Udemy
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
Turn what you know into an opportunity and reach millions around the world.
Learn More
Your cart is empty.
Keep shopping
[NEW] Spring Security 7 + OAuth2 + JWT + Auth0 + Keycloak
Bestseller
Highest Rated
Rating: 4.8 out of 5(57 ratings)
544 students

[NEW] Spring Security 7 + OAuth2 + JWT + Auth0 + Keycloak

Full Stack Angular + Spring Boot 3 + Microservices Security OIDC, RBAC Social Login CSRF COSRS Pre/Post Authorize POC's
Created byCode Decode
Last updated 4/2026
English

What you'll learn

  • MASTER SPRING SECURITY 7 architecture including Authentication, Authorization, Security Filter Chain, and internal request flow
  • IMPLEMENT USER AUTHENTICATION using UserDetailsService, PasswordEncoder, and database-backed user management
  • UNDERSTAND ROLES vs AUTHORITIES and implement RBAC (Role-Based Access Control) & ABAC in real applications
  • APPLY ENDPOINT LEVEL SECURITY and METHOD LEVEL SECURITY using @PreAuthorize and @PostAuthorize
  • UNDERSTAND REQUEST MATCHERS including Ant, MVC, Regex, and modern Spring Security 6 approaches
  • MASTER OAUTH2 FUNDAMENTALS including actors, scopes, flows, and secure authorization architecture
  • IMPLEMENT AUTHORIZATION CODE FLOW and PKCE FLOW used by modern web and mobile applications
  • IMPLEMENT CLIENT CREDENTIALS FLOW for secure machine-to-machine communication
  • IMPLEMENT REFRESH TOKEN FLOW and understand token lifecycle and security best practices
  • MASTER JWT SECURITY including token structure, claims, signing, verification, and public/private key cryptography
  • IMPLEMENT JWT validation using JwtDecoder and JwtAuthenticationConverter in Spring Boot
  • UNDERSTAND OIDC (OpenID Connect) and how identity layer works on top of OAuth2
  • IMPLEMENT SSO (Single Sign-On) architecture using OAuth2 and OIDC
  • UNDERSTAND CSRF protection and why Spring Security enables CSRF by default
  • IMPLEMENT CORS configuration and understand cross-origin security behavior
  • IMPLEMENT AUTH0 including Applications, APIs, Audience, Roles, and Permissions mapping in JWT
  • IMPLEMENT KEYCLOAK including Realm, Clients, Roles, Groups, and identity provider configuration
  • IMPLEMENT SOCIAL LOGIN using Google and GitHub with OAuth2 / OIDC
  • IMPLEMENT RBAC IN MICROSERVICES using roles and permissions extracted from JWT tokens
  • UNDERSTAND JWT vs OPAQUE TOKENS and when each token strategy should be used
  • DESIGN END-TO-END SECURITY ARCHITECTURE used in real enterprise applications
  • BUILD FULL STACK APPLICATION using Angular + Spring Boot secured with Spring Security
  • BUILD FULL STACK AUTH0 POC implementing login, roles, permissions, and JWT-secured APIs
  • BUILD FULL STACK KEYCLOAK POC implementing realm, clients, roles, and secured microservices
  • IMPLEMENT COMPLETE AUTHENTICATION FLOW from frontend login to secured backend APIs
  • APPLY SECURITY BEST PRACTICES and avoid common mistakes in production systems
  • UNDERSTAND KEYCLOAK vs AUTH0 differences and when to choose each

Course content

35 sections319 lectures13h 24m total length
  • Course Introduction7:52

Requirements

  • Basic knowledge of Java and Spring Boot
  • Basic understanding of REST APIs and HTTP concepts
  • Basic idea of Angular or frontend is helpful but not mandatory
  • No prior knowledge of Spring Security, OAuth2 or JWT required
  • System capable of running Java, IDE and browser

Description

What are we going to cover

Spring Security Basics

  • Master Security

  • Security in Spring Boot & Microservices

  • Why Security for your spring boot app?

  • What is Spring Security?

  • Key Spring Security Concepts

  • Authentication

  • Authorization

  • Servlet Filters

  • What are its alternatives?

  • Security Implementation - Who’s responsibility

  • Let’s get started !

  • Why 401 ?

  • Summary

  • Spring Security: Convention-over-Configuration

  • Key Participants in Authentication Framework

  • Flow of Authentication in Spring Security

  • Spring Security Auto-configured Beans

  • UserDetailsService

  • PasswordEncoder

Spring Security Configuration

  • Introduction to POC 2

  • Overriding Default Configurations

  • Customizing Spring Security Configuration

  • Why Authentication Fails Now

  • Fixing Authentication Step by Step

  • Define User Credentials

  • Adding User to InMemoryUserDetailsManager

  • Defining a PasswordEncoder Bean

  • Why Avoid HTTP Basic Authentication?

