Implementing an OAuth 2 authorization server with Spring Security - the new way! by Laurentiu Spilca

Captions
Thank you very much, everyone. I'm so nervous to be here in a room full of people, so let's start it with a traditional selfie, if you want, but for this one I would like to see all your hands up. Hands up, hands up. Okay, and now say "Barcelona". Yeah, that's it. Cool, thank you very much.

So I'm not only nervous because it's maybe the first presentation I have with so many people after two years of pandemic, but also because of the fact that I see that people still consider security an important aspect. Security is, whether I say it or not, whether others say it or not, a paramount component that we should take into consideration from the very beginning of building a system, and it's great that a lot of you, I see more and more people, attend security presentations. Maybe it's because people remember December 2021 or something. Okay, my mic. Okay. Oh, excellent.

So let's start with the beginning. Security is important, and I'm not going to discuss today about security in general; I'm going to discuss about a specific part, a specific component of Spring Security that created quite a fuss in the past couple of years, and I will explain why. By the way, how many of you already know about the authorization server from Spring Security? So, quite some people. I will explain for the others why this is a fuss. But before, let's go very, very fast through who I am, because I'm pretty sure you didn't come here for me, and if you did, then I'm still going to be here the next couple of days, plus the beer event. Most people know me because of my YouTube channel; you can subscribe or follow me on social media. Some others know me because of the couple of books I wrote, and I'm actually writing a third one now. It will be renamed into probably "Troubleshooting Java Apps", because it's about profiling and debugging, but that's another story. I prepared for you a paper copy of my second book for one of you, so if you want you can scan that QR code. I only need your full name and email address, and for the email address I can assure you that I will delete the data right after the presentation to be GDPR compliant, and the email addresses will not be shown anywhere, so I will be the only one to see them. In case anyone missed it, I will put the code also at the very end. And I don't have only this book; I also have about 15 vouchers plus 10 tickets to DevTalks Bucharest, where I moderate the Java stage, but they will be given at the end of the conference, at the closing session.

Cool. Spring Security, and even more than Spring Security, the authorization server project, is basically the subject we discuss today. It created a lot of fuss, for those of you who don't know, because a couple of years ago we used to build authorization servers, resource servers and everything that's part of what we call OAuth in general using the project that is called, what's called now is deprecated, Spring Security OAuth. So the project has been deprecated meanwhile, and while a part of the functionality has been implemented, built into Spring Security itself, like the resource server, the login, the client, the authorization server hasn't actually been put anywhere. So by deprecating the Spring Security OAuth project, the part of the community who was actually building custom authorization servers with Spring didn't have any more a chance to use a project that is not deprecated. So basically you had the possibility to use a third party such as Keycloak if you want something open source, maybe you could use something like Okta or some other provider, again a third party; you could implement it from scratch; you could use a deprecated project; but there were no other solutions. So what happened is that about one year ago the Spring Security team started implementing a new authorization server to be compliant with OAuth 2 and OpenID Connect, which is a protocol over OAuth 2.

So I basically do expect that you have some knowledge about OAuth 2 and OpenID Connect for this presentation. I will not go into all the details, but what we will do is we will build together the simplest possible authorization server using this solution, which is now, starting yesterday, version 0.3.0, and I will use the latest version even though it was released yesterday, so in case you see me failing, that might be a reason. And even if it's 0.3.0, so we start with a 0, the major version is 0, that doesn't mean it's not production ready. It has been declared production ready starting with version 0.2.0, which is about six months ago. And the reason... First of all, in case you will need them, I will put the slides on Twitter afterwards, but I wanted to make a bit of marketing for the project as well. Maybe some of you want to write some code for open source; then it would be highly appreciated by the community if you can put your work there. And secondly, you don't have to read that, it's just a print screen from one of the links that you have seen previously. I wanted just to mention that 0.2.0 started to be considered production ready, but the reason it is zero is not because you shouldn't use it in production; it is because it's not aligned yet with Spring's policies. So it will be aligned with Spring's policy starting with version 1. Meanwhile you need to be careful, because whenever something changes here, so when 2 changes to 3 for example, as stated in the policy, you might have breaking changes in between. So that's very important to know if you do choose to start using this project at the moment: you have to be careful and attentive and knowledgeable about the policies, so do read it in detail after the conference if you want and have the time. But I wanted to mention this as being, from my perspective, the most important aspect of the policy. And you can see here that less than 24 hours ago we got version 0.3.0. It's not even published officially on Maven yet, but I will show you how to take it.

