Securing Spring APIs with JSON Web Tokens

Ado Kukic

Developer Evangelist

Auth0

@kukicado

OAuth 2.0

An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OpenID Connect

An authentication layer built on top of OAuth 2.0, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server.

OAuth 2.0 Roles

Resource Owner

The entity that can grant access to a protected resource. Typically this is the end-user.

Resource Server

The server hosting the protected resources. This is the API you want to access.

Client

The app requesting access to a protected resource on behalf of the Resource Owner.

Authorization Server

The server that authenticates the Resource Owner and issues tokens to the Client.

Tokens

Access Token

An opaque string or JWT that denotes who has authorized which permissions (scopes) to which application.

ID Token

A JWT that contains user profile information (name, email, etc.), represented in the form of claims.

DEMO

Spring API, VueJS, & JWT

Baseline

[Diagram: the Vue client calls the Spring API and the API answers with JSON; no token is involved yet]

Authentication
Implicit Grant Flow

Authenticated

[Diagram: after authentication the Vue client sends the access token with each request and the Spring API answers with JSON]

Silent Authentication

[Diagram: the client re-authenticates in a hidden iframe to obtain fresh tokens without prompting the user; the Spring API continues to answer with JSON]

BCP (Best Current Practice)

Authorization Code with PKCE (Proof Key for Code Exchange)

Authentication

[Diagram: the client sends code_challenge to the authorization server and is redirected back with code={123}]

[Diagram: the client sends code={123} together with code_verifier to the authorization server and receives tokens]

Authenticated

[Diagram: the Vue client sends the access token obtained through the code exchange with each request and the Spring API answers with JSON]

Resources

OAuth 2.0 Official Website

https://oauth.net/2/

OAuth 2.0 Complete Guide

http://bit.ly/oauth-complete

OAuth 2.0 Scopes

http://bit.ly/oauth-scopes

Thank You!
