The document discusses OAuth2 and Spring Security. It provides an overview of OAuth2 concepts including the four main roles (resource owner, resource server, client, and authorization server), four common grant types (authorization code, implicit, resource owner password credentials, and client credentials), and how to implement OAuth2 flows in Spring Security. Sample OAuth2 applications using Spring Security are also mentioned.
JavaCommunity, 8/14/2015, @halyph

5. OAuth2 Roles
◦ Resource Owner – the user
◦ Resource Server – the API
◦ Client Application – the third-party application
◦ Authorization Server – the auth API (may be co-located with the Resource Server)
6. Role of Client Application
◦ Register with the Authorization Server (get a client_id and maybe a client_secret)
◦ Do not collect user credentials
◦ Obtain a token (opaque to the client) from the Authorization Server
  ◦ On its own behalf – client_credentials
  ◦ On behalf of a user – authorization_code (or implicit)
◦ Use it to access the Resource Server
7. Role of Resource Server
1. Extract the token from the request (the Authorization: Bearer header) and decode it if it is self-contained (e.g. a JWT), or look it up / introspect it at the Authorization Server if it is opaque
2. Make the access control decision on
  ◦ Scope
  ◦ Audience (was the token issued for this Resource Server?)
  ◦ User account information (id, roles etc.)
  ◦ Client information (id, roles etc.)
3. Send 403 (FORBIDDEN) if the token is valid but not sufficient (e.g. a missing scope); a missing, expired or otherwise invalid token gets 401 with a WWW-Authenticate: Bearer challenge instead (RFC 6750 §3)
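The three steps above as runnable code. This is an added example, not code from the slides or from Spring Security OAuth: the token lookup table stands in for an introspection call to the Authorization Server (the tokens, scopes, audiences and the resource id "api" are constructed), and the 401/403 split with the WWW-Authenticate challenge follows RFC 6750.

```python
import time

RESOURCE_ID = "api"  # this Resource Server's audience identifier (assumed)

# Constructed lookup table standing in for token introspection at the Authorization Server.
# Opaque tokens cannot be decoded by the Resource Server; they have to be looked up.
TOKEN_STORE = {
    "RsT5OjbzRn430zqMLgV3Ia": {"active": True, "scope": "email profile", "aud": ["api"],
                               "sub": "alice", "client_id": "web-app", "exp": 2_000_000_000},
    "expiredTok": {"active": True, "scope": "email", "aud": ["api"],
                   "sub": "bob", "client_id": "web-app", "exp": 1_000_000_000},
    "tokenForBilling": {"active": True, "scope": "email", "aud": ["billing"],
                        "sub": "carol", "client_id": "web-app", "exp": 2_000_000_000},
}

def extract_bearer(headers):
    """Pull the token out of 'Authorization: Bearer <token>'; None if absent or another scheme."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None

def bearer_challenge(error=None, scope=None):
    """Build the WWW-Authenticate header value defined by RFC 6750 §3."""
    value = f'Bearer realm="{RESOURCE_ID}"'
    if error:
        value += f', error="{error}"'
    if scope:
        value += f', scope="{scope}"'
    return value

def authorize_request(headers, required_scope, now=None):
    """Access-control decision for one request.
    Returns (status, response_headers, principal); principal is None unless status is 200."""
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:                       # no usable credential: 401 with a plain challenge
        return 401, {"WWW-Authenticate": bearer_challenge()}, None
    info = TOKEN_STORE.get(token)           # step 1: look the opaque token up
    if (info is None or not info["active"] or info["exp"] <= now
            or RESOURCE_ID not in info["aud"]):
        # unknown, revoked, expired, or issued for another resource: 401 invalid_token
        return 401, {"WWW-Authenticate": bearer_challenge("invalid_token")}, None
    granted = set(info["scope"].split())    # step 2: scope check
    if required_scope not in granted:       # valid token, but not enough for this endpoint: 403
        return 403, {"WWW-Authenticate": bearer_challenge("insufficient_scope", required_scope)}, None
    # step 2 continued: hand user and client information to the application layer
    return 200, {}, {"sub": info["sub"], "client_id": info["client_id"], "scope": sorted(granted)}
```

The audience check is the one most often skipped: a token that is perfectly valid for the "billing" API must still be rejected here, otherwise one leaked token opens every Resource Server behind the same Authorization Server.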
8. Role of the Authorization Server
1. Compute token content and grant tokens
2. Interface for users to confirm that they authorize the Client to act on their behalf
3. Authenticate users (/authorize)
4. Authenticate clients (/token)
#1 and #4 are covered thoroughly by the spec; #2 and #3 are not (for good reasons: RFC 6749 leaves how users are authenticated and how consent is presented to the deployment).
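What #1 and #4 look like in code: an added example (not from the slides and not Spring Security OAuth's implementation) of the /token endpoint handling the authorization_code and client_credentials grants. The client registry, the in-memory code and token stores, the lifetimes and the client ids and secrets are all constructed assumptions; #2 and #3 are represented only by issue_code, which is what /authorize would call once the user has logged in and consented.

```python
import hmac
import secrets
import time

# Constructed client registry: client_id -> (client_secret, registered redirect_uri).
CLIENTS = {
    "web-app": ("s3cret", "https://example.com/auth"),
    "batch-job": ("b4tch", None),   # confidential client that only uses client_credentials
}
AUTH_CODES = {}   # code -> record; constructed in-memory store
TOKENS = {}       # access_token -> record; constructed in-memory store
CODE_TTL = 60     # authorization codes are short-lived and single use (RFC 6749 §4.1.2)
TOKEN_TTL = 3600

def issue_code(client_id, redirect_uri, user, scope, now=None):
    """Called by /authorize after the user has been authenticated and has consented (#2, #3)."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                        "scope": scope, "expires": now + CODE_TTL, "token": None}
    return code

def authenticate_client(client_id, client_secret):
    """#4: authenticate the client at /token; constant-time compare of the secret."""
    entry = CLIENTS.get(client_id)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode(), (client_secret or "").encode())

def grant_token(client_id, user, scope, now):
    """#1: mint an opaque token and record what it stands for (the Resource Server looks this up)."""
    token = secrets.token_urlsafe(24)
    TOKENS[token] = {"client_id": client_id, "user": user, "scope": scope, "expires": now + TOKEN_TTL}
    body = {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}
    if scope:
        body["scope"] = scope
    return token, body

def token_endpoint(form, now=None):
    """Handle the form-encoded POST to /token. Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    client_id = form.get("client_id")
    if not authenticate_client(client_id, form.get("client_secret")):
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        rec = AUTH_CODES.get(form.get("code"))
        if rec is None or rec["expires"] < now:
            return 400, {"error": "invalid_grant"}
        if rec["token"] is not None:
            # Replayed code: refuse it and revoke the token it already produced.
            TOKENS.pop(rec["token"], None)
            return 400, {"error": "invalid_grant"}
        # The code is bound to the client that requested it and to the redirect_uri used.
        if rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}
        token, body = grant_token(client_id, rec["user"], rec["scope"], now)
        rec["token"] = token
        return 200, body
    if grant == "client_credentials":
        # The client acts on its own behalf; no user is attached to the token.
        _, body = grant_token(client_id, None, form.get("scope", ""), now)
        return 200, body
    return 400, {"error": "unsupported_grant_type"}
```

The replay branch is the part worth copying: a second redemption of the same code does not just fail, it also revokes the token the first redemption produced, which is what RFC 6749 §4.1.2 asks for because a replayed code usually means it was stolen from the redirect.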
9. OAuth 2.0 Grant Flows
Authorization code grant flow
◦ Web-server apps – authorization_code
Implicit grant flow
◦ Browser-based apps – implicit
◦ Mobile apps – implicit
Resource owner password credentials grant flow
◦ Username/password access – password
Client credentials grant flow
◦ Application access – client_credentials
(This mapping reflects 2015 practice. Later guidance, RFC 8252 for native apps and the OAuth 2.0 Security Best Current Practice, is to use authorization_code with PKCE (RFC 7636) for browser-based and mobile apps as well, and to avoid the implicit and password grants.)
12. Authorization code grant flow (Cont)
◦ Create a “Log In” link
◦ Link to:
https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
◦ Also send a random, per-session state parameter and check it when the user comes back; RFC 6749 §10.12 requires CSRF protection on the redirect URI and state is the standard way to do it
13. Authorization code grant flow (Cont)
◦ The user visits the authorization page
https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=everydaycity.com&scope=email
◦ On success, the user is redirected back to your site with the auth code
https://example.com/auth?code=AUTH_CODE_HERE
◦ On error, the user is redirected back to your site with an error code
https://example.com/auth?error=access_denied
14. Authorization code grant flow (Cont)
◦ Your server exchanges the auth code for an access token (a server-to-server, form-encoded POST over TLS; the client_secret never reaches the browser)
POST https://graph.facebook.com/oauth/access_token
Post Body:
grant_type=authorization_code
&code=CODE_FROM_QUERY_STRING
&redirect_uri=REDIRECT_URI
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
◦ Your server gets a response like the following
{
  "access_token":"RsT5OjbzRn430zqMLgV3Ia",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"e1qoXg7Ik2RRua48lXIV"
}
or, if there was an error,
{
  "error":"invalid_request"
}
17. Implicit grant flow (Cont)
◦ Create a “Log In” link
◦ Link to:
https://facebook.com/dialog/oauth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email
18. Implicit grant flow (Cont)
◦ The user visits the authorization page
https://facebook.com/dialog/oauth?response_type=token&client_id=2865368247587&redirect_uri=everydaycity.com&scope=email
◦ On success, the user is redirected back to your site with the access token in the URL fragment (RFC 6749 §4.2.2 names the parameter access_token and adds token_type; the fragment is never sent to your server, only script on the page can read it)
https://example.com/auth#access_token=ACCESS_TOKEN&token_type=bearer
◦ On error, the user is redirected back to your site with an error code
https://example.com/auth#error=access_denied
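The Client side of both redirect-based flows (slides 12 to 14 and 17 to 18) in one place. This is an added example, not code from the slides: it builds the “Log In” link with the state parameter, parses the redirect back (query string for the code flow, fragment for implicit), and for the code flow exchanges the code at the token endpoint. The Facebook endpoint URLs and the slides' sample values are reused; CLIENT_SECRET, the redirect URI and stub_token_endpoint (which stands in for the real POST so the example runs offline) are constructed assumptions.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://facebook.com/dialog/oauth"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"      # assumed; lives only on the server
REDIRECT_URI = "https://example.com/auth"  # assumed; must match what was registered

def new_state():
    """Random per-login value bound to the user's session; checked on the way back."""
    return secrets.token_urlsafe(16)

def login_link(response_type, state, scope="email"):
    """Build the 'Log In' link. response_type is 'code' (authorization code) or 'token' (implicit)."""
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_redirect(url, expected_state):
    """Interpret the URL the user came back on.
    The code flow puts its parameters in the query string; implicit puts them in the
    fragment, which the browser never sends to the server (only page script sees it).
    Returns ('code', code), ('token', {...}) or ('error', error_code)."""
    parts = urlsplit(url)
    params = parse_qs(parts.fragment if parts.fragment else parts.query)
    flat = {k: v[0] for k, v in params.items()}
    if flat.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF, discard this response")
    if "error" in flat:
        return "error", flat["error"]
    if "access_token" in flat:
        return "token", {"access_token": flat["access_token"],
                         "token_type": flat.get("token_type"),
                         "expires_in": int(flat["expires_in"]) if "expires_in" in flat else None}
    if "code" in flat:
        return "code", flat["code"]
    raise ValueError("redirect carried neither code, token nor error")

def token_request_body(code):
    """The form-encoded body of the server-side POST to the token endpoint."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET})

def parse_token_response(status, body_text):
    """Accept only a 200 with a bearer token; surface the error object otherwise."""
    body = json.loads(body_text)
    if status != 200 or "error" in body:
        raise RuntimeError(f"token endpoint error: {body.get('error', status)}")
    if str(body.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return body

def stub_token_endpoint(body):
    """Constructed stand-in for POST https://graph.facebook.com/oauth/access_token."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("code") == "AUTH_CODE_HERE" and form.get("client_secret") == CLIENT_SECRET:
        return 200, json.dumps({"access_token": "RsT5OjbzRn430zqMLgV3Ia", "token_type": "bearer",
                                "expires_in": 3600, "refresh_token": "e1qoXg7Ik2RRua48lXIV"})
    return 400, json.dumps({"error": "invalid_grant"})

def run_code_flow(redirect_url, state, post=stub_token_endpoint):
    """Slides 13 and 14 end to end: redirect in, token (or error) out."""
    kind, value = parse_redirect(redirect_url, state)
    if kind != "code":
        return kind, value
    status, text = post(token_request_body(value))
    return "token", parse_token_response(status, text)
```

Swap stub_token_endpoint for a real HTTP POST (e.g. urllib.request with the same body and a Content-Type of application/x-www-form-urlencoded) and the rest is unchanged; the state check in parse_redirect is what stops an attacker from logging you into their account by luring you onto a redirect URL that carries their code.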
30. References
OAuth
◦ The OAuth 2.0 Authorization Framework (RFC 6749)
◦ http://oauth.net/2/
◦ OAuth Bible by @Nijikokun
◦ An Introduction to OAuth 2 by Aaron Parecki
◦ Single-Page-Application & REST security by Igor Bossenko
Videos
◦ O'Reilly Webcast: An Introduction to OAuth 2 by Aaron Parecki
◦ David Syer (lead of Spring Security OAuth)
  ◦ Security for Microservices with Spring and OAuth2
  ◦ Webinar Replay: A Single-Page Application with Spring Security and Angular JS
  ◦ Data Modelling and Identity Management with OAuth2
◦ Les Hazlewood (Stormpath founder and CTO, Apache Shiro)
  ◦ Token Authentication for Java Applications
Sample Apps
◦ https://github.com/spring-projects/spring-security-oauth/tree/master/tests/
◦ https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2
◦ https://github.com/dsyer/spring-security-angular/
OAuth and Spring
◦ https://speakerdeck.com/dsyer/security-for-microservices-with-spring