But before trying it, let's make sure that we discuss just a few of the contracts, and then of course while coding them I will explain what we do. We will test the authorization server using the simplest but maybe the most relevant grant type in OAuth, which is the authorization code grant type, very quick. We will use the PKCE version, and that means that we will send a verifier and a challenge on the calls, this one basically and this one that requests the token. And the idea is very simple: so the user wants to use something from the client, the client redirects the user to the authorization server, this is what we build, the authorization server sends a code called the authorization code, the client uses the authorization code to get the access token, which, in case you use OpenID Connect, is the ID token, and then you get a token, and then the client can access the resources on the resource server, which is basically the back end. So it's the simplest and the most known of the flows. We will use JSON Web Token, which is theoretically not mandatory to use as a token, but to be honest with you it's 100 percent what we use today when we discuss OAuth 2 and OpenID Connect. And about the contracts, you will see me coding a RegisteredClient and the RegisteredClientRepository, which are basically the contracts that the authorization server uses to recognize the client details, everything that's related to client details. In the previous project, did anyone here use Spring Security OAuth, the previous project? Okay, so in that project we named this the ClientDetails and the ClientDetailsService, which are basically synonymous to UserDetailsService and UserDetails, that are the users' contracts from Spring Security. Now they are called the RegisteredClient and the RegisteredClientRepository. We will need to use the ProviderSettings, that gives the details about the endpoints for the authorization server, and, in case and most likely, we use an asymmetric key pair, we will need to provide the JWKSource, which is basically the object, the bean, Spring will use, and the project really uses behind the scenes, to define the key pair.

So let's try it actually, because I don't want to bother you a lot. I'm just going to... yeah, go. First of all, okay, a lot of you already registered; we'll take that at the end. So this is the page of the project, this is the announcement for 0.3.0 yesterday, 25th of May. If you go to Maven you will see 0.3.0 is not even here yet, but trust me, it will work, so we will be able to use 0.3.0. And that being said, I think we can just go and start our presentation. Let's create a Spring project. How do we call it? So "authorization-server", on spring.io. We use Java 17, which is the latest long-term supported, and then we will only need the Web dependency and the Spring Security dependency. We don't have the possibility of using a reactive approach yet, in case you are wondering. By the way, if you have questions please just raise your hand, so do interrupt me if you have any question; you don't have to wait up to the end of the presentation, just ask. And we create the project, and of course first of all we don't have a starter yet for Spring Boot, we will have to add the dependency from Maven, so what I'm going to do is I'm going to take this one from here, but I will use 0.3.0. So copy it here and use 0.3.0. I'm usually reloading projects so that I'm sure all the jars will be downloaded; I am in my local repository. And then we will start by defining the configuration classes, so I'm usually creating a config package for that, and in the config package the first important thing is to make sure that we have the user details, because the authorization server authenticates the user, so you need the users, and for the users fortunately we have Spring Security, so we don't have to use something special, it's just the UserDetails and UserDetailsService contracts you already know.

And we will call it WebSecurityConfig. So here in the WebSecurityConfig, which is a configuration class, so I'm going to put a @Configuration annotation, I'm going to say UserDetailsService and add the @Bean, and then I'm going to use a new in-memory user. Of course usually you would get them from a database or something, but let's make things simple, so just say a user with username "bill", some password, I will use plain text again just to make sure we have the time to create everything. We need at least an authority, otherwise it will fail, and then we build the UserDetails. So what else do we need? Well, we do need actually a UserDetailsService, and I'm going to use the InMemoryUserDetailsManager for that and return it. So this is nothing special, this is only normal Spring Security. Of course the PasswordEncoder: I will use the PasswordEncoder as the NoOpPasswordEncoder, which is not something you are allowed to use in a production application. So in a production application you'd probably use BCrypt or something similar, but again, to avoid having to encode the password here, to make the demonstration, I will use the NoOpPasswordEncoder, which is marked as deprecated and crossed with a line because you shouldn't use it; it's not encoding anything. What else do we need here? So we also need the SecurityFilterChain. SecurityFilterChain, for those of you who are not aware yet: we don't use any more "extends WebSecurityConfigurerAdapter". That was the approach up to maybe three months ago or something like that. Maybe some of you are accustomed to that: you were extending WebSecurityConfigurerAdapter and then you were overriding the configure method. What we do now is we define a SecurityFilterChain bean, and we will just... yeah, this HttpSecurity will be provided from the context, so I'll call it "http", HttpSecurity http. What does it say here? "Could not find beans"? No, no, no, don't trust it, it's only IntelliJ; trust me, that one is working. And what we do here is say http.formLogin(), because we will need a page that the authorization server provides to the user when it's redirected; now you have to put your username and password there. And say authorizeRequests() and just say anyRequest() should be authenticated(), and build(). And of course this one throws an exception, so we put it up there. So that's the simplest for just having the users.

