YouTube video: https://www.youtube.com/watch?v=ym-OPn4e_nQ
When I first started working at Okta, I refactored JHipster's OAuth support to move from authentication on the client to the server, leveraging Spring Security. This allowed for easier client integration since we didn't need to worry about finding an OIDC client for each frontend framework.
Fast forward four years and JHipster's OAuth 2.0 and OIDC support is first-class! It uses Keycloak in a Docker container by default, but it's easy to switch to another identity provider (IdP) thanks to Spring Boot. Other blueprints like Micronaut, Quarkus, Node.js, and .NET support OAuth and OIDC too!
This presentation explains what OAuth 2.0 and OIDC are, gives an overview of JHipster’s OAuth implementation, and provides three quick demos with Keycloak, the Okta CLI, and Heroku.
See https://developer.okta.com/blog/tags/jhipster for Okta + JHipster tutorials and screencasts!
You also might enjoy my What the Heck is OAuth? blog post:
https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
JHipster and Okta - JHipster Virtual Meetup December 2020
1. Matt Raible | @mraible
December 1, 2020
JHipster and
Photo by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw
2. Who is Matt Raible?
Father, Husband, Skier, Mountain Biker, Whitewater Rafter
Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and developer.okta.com/blog
14. Hotel Key Cards, but for Apps
[Diagram labels: OAuth Authorization Server, Access Token, Resource (API)]
15. Delegated Authorization with OAuth 2.0
“I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only.”
[Screenshot: yelp.com with a “Connect with Google” button]
16. Delegated Authorization with OAuth 2.0
[Screenshots: yelp.com “Connect with Google” button; accounts.google.com sign-in (Email, password); accounts.google.com consent prompt “Allow Yelp to access your public profile and contacts?” (No / Yes); redirect back to yelp.com/callback; Yelp then calls contacts.google]
23. Tokens
Access Token (Required)
• Short-lived token used by Client to access Resource Server (API)
• Opaque to the Client
• No client authentication required (Public Clients)
• Optimized for scale and performance
• Revocation is dependent on implementation
Refresh Token (Optional)
• Long-lived token that is used by Client to obtain new access tokens from Authorization Server
• Usually requires Confidential Clients with authentication
• Forces client to rotate secrets
• Can usually be revoked
OAuth doesn’t define the format of a token!
24. Access Token Types
Self-encoded tokens
Protected, time-limited data structure agreed upon between Authorization Server and Resource Server that carries metadata and claims about the identity of the user or client over the wire.
Resource Server can validate the token locally by checking the signature, the expected issuer name, and the expected audience or scope.
Commonly implemented as signed JSON Web Tokens (JWTs)
Reference tokens (aka opaque tokens)
Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server
Resource Server must send the identifier via a back-channel call to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine whether the token is valid and to obtain its claims/scopes
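The local validation a resource server performs on a self-encoded token, as an added Python example (not code from the slides, JHipster, or Spring Security). It assumes an HS256 token signed with a shared secret so that it runs offline; the secret, issuer URL and audience value are made up for the example. Real deployments normally use an asymmetric algorithm (RS256/ES256) with keys fetched from the issuer’s JWKS endpoint, but the order of checks is the same: pin the algorithm, verify the signature before trusting any claim, then check issuer, audience, expiry and scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC secret standing in for the
# authorization server's signing key, plus an assumed issuer and audience.
SECRET = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com/"
EXPECTED_AUDIENCE = "api://blog"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Produce an HS256-signed JWT, i.e. what the authorization server would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_token(token, secret=SECRET, issuer=EXPECTED_ISSUER,
                   audience=EXPECTED_AUDIENCE, required_scope=None, now=None):
    """Local validation of a self-encoded token.
    Returns (claims, None) on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None, "bad header"
    # Pin the algorithm: the token must never choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return None, "bad signature"
    if not hmac.compare_digest(expected, presented):
        return None, "bad signature"
    # Only after the signature checks out do we parse and trust the payload.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None, "bad payload"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    scope = claims.get("scope", "")
    scopes = scope if isinstance(scope, list) else scope.split()
    if required_scope and required_scope not in scopes:
        return None, "insufficient scope"
    return claims, None
```

A reference (opaque) token would skip all of this: the resource server has nothing to verify locally and must call the authorization server’s introspection endpoint instead, which is why self-encoded tokens scale better and opaque tokens revoke more cleanly.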
25. OAuth 2.0 Authorization Code Flow
[Diagram: Resource owner, Client (yelp.com), Authorization Server (accounts.google.com), Resource Server (contacts.google)]
1. Resource owner clicks “Connect with Google” on yelp.com
2. Client sends the browser to the authorization server (Redirect URI: yelp.com/cb, Response type: code)
3. Resource owner signs in at accounts.google.com (Email, password) and answers the consent prompt “Allow Yelp to access your public profile and contacts?” (No / Yes)
4. Browser is sent back to the redirect URI (yelp.com/callback) with an authorization code
5. Client exchanges the code for an access token
6. Client talks to the resource server (contacts.google) with the access token
26. OAuth 2.0 and OpenID Connect
[Diagram: OpenID Connect layered on top of OAuth 2.0, which is layered on top of HTTP]
OpenID Connect is for authentication
OAuth 2.0 is for authorization
27. OIDC Authorization Code Flow
[Diagram: Resource owner, Client (yelp.com), Authorization Server (accounts.google.com), Resource Server (contacts.google)]
1. Resource owner clicks “Connect with Google” on yelp.com
2. Client sends the browser to the authorization server (Redirect URI: yelp.com/cb, Scope: openid profile)
3. Resource owner signs in at accounts.google.com (Email, password); authorization server requests consent from the resource owner: “Allow Yelp to access your public profile and contacts?” (No / Yes)
4. Browser is sent back to the redirect URI (yelp.com/callback) with an authorization code
5. Client exchanges the code for an access token and an ID token
6. Client gets user info with the access token from the /userinfo endpoint (contacts.google) and greets the user: “Hello Matt!”
28. Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
29. OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
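The client side of the authorization code flow from slides 25 and 27, written the way OAuth 2.1 requires it, as an added Python example (not code from the slides, JHipster, or Spring Security): PKCE on every request, a state value tied to the login attempt, a nonce for the ID token, and an exact string match on the redirect URI before the callback is trusted. The authorization endpoint and client ID are made up for the example; the redirect URI is Spring Security’s default pattern for a client registration named oidc. The token exchange itself is a back-channel POST, so the example only builds the request body for it.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed values for this example; the slides name no concrete IdP endpoints.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "blog-client"
# Spring Security's default redirect URI pattern for a registration named "oidc".
REDIRECT_URI = "http://localhost:8080/login/oauth2/code/oidc"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """code_verifier: 43-128 unreserved chars; code_challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(scope="openid profile", verifier=None, state=None, nonce=None):
    """Return the authorize URL plus the per-login values the client must keep server-side."""
    verifier = verifier or make_pkce_pair()[0]
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",        # authorization code flow; implicit is gone in 2.1
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                 # "openid" turns OAuth 2.0 into OIDC and yields an ID token
        "state": state,                 # ties the callback to this attempt (CSRF defence)
        "nonce": nonce,                 # echoed in the ID token; binds it to this request
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", pending


def handle_callback(callback_url, pending):
    """Validate the redirect back to the client and build the token request body.
    Returns (token_request_form, None) or (None, reason)."""
    parts = urlsplit(callback_url)
    # Exact string match on the redirect URI: no prefix, wildcard or path tricks.
    if urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) != REDIRECT_URI:
        return None, "redirect_uri mismatch"
    q = parse_qs(parts.query)
    if "error" in q:
        return None, f"authorization error: {q['error'][0]}"
    if q.get("state", [None])[0] != pending["state"]:
        return None, "state mismatch"
    code = q.get("code", [None])[0]
    if not code:
        return None, "missing code"
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],  # proves we started this flow
    }, None


def server_checks_pkce(stored_challenge, presented_verifier):
    """What the authorization server does at the token endpoint before releasing tokens."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)
```

Because the code_verifier never leaves the client until the back-channel token request, an attacker who intercepts the authorization code on the redirect cannot redeem it; that is what makes the code flow safe for public clients without a client secret.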
30. JHipster’s OAuth Implementation
Leverages Spring Security’s OAuth and OIDC Support
Creates an AuthorizationHeaderFilter for Zuul
Supports Spring WebFlux and Spring Cloud Gateway
Creates a LogoutResource that returns an ID Token and a Redirect URI
Creates a Docker configuration and pre-configured users for Keycloak
33. How to use another Identity Provider (IdP)
Create a groups claim and add it to the ID token
Add groups named ROLE_ADMIN and ROLE_USER
Register an OIDC app at your IdP with JHipster’s Redirect URI
Override the default settings with environment variables
export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"
https://www.jhipster.tech/security/#oauth2
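How the groups claim described above turns into application roles, and a check that the three override settings are actually present, as an added Python example (not JHipster’s own Java code). It assumes the claim is named groups as the slide says and that only entries already named ROLE_ADMIN or ROLE_USER (the ROLE_ prefix) count as authorities; any other group a directory might return is ignored.

```python
# Environment variable names from the slide; the values are what a JHipster app reads.
REQUIRED_IDP_SETTINGS = (
    "SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI",
    "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID",
    "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET",
)


def missing_idp_settings(env: dict) -> list:
    """Return the override variables that are unset or empty in the given environment."""
    return [name for name in REQUIRED_IDP_SETTINGS if not env.get(name, "").strip()]


def extract_authorities(id_token_claims: dict, claim_name: str = "groups") -> list:
    """Map the groups claim of a decoded ID token to Spring Security-style authorities.
    Assumption of this example: only ROLE_-prefixed names are authorities, so a
    directory group such as "Everyone" is dropped rather than granted."""
    raw = id_token_claims.get(claim_name, [])
    if isinstance(raw, str):      # some IdPs emit a single value rather than a list
        raw = [raw]
    return sorted({g for g in raw if isinstance(g, str) and g.startswith("ROLE_")})


def is_admin(id_token_claims: dict) -> bool:
    return "ROLE_ADMIN" in extract_authorities(id_token_claims)
```

If the groups claim is missing from the ID token (for example because it was added to the access token instead), the user signs in successfully but ends up with no roles, which is the most common symptom when wiring up a new IdP.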
35. JHipster with Keycloak
mkdir blog-oauth2
cd blog-oauth2
jhipster jdl blog-oauth2
docker-compose -f src/main/docker/keycloak.yml up -d
./mvnw
open http://localhost:8080
36. JHipster with Okta CLI
take blog-oauth2
jhipster jdl blog-oauth2
# Install Okta CLI using cli.okta.com
okta apps create # select Web > JHipster
source .okta.env
./mvnw
open http://localhost:8080
37. JHipster with Heroku + Okta
take blog-oauth2
jhipster jdl blog-oauth2
jhipster heroku # Yes, provision the Okta add-on
open https://<heroku-app-url>
38. JHipster Tutorials on developer.okta.com/blog
Better, Faster, Lighter Java with Java 12 and JHipster 6
Java Microservices with Spring Cloud Config and JHipster
Mobile Development with Ionic, React Native, and JHipster
Build a Secure Micronaut and Angular App with JHipster
https://developer.okta.com/blog/tags/jhipster