OAuth for Java Developers - Codemotion Madrid 2023

You can use OAuth to secure apps, APIs, and devices. OAuth has become increasingly popular, especially as developers are asked to knit together hundreds of apps and thousands of users in enterprise environments.

The Java ecosystem is vast, with over 10 million developers worldwide and an abundance of IDEs, build tools, libraries, and frameworks to make them more productive. In this session, I’ll give you the state of the OAuth ecosystem in Java. You’ll learn which frameworks support OAuth and which ones don’t. I’ll also offer some practical examples you can run in just a few minutes.

Demo script: https://github.com/oktadev/auth0-java-oauth-examples/blob/main/demo.adoc
Related blog post: https://developer.okta.com/blog/2022/06/16/oauth-java

Matt Raible

May 09, 2023

Transcript

  1. OAuth for Java Developers
    Matt Raible | @mraible

  2. Hi, I’m Matt Raible
    Father, Husband, Skier, Mountain Biker, Whitewater Rafter
    Bus Lover
    Web Developer and Java Champion
    Okta Developer Advocate
    Blogger on raibledesigns.com and auth0.com/blog

  6. developer.okta.com

  7. developer.auth0.com

  9. Agenda
    01 What the Heck is OAuth?
    02 Java's OAuth 2.0 Support
    03 OAuth 2.0 in Action
    04 Java Security Frameworks
    05 OAuth 2.0 Authorization Servers

  10. What the Heck is OAuth?

  11. Web Authentication
    GET /index.html HTTP/1.1
    Host: www.example.com
    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    (The Basic value is only base64 of Aladdin:open sesame: the password itself travels with every request.)

  12. Federated Identity
    Identity Provider (IdP) and Service Provider (SP): Trust
    End User: Obtains Assertion (from the IdP), Provides Assertion (to the SP)

  13. SAML 2.0
    Authentication Request Protocol
    Assertion

  14. SAML 2.0 Authentication Request Protocol

  15. SAML 2.0 Assertion
    (assertion XML; element tags not preserved, values as shown)
    IssueInstant="2004-12-05T09:22:05"
    https://example.okta.com
    ...
    [email protected]
    https://sp.example.com/saml2/sso
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    Matt Raible

  16. SAML = Web SSO

  18. What’s Changed Since 2005?

  19. What is OAuth?
    An open standard for authorization; anyone can implement it
    Provides “secure delegated access” to client applications
    Works over HTTPS and authorizes devices, APIs, servers, and applications … with access tokens rather than credentials

  20. Confusion

  21. Identity Use Cases (circa 2006)
    Simple login — basic, forms, & cookies
    Single sign-on across sites — SAML
    Mobile app login — N/A
    Delegated authorization — N/A

  22. The Delegated Authorization Problem
    How can you let a website access your data (without giving it your password)?

  23. Don’t do it this way!

  24. Have you ever seen one of these?

  26. Hotel Key Cards, but for Apps

  27. Hotel Key Cards, but for Apps
    OAuth Authorization Server → Access Token → Resource (API)

  28. Delegated Authorization with OAuth 2.0
    “I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only.”
    yelp.com: Connect with Google

  29. Delegated Authorization with OAuth 2.0
    yelp.com: Connect with Google
    accounts.google.com: Email / ********** (sign in)
    accounts.google.com: “Allow Yelp to access your public profile and contacts?” No / Yes
    yelp.com/callback
    contacts.google

  30. OAuth 2.0 Terminology
    Actors
    Clients
    Authorization Server
    Resource Server
    Access Tokens
    Redirect URIs

  31. Actors
    Resource Owner (RO) delegates to the Client
    Client obtains a token from the Authorization Server (AS)
    Client uses the token at the Resource Server (RS)

  33. Clients
    Public (Client Identification)
    Confidential (Client Authentication)

  34. Clients
    Client Registration is the DMV of OAuth

  35. Authorization Server
    Authorize Endpoint (/oauth2/authorize)
    Token Endpoint (/oauth2/token): Authorization Grant or Refresh Token in, Access Token out
    Introspection Endpoint (/oauth2/introspect)
    Revocation Endpoint (/oauth2/revoke)

  36. Tokens
    Access Token (Required)
    • Short-lived token used by Client to access Resource Server (API)
    • Opaque to the Client
    • No client authentication required (Public Clients)
    • Optimized for scale and performance
    • Revocation is dependent on implementation
    Refresh Token (Optional)
    • Long-lived token that is used by Client to obtain new access tokens from Authorization Server
    • Usually requires Confidential Clients with authentication
    • Forces client to rotate secrets
    • Can usually be revoked
    OAuth doesn’t define the format of a token!