And now, same as we have users, we need to have the client credentials, which is the client, the contracts I was showing you earlier on the slide. You go here and you say AuthorizationServerConfig, let's call it like this, and then it's a configuration class, and then what we will have to do is basically, because now we do use Spring Boot, but this is not yet mature enough to be part of Spring Boot, that's why as I said earlier there is not a 1 in front of the version, we will have to manually declare the configurations with an additional filter that we will define basically in the same way. We don't need all these actually, but what I'm going to do is use a utility class that's provided by the project which has the static method applyDefaultSecurity. So in the future we expect this will not be needed anymore, it will be somehow hidden by Spring Boot, but for the moment we don't have another chance; we need to apply it ourselves, and to make sure it's correctly applied I will even place it as being the highest precedence @Order. Okay, and now that we applied the configurations for the authorization server we need to have the RegisteredClient and the RegisteredClientRepository. So let's do that: say public RegisteredClientRepository registeredClientRepository, which will be in the Spring context, and we know we need a RegisteredClient, and we create this one pretty easily in a builder approach, with id. This is not a client ID, so it's a bit strange, but this is an internal identifier, so I'm going to simply use just a random unique identifier for this. The client ID, which is the external ID, is basically what the client will use to identify itself, so these are the username and the password of the client, which we call a client ID and client secret; we can simply leave them like this. What else do we need here? So we need a grant type of course, and we said that we are going to test the authorization code grant type. We need an authentication method, and this one is mandatory for the authorization code grant type, and I will use HTTP Basic. We need a scope of course, so I will just choose one of the scopes from OpenID Connect, let's say openid, and of course we need the redirect URI; let's just put here spring.io, and I think that's everything we need. Of course that page doesn't exist, but we don't care, because we'll be able to see that it redirects to the page, and we will copy the authorization code manually and then put it in Postman to check the whole flow. So we just return here a new InMemoryRegisteredClientRepository. Again, usually this information would come from a database. The contracts are very simple, so if you go here you will see that there are three methods that you would basically have to override, and you implement it with JPA, with JDBC, with whatever you want there to get the information you need. So it's pretty simple. Everything is based on interfaces, based on contracts. I'm here using some implementations provided by the project, very simple for a demonstration like this one; in the real world it would be the same, easy, because you would just have to code an implementation of this interface and tell the project where to take the client information from.

