Securing OAuth 2.0 Resources in Spring Security 5
The OAuth 2.0 Authorization Framework is elaborate, with several nuances and subtleties that can make it overwhelming for implementers. Its strength and flexibility, though, have propelled it to an industry standard, and it isn’t uncommon for organizations to look to frameworks to ensure correct implementation.
Spring Security 5 marked the beginning of a long-term mission that the Spring Security team has to simplify Spring’s support for OAuth 2.0. Last year, it began with OAuth 2.0 Login over OpenID Connect 1.0. And this year that journey continues to now include additional OAuth 2.0 Client features and the first release of OAuth 2.0 Resource Server support.
In this talk, we’ll take a look at two insecure applications--one a web application and the other a REST API--and integrate them both with an OAuth 2.0 Authorization Server. The first will feature Spring Security’s most recent OAuth 2.0 Client feature set and the second, its newly-released Resource Server support.
For the web application, we’ll configure the client to use the Authorization Code Grant flow. And for the REST API, we’ll configure the resource server for JWT support, OAuth2-specific authorization expressions, and JWK set resolution. Finally, we’ll put it all together, logging into our application and retrieving a secure resource.