Securing OAuth 2.0 Resources in Spring Security 5.0

October 4, 2018

The OAuth 2.0 Authorization Framework is elaborate, with several nuances and subtleties that can make it overwhelming for implementers. Its strength and flexibility have propelled it to an industry standard, and organizations quite often look to frameworks to ensure a correct implementation. Spring Security 5.0 marked the beginning of the Spring Security team's long-term mission to simplify Spring's support for OAuth 2.0. Last year it began with OAuth 2.0 Login over OpenID Connect 1.0, and this year that journey continues with additional OAuth 2.0 Client features and the first release of OAuth 2.0 Resource Server support. In this talk, we'll take a look at two insecure applications, a web application and a REST API, and integrate both with an OAuth 2.0 Authorization Server. The first will feature Spring Security's most recent OAuth 2.0 Client feature set and the second its newly released Resource Server support. For the web application, we'll configure the client to use the Authorization Code Grant flow. For the REST API, we'll configure the resource server for JWT support, OAuth2-specific authorization expressions, and JWK set resolution. Finally, we'll put it all together, logging into our application and retrieving a secure resource.

Speakers: Josh Cummings, Principal Software Engineer, Pivotal; Joe Grandja, Staff Software Engineer, Pivotal

Filmed at SpringOne Platform 2018
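As an added illustration of the resource-server side the abstract outlines (JWT support, scope-based authorization expressions and JWK set resolution), here is a Spring Security 5.1 configuration of that kind. It is example code written for this page, not code from the talk or from the Spring Security project. It assumes the `spring-security-oauth2-resource-server` and `spring-security-oauth2-jose` modules are on the classpath; the JWK Set URL, the `/messages` endpoints and the `message:read` / `message:write` scope names are placeholders.

```java
// Added example, not from the talk or from Spring Security's own sources.
package com.example.resourceserver;

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholder: the authorization server's JWK Set endpoint. It publishes the
    // public keys the resource server uses to verify the signature of each
    // incoming JWT access token, so no shared secret has to be deployed here.
    private static final String JWK_SET_URI = "https://idp.example.com/.well-known/jwks.json";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // OAuth2-specific authorization: every scope carried in the token is
                // mapped to a granted authority prefixed with "SCOPE_" (the 5.1 default),
                // so least privilege is enforced per endpoint and per HTTP method.
                .antMatchers(HttpMethod.GET, "/messages/**").hasAuthority("SCOPE_message:read")
                .antMatchers(HttpMethod.POST, "/messages/**").hasAuthority("SCOPE_message:write")
                // Anything else still needs a valid token; nothing is open by accident.
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    // JWK set resolution: keys are fetched from the endpoint and matched
                    // to the token's "kid" header, so the issuer can rotate keys without
                    // a redeploy of this service. A token whose signature does not verify,
                    // or that has expired, is rejected with 401 before any handler runs.
                    .jwkSetUri(JWK_SET_URI);
    }
}

// A protected endpoint that reads claims from the validated token. With JWT support
// enabled, the authenticated principal is the decoded Jwt itself.
@RestController
class MessagesController {

    @GetMapping("/messages")
    public String messages(@AuthenticationPrincipal Jwt jwt) {
        // "sub" identifies the resource owner the token was issued for.
        return "Messages for " + jwt.getSubject();
    }
}
```

With Spring Boot 2.1 the same JWK Set URL can instead be supplied as the `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` property, in which case the `jwkSetUri(...)` call is not needed. The web application from the first half of the talk is the other side of this exchange: it is configured as an OAuth 2.0 Client with `http.oauth2Login()` and a `spring.security.oauth2.client.registration.*` entry for the Authorization Code Grant, obtains an access token from the authorization server, and presents it as a bearer token when calling this API.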