What else do we need? So I just said I need the client, and then of course I need the keys and I need the ProviderSettings. So the ProviderSettings is the easiest. The ProviderSettings, which I think in the future will also be part of Spring Boot anyway, that means this bean will not necessarily be customized all the time; you will just have to add it only if you want to change one of the endpoints. So just say ProviderSettings.builder().build(), which is the default, so we get the defaults. If you go into the ProviderSettings what you will see is that it defines basically the token endpoint, the JWKS endpoint, the authorization endpoint, the issuer, all the endpoints needed by the OAuth 2 specification or the OpenID Connect protocol specification. So that's why I'm defining this bean, but again it's only needed... so I need now to define it because I don't have someone putting it for me, but in the future probably it will be auto-configured by Spring Boot, and then I will have to put this one only if I literally want to change the endpoints myself for some reason. And then the JWKSource is what I need. Okay, this is the key source, so I cannot skip this one, otherwise I would not have a key pair to sign the tokens, the JWT tokens; we will need that asymmetric key pair that we will define. So how do we create the JWKSource? It's a simple interface again, very simple, a method with two parameters, and what it requires is basically you apply, sorry, the other way around, is that you apply the JWK set, which is basically called the key set, and I define the key set here, which is the collection of keys, because you can have multiple keys, multiple key pairs. So that's why I need a set and I don't need only one key. And then of course I need to define the key, because this key set is just a collection, it doesn't have the keys. So to do that I usually prefer to separate... am I missing something here? It's only this. Yeah, this is the same problem, but I'm pretty sure it's on IntelliJ. Anyway, so I'm going to define a separate class, let's say a "keys" package, and then I can call it, say, KeyManager, and in the KeyManager, which is basically only a very simple normal @Component, I have a method that gives me an RSAKey, which is not this RSAKey actually, it's a different one, it's this one. Okay, so let me actually add a "return null" here for the moment and go back to completely finalize this class. So not public, private final KeyManager, it's called in my case keyManager, I have the final constructor, Lombok could be good here, and then I say keyManager.rsaKey(). That's basically how I'm just adding a key in the set, so I have a set with one item that's defining the key source. Pretty easy. Now of course I have to finish the implementation. So how do I do that? KeyPairGenerator is the easiest way probably to generate an RSA key pair; if you know a better one, let me know, but that's how I know. The java.security package I always found ugly because of these checked exceptions and because of the way it's using the code, but that's not our purpose for today's talk. Let me just do here "throw new RuntimeException", and of course never use RuntimeException like I do here, so this is not production-ready code. What do I need? I do need to initialize the key, I do need to generate a key pair, this is the key pair, and then of course what we know here is that we have a public key which should be of type RSAPublicKey, and of course I'll say private key for the other one of the pair. So we call it publicKey, but I will again have to do something very ugly, I don't like it: I will have to actually cast the public and the private key from the key pair, but it will work because I know I generate an RSA key. Just to spend time to add the instanceof and stuff like that... but again, don't do that in your production code. So privateKey, private key, and the same I will do here, just a small cast, and it's working. "private", otherwise it's not working. And we return an RSAKey; it's actually an instance, and let's use the builder based on the public key, private key, and we need a key identifier as well. I can literally put anything here, but let's do it like this, and of course build(), because it's a builder. Too ugly; let's put it... okay, better now. That's basically everything, so if version 0.3.0 works as expected, I hope it does, this should work as well. So, not really. So I have... oh, this is easy. I just copy-pasted it, see, copy-paste programming, never do that. So I just copy-pasted the same name here, so just change the name of the bean, because otherwise you can't have multiple beans with the same name in the context. Okay, and it's working, so the assumption that this problem here is IntelliJ is right.

And now what shall we do is just... I prepared the links here, because I don't want to write them. I will use the authorize endpoint, so what the client does is, when the user needs to access, and maybe going back to my diagram again, so here it is: so when the user needs to access something, the client redirects, this is a redirect to the page of the authorization server, so that's "authorize", that's the first link you see there, and then the second link you see there is this one, because once we get the code, the authorization code, after logging in, we will call the token endpoint and then we get the access token, and then the access token is basically what the resource server can use. Okay, that's why we need the two links, and because they are quite long I didn't want to actually write them by hand now. But the idea is very simple, so let me explain the links step by step. They are according to the OAuth 2 specification, for which you can find the RFC. On the authorize endpoint we specify the response_type "code", which actually means the authorization code grant type is the intention; of using the grant, the authorization code grant type. Then we use the client_id, which we named "client"; we tell the authorization server who we are, which is the application that's creating the intent. Then the scope, and of course the scope should be one of the supported scopes, but if I remember correctly it is, so that's what I've added. So "client", "secret", authorization code, authentication via HTTP Basic, openid and spring.io; this information needs to be correct. So openid, then spring.io, OAuth, and the code_challenge, which is part of PKCE. So what happens here, going back to my diagram, what happens here is that when we send the authorize call, what we send is a hash, a SHA-256 hash over some random string. So what the client does is generate a 32-byte string and then it hashes it. The first string, the randomly generated one, is called the verifier; the second one is the challenge. Here we send the challenge, we send a hashed string, so if someone intercepts this call they will get the string, but being hashed, you know that the hash function is not reversible, so that means even if I intercept this call I cannot get the verifier; I don't know how to get the verifier, because I cannot reverse the SHA-256. So then when I do the second call I send the verifier, which is the unhashed string, the one randomly generated, and that's how I prove that I am the same client who initiated this call. Otherwise someone could go in between the calls and get the token, which is something we don't want, because it's called the bearer token for a reason: it is because if you have the token you can do anything you want. Okay, so that's basically why I have this challenge. I previously generated them to save some time now, because I tend to talk a lot; it's already half an hour gone. And then we have the method, the hashing method, because you can have here "plain", but that's something that I don't even understand why it exists. So you can have here "plain", meaning you have the verifier and the challenge being the same string, but that would mean you can still intercept them and get a token. So that's S256. And then when we will use the token endpoint, you will again have the client, you have the redirect URI, you have the grant_type authorization_code, that's what we do, we have the authorization code that we got by calling the authorize endpoint, and we have the code_verifier, which is the unhashed version. So this is the hash of this one, hashed and Base64 encoded. Okay, so that's basically it.

