JHipster and Okta - JHipster Virtual Meetup December 2020

Matt Raible | @mraible
December 1, 2020
JHipster and
Photo by Caleb Lucas on https://unsplash.com/photos/Wl3dPgNc8Nw

@mraible
Who is Matt Raible?
Father, Husband, Skier, Mountain
Biker, Whitewater Rafter
Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and
developer.okta.com/blog
@mraible

@mraible
Today’s Agenda
What the Heck is OAuth 2.0 and OIDC?
JHipster’s OAuth Implementation
3 Quick Demos
Keycloak
Okta CLI
Heroku

What the Heck is OAuth 2.0 and OIDC?

The Delegated Authorization Problem
How can you let a website access your data
(without giving it your password)?

Have you ever seen one of these?

Hotel Key Cards, but for Apps
OAuth Authorization Server Resource (API)Access Token

Delegated Authorization with OAuth 2.0
I trust Gmail and I kind of trust
Yelp. I want Yelp to have
access to my contacts only.
yelp.com
Connect with Google

Delegated Authorization with OAuth 2.0
yelp.com
Connect with Google
accounts.google.com
Email
**********
accounts.google.com
Allow Yelp to access your public
profile and contacts?
No Yes
contacts.google
yelp.com/callback

OAuth 2.0 Terminology
Actors
Clients
Authorization Server
Resource Server
Access Tokens
Redirect URI

Authorization
Server (AS)
Resource
Owner (RO) Client
Delegates
Obtains Token
Uses Token
Resource
Server (RS)
Actors

Clients
Public
(Client Identification)
Confidential
(Client Authentication)

Authorize Endpoint
(/oauth2/authorize)
Token Endpoint
(/oauth2/token)
Authorization Grant
Refresh Token
Access Token
Introspection Endpoint
(/oauth2/introspect)
Revocation Endpoint
(/oauth2/revoke)

Tokens
• Short-lived token used by
Client to access Resource
Server (API)
• Opaque to the Client
• No client authentication
required (Public Clients)
• Optimized for scale and
performance
• Revocation is dependent on
implementation
Access Token (Required)
• Long-lived token that is used
by Client to obtain new
access tokens from
• Usually requires
Confidential Clients with
authentication
• Forces client to rotate
secrets
• Can usually be revoked
Refresh Token (Optional)
OAuth doesn’t define the format of a token!

Access Token Types
Self-encoded tokens
Protected, time-limited data structure agreed upon between Authorization Server and
Resource Server that contains metadata and claims about the identity of the user or
client over the wire.
Resource Server can validate the token locally by checking the signature, expected
issuer name and expected audience or scope.
Commonly implemented as a signed JSON Web Tokens (JWT)
Reference tokens (aka opaque tokens)
Infeasible-to-guess (secure-random) identifier for a token issued and stored by the
OAuth 2.0 Authorization Server
Resource Server must send the identifier via back-channel to the OAuth 2.0
Authorization Server’s token introspection endpoint to determine if the token is valid
and obtain claims/scopes

OAuth 2.0 Authorization Code Flow
yelp.com
Connect with Google
accounts.google.com
No Yes
yelp.com/callback
Resource owner clicks ^^
Back to redirect URI
with authorization code
contacts.google
Talk to resource server
with access token
Exchange code for
access token
accounts.google.com
Email
**********
Go to authorization server
Redirect URI: yelp.com/cb
Response type: code
Authorization ServerClient

OAuth 2.0 and OpenID Connect
OpenID Connect
OAuth 2.0
HTTP
OpenID Connect is for authentication
OAuth 2.0 is for authorization

OIDC Authorization Code Flow
yelp.com/callback
Back to redirect URI
with authorization code
Exchange code for
access token and ID token
accounts.google.com
Email
**********
Go to authorization server
Redirect URI: yelp.com/cb
Scope: openid profile
yelp.com
Connect with Google
Resource owner
Client
accounts.google.com
No Yes
Request consent
from resource owner
Hello Matt!
accounts.google
Get user info
with access token
/userinfo

@mraible
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

@mraible
OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use

@mraible
JHipster’s OAuth Implementation
Leverages Spring Security’s OAuth and OIDC Support
Creates an AuthorizationHeaderFilter for Zuul
Supports Spring WebFlux and Spring Cloud Gateway
Creates a LogoutResource that returns an ID Token and a Redirect URI
Creates a Docker configuration and pre-configured users for Keycloak

@mraible
SecurityConfiguration.java
.and()

.oauth2Login()

.and()

.oauth2ResourceServer()

.jwt()

.jwtAuthenticationConverter(authenticationConverter())

.and()

.and()

.oauth2Client();

@mraible
OIDC Configuration in application.yml
spring:

security:

oauth2:

client:

provider:

oidc:

issuer-uri: http:"//localhost:9080/auth/realms/jhipster

registration:

oidc:

client-id: web_app

client-secret: web_app

@mraible
How to use another Identity Provider (IdP)
Create a groups claim and add it to the ID token
Add groups named ROLE_ADMIN and ROLE_USER

Register an OIDC app at your IdP with JHipster’s Redirect URI
Override the default settings with environment variables
export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="{yourIssuer}"

export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"

export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"
https://www.jhipster.tech/security/#oauth2

mkdir blog-oauth2

cd blog-oauth2

jhipster jdl blog-oauth2

docker-compose -f src/main/docker/keycloak.yml up -d

./mvnw

open http:"//localhost:8080
JHipster with Keycloak

take blog-oauth2


# Install Okta CLI using cli.okta.com

okta apps create # select Web > JHipster

source .okta.env

./mvnw

open http:"//localhost:8080
JHipster with Okta CLI

take blog-oauth2


jhipster heroku # Yes, provision the Okta add-on

open https:"//<heroku-app-url>
JHipster with Heroku + Okta

@mraible
Better, Faster, Lighter Java with Java 12 and JHipster 6
Java Microservices with Spring Cloud Config and JHipster
Mobile Development with Ionic, React Native, and JHipster
Build a Secure Micronaut and Angular App with JHipster
> https://developer.okta.com/blog/tags/jhipster
JHipster Tutorials on developer.okta.com/blog

developer.okta.com/blog
@oktadev

Thanks!
Keep in Touch
raibledesigns.com
@mraible
Presentations
speakerdeck.com/mraible
Code
github.com/oktadeveloper
developer.okta.com

JHipster and Okta - JHipster Virtual Meetup December 2020

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to JHipster and Okta - JHipster Virtual Meetup December 2020

Similar to JHipster and Okta - JHipster Virtual Meetup December 2020 (20)

More from Matt Raible

More from Matt Raible (20)

Recently uploaded

Recently uploaded (20)

JHipster and Okta - JHipster Virtual Meetup December 2020