
Explore how to implement OAuth 2.0 in Spring Boot applications, from basic flows and access tokens to securing resource servers via scope, role, and API gateway integration.
OAuth 2 is a standard open authorization framework with flows for web and mobile. It lets apps access user data on behalf of users using access tokens, without exposing passwords.
Identify the four OAuth roles—resource owner, client, resource server, and authorization server—and explain how tokens are issued to apps logging in with user-owned data through providers or self-hosted servers.
Explore the evolution of OAuth 2.0 in Spring Security 5, from the deprecated Spring Security OAuth to the new authorization server options, including Keycloak and Spring Authorization Server.
Explore how OAuth 2.0 client types work in Spring Boot: confidential vs public clients, how they store secrets, register with the authorization server, and choose appropriate flows.
Discover how OAuth 2.0 issues access tokens after user consent and how resource and authorization servers validate them. Distinguish identifier tokens from self-contained JWTs.
OpenID Connect adds an identity layer to OAuth 2.0, delivering an ID token with user information alongside the access token and exposing the user info endpoint.
Explore the various OAuth 2.0 grant types for acquiring access tokens, including authorization code, client credentials, PKCE, and refresh token grants, plus deprecated options and device scenarios.
Learn the authorization code grant, redirects, state verification, and exchanging codes for access tokens, with the PKCE-enhanced authorization code flow for apps that cannot securely store secrets.
Demonstrate the authorization code flow by sending an HTTP GET to the authorization server with response_type=code, client_id, state, scope, and redirect_uri, then obtain the authorization code.
Exchange an authorization code for an access token via an HTTP POST to the token endpoint, supplying grant_type, client_id, client_secret, code, and redirect_uri.
Master the PKCE-enhanced authorization code flow: generate a code verifier and code challenge, use the S256 code challenge method, and exchange the authorization code for an access token together with the verifier.
Generate a PKCE code verifier for OAuth 2.0 in Spring Boot applications as a random, URL-safe string of 43 to 128 characters, from which the code challenge is derived for the token exchange.
Learn to generate the PKCE code challenge in Spring Boot by creating a code verifier, encoding it in ASCII, hashing it with SHA-256, and Base64URL-encoding the digest to secure the authorization request.
Explore PKCE by generating a code verifier and code challenge, crafting an authorization request to the endpoint with openid scope, then exchanging the authorization code for an access token.
Demonstrate exchanging an authorization code for an access token using PKCE with an HTTP POST to the token endpoint, including client credentials, code, redirect_uri, and code_verifier.
Demonstrate using Postman to obtain an OAuth 2.0 access token with the client credentials grant type by posting to the token endpoint and requesting the email scope.
Explore how the password grant flow retrieves an access token (and refresh token) from the authorization server with user and client credentials via a POST request, for apps without redirects.
Refresh an expired access token with a refresh token from the authorization server to obtain a new access token and, optionally, a new refresh token for accessing a resource server.
Demonstrate how to request an access token with a non-expiring refresh token using the password grant and the offline_access scope in Keycloak OpenID Connect.
Demonstrate refreshing an access token using a refresh token with a Postman HTTP POST request to the token endpoint, including the grant type, client credentials, and the refresh token.
Download the standalone Keycloak server from keycloak.org, unzip the zip archive, and relocate the Keycloak directory for use with OAuth 2.0 in Spring Boot applications.
Start the Keycloak standalone server from the bin folder with ./kc.sh start-dev to run in development mode (with live reloading and simplified logging) on port 8080, and stop with Ctrl+C.
Create an initial admin user to log in to the Keycloak admin console, then create a realm, add users, and register a client application; admin credentials must not be used by clients.
Log in to the administration console with the initial admin user and access master realm. Create a new realm to host regular users as a separate tenant and manage them.
Configure a new OAuth 2.0 client in Keycloak for a Spring Boot app by creating an OpenID Connect client, choosing public or confidential, enabling authorization, and setting redirect URIs.
Generate or regenerate the client secret for an OAuth client, copy the client id from the credentials tab, and preview or regenerate the secret after enabling client authentication in settings.
Follow an updated OAuth 2.0 authorization code flow using Keycloak and Postman to obtain an access token and ID token, validating redirect URIs, client credentials, and the openid and profile scopes.
Enable or disable specific OAuth 2.0 authentication flows for a Spring Boot application in Keycloak by adjusting the capability config, selecting PKCE methods, and saving changes.
Configure a Spring Boot application as an OAuth 2.0 resource server to protect user resources with access tokens issued by an authorization server.
Create a new resource server by generating a Maven Spring Boot project on start.spring.io, adding Spring Web and OAuth 2 resource server dependencies, then unzip and open the project.
Import a resource server Maven project into Spring Tools Suite or any Java IDE, browse for the project, finish, and start working.
Create a REST controller annotated with @RestController in a Spring Boot app, map GET /users/status/check to return 'working', and note that an OAuth resource server requires authentication for all endpoints by default.
Configure the resource server to validate access tokens using the issuer URI or the public key endpoint via the jwk set URI, ensuring the Keycloak realm matches the authorization server.
Run a Keycloak authorization server and a resource server, obtain an access token via the authorization code flow, and access the protected endpoint with a bearer token.
Access the full JWT and its claims in Spring Boot using the @AuthenticationPrincipal annotation, exposing a /token endpoint that returns a map with the principal and the JWT object.
Demonstrate the OAuth 2.0 authorization code flow against a Spring Boot resource server: obtain an access token and use it as a bearer token to retrieve the JWT with its claims.
Learn scope-based access control in OAuth 2.0 for Spring Boot, including authorization, consent, access tokens, and the OpenID Connect scopes openid, profile, and email.
Create a web security configuration class that configures HttpSecurity for a resource server, using a SecurityFilterChain bean and Spring Boot annotations.
Configure HttpSecurity to require authentication for all requests, declare the app as an OAuth 2.0 resource server, and expect JWT tokens using the default Spring Security settings.
Enforce scope-based access in a Spring Security resource server by restricting GET /users to access tokens that carry the profile scope, using request matchers and token validation.
Configure a Spring Boot resource server to enforce explicit scopes, remove the default profile access, and protect /users/status/check. Demonstrate obtaining a token through the authorization code flow and testing access with and without the profile scope.
Request an authorization code with the profile scope, exchange it for an access token, and use it to access the resource server's /users/status endpoint.
Explain how roles and authorities work in Spring Boot, how a role is a collection of authorities, and how to configure the resource server to validate user roles.
Create a new realm role in Keycloak and assign it to a user via the role mapping, naming it developer and saving the changes.
Secure a Spring Boot endpoint for a specific role using hasRole or hasAnyRole, and convert the roles in the JWT access token into granted authorities with a converter class.
Create a Keycloak role converter that reads claims from the access token's JWT and maps roles to granted authorities for Spring Boot OAuth 2.0 apps.
Decode a JWT to extract realm access roles and convert them into granted authority objects in a Spring Boot OAuth 2.0 app, using jwt.io and Postman for debugging.
Convert roles from a JWT claims map into a collection of SimpleGrantedAuthority objects by prefixing each role with ROLE_ and returning an empty list if the map is empty.
Register a JwtAuthenticationConverter with HttpSecurity by creating a converter instance, wiring a custom authority converter (Keycloak role converter), and applying it to security configuration to run the app.
Demonstrate OAuth 2.0 in Spring Boot by exchanging authorization codes for access tokens and enforcing developer versus user role checks on the status check endpoint.
Learn method-level security in Spring Boot apps by using security annotations at method and class level, with @PreAuthorize and @PostAuthorize expressions for role-based or ownership checks.
Enable global method security in a Spring Boot app by annotating a configuration class, and enable the @Secured annotation with securedEnabled = true to protect controller and service methods.
Secure a DELETE endpoint with @Secured, using a path variable for the user id. Enforce the developer role via an authority name carrying the ROLE_ prefix, and test it with access tokens.
Enable pre-authorization checks in Spring Boot by turning on prePostEnabled in @EnableGlobalMethodSecurity and annotating methods with @PreAuthorize. Use security expressions like hasRole and hasAuthority, noting that hasRole automatically prefixes ROLE_.
Enhance security with a @PreAuthorize annotation that allows the developer role or the profile owner to delete a user, by comparing the path variable id with the JWT subject from the authentication object.
Explore how the @PreAuthorize annotation guards a Spring Boot resource server by enforcing a developer role or record ownership using a JWT access token obtained through the authorization code flow.
Create a GET user endpoint for the @PostAuthorize annotation, replacing the DELETE mapping with a GET mapping and returning user details via a response model with first name, last name, and id.
Acquire an access token via the authorization code flow, inspect the token to extract the user id, and test protected endpoints that use the @PostAuthorize annotation in a Spring Boot resource server.
Learn to place multiple resource servers behind a single API gateway with Spring Cloud Gateway, securing requests with OAuth 2.0 tokens obtained from an identity provider via the password grant.
Create a Spring Boot API gateway project with Spring Initializr, add Spring Cloud API Gateway and DevTools to enable fast restarts and routing of requests to microservices.
Import the Spring Cloud API gateway project into Spring Tool Suite by selecting existing Maven projects, browsing to the project folder, finishing the import, then building and running it.
Configure OAuth 2.0 in Spring Boot by starting Keycloak, a resource server, and an API gateway; obtain an authorization code and exchange it for an access token.
Demonstrate how Spring Cloud Gateway routes HTTP requests to two resource servers, albums and photos, by importing two Maven projects. Ports 8090 and 8091 host /photos and /albums respectively.
Configure the Spring Cloud API gateway to route requests to the albums and photos resource servers via routes in application.properties, using ports 8091 and 8090 and the paths /albums and /photos.
Discover how the Eureka discovery service lets microservices register themselves and expose IP addresses and ports as they scale. See how the API gateway uses Eureka to balance load.
Create a Spring Boot Eureka discovery service project using Spring Tool Suite, add Netflix Eureka client and server dependencies, and understand how Eureka can act as both client and server.
Configure a Spring Boot Eureka server by adding the @EnableEurekaServer annotation, moving the application name to bootstrap properties, and disabling registration and registry fetch for a single instance.
This video course is for beginner Java developers who are interested in learning how to secure OAuth 2.0 Resources in Spring Security 5.
The course covers only the new OAuth 2.0 stack in Spring Security 5.
You will learn how to:
Perform each OAuth 2 authorization flow,
Authorization Code,
PKCE-enhanced authorization code,
Client credentials,
Password credentials.
Start up and configure the Keycloak server,
Configure an OAuth 2 Resource Server,
Start up multiple Resource Servers on random port numbers,
Configure Spring Cloud API Gateway,
Configure and use Eureka Registry and Discovery Service,
Build a simple Spring MVC Web Application that fetches data from a protected Resource Server running behind Spring Cloud API Gateway.
Implement a simple JavaScript application that uses the PKCE-enhanced authorization code flow to acquire JWT access tokens and communicate with a protected Resource Server,
Learn how to refresh an expired JWT access token,
Learn to implement scope-based access control,
Learn how to implement role-based access control,
OAuth social login with Facebook, Google, and Okta accounts,
Implement Keycloak remote user authentication (User Storage SPI),
New Spring Authorization Server version 0.2.2
This is a step-by-step video course that explains how to use OAuth 2 from the very beginning. If you do not have experience with OAuth and would like to learn how to use it in Spring Boot Web Applications, then this video course is for you.