Spring Security - Lesson 12 - Deeply understanding the grant types

The Spring Security stream will teach you how to use Spring Security, from the basic authentication and authorization architecture to using OAuth 2.

Comments
Author

Thank you. This is the best on YouTube about security applications.

dmitriichabyshev
Author

⭐ Timestamps ⭐
- 5:21 Password Grant type Sequence Diagram
- 14:00 QA on OpenID connect
- 22:00 Authorization Code Grant type Sequence Diagram
- 37:00 Client Credentials Grant type Sequence Diagram
- 44:00 Refresh Token - Solution for expired access_token

cooool
Author

In the end I heard about a Kubernetes and deployment stream; are you still thinking about it? A small question: on which level do we define that our application should be accessed using HTTPS? I can't see such content on the playlist. Thanks

momedalhouma
Author

Thank you for this playlist, I enjoy learning with it. I have one question. I've seen some applications use grant types related to cookies; is this something supported by services such as Keycloak or any Spring libraries? Or is that something that is implemented from scratch? I would be grateful to get a reference to any info related to that topic, thank you!

teammdyss
Author

Hi Laurentiu,
What is the difference between "client:secret" and "username:password"?
The user should have "username:password", but what about "client:secret"?
I watched the video and you put "client:secret" in Postman's basic auth fields.
What exactly is that?! And how do I generate it?
Thanks a lot.

mahdadaioby
Author

Thanks for the awesome video. I got a question: when using the authorization code grant type, the sole purpose of the redirect URI is to send it to a client which will grab the code parameter and make the further call to get the access token, right?

glaze
Author

Let me clarify what I have understood from this video. In simple form-based authentication using Spring Boot, normally we keep authentication, authorization and resource access all packed in a single application. But in OAuth2 the authentication and authorization parts are done in a separate application, which we call the authorization server, and the resource access is done in another application, which we call the resource server. As these two are in different apps, OAuth2 provides us a mechanism to make the communication happen in a structured way so that security is maintained in the system. And it uses tokens for that. Am I correct with my concept?

kayeshparvez
Author

Dear Laurentiu,

1) Is there a way to add a custom AuthenticationProvider and AuthenticationFilter for clients, similar to what we did for users?

For clients, I am able to find the method below to add only "TokenEndpointAuthenticationFilter", but I was unable to find any method to add a provider.

public void security)
{

}

2) Also, I saw your implementation of PKCE with the newly developed authorization server. You mentioned there that in order to implement it with the old implementation, some customization needs to be done.

Please help to specify it too.

Thank you.

Pratik
Author

Thanks for another great lesson, but I would like to ask how relevant it is these days, because from my understanding OAuth2 is deprecated; or do the basics/principles still apply for the authorization server?

yaniv
Author

I need to know what the relation is between the authentication filter and authentication provider and the "/oauth/token" endpoint. Where are the filters that intercept the next incoming request with the token to check if the token is valid?

abdullaelsayed
Author

Hi Laurentiu,
Is it possible to use social login with a REST API? I was trying to configure social login with my REST API, using oauth2login provided by Spring Security. I googled online and saw there are cases where people use social login with REST. But I don't think it makes sense to use oauth2login out of the box, since it works more closely with form login. So my question is: is it possible to secure your REST API with social login? If yes, can you use oauth2login from Spring Security or do you need more advanced configuration?
Thank you!

peiqiliu
Author

So the authorization server has associated your user information with your auth code? Because when you inspect your access token it will be associated with your user.

rydmerlin
Author

@50:37 Error: Inject
@Autowired
private UserDetailsService inMemoryUserDetailsManager;
in class AuthServerConfig
and add line
in endpoints) method.

shibugeorge
Author

Hi Sir, you mentioned a lot that Spring Security started working on a new Authorization Server, but why are they writing a new authorization server? Is there any issue with the current implementation? I might have missed it if you mentioned it in your previous videos.

mritunjayyadav
Author

Thanks for your deep explanation on each topic... Is there any lesson on JWT (JSON Web Token) authentication...

kirankumaralam
Author

Hi, when you were explaining authorization code and sending


you didn't put secret2 here, i.e. you didn't provide a password for client2. Could you explain why we don't have the client's password here?

kenkaneki
Author

Hi Laurentiu. I've gone over the diagram and I have a question. For the authorization code grant type, architecturally, is it the responsibility of the app to know that for calling a specific Resource Server endpoint it should first redirect the User to the Authorization Server /authorize endpoint, or is it something like the app calls the Resource Server endpoint directly (assuming with no token, I guess) and then the Resource Server tells the app to redirect the user to an Authorization Server URL of the Resource Server's choice? I guess the difference would be that in the first scenario the app is going to have some security logic and also have the Auth URL hardcoded.

BinSlayer
Author

Where is the auth code actually generated?
How does the authorization server verify the code given to it by the client?

What is the logic behind it?

maheshjujjavarapu
Author

With the Password grant type one has to pass the header "Authorization: Basic In all the examples that use Postman to showcase the Password grant type casually add the clientSecret in Postman's Auth tab. However, isn't the clientSecret supposed to be protected? So for example if a frontend app (Angular, say!) is involved, by definition of the Password grant the frontend will ask for username and password, fine, but should the clientSecret also be sent from the frontend app (Angular, say!)? If not, where should the "Authorization: Basic base64(clientId:clientSecret)" header be inserted into the request?

I understand using Password grant is not recommended.

SandipChitale
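The client:secret versus username:password question earlier in the thread, the questions on where the auth code is generated and how the server verifies it, and the Basic header question just above can be followed in a framework-free Python sketch of an authorization server; this is an added example, not code from the video or from Spring. The server first authenticates the application from "Authorization: Basic base64(clientId:clientSecret)", then proves the user either directly (password grant) or through a code the server itself minted and bound to that client and user (authorization code grant). The client and user registrations, names and functions are constructed sample values.

```python
import base64, secrets, time
from dataclasses import dataclass, field

CLIENTS = {"client": "secret"}   # constructed sample: client_id -> secret (the application)
USERS = {"john": "12345"}        # constructed sample: username -> password (the person)

@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)   # code -> (client_id, user, expiry)
    tokens: dict = field(default_factory=dict)  # access_token -> (client_id, user)

    def authenticate_client(self, headers):
        """Parse 'Authorization: Basic base64(clientId:clientSecret)'."""
        value = headers.get("Authorization", "")
        if not value.startswith("Basic "):
            return None
        client_id, _, secret = base64.b64decode(value[6:]).decode().partition(":")
        return client_id if CLIENTS.get(client_id) == secret else None

    def authorize(self, client_id, user, password, ttl=60):
        """/oauth/authorize: after login, mint a short-lived code bound to client and user."""
        if client_id not in CLIENTS or user not in USERS or USERS[user] != password:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, time.time() + ttl)
        return code

    def token(self, headers, params):
        """/oauth/token: client auth first, then the grant-specific proof of the user."""
        client_id = self.authenticate_client(headers)
        if client_id is None:
            return {"error": "invalid_client"}
        grant = params.get("grant_type")
        if grant == "password":
            user = params.get("username")
            if user not in USERS or USERS[user] != params.get("password"):
                return {"error": "invalid_grant"}
        elif grant == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)  # single use
            if entry is None or entry[0] != client_id or entry[2] < time.time():
                return {"error": "invalid_grant"}
            user = entry[1]  # the code already carries the user it was issued for
        else:
            return {"error": "unsupported_grant_type"}
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (client_id, user)
        return {"access_token": access_token, "token_type": "bearer"}

def basic(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
```

Because the code is single-use, bound to the issuing client and expiring, replaying it or redeeming it from another client fails with invalid_grant, and the resulting access token is tied to the user without the client ever seeing the user's password.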
Author

Thank you, but what is the difference between implicit and authorization code from a perspective, because I can't understand why we need the auth code steps, and if you can create a full flow with Angular and auth server and back-end, thanks.

ebrahimmohamedebrahim