Spring Security - Lesson 26 - Endpoint authorization rules for an OAuth 2 resource server

The Spring Security stream will teach you how to use Spring Security, from the basic authentication and authorization architecture to using OAuth 2.

Code on GitHub:

Comments

Author

⭐ Timestamps ⭐
- 4:00 Endpoint authorization at the authorization server: implementation
- 28:00 Endpoint authorization at the resource server: implementation
- 43:00 Endpoint authorization at the resource server (using the new DSL), new DSL vs. legacy Spring OAuth

pinb

Hi Laurentiu, thanks again for these videos.
Is there any chance of you making a video on WebSocket implementation along with security?

amanmodi

Hey Laurentiu,
Your course talks about client-to-server authentication, which is working perfectly for me.
Do you have any lessons on internal server-to-server authentication?
Thanks.

גיאברנע-קמ

Why do we use the decoder() method instead of a TokenStore in the DSL resource server approach?

arunbandari

Hello Laurentiu, I have watched your recorded security stream. I have a request for you: can you please make a dedicated video on the latest authorization server configuration of Spring?

md.jahidhasan

Hi Laurentiu, thanks again for these videos.
I have a doubt regarding the use of the configure(HttpSecurity http) method.
The question is: why in lesson 25, where you presented MVC matchers, did you not use super.configure(http) after the lines where you configure authorizeRequests, but here in the AS, after the line where you authorize "/demo.**", you did use super.configure(http)? Is this a possible answer: because on the AS you had to use a POST call to get the token and you need CSRF disabled somehow, or already configured?
If this is not the answer, why do we not have CSRF disabled in the AS?

Thank you!

LE: After looking into super.configure, I think the idea was to already have the endpoint marked with authenticated() and anyRequest().permitAll().
So I am still not sure why CSRF didn't need to be configured (disabled) on the AS?

dan

This is an off-topic question, but how should one manage refresh tokens? Is it possible to extend their validity period? Getting a new token involves asking the user for credentials again, and I'd like to just renew the token's validity period when the user requests an access token, so asking for credentials would not be required, except if a long period of no use has passed, let's say a month or so. Is there a way to "renew" this token?

santiagozapata

Hi sir, thanks for your course. Is there any way to assign a role to an endpoint dynamically? Must it be done in configure(HttpSecurity http), or is there another way?

hosseinnickseresht

Hi Laurentiu,
From Postman it is working for me too, but from a React app I am getting a CORS error like the following:
--- Note: I then copied the configure() method from your lesson 10, but I still can't get past the CORS error. What should I do in this case?

kayeshparvez

Hi Laurentiu. Speaking of OAuth, will you also discuss PKCE in a future video?

BinSlayer

Hi Laurentiu. It was really interesting how you created the authentication server and the resource server separately. There is something I did not get yet. When the auth server generates the token for us, how does the resource server know whether this token is valid or not? Because there is no communication between the auth server and the resource server in this example, the token could be made somewhere else with the same signing key.
I think it would be better if the resource server did not know anything about the signing key, because it's a private thing, I suppose.
Could you please make a video about creating a resource server which registers itself as a client to the authentication server without knowing the signing key?
And then we can access it through the authentication server. I know it's too much, but I would very much appreciate it if you considered this scenario.
thanks a lot again :)
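An added example (not the video's or Laurentiu's code) of the resource-server setup the comments above ask about: endpoint rules in configure(HttpSecurity), the decoder() route instead of a TokenStore, and token verification using only the authorization server's RSA public key, so the resource server never holds the private signing key and a leaked verification key cannot be used to forge tokens. The property name as.public-key, the /demo/** paths and the SCOPE_read authority are assumptions.

```java
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Assumed property: the authorization server's PEM-encoded RSA *public* key.
    // Only the authorization server holds the matching private key used to sign.
    @Value("${as.public-key}")
    private String publicKeyPem;

    @Bean
    public JwtDecoder jwtDecoder() throws Exception {
        String body = publicKeyPem
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        RSAPublicKey key = (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(body)));
        // Verifies RS256 signatures and the exp/nbf claims; with an asymmetric key
        // the resource server can check tokens but cannot mint them, unlike a
        // shared HMAC secret that every holder could use to forge a token.
        return NimbusJwtDecoder.withPublicKey(key).build();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // New DSL: bearer-token resource server backed by the decoder bean above.
        http.oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));

        // Endpoint authorization rules; the default converter maps the token's
        // "scope" claim to authorities prefixed with SCOPE_.
        http.authorizeRequests()
            .mvcMatchers("/demo/**").hasAuthority("SCOPE_read")
            .anyRequest().authenticated();
    }
}
```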

mahdadaioby

I am trying to implement SSO with Azure AD. I am able to secure the application with Azure credentials, but I want to access the REST endpoint from Postman; can you suggest how to do it? When I hit an endpoint from Postman it gives me the sign-in page even though I have added authorization as a header, but it's still not working.

saikiranvarala