Spring Security Fundamentals - Lesson 9 - OAuth 2 Fundamentals

In this stream, we discuss Spring Security using the latest version available in 2022. We cover configurations for authentication and authorization, tips and tricks, how to learn Spring Security, vulnerabilities, OAuth 2, and more.
Comments

I can't speak English well, but I want to say: thank you very much for your great content about Java and Spring (the Java fundamentals playlist, the software architecture playlist, Spring Security, design patterns, JPA and ...). I watched most of your videos moment by moment. You really helped me a lot. I really thank you from the bottom of my heart.

hosseinsoli

Thank you Laur for the content you are providing completely for free. You are amazing and much appreciated!

andtif

The best lessons about Spring Security on the web! Thank you a lot!

wagnerfaria

As usual, an amazing session! I look forward to watching your next video. Thank you for sharing your knowledge with us.

cristobalnpe

Thanks a lot, Laur! We started a new project today and decided to use OAuth2, but I haven't gotten to the OAuth2 chapter in your book yet ) This video is great for a quick introduction, and what's even better is that part 2 on OAuth starts in about 2 days! Thank you for your wonderful work!

Boyarsskiy

I really enjoyed this lesson, which introduces different key concepts that can also be used outside of Spring Security. Thank you very much for the time you always dedicate to sharing your wide knowledge 🙏

h.

Hello Laurenti, at minute 26:20 there was a question saying that there are two login pages in the process of the Authorization code grant type. As we know, most client-side applications start with a login page, and this is considered the FIRST LOGIN, where the user enters his/her credentials to be authenticated by the backend; and, as you described, any request to the resource server (backend) must be redirected to the Authorization server, where again the user enters username/password credentials, and this is considered the SECOND LOGIN.

jeanmansour-uw

Thanks a lot, Laur, for such a detailed explanation. It will be a lot of help if you can address my query listed below.

One of the primary reasons for utilizing the authorization code grant type is to ensure that user credentials are not directly shared with the client application. Instead, the user authenticates solely with the authorization server, maintaining a layer of security. However, if we opt to construct our own custom authorization server, the user would still need to share their credentials, but this time with the custom authorization server. In essence, we've shifted the responsibility from the client to another service, but the underlying concern of safeguarding user credentials remains, similar to the issues we aimed to address when avoiding direct sharing with the client.

paavanshah

In the context of 16:00, can we have Spring Cloud Gateway as the resource server and relieve the backend from doing the security job (assumption: the only entry point is via the gateway port in a private network, with enforced security rules not allowing other requests on other ports)?

EjazAhmedMohammad

I very much appreciate your information sharing. Great!

user.chuyin

Amazing as usual. I hope you can also talk about how to integrate with third-party OAuth providers (e.g. Google, Facebook, ...).

mahmoudhesham

Thank you very much for your explanations

jhonnysanchez

Thanks for the talk! I want to implement an auth server for a set of Spring Boot microservices. I'm hoping to get more info from the next lessons.

maneshipocrates

Can you give an example where it is better to combine the authorization server and the resource server together? Thanks.

nimacode

Hey Laur, thanks for all your tutorials. I was wondering what the best way is to configure the transmission of user authorities/roles from an OAuth authorization server to a resource server in Spring Security, perhaps in the JWT or otherwise? Does this require a custom filter on the resource side to update the security context? Thanks.

gianlucapiccirillo
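One common way to carry roles from the authorization server to the resource server is to put them in a claim of the JWT access token and let Spring Security's built-in converter turn that claim into `GrantedAuthority` instances; no custom filter is needed. The following is an added illustration, not code from the video or from Spring's own samples. It assumes Spring Authorization Server 1.x on the issuing side, Spring Security 6 on the resource side, and a claim named `roles` (the claim name is an assumption; use whatever your server emits).

```java
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

/** Authorization server side: copy the authenticated user's roles into a "roles" claim. */
@Configuration
class AuthorizationServerTokenConfig {

    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> rolesClaimCustomizer() {
        return context -> {
            // Only access tokens carry authorization data; leave ID tokens and refresh tokens alone.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            Authentication principal = context.getPrincipal();
            Set<String> roles = principal.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .map(authority -> authority.replaceFirst("^ROLE_", "")) // store bare names in the token
                    .collect(Collectors.toSet());
            context.getClaims().claim("roles", roles); // assumed claim name
        };
    }
}

/** Resource server side: map the "roles" claim back to ROLE_-prefixed authorities. */
@Configuration
class ResourceServerConfig {

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles"); // default is "scope"/"scp"
        authorities.setAuthorityPrefix("ROLE_");      // default is "SCOPE_"
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    @Bean
    SecurityFilterChain resourceServerChain(HttpSecurity http,
                                            JwtAuthenticationConverter converter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN") // works because of the ROLE_ prefix above
                .anyRequest().authenticated())
            // Signature and expiry are checked by the JwtDecoder before the converter ever runs,
            // so the resource server trusts the roles only because it trusts the issuer's key.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The security context is populated by the resource server's bearer-token filter from the converter's result, so the roles are available to `hasRole`, `@PreAuthorize` and `SecurityContextHolder` without any additional filter. Keep the claim small: everything in an access token is readable by whoever holds it, so put role names in it, not sensitive attributes.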

In a microservice architecture, can we make the gateway service a client?

SagirAnsari-bnoj

Congrats on the lessons! How could I cache opaque tokens?

LucasGomes-sneq
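Opaque tokens are validated by calling the authorization server's introspection endpoint on every request, which is what makes caching attractive. One way to do it in Spring Security is to wrap the `OpaqueTokenIntrospector` in a caching decorator. The following is an added example, not code from the video or from the Spring project; it assumes Spring Security 6 and the standard `SpringOpaqueTokenIntrospector`. The cache entry lifetime is bounded both by the token's own `exp` claim (when the introspection response carries one) and by a configurable maximum, so a revoked token stays usable for at most that maximum; the raw token is never used as a map key.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;

/** Decorator that caches successful introspection results for a bounded time. */
public class CachingOpaqueTokenIntrospector implements OpaqueTokenIntrospector {

    private record Entry(OAuth2AuthenticatedPrincipal principal, Instant validUntil) {}

    private static final int MAX_ENTRIES = 10_000; // simple bound; use Caffeine or similar in production

    private final OpaqueTokenIntrospector delegate;
    private final Duration maxTtl; // upper bound on how long a revocation can go unnoticed
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();

    public CachingOpaqueTokenIntrospector(OpaqueTokenIntrospector delegate, Duration maxTtl) {
        this.delegate = delegate;
        this.maxTtl = maxTtl;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        String key = sha256Hex(token); // never keep the bearer token itself in memory longer than needed
        Instant now = Instant.now();

        Entry hit = cache.get(key);
        if (hit != null && now.isBefore(hit.validUntil())) {
            return hit.principal();
        }
        cache.remove(key);

        // Delegate throws for inactive/invalid tokens, so failures are never cached.
        OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);

        Instant validUntil = now.plus(maxTtl);
        Object exp = principal.getAttribute("exp"); // SpringOpaqueTokenIntrospector converts exp to Instant
        if (exp instanceof Instant expInstant && expInstant.isBefore(validUntil)) {
            validUntil = expInstant;
        } else if (exp instanceof Number expSeconds
                && Instant.ofEpochSecond(expSeconds.longValue()).isBefore(validUntil)) {
            validUntil = Instant.ofEpochSecond(expSeconds.longValue());
        }

        if (cache.size() >= MAX_ENTRIES) {
            cache.entrySet().removeIf(e -> !now.isBefore(e.getValue().validUntil()));
        }
        cache.put(key, new Entry(principal, validUntil));
        return principal;
    }

    private static String sha256Hex(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Convenience factory; the endpoint and credentials come from your own configuration. */
    public static OpaqueTokenIntrospector create(String introspectionUri, String clientId, String clientSecret) {
        return new CachingOpaqueTokenIntrospector(
                new SpringOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret),
                Duration.ofMinutes(1));
    }
}
```

Register it with `http.oauth2ResourceServer(o -> o.opaqueToken(t -> t.introspector(introspector)))`. The trade-off is explicit: a larger `maxTtl` means fewer calls to the authorization server but a longer window in which a revoked token is still accepted, so pick it according to how quickly revocation must take effect.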

Thanks again for this video. Just one thing is not clear in the authorization code explanation: you said the login page is provided by the server. I believe the client will forward the request to the server in the first step to get redirected to a login page in the authorization server, otherwise how will the client know the login page to redirect to? Please clear this up for me, because if the way I think of it is right, who provides the generated challenge and verifier? Is it the client or the server when it sends back the login page redirect? Thank you very much.

khajalieubarrie
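The PKCE challenge and verifier (RFC 7636) are generated by the client, not by the authorization server: the client creates the verifier, derives the challenge from it, sends only the challenge in the redirect to the authorization endpoint, and presents the verifier later at the token endpoint, where the server recomputes the challenge and compares. The following is an added, dependency-free illustration of both sides; it is not code from the video, and the endpoint, client id and redirect URI in `main` are made-up values.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Client, step 1: a high-entropy verifier (RFC 7636 requires 43..128 characters). */
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes); // 43 base64url characters
    }

    /** Client, step 2: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), method S256. */
    public static String codeChallenge(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return B64URL.encodeToString(sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Client, step 3: the URL the browser is sent to; only the challenge leaves the client. */
    public static String authorizationUrl(String authorizeEndpoint, String clientId,
                                          String redirectUri, String state, String challenge) {
        return authorizeEndpoint
                + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&scope=openid"
                + "&state=" + enc(state)            // CSRF protection for the callback
                + "&code_challenge=" + challenge     // already URL-safe
                + "&code_challenge_method=S256";
    }

    /**
     * Authorization server, step 4 (token endpoint): the server stored the challenge with the
     * authorization code; it recomputes the challenge from the presented verifier and compares
     * in constant time. Anyone who only intercepted the code cannot produce the verifier.
     */
    public static boolean verifierMatches(String storedChallenge, String presentedVerifier) {
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallenge(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String verifier = newCodeVerifier();       // kept in the client's session
        String challenge = codeChallenge(verifier); // sent to the authorization server
        System.out.println(authorizationUrl("https://auth.example.test/oauth2/authorize",
                "demo-client", "https://app.example.test/callback", "random-state", challenge));
        System.out.println("correct verifier accepted:  " + verifierMatches(challenge, verifier));
        System.out.println("unrelated verifier accepted: " + verifierMatches(challenge, newCodeVerifier()));
    }
}
```

This also answers the "who knows the login page" part: the client only needs to know the authorization endpoint; the authorization server decides whether to show a login page when it receives the redirect. Spring Security's OAuth 2 client performs these steps for you (`OAuth2AuthorizationRequestCustomizers.withPkce()` adds the challenge to the request), so in practice you would not hand-roll this, but the division of responsibility is the same.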

Does the auth server need a Thymeleaf login view, or can it redirect to an Angular login view for this? 22:40

Sebastian-zscp

Hi, I've seen your talk at Devoxx dedicated to the new Authorization Server and I have a couple of questions.

The most confusing moment is related to JWK Source.

I understand the idea of asymmetric encryption (but have no practical experience), and it's clear that we need to provide a set of public/private key pairs which would be used to sign the tokens, but the overall process seems to be verbose and convoluted.

I was trying to find some information, and discovered that the JWKSource interface is part of the Nimbus JOSE library, and its documentation doesn't provide a lot of details. Can you briefly describe the overall mechanism (maybe with diagrams) in one of the future lessons, or point to some sources regarding the JWK source? Also, you mentioned that there are some alternatives to the JDK's RSAKey; what are they?

The second question is related to defining multiple SecurityFilterChains.

As I understood it, the second filter chain in the Authorization Server is needed to configure the functionality related to communication between the Resource Server and the Authorization Server, like the token-introspection endpoint. And in the first filter chain we configure the functionality related to communication with the client application and the user (if there is one), and therefore we need to decouple them. Am I correct?

The question is: are there some cases (not related to the Authorization Server) where we might need more than one SecurityFilterChain in a web application? If yes, can you provide an example?

Thanks.

alexanderivanchenko
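Both parts of this question (what the JWK source is for, and why the authorization server has two filter chains) can be seen in one minimal configuration. The following is an added example, not code from the video or from the Spring Authorization Server project itself; it assumes Spring Authorization Server 1.0 with Spring Security 6, where `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity` is still available, and it generates a throwaway RSA key at startup, which is suitable for a demo only.

```java
import java.util.UUID;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
public class AuthorizationServerConfig {

    /**
     * The JWK source is simply "where the server gets its signing keys". The private half of the
     * RSA key signs access tokens; the public half is published at /oauth2/jwks so resource servers
     * can verify signatures without ever seeing the private key. The kid ties a token to the key
     * that signed it, which is what makes key rotation possible later.
     */
    @Bean
    JWKSource<SecurityContext> jwkSource() throws JOSEException {
        RSAKey rsaKey = new RSAKeyGenerator(2048)
                .keyID(UUID.randomUUID().toString()) // demo: regenerated on every start, so issued tokens
                .generate();                         // stop validating after a restart; persist the key in production
        return new ImmutableJWKSet<>(new JWKSet(rsaKey));
    }

    /** Lets the authorization server itself validate its own tokens with the public half. */
    @Bean
    JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }

    /**
     * Chain 1: the protocol endpoints (/oauth2/authorize, /oauth2/token, /oauth2/introspect,
     * /oauth2/jwks, ...). applyDefaultSecurity installs a request matcher, so this chain claims
     * only those paths; an unauthenticated browser hitting /oauth2/authorize is sent to /login.
     */
    @Bean
    @Order(1)
    SecurityFilterChain protocolEndpoints(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.exceptionHandling(ex ->
                ex.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")));
        return http.build();
    }

    /**
     * Chain 2: everything else, i.e. the human user's login page. Ordered after chain 1 because
     * Spring Security picks the first chain whose matcher accepts the request.
     */
    @Bean
    @Order(2)
    SecurityFilterChain userLogin(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

On the last question: multiple chains are an ordinary Spring Security feature, not something specific to the authorization server. A typical case is one stateless chain for `/api/**` that accepts bearer tokens and never creates a session, and a second session-based chain with form login for the browser UI; each chain calls `http.securityMatcher(...)` to say which requests it handles, and the `@Order` decides which matcher is consulted first. The rule to remember is that exactly one chain handles a request, so a chain without a `securityMatcher` must come last.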