Implementing an OAuth 2 authorization server with Spring Security - the new way! by Laurentiu Spilca
ฝัง
- เผยแพร่เมื่อ 12 ก.ย. 2022
- Spring I/O 2022 - Barcelona, 26-27 May
After project Spring Security OAuth has been deprecated, there was a lot of confusion in the community. You could use Spring Security to write the resource server but not the authorization server. But the dark age is now over.
In this session, we discuss implementing an authorization server using the new Spring Security Authorization Server project. spring.io/blog/2021/08/19/spr...
OAuth 2 and OpenID Connect are tremendously important today since they represent the most used standards for implementing authentication in apps. Spring apps are no exception to this approach. We’ll start with a refresher on OAuth 2 and OpenID Connect and remember shortly how an authorization server was configured using the Spring Security OAuth project (now deprecated). Then, we’ll work on an example where we implement an authorization server using the new approach -the Spring Security Authorization Server project. You’ll learn how to use the new project to write your custom authorization server but also what advantages does this project brings above the old-fashioned way. - วิทยาศาสตร์และเทคโนโลยี
In looking through dozens of sites advising on this topic, it was super handy hearing him mention deprecated methods and implementations
I love this guys channel. He really knows his stuff.
Laur is a great teacher. I learned a lot from him!
Great Explanation of OAUTH .......
Yay Laurentiu !!
Helped me a lot thank you
Hi. Can i use a jjwt implementation instead of nimbous jwt?
Thanks!
what about if i dont want jwt tokens? just like the old way which is using opaque token, is it possible? especially if the auth server and reaource server are in one project? hope you can have a demo
Does JWT need to be stored on the server?
amazing
the best
Is it possible and supported in current version to change formLogin to httpBasic?
How are you generation code verifier?
Rename ProviderSettings -> AuthorizationServerSettings
In 0.3.0 version is it supporting password grant ?
If I am going to user Redis to store token data, how do I create a filter that will fetch the token first on Redis before proceeding with the checking of JWT? I am planning to use Redis as a cache and Postgresql as the DB
Can we have multiple authentication manager configured for different purpose if yes then how?
Where is the code challenge being maintained in the spring backend to validate against the code verifier? If it is in memory, it will cause an issue every time the server is restarted. The authenticated public client might use the non-existent code verifier.
public static void main(String[] args) throws NoSuchAlgorithmException {
SpringApplication.run(Application.class, args);
String codeVerifier=createCodeVerifier();
log.info("code verifier:"+codeVerifier);
log.info("code_challenge:"+createCodeChallenge(codeVerifier));
}
private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
}
private static String createCodeVerifier(){
StringKeyGenerator secureKeyGenerator =
new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
return secureKeyGenerator.generateKey();
}
how the resource server knows this token is from the authorization server? minute 7:36 the diagram misses this point .
Is this the norm in actual development?
I'm a beginner, I'm not really sure as to how that code_challenge was generated, can someone explain it?
public static void main(String[] args) throws NoSuchAlgorithmException {
SpringApplication.run(Application.class, args);
String codeVerifier=createCodeVerifier();
log.info("code verifier:"+codeVerifier);
log.info("code_challenge:"+createCodeChallenge(codeVerifier));
}
private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
}
private static String createCodeVerifier(){
StringKeyGenerator secureKeyGenerator =
new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
return secureKeyGenerator.generateKey();
}
Help. It is statefull, isn't it?? because no sessionCreationPolicy configuration written. like customizer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
I loved the part where he mentioned about Log4J XD
at the post request i'll always get {"error":"invalid_client"}, stackoverflow and github show solutions but only for version 0.2.. has someone an idea?
Ahh ok, so of course postman has the role in this example of a public client as such the clientAuthenticationMethod has to be ClientAuthenticationMethod.NONE according to registeredClient documentation... So either Mr. Spilca changed it and did no show it or he used some other trick..
@@csvxmlfan3853 the trick is the hidden Authorization tab in postman. Try adding --header 'Authorization: Basic Y2xpZW50OnNlY3JldA=='
@CSVXML FAN, Víctor Martín is right, you have to pass client_id and client_secret using Authorization Header: In Postman's Authorization tab select 'Basic Auth' in 'Type' dropdown menu and then type client_id/client_secret in appeared Username/Password fields.
Please can someone help me with the "code_challenge" i need to generate a SHA256 from any string like "anything" and in "code_verifier" i send "anything" ?
same question i have... if you find any solution please let me know
public static void main(String[] args) throws NoSuchAlgorithmException {
SpringApplication.run(Application.class, args);
String codeVerifier=createCodeVerifier();
log.info("code verifier:"+codeVerifier);
log.info("code_challenge:"+createCodeChallenge(codeVerifier));
}
private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
}
private static String createCodeVerifier(){
StringKeyGenerator secureKeyGenerator =
new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
return secureKeyGenerator.generateKey();
}
I love this presentation! How to get the code and file on your presentation?
Can this example be used in actual development? A friend of mine said that this example has drawbacks. After the server restarts, everyone will be disconnected. Is that true?
It can't be used, for the actual development you would probably want to use db instead of in-memory solution
@Rendell Jay Eyas no, but should be pretty easy, just read the documentation
@Rendell Jay Eyas Check the speakers channel. Has an ongoing playlist on the subject
why I am getting this error ?
Error creating bean with name 'securityFilterChainAs' defined in class path resource
it is actually the Noclassdef error for OAuth2AuthorizationServerConfiguration , anyone to help?
ok, spring changes the version, oauth2-server 0.3.0 will not work with spring 3.0.0, I needed to change ti to 1.0.1 version. I don't know what will spring do tomorrow. :)
Now i follow all steps, but found a response invalid_request. Huuh, i don't know about this error at all.
I am getting error while using BCryptPasswordEncoder instead of NoOpPasswordEncoder. It says Encoded password does not look like BCrypt.
Did u fix it? I have the same problem but I want to use BCryptPasswordEncoder
@@xxxHipHopRap no
@@sadiulhakim7814 I fixed it doing this if u still need it:
@Bean
public RegisteredClientRepository registeredClientRepository() {
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
RegisteredClient r1 = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("myclient")
.clientSecret(passwordEncoder.encode("secret"))........
can anyone tell me how can i generate my own code chanllenge
I got answer. Its totally pkce. We can get it from online and generate our own pkce code
@@jafajarvis324 Hey, could you clarify how? It'll be really helpful, thanks
public static void main(String[] args) throws NoSuchAlgorithmException {
SpringApplication.run(Application.class, args);
String codeVerifier=createCodeVerifier();
log.info("code verifier:"+codeVerifier);
log.info("code_challenge:"+createCodeChallenge(codeVerifier));
}
private static String createCodeChallenge(String value) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
}
private static String createCodeVerifier(){
StringKeyGenerator secureKeyGenerator =
new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
return secureKeyGenerator.generateKey();
}
Dude speaks like a MACHINE (nvm i had it on 1.25x)
🤣🤣
i do the same configuration but when i try to get access token on /oauth2/token it return 404 not found exception
Your issue resolved ?
@@kiranjawale8822 yes the problem was in query params and the Authorization header