  37. Access Token Types
    Self-encoded tokens
    Protected, time-limited data structure agreed upon between Authorization Server and Resource Server that carries metadata and claims about the identity of the user or client over the wire.
    Resource Server can validate the token locally by checking the signature, the expiry, the expected issuer name, and the expected audience or scope.
    Commonly implemented as signed JSON Web Tokens (JWT)
    Reference tokens (aka opaque tokens)
    Infeasible-to-guess (secure-random) identifier for a token issued and stored by the OAuth 2.0 Authorization Server
    Resource Server must send the identifier via back-channel to the OAuth 2.0 Authorization Server’s token introspection endpoint to determine if the token is valid and obtain claims/scopes

  38. OAuth 2.0 Authorization Code Flow
    Client: yelp.com. Authorization Server: accounts.google.com.
    1. Resource owner clicks “Connect with Google”
    2. Go to authorization server: Redirect URI: yelp.com/callback, Response type: code
    3. Resource owner signs in (Email / **********) and answers “Allow Yelp to access your public profile and contacts?” No / Yes
    4. Back to redirect URI (yelp.com/callback) with authorization code
    5. Exchange code for access token
    6. Talk to resource server (contacts.google) with access token

  39. More OAuth 2.0 Terminology
    Scopes
    Consent
    Grants

  40. Scopes
    Additive bundles of permissions asked for by the client when requesting a token (scopes to allow, scopes to deny)
    Decouples authorization policy decisions from enforcement
    Who owns the data? End user or the target service
    Who gets to specify the authorization policy? End user or application owner

  41. OAuth 2.0 Authorization Code Flow
    Client: yelp.com. Authorization Server: accounts.google.com.
    1. Resource owner clicks “Connect with Google”
    2. Go to authorization server: Redirect URI: yelp.com/callback, Scope: profile contacts
    3. Resource owner signs in (Email / **********)
    4. Request consent from resource owner: “Allow Yelp to access your public profile and contacts?” No / Yes
    5. Back to redirect URI (yelp.com/callback) with authorization code
    6. Exchange code for access token
    7. Talk to resource server (contacts.google) with access token

  42. Flow Channels
    Resource Owner (RO) delegates to the Client; Client obtains a token from the Authorization Server (AS) and uses it at the Resource Server (RS)
    Front Channel: the legs that pass through the resource owner's user agent (browser redirects)
    Back Channel: direct HTTPS calls from the Client to the AS and to the RS

  43. Authorization Request
    Note: Parameters are not URL-encoded for example purposes
    Request
    GET https://accounts.google.com/o/oauth2/auth?
      scope=gmail.insert gmail.send&
      redirect_uri=https://app.example.com/oauth2/callback&
      response_type=code&
      client_id=812741506391&
      state=af0ifjsldkj
    Response
    HTTP/1.1 302 Found
    Location: https://app.example.com/oauth2/callback?
      code=MsCeLvIaQm6bTrgtp7&
      state=af0ifjsldkj

  44. Token Request
    Note: Parameters are not URL-encoded for example purposes
    POST /oauth2/v3/token HTTP/1.1
    Host: www.googleapis.com
    Content-Type: application/x-www-form-urlencoded

    code=MsCeLvIaQm6bTrgtp7&
    client_id=812741506391&
    client_secret={client_secret}&
    redirect_uri=https://app.example.com/oauth2/callback&
    grant_type=authorization_code

  45. Token Response
    {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"
    }

    View Slide

  46. Making Protected Resource Requests
    curl -H "Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA" \
      https://www.googleapis.com/gmail/v1/users/1444587525/messages

  47. OAuth 2.0 Authorization Code Flow
    Client: yelp.com. Authorization Server: accounts.google.com.
    1. Resource owner clicks “Connect with Google”
    2. Go to authorization server, Redirect URI: yelp.com/callback (front channel)
    3. Resource owner signs in (Email / **********)
    4. Request consent from resource owner: “Allow Yelp to access your public profile and contacts?” No / Yes
    5. Back to redirect URI (yelp.com/callback) with authorization code (front channel)
    6. Exchange code for access token (back channel)
    7. