Securing Microservices with OpenID Connect and Spring Security 5.1 [Workshop]

Andreas Falk - Novatec Consulting

Have you ever wondered what the heck is OpenID Connect and how it differs from OAuth 2.0? Are Grant Types, Flows, JOSE, JWT or JWK unknown beings for you?

Then this workshop is a great opportunity for you to get to know all these things by getting your hands dirty in code using Spring Security 5.1.

After a short introduction to the basic concepts of OAuth 2.0 and OpenID Connect 1.0, we will take an existing sample Spring Boot application and implement authentication with OpenID Connect (OIDC) in several steps.

During the hands-on part we will cover the following topics:

- Best practices to avoid OWASP Top 10 security risks of broken authentication and access controls
- Usage of a certified OpenID Connect Provider Service
- Insights into the authorization code flow of OAuth 2.0/OpenID Connect
- Basic implementation of a Resource Server
- Authorization with automatically mapped OIDC Scopes
- Custom mapping of OIDC claims to Spring Security roles and authorities
- Realization of an OIDC Login Client
- Extended validation of JWTs
- Differences in OIDC/OAuth 2.0 support for servlet-based and reactive web stacks (during hands-on we will mainly use the servlet-based web stack)

The workshop will be complemented with current best practices in OIDC & OAuth 2.0 and will end with an outlook on what’s coming with the next Spring Security versions 5.2 and 5.3.

Prerequisites: General experience in Java and Spring Boot is expected. For the hands-on part, you’ll need a notebook with JDK 8, 9 or 11 and a Java IDE of your choice.

- Please clone the following git repository: https://github.com/andifalk/oidc-workshop-spring-io-2019.git
- Download JBoss Keycloak server from: https://downloads.jboss.org/keycloak/6.0.1/keycloak-6.0.1.zip