SECURING MICROSERVICES WITH OAUTH 2 AND OPENID CONNECT
OWASP Chapter Munich, 30.4.2019
Slides: https://andifalk.github.io/owasp-chapter-munich-04-2019
Demos: https://github.com/andifalk/owasp-chapter-munich-04-2019
ANDREAS FALK
Novatec Consulting GmbH
[email protected] / @andifalk (Twitter)
https://www.novatec-gmbh.de
AGENDA
Intro to OAuth 2.0 & OpenID Connect 1.0
4th OAuth Security Workshop 2019
OAuth 2 & OIDC with Spring Security (Live Demo)
Discussion
OAUTH 2.0 101
RFC 6749: The OAuth 2.0 Authorization Framework
RFC 6750: OAuth 2.0 Bearer Token Usage
RFC 6819: OAuth 2.0 Threat Model and Security Considerations
WHAT IS OAUTH 2.0?
OAuth 2.0 is an authorization delegation framework.
OAUTH 2.0 MODEL
OAUTH 2.0 GRANT FLOWS
Client Type          Flow                                  Refresh Tokens
Confidential         Authorization Code                    X
Public (Native)      Authorization Code (PKCE)             X
Public (SPA)         Implicit                              --
Trusted              Resource Owner Password Credentials   X
No Resource Owner    Client Credentials                    --
AUTHORIZATION CODE GRANT FLOW
AUTHORIZATION REQUEST
GET https://authserver.example.com/authorize
    ?response_type=code
    &client_id=abcdefg
    &redirect_uri=https://client.abc.com/callback
    &scope=api.read api.write
    &state=xyz
AUTHORIZATION RESPONSE
HTTP/1.1 302 Found
Location: https://client.abc.com/callback
    ?code=ab23bhW56Xb
    &state=xyz
TOKEN REQUEST (BASIC AUTH)
Client-Id=123, Client-Secret=456, Base64(123:456)="MTIzOjQ1Ng=="

POST https://authserver.example.com/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MTIzOjQ1Ng==

grant_type=authorization_code&code=ab23bhW56X
    &redirect_uri=https://client.abc.com/callback
TOKEN REQUEST (BODY)
Client-Id=123, Client-Secret=456

POST https://authserver.example.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=ab23bhW56X
    &redirect_uri=https://client.abc.com/callback
    &client_id=123&client_secret=456
TOKEN RESPONSE
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
}
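The three messages above, assembled from the client's side as an added Python example (not code from the slides or the demo repository). It uses the values shown on the slides (client abcdefg, redirect URI https://client.abc.com/callback, token endpoint credentials 123/456) and shows the one check the authorization response slide implies but does not spell out: the state returned in the redirect must equal the state the client generated and stored for this session, otherwise the code must be discarded. The endpoint URLs and the helper names are this example's own.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the slides; any real deployment registers these with the server.
AUTHORIZE_ENDPOINT = "https://authserver.example.com/authorize"
TOKEN_ENDPOINT = "https://authserver.example.com/token"
REDIRECT_URI = "https://client.abc.com/callback"


def new_state() -> str:
    """Unguessable per-request value; the client keeps it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_request(client_id: str, scopes: list, state: str) -> str:
    """GET URL for the front-channel authorization request (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_authorization_response(location: str, expected_state: str) -> str:
    """Extract the code from the redirect Location, but only if the state matches
    the one stored for this session (this is the CSRF check on the callback)."""
    query = parse_qs(urlsplit(location).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication: Base64(client_id:client_secret)."""
    raw = (client_id + ":" + client_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code: str, client_id: str, client_secret: str) -> tuple:
    """Headers and form body for the back-channel token request. redirect_uri is
    repeated so the server can verify it equals the one from the authorization request."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return headers, body


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_request("abcdefg", ["api.read", "api.write"], state))
    # Constructed callback as the browser would deliver it after the 302:
    code = parse_authorization_response(REDIRECT_URI + "?code=ab23bhW56Xb&state=" + state, state)
    print(build_token_request(code, "123", "456"))
```

The state comparison uses a constant-time compare out of habit rather than necessity; what matters is that the value is bound to the session and checked before the code is ever sent to the token endpoint.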
IMPLICIT GRANT FLOW
AUTHORIZATION REQUEST
GET https://authserver.example.com/authorize
    ?response_type=token
    &client_id=abcdefg
    &redirect_uri=https://client.abc.com/callback
    &scope=api.read api.write
    &state=xyz
AUTHORIZATION RESPONSE
HTTP/1.1 302 Found
Location: https://client.abc.com/callback
    #access_token=2YotnFZFEjr1zCsicMWpAA
    &token_type=bearer
    &expires_in=3600
    &scope=api.read api.write
    &state=xyz
FURTHER OAUTH 2.0 STANDARDS
RFC 7636: Proof Key for Code Exchange (“Pixy”)
RFC 7662: Token Introspection
RFC 7009: Token Revocation
OPENID CONNECT 1.0 (OIDC) 101
OpenID Connect Core 1.0
OpenID Connect Dynamic Client Registration 1.0
OpenID Connect Discovery 1.0
OPENID CONNECT 1.0 IS FOR AUTHENTICATION
OAuth 2.0 is not an authentication protocol.
OIDC MODEL
ADDITIONS TO OAUTH 2.0
Id Token (JWT format)
User Info Endpoint
Standard Scopes
Hybrid Grant Flow
OpenID Provider Configuration Information
ID TOKEN: JSON WEB TOKEN (JWT)
Base64-encoded, JSON-formatted value of...
...Header
...Payload
...Signature

GET / HTTP/1.1
Host: localhost:8080
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1N...

RFC 7519: JSON Web Token (JWT)
JSON Web Token Best Current Practices
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
JSON WEB TOKEN (JWT)
Header
{ "typ": "JWT", "alg": "RS256" }

Payload
{
  "iss": "https://identity.example.com",
  "aud": "my-client-id",
  "exp": 1495782385,
  "nonce": "N0.46824857243233511495739124749",
  "iat": 1495739185,
  "at_hash": "hC1NDSB8WZ9SnjXTid175A",
  "sub": "mysubject",
  "auth_time": 1495739185,
  "email": "[email protected]"
}
ID TOKEN CLAIMS
Claim       Required   Description
iss         X          Issuer Identifier
sub         X          Subject Identifier
aud         X          Audience(s) of this ID Token
exp         X          Expiration time
iat         X          Time at which the JWT was issued
auth_time   (X)        Time of End-User authentication
nonce       --         Associates a client session with an ID Token
TOKEN VALIDATION
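The validation the slides describe (split the three base64url parts, verify the signature, then check the claims from the table above) as an added Python example, not code from the deck or the demo project. The slide's token is RS256-signed; to stay within the standard library this example signs and verifies with HS256 (HMAC-SHA256) instead, which changes only the signature step. The `alg` allow-list is deliberate: the header is untrusted input until the signature is verified, so the verifier decides which algorithm it accepts rather than letting the token choose. The key and the token issued by `sign_jwt` are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# The verifier fixes the algorithm up front; "none" or an unexpected alg is rejected.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Constructed ID token (role of the OpenID Provider) for the demo."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int = None) -> dict:
    """Return the claims if, and only if, signature and required claims check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(p))
    # iss: the token must come from the provider this client was configured for.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    # aud: may be a string or a list; this client's id must be among the audiences.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    # exp / iat: reject expired tokens and tokens claiming a future issue time.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat is in the future")
    # nonce: must equal the value this client sent in its authorization request.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token does not belong to this login")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = sign_jwt({"iss": "https://identity.example.com", "aud": "my-client-id",
                      "exp": 1495782385, "iat": 1495739185, "sub": "mysubject",
                      "nonce": "N0.46824857243233511495739124749"}, key)
    print(validate_id_token(token, key, "https://identity.example.com", "my-client-id",
                            "N0.46824857243233511495739124749", now=1495739200))
```

For a production RS256 verifier the shape stays the same: fetch the provider's keys from `jwks_uri`, select the key by `kid`, verify with the public key, and keep the algorithm allow-list.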
USER INFO ENDPOINT
GET /userinfo HTTP/1.1
Host: identityserver.example.com
Authorization: Bearer SlAV32hkKG

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "email": "[email protected]",
  "picture": "http://example.com/janedoe/me.jpg"
}
OIDC FLOWS
Authorization Code (w/ or w/o PKCE)
Implicit
Hybrid
OPENID CONNECT 1.0 CONFIGURATION
https://example.com/.well-known/openid-configuration

{
  "authorization_endpoint": "https://idp.example.com/auth",
  "grant_types_supported": [ "authorization_code", "implicit", "refresh_token" ],
  "issuer": "https://idp.example.com",
  "jwks_uri": "https://idp.example.com/keys",
  "token_endpoint": "https://idp.example.com/token",
  "userinfo_endpoint": "https://idp.example.com/userinfo",
  ...
}

OpenID Connect Discovery 1.0
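How a relying party should consume the configuration document above, as an added Python example (not from the slides or the demo project). The discovery document is fetched over the network; the example embeds a constructed copy in the shape the slide shows. Two checks matter before any endpoint in it is used: the `issuer` value must be identical to the issuer the document was fetched for (otherwise a document served from the wrong place could point the client at foreign endpoints), and the endpoints must be https. `choose_response_type` additionally picks the authorization code grant whenever the provider offers it, which is the preference the later slides argue for.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, same shape as on the slide (the "..." omitted).
DISCOVERY_DOC = """{
  "authorization_endpoint": "https://idp.example.com/auth",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
  "issuer": "https://idp.example.com",
  "jwks_uri": "https://idp.example.com/keys",
  "token_endpoint": "https://idp.example.com/token",
  "userinfo_endpoint": "https://idp.example.com/userinfo"
}"""

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL_ENDPOINTS = ("userinfo_endpoint",)


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery 1.0: issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc_text: str, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document may be used."""
    problems = []
    doc = json.loads(doc_text)
    # The issuer inside the document must equal the issuer it was fetched for.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer does not match the issuer the document was fetched for")
    for name in REQUIRED_ENDPOINTS + OPTIONAL_ENDPOINTS:
        url = doc.get(name)
        if url is None:
            if name in REQUIRED_ENDPOINTS:
                problems.append("missing " + name)
            continue
        # Tokens and codes travel to these endpoints; plain http is not acceptable.
        if urlsplit(url).scheme != "https":
            problems.append(name + " is not https")
    return problems


def choose_response_type(doc: dict) -> str:
    """Prefer the authorization code grant; do not fall back to implicit."""
    # Discovery 1.0 defines this default when the field is omitted.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" in grants:
        return "code"
    raise ValueError("provider offers no authorization code grant")


if __name__ == "__main__":
    print(discovery_url("https://idp.example.com"))
    print(check_discovery(DISCOVERY_DOC, "https://idp.example.com"))
    print(choose_response_type(json.loads(DISCOVERY_DOC)))
```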
4TH OAUTH SECURITY WORKSHOP 2019
Stuttgart
https://sec.uni-stuttgart.de/events/osw2019
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
Lots of discussions and comments
OAUTH 2.0 SECURITY BEST CURRENT PRACTICE
Torsten Lodderstedt and Daniel Fett
OAuth 2.0 Security Best Current Practice
IMPLICIT FLOW ATTACKS
Source: Torsten Lodderstedt and Daniel Fett
OAUTH 2.0 FOR BROWSER-BASED APPS
David Waite (PingFederate)
OAuth 2.0 for Browser-Based Apps
OAUTH 2.0 FOR BROWSER-BASED APPS
Content-Security Policy
Use a unique redirect URI
Do NOT issue refresh tokens
OAuth 2.0 for Browser-Based Apps
OTHER KNOWN OAUTH 2.0 ATTACKS
Lack of CSRF protection
Authorization code leakage and replay
Authorization code injection
Open Re-directors
State leakage and replay
Insufficient Redirect URI matching
Too powerful access tokens
Mix-Up Attacks
OPEN REDIRECT !!
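Two of the items in the list above, "Insufficient Redirect URI matching" and open redirectors, come down to one server-side check, shown here as an added Python example (not from the slides or the demo project). The authorization server compares the `redirect_uri` parameter with the client's registered value by exact string match and, on mismatch, renders an error page instead of redirecting; a server that redirects to whatever it was given is itself an open redirector. The lenient prefix variant is included only to show what exact matching rejects. The client registration table and the request handler are this example's own.

```python
from urllib.parse import urlsplit

# Constructed client registration: the client from the slides has exactly one redirect URI.
REGISTERED_REDIRECT_URIS = {
    "abcdefg": {"https://client.abc.com/callback"},
}


def redirect_uri_allowed_prefix(client_id: str, requested: str) -> bool:
    """Lenient prefix matching as found in some older servers. Shown only for contrast:
    it accepts any URI that merely starts with the registered value."""
    return any(requested.startswith(r) for r in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Exact string comparison against the registered URIs, as the OAuth 2.0 Security BCP
    recommends. Fragments and non-https schemes are rejected before comparing."""
    if not requested:
        return False
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment:
        return False
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, ())


def handle_authorization_request(params: dict) -> tuple:
    """Server side of /authorize: validate client_id and redirect_uri before anything else.
    Returns ("error_page", message) or ("redirect", uri); the error case never redirects."""
    client_id = params.get("client_id")
    requested = params.get("redirect_uri")
    if client_id not in REGISTERED_REDIRECT_URIS:
        return ("error_page", "unknown client")
    if not redirect_uri_allowed(client_id, requested):
        return ("error_page", "invalid redirect_uri for client")
    # Only now would the server authenticate the resource owner and, after consent,
    # send the 302 with code and state to the validated URI.
    return ("redirect", requested)


if __name__ == "__main__":
    for uri in ("https://client.abc.com/callback", "https://client.abc.com/callback/extra",
                "http://client.abc.com/callback"):
        print(uri, "prefix:", redirect_uri_allowed_prefix("abcdefg", uri),
              "exact:", redirect_uri_allowed("abcdefg", uri))
```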
“OAUTH 2.1” GRANT FLOWS
Client Type          Flow                                  Refresh Tokens
Confidential         Authorization Code (PKCE)             X
Public (Native)      Authorization Code (PKCE)             X
Public (SPA)         Authorization Code (PKCE)             --
Trusted              Resource Owner Password Credentials   X
No Resource Owner    Client Credentials                    --
PROOF KEY FOR CODE EXCHANGE BY OAUTH PUBLIC CLIENTS (PKCE) (“Pixy”)
Mitigates authorization code attacks
Mitigates token leakage in SPAs
Proof Key for Code Exchange by OAuth Public Clients
PKCE - AUTHORIZATION REQUEST
GET https://authserver.example.com/authorize
    ?response_type=code
    &client_id=abcdefg
    &redirect_uri=https://client.abc.com/callback
    &scope=api.read api.write
    &state=xyz
    &code_challenge=xyz...
    &code_challenge_method=
PKCE - TOKEN REQUEST
Client-Id=123, Client-Secret=456

POST https://authserver.example.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=ab23bhW56X
    &redirect_uri=https://client.abc.com/callback
    &client_id=123&client_secret=456
    &code_verifier=4gth4jn78k_8
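Both PKCE messages above, worked through on the client side and on the authorization server side, as an added Python example (not code from the slides or the demo project). The client creates a random `code_verifier`, sends only its SHA-256 `code_challenge` with the authorization request, and presents the verifier with the token request; the server recomputes the challenge and releases tokens only if it matches and the code has not been used before. This is what makes an intercepted authorization code useless on its own. The in-memory `AuthorizationServer` is this example's own stand-in; as a policy choice it accepts only the `S256` method (RFC 7636 also defines `plain`).

```python
import base64
import hashlib
import hmac
import secrets

# Client side ------------------------------------------------------------------

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """High-entropy secret kept in the client's session for one authorization request.
    32 random bytes base64url-encode to 43 characters, the minimum length RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id: str, redirect_uri: str, scope: str,
                         state: str, verifier: str) -> dict:
    """Query parameters of the PKCE authorization request shown on the slide.
    Only the challenge leaves the client; the verifier stays in its session."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


# Authorization server side (hypothetical minimal in-memory server) --------------

class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def issue_code(self, client_id: str, code_challenge: str, method: str) -> str:
        """Called after the resource owner authenticated and consented."""
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def redeem_code(self, code: str, client_id: str, code_verifier: str) -> dict:
        """Token endpoint: bind the code to the client and the verifier to the challenge."""
        entry = self._codes.pop(code, None)  # a code is single-use
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        bound_client, challenge = entry
        if bound_client != client_id:
            raise ValueError("code was issued to a different client")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("code_verifier length out of range")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer", "expires_in": 3600}


if __name__ == "__main__":
    verifier = new_code_verifier()
    params = authorization_params("abcdefg", "https://client.abc.com/callback",
                                  "api.read api.write", "xyz", verifier)
    server = AuthorizationServer()
    code = server.issue_code(params["client_id"], params["code_challenge"], params["code_challenge_method"])
    print(server.redeem_code(code, "abcdefg", verifier))
```

The test vector for `code_challenge_s256` is the one from RFC 7636 Appendix B.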
STEAL TOKENS VIA XSS
“XSS is Game-Over for OAuth 2” (Jim Manico)
OAUTH 2 ACCESS TOKEN JWT PROFILE
Vittorio Bertocci (Auth0)
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
OAUTH 2 ACCESS TOKEN JWT PROFILE
Required claims: iss, exp, aud, sub, client_id
Consider privacy restrictions for identity claims
Authorization claims according to SCIM Core (RFC 7643): Groups, Entitlements, Roles
System for Cross-domain Identity Management (SCIM)
TOKEN BINDING
RFC 8471: The Token Binding Protocol Version 1.0
RFC 8472: (TLS) Extension for Token Binding Protocol Negotiation
RFC 8473: Token Binding over HTTP
OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens
Google - Intent to Remove: Token Binding
FURTHER INTERNET-DRAFTS FOR OAUTH 2
List of OAuth 2 Internet-Drafts (by date)
DEMO TIME
OAUTH 2.0 & OPENID CONNECT 1.0 WITH SPRING SECURITY 5
“LEGACY” SPRING SECURITY OAUTH 2 STACK
“NEW” SPRING SECURITY OAUTH 2 STACK
DEMO APPLICATION
WHAT'S NEW IN SPRING SECURITY 5.2 & 5.3
SPRING SECURITY 5.2
Client Support for PKCE
OpenID Connect RP-Initiated Logout
Support for OAuth 2.0 Token Introspection
Support for Resource Server Multi-tenancy
Spring Security 5.2.0 M2 GitHub Issues
Spring Security 5.2.0 RC1 GitHub Issues
BOOK REFERENCES
Q&A
[email protected] / Twitter: @andifalk
https://www.novatec-gmbh.de
https://blog.novatec-gmbh.de
ONLINE REFERENCES
RFC 6749: The OAuth 2.0 Authorization Framework
RFC 6750: OAuth 2.0 Bearer Token Usage
RFC 6819: OAuth 2.0 Threat Model and Security Considerations
RFC 7636: Proof Key for Code Exchange (“Pixy”)
OpenID Connect Core 1.0
OpenID Connect Dynamic Client Registration 1.0
OpenID Connect Discovery 1.0
RFC 7519: JSON Web Token (JWT)
JSON Web Token Best Current Practices
4th OAuth Security Workshop 2019 event web page
Why you should stop using the OAuth implicit grant
OAuth 2.0 Security Best Current Practice
OAuth 2.0 for Browser-Based Apps
OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Spring Security

All images used are from Pixabay and are published under the Creative Commons CC0 license.
All used logos are trademarks of their respective companies.