JWT in Spring

Adam Kučera
Jiří Machart

CN group Java Show'n'tell
03/10/2017

Agenda

  • Briefly about OAuth2
  • JWT tokens
  • JWT tokens in Spring Security
  • OAuth with Keycloak

 

Sources: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
http://blah.winsmarts.com/2014-12-OAuth2_for_dummies.aspx
 

OAuth 2.0. in plain words

  • Authorization framework that enables applications to obtain limited access to user accounts on an HTTP service

Huh?

OAuth 2.0. in plain words

  • Authorizes third-party applications to access the user account.
  • Delegates user authentication to the service that hosts the user account
  • Provides different authorization flows for different use cases.

OAuth 2.0. glosary

  • Resource owner: user who authorizes an application to access his account, with a scope
  • Resource server: hosts resources which require authorization
  • Authorization server: verifies user identity, issues access tokens
  • Client: the application that wants to access user's resources.
  • Authorization grant type: how the token is obtained

Basic protocol flow

Authorization code grant type

  • Server-side applications (client secret not exposed)
  • oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
  • oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL

     

Implicit grant type

  • Mobile / web apps (client secret could be exposed)
  • oauth/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
  • The app extracts the token from the redirect URL and saves it
  • Does not use client secret, instead the redirect URI which was registered for the app serves this purpose

Resource Owner Password Credentials grant type

  • Trusted applications (provide username and password)
  • token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID

Client credentials grant type

  • Application login
  • token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

Refresh token flow

 

  • Not a real grant type
  • If refresh tokens are enabled, you obtain a refresh token together with access token.
  • When access token expires, you can use refresh token to get new one without going throug the whole grant type flow

What is JSON Web Token?

  • Standardized in RFC 7519
  • compact and self-contained way for securely transmitting information between parties as a JSON object
  • In OAuth 2 terminology: an access token
     
  • Signed and secured by a secret key, but readable by everyone!
  • The secret key is there to check the token integrity
     

How does it look like?

Source: JWT.io

How can you use it?

  • HTTP Header: Authorization: Bearer <token>

  • There may be two different servers

JWT security concerns

  • Who has the token acts like the logged user!
    • => HTTPS!
    • => Short expiration time + refresh tokens.
  • Refresh token can be revoked.
  • JWT can be read by anyone! => no sensitive data

 

  • Created as an alternative to cookie based sessions, which cannot be securely accessed from SPAs

And now...

JWT with Spring Security


https://github.com/Wrent/jwt-demo-spring-oauth

Made with Slides.com