So let me actually copy now this one. How do I copy it more easily here? Can I... and put it in the browser. Okay, it asks me to log in. You see the normal form login; that's why I configured form login. So what was it? "bill" and "12345". Let's check to make sure, because I'm an old man. Ah, "bill", "12345". Okay, that should work. Sign in, and of course 404, because spring.io doesn't have that page, which is what we expected, but if you look here we see that indeed we got the code. So that's the authorization code. Okay, so I'm just simply copying the authorization code. I can use it only once; even if I fail I will not be able to use the authorization code again. So when I'm going to the POST here, which is basically the endpoint you've seen, I'm just going to replace this code with my new one, I'm going to press the Send button, and what you see in the response is the access token. I only have the access token and the ID token. I have the ID token because I'm using one of the OpenID scopes; I still have the access token because OpenID Connect is built on top of OAuth 2. I don't have a refresh token because I didn't configure the refresh token grant type, but if I would configure the refresh token grant type I would have here also a refresh token I can use. And if you want to take a deeper look into this token, you can simply use, I like to use, jwt.io and paste it here, and that's basically... so you see in the header the key ID, the algorithm and some details that are also customizable. I won't show now how to customize it, but you can trust me it's customizable; the way the token looks is customizable. And the key ID, this key ID is basically the key ID that we set, that random unique identifier. But what you can do to prove that the token has the key, is indeed the key pair identified with this key ID, "e8326", is: if you go here in the well-known endpoint of the OpenID configuration, where you see all the endpoints, one of the endpoints should be the keys, the key set endpoint; this is the one. So I'm going to copy it and call it, and you see "e8326". Yeah, probably not very easy for you to spot it, but I can do something like this. So this is the same key ID as we have in the header of the token. So basically this is what I wanted to show you. Okay, this opened in the browser, and this is the future for what we call the authorization server.

So I didn't see any questions throughout the talk, although, okay, two of them. Let's take them in order. Okay, order of those, keep in mind. So I have a question here, no, second row here. Okay, the microphone please. Meanwhile, before the question, this is a discount code for any Manning product if you want to use it; I will put it afterwards if you want on the presentation. And again for this book, as well as for the other vouchers that we will give at the closing session, I have the other code that I will basically leave here for the rest of the presentation while I'm answering the questions.

Yeah, so one question: "My question is about the code actually. You had two configurations. In one configuration with the SecurityFilterChain you did the http formLogin enable, and then you had a second configuration where you did again http formLogin enable. Is this on purpose, or why do you need to enable the form login two times?"

That's a good question actually. To be honest, I'm not sure if you need to put the form login twice. So, just to understand why we have those two methods: one of them applies the authorization server configurations, that will be hidden sometime in the future, and you will only have to create your own filter. Okay, cool.

And we had a question there in the back, I guess. Yes: "So, the role of the JWKSource, what is the role of the JWKSource?"

To sign the tokens we need a key pair, an RSA key pair, which is composed of the public and the private key. An authorization server can configure multiple keys; so sometimes we configure multiple keys to rotate the keys we use to sign the tokens, so we will have multiple key pairs that are used. The private key is used to sign the token; the public key is what you saw when we called the endpoint, and it's what the resource server uses to validate that the signature is correct. The key source is the bean that the authorization server uses to get all the keys, so the entire key set, so it's the manager of the key set, of the set of the keys. So when we create the key source, the authorization server will use the key source; the key source contains the set of all the key pairs, and in our case we only added one key for the demonstration.

Very good question. So I didn't get into that detail indeed, but the resource server needs to validate somehow the token. So the question is how does the resource server know how to validate the token. Well, when we generated the token, we saw that in the header we have the key ID, so what the resource server actually does is it takes the key ID from the header and then calls the key set endpoint, which offers the set of all the public keys, so here we have only the public part of the key, and identifies the key using the key ID. Okay, thank you.

