
JHipster and Okta - JHipster Virtual Meetup December 2020

YouTube video: https://www.youtube.com/watch?v=ym-OPn4e_nQ

When I first started working at Okta, I refactored JHipster's OAuth support to move from authentication on the client to the server, leveraging Spring Security. This allowed for easier client integration since we didn't need to worry about finding an OIDC client for each frontend framework.

Fast forward four years and JHipster's OAuth 2.0 and OIDC support is first-class! It uses Keycloak in a Docker container by default, but it's easy to switch to another identity provider (IdP) thanks to Spring Boot. Other blueprints like Micronaut, Quarkus, Node.js, and .NET support OAuth and OIDC too!

This presentation explains what OAuth 2.0 and OIDC are, gives an overview of JHipster's OAuth implementation, and provides three quick demos with Keycloak, the Okta CLI, and Heroku.

See https://developer.okta.com/blog/tags/jhipster for Okta + JHipster tutorials and screencasts!

You also might enjoy my What the Heck is OAuth? blog post:

https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth



  1. JHipster and Okta. Matt Raible | @mraible, December 1, 2020. Photo by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw
  2. Who is Matt Raible? Father, Husband, Skier, Mountain Biker, Whitewater Rafter, Bus Lover. Web Developer and Java Champion. Okta Developer Advocate. Blogger on raibledesigns.com and developer.okta.com/blog. @mraible
  3. developer.okta.com
  4. Today's Agenda: What the Heck is OAuth 2.0 and OIDC?; JHipster's OAuth Implementation; 3 Quick Demos (Keycloak, Okta CLI, Heroku)
  5. What the Heck is OAuth 2.0 and OIDC?
  6. The Delegated Authorization Problem: How can you let a website access your data (without giving it your password)?
  7. Don't do it this way!
  8. Have you ever seen one of these?
  9. © Okta and/or its affiliates. All rights reserved. Okta Confidential
  10. Hotel Key Cards, but for Apps
  11. Hotel Key Cards, but for Apps (diagram: the OAuth Authorization Server issues an Access Token, which the app presents to the Resource (API))
  12. Delegated Authorization with OAuth 2.0: "I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only." (yelp.com: Connect with Google)
  13. Delegated Authorization with OAuth 2.0 (diagram): yelp.com "Connect with Google" → accounts.google.com login (Email / password) → accounts.google.com consent: "Allow Yelp to access your public profile and contacts? No / Yes" → redirect to yelp.com/callback → Yelp calls contacts.google
  14. OAuth 2.0 Terminology: Actors, Clients, Authorization Server, Resource Server, Access Tokens, Redirect URI
  15. Actors: the Resource Owner (RO) delegates to the Client; the Client obtains a token from the Authorization Server (AS) and uses the token at the Resource Server (RS)
  16. Actors (repeat of slide 15)
  17. Clients: Public (client identification only) and Confidential (client authentication)
  18. Client Registration
  19. Authorization Server endpoints: Authorize Endpoint (/oauth2/authorize), Token Endpoint (/oauth2/token), Introspection Endpoint (/oauth2/introspect), Revocation Endpoint (/oauth2/revoke). The client presents an Authorization Grant (or a Refresh Token) to the token endpoint and receives an Access Token.
  20. Tokens. OAuth doesn't define the format of a token!
     Access Token (required):
       • Short-lived token used by the Client to access the Resource Server (API)
       • Opaque to the Client
       • No client authentication required (Public Clients)
       • Optimized for scale and performance
       • Revocation is dependent on implementation
     Refresh Token (optional):
       • Long-lived token used by the Client to obtain new access tokens from the Authorization Server
       • Usually requires Confidential Clients with authentication
       • Forces the client to rotate secrets
       • Can usually be revoked
  21. Access Token Types.
     Self-encoded tokens: a protected, time-limited data structure agreed upon between the Authorization Server and the Resource Server that carries metadata and claims about the identity of the user or client over the wire. The Resource Server can validate the token locally by checking the signature, the expected issuer name, and the expected audience or scope. Commonly implemented as signed JSON Web Tokens (JWT).
     Reference tokens (aka opaque tokens): an infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server. The Resource Server must send the identifier over a back channel to the Authorization Server's token introspection endpoint to determine whether the token is valid and to obtain its claims/scopes.
  22. OAuth 2.0 Authorization Code Flow (diagram): (1) the resource owner clicks "Connect with Google" on yelp.com; (2) the client sends the browser to the authorization server (accounts.google.com) with Redirect URI yelp.com/cb and Response type: code; (3) the resource owner logs in (Email / password) and consents ("Allow Yelp to access your public profile and contacts? No / Yes"); (4) back to the redirect URI (yelp.com/callback) with an authorization code; (5) the client exchanges the code for an access token; (6) the client talks to the resource server (contacts.google) with the access token.
  23. OAuth 2.0 and OpenID Connect: OpenID Connect is layered on OAuth 2.0, which is layered on HTTP. OpenID Connect is for authentication; OAuth 2.0 is for authorization.
  24. OIDC Authorization Code Flow (diagram): the same steps as the OAuth flow, but the authorization request carries Scope: openid profile; the authorization server requests consent from the resource owner; the code is exchanged for an access token and an ID token; the client gets user info from accounts.google's /userinfo endpoint with the access token and greets the user ("Hello Matt!").
  25. Does OAuth 2.0 feel like a maze of specs? https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
  26. OAuth 2.1 to the rescue! https://oauth.net/2.1
     • PKCE is required for all clients using the authorization code flow
     • Redirect URIs must be compared using exact string matching
     • The Implicit grant is omitted from this specification
     • The Resource Owner Password Credentials grant is omitted from this specification
     • Bearer token usage omits the use of bearer tokens in the query string of URIs
     • Refresh tokens for public clients must either be sender-constrained or one-time use
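Slides 22, 24 and 26 together describe the authorization code flow and the OAuth 2.1 rules that harden it. The program below is an added example, not code from the slides or from JHipster: a toy authorization server and a toy client run the flow in-process, with PKCE (S256) demanded of every client, exact-string redirect URI comparison, a state check on the callback, and single-use authorization codes. The client id web_app and the redirect URI http://localhost:8080/login/oauth2/code/oidc are assumed to match a JHipster registration; every other value is constructed at run time.

```python
"""Authorization code flow with PKCE, run in-process (added example)."""
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "http://localhost:8080/login/oauth2/code/oidc"  # assumed JHipster default


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """code_verifier (kept by the client) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    def __init__(self, registered: dict[str, str]) -> None:
        self.registered = registered        # client_id -> its one registered redirect URI
        self.pending: dict[str, dict] = {}  # issued code -> data the code is bound to

    def authorize(self, params: dict[str, str]) -> str:
        """Authorize endpoint: validate the request, return the redirect URL carrying a code."""
        client_id = params.get("client_id", "")
        if client_id not in self.registered:
            raise ValueError("unknown client")
        # OAuth 2.1: exact string comparison, no prefix or pattern matching
        if params.get("redirect_uri") != self.registered[client_id]:
            raise ValueError("redirect_uri mismatch")
        if params.get("response_type") != "code":
            raise ValueError("only response_type=code is supported (no implicit grant)")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE S256 code_challenge is required for every client")
        code = secrets.token_urlsafe(24)
        self.pending[code] = {"client_id": client_id, "redirect_uri": params["redirect_uri"],
                              "code_challenge": params["code_challenge"]}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form: dict[str, str]) -> dict:
        """Token endpoint: code + code_verifier -> access token; the code is single use."""
        bound = self.pending.pop(form.get("code", ""), None)  # removed even if the exchange fails
        if bound is None:
            raise ValueError("invalid, expired or already-used code")
        if bound["client_id"] != form.get("client_id") or bound["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("code was issued to a different client or redirect_uri")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, bound["code_challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


class Client:
    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.state: str | None = None
        self.verifier: str | None = None

    def start_login(self) -> dict[str, str]:
        """Build the authorization request the browser is redirected with."""
        self.state = secrets.token_urlsafe(16)
        self.verifier, challenge = make_pkce_pair()
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": "openid profile", "state": self.state,
                "code_challenge": challenge, "code_challenge_method": "S256"}

    def handle_callback(self, redirect_url: str) -> dict[str, str]:
        """Parse the redirect, check state, and build the back-channel token request."""
        query = parse_qs(urlparse(redirect_url).query)
        if query.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: this client did not start that login (CSRF)")
        return {"grant_type": "authorization_code", "code": query["code"][0],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "code_verifier": self.verifier or ""}


def run_flow() -> dict:
    """Happy path: front-channel redirect with a code, then back-channel exchange."""
    auth_server = AuthorizationServer({"web_app": REDIRECT_URI})
    client = Client("web_app", REDIRECT_URI)
    redirect_url = auth_server.authorize(client.start_login())
    return auth_server.token(client.handle_callback(redirect_url))


if __name__ == "__main__":
    print(run_flow())
```

Note that the token endpoint pops the code before checking the verifier, so a failed PKCE attempt burns the code rather than leaving it available for a second try, and that a redirect URI differing by as little as a trailing slash is rejected, which is what exact-string matching means in practice.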
  27. JHipster's OAuth Implementation: leverages Spring Security's OAuth and OIDC support; creates an AuthorizationHeaderFilter for Zuul; supports Spring WebFlux and Spring Cloud Gateway; creates a LogoutResource that returns an ID Token and a Redirect URI; creates a Docker configuration and pre-configured users for Keycloak.
  28. SecurityConfiguration.java (excerpt of the HttpSecurity chain):

         .and()
             .oauth2Login()
         .and()
             .oauth2ResourceServer()
                 .jwt()
                 .jwtAuthenticationConverter(authenticationConverter())
                 .and()
             .and()
         .oauth2Client();

  29. OIDC Configuration in application.yml:

         spring:
           security:
             oauth2:
               client:
                 provider:
                   oidc:
                     issuer-uri: http://localhost:9080/auth/realms/jhipster
                 registration:
                   oidc:
                     client-id: web_app
                     client-secret: web_app

  30. How to use another Identity Provider (IdP): create a groups claim and add it to the ID token; add groups named ROLE_ADMIN and ROLE_USER; register an OIDC app at your IdP with JHipster's Redirect URI; override the default settings with environment variables:

         export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}"
         export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
         export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"

     https://www.jhipster.tech/security/#oauth2
  31. Demos!
  32. JHipster with Keycloak:

         mkdir blog-oauth2
         cd blog-oauth2
         jhipster jdl blog-oauth2
         docker-compose -f src/main/docker/keycloak.yml up -d
         ./mvnw
         open http://localhost:8080

  33. JHipster with Okta CLI:

         take blog-oauth2   # take = mkdir + cd (Oh My Zsh)
         jhipster jdl blog-oauth2
         # Install Okta CLI using cli.okta.com
         okta apps create   # select Web > JHipster
         source .okta.env
         ./mvnw
         open http://localhost:8080

  34. JHipster with Heroku + Okta:

         take blog-oauth2
         jhipster jdl blog-oauth2
         jhipster heroku   # Yes, provision the Okta add-on
         open https://<heroku-app-url>

  35. JHipster Tutorials on developer.okta.com/blog: Better, Faster, Lighter Java with Java 12 and JHipster 6; Java Microservices with Spring Cloud Config and JHipster; Mobile Development with Ionic, React Native, and JHipster; Build a Secure Micronaut and Angular App with JHipster. https://developer.okta.com/blog/tags/jhipster
  36. developer.okta.com/blog @oktadev
  37. Thanks! Keep in Touch: raibledesigns.com, @mraible. Presentations: speakerdeck.com/mraible. Code: github.com/oktadeveloper. developer.okta.com
  38. developer.okta.com