User Management

  • User Management

  • User Management Components

  • UserDetails

  • UserDetailsManager

  • User

  • Customising User Details Service

  • POC 3

  • Creating User & Authority Table

  • Mapping User & Authorities table

  • Why Authorities are eagerly fetched

  • Fetch saved Authorities from SecurityContext

Authorization

  • Authorization

  • How Authorization works

  • What are we going to learn

  • GrantedAuthority

  • Difference between Authorities and Roles

  • Authorization implementations level

  • Endpoint Level Authorization

Security Filter Chain

  • Security Filter Chain

  • Defining a Filter Chain

  • Modifying Filter chain

  • Why still 403 ?

  • anyRequest().authenticated()

  • anyRequest().permitAll()

  • anyRequest().hasAuthority()

  • anyRequest().hasAnyAuthority()

  • Role

  • anyRequest().hasRole()

  • anyRequest().hasAnyRole()

  • 401 VS 403

  • anyRequest().access()

  • Advantage of anyRequest().access()

  • Disadvantage of anyRequest().access()

  • anyRequest().denyAll()

Request Matchers

  • Matcher Methods

  • List of All Matcher Methods

  • Request Matcher

  • Request Matcher Methods

  • Real-life analogy

  • How requestMatchers() works in this setting

  • Code Block

Types of Matchers

  • Ant Matcher

  • ANT Matcher Methods

  • Why it was popular

  • Example in Spring Security 5.x

  • Why Deprecated in Spring Security 6+

  • MVC Matcher

  • MVC Matcher Methods

  • Why it was used

  • Regex Matcher

  • regexMatchers()

  • Why use it

  • Dispatcher Type Matcher

  • Purpose - What is DispatcherType

  • Servlet Path Matcher

  • Purpose

  • Is it any relevant in spring boot app?

  • Combining all Matcher methods

Method Level Security

  • Authorization at the method level

  • Where do we stand now?

  • Can Spring Security Be Used in Non-Web Applications?

  • Where Can You Apply Method Security?

  • Why Use Method Security?

  • Role of Authentication in Enabling Method Security

  • Why Not Use permitAll() with Method Security

  • Code snippet

  • Enabling method security

  • New way of enabling Method level Authorization

  • What Happens Behind the Scenes

  • Why Called “Aspect Behind the Scene”?

  • Prevent GOD class with Method level Authorization?

  • Best Practice

  • Priority of Rules: Security Config vs Method-Level Authorization

  • Performance Consideration: Method-Level vs Filter-Level Authorization

  • How Method-Level Security Goes Beyond Filters

  • Multi-line @PreAuthorize for Complex Security Rules

  • Disadvantages of Multi-line rules

  • Moving Beyond SpEL: Bean-Based Security Checks

  • Post Authorize

  • Difference Between @PreAuthorize and @PostAuthorize

Filters in Method Security

  • Pre filter

  • Pre filter - Key Pointers

  • Postfilter - Key Pointers

  • Post Filter Pitfalls

  • PreFilter VS PostFilter

  • @Pre/@PostAuthorize VS @Pre/@PostFilter

OAuth 2 & OIDC Basics

  • OAuth 2 & OIDC

  • Basics

  • Actors/Roles in OAuth2

  • OAuth 2 Flow

  • The OAuth 2.0 Solution

  • Why this is powerful

  • Steps in OAuth 2

  • How to get the token?

  • Heart of how OAuth2 + Spring Security works

  • Grant types

  • Types of Grant types

  • Deprecated Grant types

  • OAuth’s Main Security Principle

  • Why Password Grant Type Is Deprecated

  • Modern Replacement

  • Why Implicit Grant Type Is Deprecated

  • Summary

Authorization Code Flow

  • Authorization Code Flow

  • What Is the Authorization Code Grant Type?

  • Step-by-Step Flow

  • Advantages

  • Disadvantages

Authorization Code Flow with PKCE

  • What is PKCE

  • Why PKCE was introduced

  • The Players

  • Authorization Code Flow with PKCE — Step by Step

  • How PKCE Prevents Attacks

  • How Verifier & Challenge Work

  • Real-World Analogy: The Locker & Key

  • Summary of PKCE Flow

  • Authorization Code vs Authorization Code + PKCE

  • Points to remember

Client Credentials Flow

  • Client Credentials Grant Type

  • What is Client Credentials grant

  • When to use it

  • The Actors

  • Flow (step-by-step)

  • Typical token response

  • Client authentication methods with AS

  • How Scopes → Authorities Mapping Works

  • Scopes & authorities

  • Tokens: JWT vs opaque

  • Security considerations / best practices

  • Pitfalls & gotchas

Refresh Token Flow

  • Refresh Token Grant Type

  • What is a Refresh Token?

