Spring Security - Lesson 17 - Using symmetric keys with JWT

The Spring Security stream will teach you how to use Spring Security, from the basic authentication and authorization architecture to using OAuth 2.

Code on GitHub:

Comments

Thanks again Laurentiu, very helpful indeed.

davidharper

What would be an example, a use case or benefit of having multiple redirect URIs?

thelanelim

Hi Laurentiu, I have 2 questions:

1) For the explanation at 21:52, it is actually something like an HTTP 302 browser redirection of the user from the Authorization Server's website back to the client's domain at a designated client endpoint of the client's choice, isn't it?
From what I understand at 21:52 and at 26:59, I get the impression that the Authorization Server calls the redirect URI by itself and that it isn't in fact a matter of user browser redirection. Or am I not understanding the concept well enough?

2) Given that you had just restarted the Authorization Server and the tokens weren't persisted anywhere at this stage, why does the call work at 54:33? I basically expected that the token wouldn't be a known token to the Auth Server, which had just been restarted.

BinSlayer

Thank you for the video @laurspilca. Can you update it, because Spring Security 6.2.+ is really badly documented? And can you make a scenario where we have a client that calls an endpoint on the auth server (which basically makes it a resource server too) using a symmetric key?

blacky

Hi Laur, how would I access user details on frontend when a user logs in, so I can show on the navigation bar?

For example, in my Node APIs I would send user details to the frontend as soon as the user logs in, to display on the nav bar. I can also do this in my Spring Boot API and send a new response object, but is this a good approach?

abulsyed

I have followed your videos up to this lesson using the old cloud OAuth2 dependency. What else will I need to add in my resource server to print the JWT token?

abulsyed

When you have a separate application for the resource server (also in the previous examples), I could notice that the configuration class of the resource server did not extend ResourceServerConfigurerAdapter, but I could see it when you have both servers present in the same application. I would like to know the difference between them.

balajikandagaddala

Have you considered using Spring DevTools? It should make the restarts of the running app more convenient.

evgeniyas

When we log in on some website like Facebook, we provide the user details but not the client credentials, so how does authorization work without client credentials? Is something happening in the background?

AmitKumar-hybu

Hello, I have a question.
We are making the resource server and the auth server in Spring.

But is it correct that you could also do this by, for example, making the auth server in Spring and using a completely different framework or language for the resource server?

For example, if you like how easy it is to make the auth server in Spring but for some reason prefer to do the resource server in a different language (maybe you prefer Python for handling the direct resource data).

Is there a disadvantage in doing it this way, outside of needless complexity? An advantage I can think of is that if you are doing it with a small team, just as a hobby project, people can work on different things at a time using what they're good at.

SophieExMachina

Why does getRegisteredRedirectUri return multiple values? What is the use case of multiple redirect URLs?

TheGuroguro

Hi Laurentiu, as you mentioned, a JWT token has 3 parts and the last part is the signature. Can't a middleman just change the body part and keep the other two sections (header and signature) intact, so that when the resource server checks the signature it is still the same even though the body is tampered with?

prasannakapu

Dear Laurentiu,

The stream of videos you have posted are really nice and easy to understand.

I have the set of questions below. Hoping to get answers soon. :-)

1) While using the grant type authorization code, we need to provide a redirection URL.
As per your example, you had provided John as a user, for which it gets redirected to localhost:9090 with the (authorization) code value in the URL.
Now consider that, at the same time, we have another user, Bill, following the same process.
At the redirection, how could we determine whether the redirection is for John or Bill, since in the redirection URL we only receive the (authorization) code and no other parameter indicating which user it is for?

2) Consider that we have an application which is quite old, having used MD5 as a password encoder. If we want to migrate the application to use the BCrypt password encoder, how can we achieve that if we don't want to force users to reset their passwords?
I saw one article saying that it can be achieved by using DelegatingPasswordEncoder, however I didn't find an actual implementation of this.
It would be nice if you could make one video regarding this and append it at the end of this stream.

3) Along with it, in order to be GDPR compliant, how can we achieve this if we are designing an application from scratch? For example, how can we store such information in the database while keeping it configurable, considering each country's own regulations?
If you can make a video on this, it will be really helpful to many of us, as it is a standard which everyone needs to consider nowadays.

4) Finally, if you can make a new stream on DevOps culture: how to follow, use and implement it.

Once again, thank you for the nice tutorial. Liked the way you showed resilience, experience, knowledge, and thinking.
We all surely love to get more perspective on each topic from you. :-)

Thank you.

Pratik

How does the resource server validate the token?

sushantkadav
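
An added illustration (plain stdlib Python, not Spring code and not from the course repository) of what a resource server's check with a shared symmetric key actually does, answering both questions above: the HS256 signature is computed over header and payload together, so a token whose body has been altered while header and signature are kept fails verification. The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """What the authorization server does: MAC over 'header.payload'."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_hs256(token: str, key: bytes):
    """What the resource server does with the same shared key.

    Returns (True, claims) only if the MAC recomputed over the received
    header and payload matches the received signature; otherwise (False, None).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":       # never trust the token's own alg choice
        return False, None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        return False, None
    return True, json.loads(b64url_decode(payload_b64))


def replace_payload(token: str, new_claims: dict) -> str:
    """Model the middleman in the question: swap the body, keep header and signature."""
    header_b64, _, sig_b64 = token.split(".")
    new_payload = b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


# Constructed sample data: a shared secret both servers hold, and one user's claims.
SHARED_KEY = b"constructed-demo-secret-do-not-reuse"
CLAIMS = {"sub": "john", "scope": "read"}
```

The body of a JWT is only base64url-encoded, so anyone can read and rewrite it; confidentiality is not the point, the MAC over header and body is.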

Hello Sir, can you please make a full real app in one video, maybe at the end of this stream, where you use real-world practices such as controller, service and repository layers to create an authentication system for users and create some endpoints to test authorization?
It is very nice of you to teach us the pieces of the puzzle, but it would be nicer if you taught us how to combine them in a real-world app, because I found it hard to combine business logic with authentication coming from Spring Security.
Hope you do this.
Thanks anyway, sir <3

unclesam

In a real-world scenario, how does the auth server share the private key with the resource server, if the auth server is a third party?

dilanfernando

Please provide at least one practical example of OAuth2 with OpenID Connect.

SagirAnsari-bnoj