Also, yes, one question here, or you can shout. I think it already has an introspection endpoint, but to be honest with you, I did write some code for this project, but in the past months I didn't have the time to do that anymore, so I'm a little bit deprecated with absolutely everything that has been deployed, so I don't want to say anything wrong, but we can check here. So they have the userinfo, and I'm not sure we have an introspection endpoint, but I'm pretty sure if it isn't already, which again I don't know for sure, it will be. Okay, thank you.

Other questions? We have a question there. Okay, so: "The token, JWT, has the 'none' algorithm for signing, and it has a vulnerability. Is it easily supported by default?" So I'm sure... sorry, to the question, so you say the JWT token has a vulnerability? "Yeah, it has one claim, alg, which basically states what signing algorithm should be used, for the RS..." Yes. "Yeah, so basically if you pass down 'none' it should ignore the third part of the token. Is it easily supported by default?" So I'm pretty sure it should be supported, I have to mention I didn't test that, but I would be surprised if it isn't, because if you intercept the token then basically, yeah, I understand, you just can quit the signature and then it will be considered valid. So I'm pretty sure that's not the case with the new authorization server. Okay, thanks. Thank you. Although we had problems even in Log4j in December, so who knows, can't be sure about anything.

Yes, we have the refresh token actually, and we have possibilities to configure them. I didn't show, I can quickly show you, where you have the client, where you define the RegisteredClient. So here you have clientSettings and tokenSettings, so these two methods basically allow you to set all the settings you need on the token and on the client. Yeah, exactly. So on the token settings here, if you use TokenSettings you will see that you can even define the expiration time, refresh token time to live, access token time to live. Of course you don't have everything complete yet, because it's version 0.3.0, so I expect some of the things, even things that you had in the Spring Security OAuth deprecated project, are not there yet, but they will be. Yes. Ah, thank you. Okay, thank you.

"So I can see that we are at a very early stage of this project. I'm wondering why we are restarting this initiative for an authorization server, and is there going to be any additional value when comparing to current solutions like Keycloak, Okta, etc.?"

Yeah, very good question, thank you very much. So the fact that it's being restarted is not something I can answer about, because I'm not leading this project, I'm just a committer on the project, so I don't want to answer that for the team. But I'm pretty sure, first of all, above Keycloak and other solutions, yes, it's the only way you can easily implement your own custom authorization server. So in terms of what they do, well, you basically still have the same OAuth 2 specification implemented and OpenID Connect protocol implemented, so it won't bring something new above that, but it is the way you can easily implement your own authorization server without needing at all a third party, because that's the idea of the project, and that's why it was requested by the community. I'm not sure again why it was restarted and they didn't continue on the existing one; probably because on that one you had to add a lot of functionality for OpenID Connect and OAuth 2, and maybe it made a lot more sense to simply have it from scratch and deprecate completely the existing one, but I don't want to answer for the team on that. Thank you very much.

Yes, one more question. Again, I'm not sure I can answer that, but as a developer, and as a software consultant, and as a security enthusiast, I do encourage security audits frequently, so I can't say if the team plans or not to have that, but I can encourage them publicly to do that, especially because I've entered the GitHub just a few moments ago, and, well, what was it, so we have some CVEs already here reported by GitHub, so you know what I mean. Cool, thank you.

For the moment only programmatically, because being version 0.3.0, the latest, it's not supported by Spring Boot, but probably when version 1, the major version 1, will be introduced, you will have the beans that I've configured manually, the default configuration, as part of Spring Boot, and then we will have properties in the properties or YAML file.

Okay, any other curiosities or discussions? Otherwise I will just take two more minutes to find out who gets this book, and for the other prizes I will leave them for the closing session. And if you want to discuss more with me on any topic, as I said, you can find me on social media, live on YouTube very frequently, and today and tomorrow here, including the beer event in the evening. So I will go now to the page that displays your names, guys. I have hidden on purpose the email addresses to be GDPR compliant. So we have, starting with 4 and ending with, oh my god, oh my god, 178. So 4 to 178, because the first two are my tests. 4 to 178, oh sorry, so 4 to 178, and we have number 120. So number 120 is Luis, Luis Thompson. Okay, I will find you here after the presentation, Luis. Thank you very much. [Applause] Since there are no other questions, then I say thank you very much everyone for watching the presentation. Muchísimas gracias, merci, obrigado.
Info
Channel: Spring I/O
Views: 40,903
Id: DaUGKnA7aro
Length: 44min 51sec (2691 seconds)
Published: Tue Sep 13 2022