  • Why Refresh Tokens Exist

  • Who uses the Refresh Token flow?

  • Refresh Token Grant Type Flow

  • Static (Reusable) Refresh Tokens

  • Rotating (One-time) Refresh Tokens

  • How OAuth2 servers decide

  • What clients must do

  • Key Token Lifetimes

  • Why Refresh Tokens Are Sensitive

  • Refresh Token Flow vs Access Token Flow

Tokens

  • What is opaque token?

  • How opaque token Works?

  • Introspection response

  • Non-opaque tokens vs opaque tokens

JWT

  • JWTs

  • What is a JWT?

  • The basic structure of a JWT

  • How JWT works

  • JWT signing methods

  • Common JWT claims

  • How JWTs are verified

  • Private and Public keys

  • What is /jwks.json?

  • Why JWTs are so popular

  • Limitations / Pitfalls

OIDC

  • OIDC

  • What is OIDC

  • Authorization code flow with PKCE

  • Real-world example (Google Login)

  • Why OIDC exists

  • What OIDC Actually Is

  • Core Components in OIDC

  • ID Token

  • Standard Claims in ID Token

  • OIDC Scopes

  • OIDC Endpoints

  • Benefits of OIDC

  • Common pitfalls

  • Nonce

  • Why Nonce

SSO

  • SSO

  • What is SSO

  • Actors in SSO

  • Steps in SSO

  • Why SSO works

  • Common Pitfalls Of SSO

  • Security benefit of SSO

  • SSO Logout Scenarios

  • Why OAuth2 + OIDC are REQUIRED for SSO

CSRF

  • CSRF

  • What is CSRF

  • Core browser behavior

  • Why CSRF is dangerous

  • How websites stop CSRF

  • Why Spring Security enables CSRF by default

CORS

  • CORS

  • What is CORS

  • Why CORS exists

  • What is an origin

  • CORS Rule

  • Spring Boot CORS config

  • Common CORS mistakes

  • CORS vs CSRF

Full Stack POC

  • Full stack POC

  • Intro to Foodify App

  • UI Of Foodify App POC

  • Backend Of Foodify App POC

  • Auth0 configurations

  • Spring Security Implementation

Auth0

  • What is Auth0

  • Key Components of Auth0

  • What Happens During Login

  • Why Use Auth0

  • MFA

  • Social Login

  • Centralized Identity

  • Developer Productivity

  • When SHOULD you build yourself?

Roles & Permissions

  • What is Authentication vs Authorization?

  • What is OAuth2 / OIDC?

  • Architecture for End to end POC with Auth0

  • What is Application in Auth0?

  • What is API in Auth0?

  • What is Audience?

  • What are Roles?

  • What are Permissions?

  • Roles vs Permissions

  • RBAC

  • Why RBAC is Used

  • Why roles & permissions in JWT?

JWT Processing in Spring Security

  • What is JwtDecoder?

  • What is JwtAuthenticationConverter?

  • What is Authority in Spring?

  • ROLE_ prefix

  • Common Mistakes

Implementation Steps

  • Steps to Implement Spring Security

  • Steps to setup Auth0

  • Steps to add Roles in token

  • What happens in backend

  • FINAL FLOW (END-TO-END)

  • KEY CONCEPTS

  • COMMON MISTAKES

Keycloak

  • Keycloak

  • What is Keycloak?

  • High Level Architecture

  • Core Terminologies

  • Types of Clients

  • Role Types

  • Client Scope

  • Groups

  • Identity Provider (IDP)

  • Flows

  • Keycloak vs Auth0

  • Feature Comparison

  • who should choose Keycloak vs Auth0

Social Login

  • Social Login

  • What is Social Login

  • How Social Login works

  • Benefits of Social Login

  • Configure Identity Providers in Keycloak

  • Google login Steps

  • Github social login steps


Who this course is for:

  • Java developers who want to learn Spring Security deeply
  • Developers building secure REST APIs using Spring Boot
  • Developers preparing for Spring Security interview questions
  • Backend or full stack developers working with microservices
  • Developers wanting hands-on experience with OAuth2, JWT, Auth0, Keycloak
  • Engineers designing secure enterprise applications