazine
 
PDF
Bitkom eIDAS Summit | European Business Wallet: Use Cases, Macroeconomics, an...
Carsten Stoecker
 
PDF
Supporting the NextGen 911 Digital Transformation with FME
Safe Software
 
PDF
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
PDF
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
PPTX
Enabling the Digital Artisan – keynote at ICOCI 2025
Alan Dix
 
PDF
Proactive Server and System Monitoring with FME: Using HTTP and System Caller...
Safe Software
 
PPTX
Paycifi - Programmable Trust_Breakfast_PPTXT
FinTech Belgium
 
PDF
Pipeline Industry IoT - Real Time Data Monitoring
Safe Software
 
PPTX
CapCut Pro PC Crack Latest Version Free Free
josanj305
 
PDF
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
PDF
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
PDF
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
PDF
“A Re-imagination of Embedded Vision System Design,” a Presentation from Imag...
Edge AI and Vision Alliance
 
PDF
Why aren't you using FME Flow's CPU Time?
Safe Software
 
PDF
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
PDF
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
PDF
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
PDF
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
PPTX
Wondershare Filmora Crack Free Download 2025
josanj305
 
DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdf
CyberPro Magazine
 
Bitkom eIDAS Summit | European Business Wallet: Use Cases, Macroeconomics, an...
Carsten Stoecker
 
Supporting the NextGen 911 Digital Transformation with FME
Safe Software
 
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
Optimizing the trajectory of a wheel loader working in short loading cycles
Reno Filla
 
Enabling the Digital Artisan – keynote at ICOCI 2025
Alan Dix
 
Proactive Server and System Monitoring with FME: Using HTTP and System Caller...
Safe Software
 
Paycifi - Programmable Trust_Breakfast_PPTXT
FinTech Belgium
 
Pipeline Industry IoT - Real Time Data Monitoring
Safe Software
 
CapCut Pro PC Crack Latest Version Free Free
josanj305
 
Java 25 and Beyond - A Roadmap of Innovations
Ana-Maria Mihalceanu
 
Quantum Threats Are Closer Than You Think – Act Now to Stay Secure
WSO2
 
Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools Case
Safe Software
 
“A Re-imagination of Embedded Vision System Design,” a Presentation from Imag...
Edge AI and Vision Alliance
 
Why aren't you using FME Flow's CPU Time?
Safe Software
 
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
“Scaling i.MX Applications Processors’ Native Edge AI with Discrete AI Accele...
Edge AI and Vision Alliance
 
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
Wondershare Filmora Crack Free Download 2025
josanj305
 
Ad

Microservice security with spring security 5.1,Oauth 2.0 and open id connect

  • 1. Microservice Security with Spring Security 5.1 , OAuth 2.0 and OpenID Connect
  • 6. Definition OAuth 2.0 Authorization Framework : Is a framework for allowing users to authorize applications to access their data on there behalf. Authorized applications get an access token that they can use to call a service. Does not tell the authorized application anything about the identity of the user Does not specify a token format. Expects other frameworks to extend it.
  • 21. Step1 : Get Authorization Grant - Authorization code grant
  • 28. Step 2 – Exchange for Access Token
  • 29. Step 2 – Exchange for Access Token
  • 30. Step 3 - Access Protected Resource
  • 31. Step 3 - Access Protected Resource
  • 37. Application Registration To participate in OAuth, your application has to first register with the service provider (Google , Facebook, and so on) against which you plan to authenticate by providing the application name, application URL, and callback URL. The callback URI is where the service will redirect the user after they authorize (or deny) your application, and therefore the part of your application that will handle authorization codes or access tokens. Successful registration of your application with the service provider gives you two values unique to your application: client application_id and client_secret. client_id can be exposed publicly but client_secret is kept hidden (private). Both these values are needed whenever you access the service provider.
  • 38. Client ID and Client Secret Successful registration of your application with the service provider gives you two values unique to your application: client application_id and client_secret. client_id can be exposed publicly but client_secret is kept hidden (private). Both these values are needed whenever you access the service provider. The following diagram shows the interactions between these roles:
  • 39. The steps in the preceding diagram detailed here: 1. The client application requests the resource owner to give them authorization to access the secured resources 2. If the resource owner authorizes this, the authorization grant is sent to the client application 3. The client application asks for a token, using the grant provided by the resource owner along with authentication credentials from the authorization server 4. If the credentials and grant from the client application are valid, the authorization server issues an Access Token to the client application. 5. The client application accesses the protected resources on the resource server using the Access Token provided 6. If the Access Token sent by the client application is valid, the resource server gives access to the secured resources
  • 40. Authorization Grant Types A grant type defines how a client can obtain an authorization grant from a resource owner to access a resource on their behalf.In the Abstract Protocol Flow above, the first four steps cover obtaining an authorization grant and access token. The authorization grant type depends on the method used by the application to request authorization, and the grant types supported by the API. OAuth 2 defines four grant types, each of which is useful in different cases:
  • 41. Authorization Grant Types ● Authorization Code: used with server-side Applications ● Implicit: used with Mobile Apps or Web Applications (applications that run on the user's device) ● Resource Owner Password Credentials: used with trusted Applications, such as those owned by the service itself ● Client Credentials: used with Applications API access
  • 42. Authorization code flow This a is very commonly used grant type and works on redirection at the server. It is highly suitable for server-side applications where the source code is hosted on the server and nothing is available on the client. The following diagram explains the authorization code grant type flow:
  • 43. Grant Type: Authorization Code The authorization code grant type is the most commonly used because it is optimized for server-side applications, where source code is not publicly exposed, and Client Secret confidentiality can be maintained. This is a redirection-based flow, which means that the application must be capable of interacting with the user-agent (i.e. the user's web browser) and receiving API authorization codes that are routed through the user-agent.
  • 44. Grant Type: Authorization Code 1. The resource owner of the secured resource is presented with a screen in the browser to authorize the request. Here is a sample authorization link: https://<DOMAIN>/oauth/authorize?response_type=code&client_id=<CLIENT_ID> &redirect_uri=<CALLBACK_URL>&scope=<SCOPE>
  • 45. Grant Type: Authorization Code These are the important query parameters in the previous link: client_id: The client application ID that we got while registering the application with the service provider. redirect_uri: After successful authorization, the server redirects to this URL supplied. response_type: A very important parameter the client uses to ask the server for the authorization code scope: Specifies the level of access that it requires
  • 46. Grant Type: Authorization Code 2. If the resource owner (user) allows this, they click on the authorize link, which is sent to the authorization server. 3. If the authorization request sent to the authorization server is validated and found to be successful, the client receives the authorization code grant from the authorization server appended as a query parameter in the callback URL (<CALLBACK_URL>?code=<AUTHORIZATION_CODE>) specified in Step 1. 4. Using the authorization grant, the client application requests an Access Token from the authorization server https://<DOMAIN>/oauth/token?client_id=<CLIENT_ID>&client_secret=<CLIENT_ SECRET>&grant_type=authorization_code&code=<AUTHORIZATION_CODE>&r edirect_uri=CALLBACK_URL).
  • 47. Grant Type: Authorization Code In this URL, the client application's client_secret also has to be passed, along with the grant_type parameter, which states that the code passed is the authorization code. 5. The authorization server validates the credentials and authorization grant and sends the Access Token to the client application, preferably in the form of JSON. 6. The client application calls the protected resource on the resource server using the Access Token received in Step 5. 7. If the Access Token supplied in Step 5 is valid, the resource server gives access to the secured resource.
  • 48. Grant Type - Client Credentials The client application sends credentials (the client's service account), along with client_ID and client_secret, to the authorization server. If the supplied values are valid, the authorization server sends the Access Token, which can be used to get access to the secured resources.
  • 49. Grant Type - Client Credentials Request Parameters grant_type (required) The grant_type parameter must be set to client_credentials. scope (optional) Your service can support different scopes for the client credentials grant. In practice, not many services actually support this. Client Authentication (required) The client needs to authenticate themselves for this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.
  • 50. Access Token and Refresh Token The Access Token can be used by the client application to retrieve information from the resource server for a stipulated time for which the token is deemed valid. After this, the server will reject the request with the appropriate HTTP response error code. Along with the Access Token, OAuth allows the authorization server to also send another token, the Refresh Token. When the Access Token expires, the client application can use this second token to request the authorization server to provide a new Access Token.
  • 51. JSON Web Token (JWT) "JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties." Each request sends the cookie (session ID) in the form of an HTTP header, which gets validated by the server, and a state (a user session) is associated with each request. In modern applications a server-side session ID is replaced with the JWT. The following diagram shows the workings of the JWT:
  • 53. JWT
  • 54. JWT The web server, in this case, doesn't create a user session and the user session management capability needed for a stateful application is offloaded to other mechanisms. In the world of the Spring Framework, the Spring Session module can be employed to externalize the session from the web server to a central persistence store (Redis, Couchbase, and so on). Every request containing a valid token (JWT) is validated against this external store of authenticity and validity. After successful authentication, applications can generate a valid token and send it as a response to the client. The client can then store this token in any client storage mechanism it uses (sessionStorage, localStorage, cookies, and so on, in a browser). Using Spring Security, we can validate this token to ascertain the authenticity and validity of the user and then do whatever is required
  • 55. Structure of a token The structure of the JWT consists of a header, payload, and a signature. As mentioned, rather than encryption, the data contained within the JWT is encoded and then signed. Encoding does the job of transforming the data in a way that is acceptable by a variety of parties and signing allows us to check for its authenticity and, in fact, its origin: Header This is a JSON object and takes the following format. It gives information on how the signature should be computed. { "alg": "HS256", "typ": "JWT" }
  • 56. PayLoad The payload forms the actual data (also known as a claim) stored in the JWT. According to your application's requirements, you can put any number of claims into your JWT payload component. There are some predefined claims, such as iss (issuer), sub (subject), exp (expiration time), iat (issued at), and so on, that can be used, but all of these are optional: { "sub": "1234567890", "username": "Test User", "iat": 1516239022 }
  • 57. OpenID Connect OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. Use of this extension is requested by Clients by including the openid scope value in the Authorization Request. An Authorization Request using these extensions is called an Authentication Request. Information about the authentication performed is returned in a JSON Web Token (JWT) [JWT] called an ID Token (see Section 2.2). OAuth 2.0 Authentication Servers implementing OpenID Connect are also referred to as OpenID Providers (OPs). OAuth 2.0 Clients using OpenID Connect are also referred to as Relying Parties (RPs).
  • 58. OpenID Connect - Id Token ID Token- With OpenID Connect authentication, there is an additional type of OAuth token: an ID token. The ID token, or id_token, represents the identity of the user being authenticated. This is a separate token from the access token, which is used to retrieve the user’s profile information or other user data requested during the same authorization flow.The ID token is a JSON Web Token (JWT), which is a digitally signed and/or encrypted representation of the user’s identity asserted by the identity provider. Instead of using cryptographic operations to validate the JSON Web Token, it can be treated as an opaque string and passed to the Check ID Endpoint for interpretation (see below). This flexibility keeps with
  • 59. OpenID Connect - Id Token ID Token- With OpenID Connect authentication, there is an additional type of OAuth token: an ID token. The ID token, or id_token, represents the identity of the user being authenticated. This is a separate token from the access token, which is used to retrieve the user’s profile information or other user data requested during the same authorization flow.The ID token is a JSON Web Token (JWT), which is a digitally signed and/or encrypted representation of the user’s identity asserted by the identity provider.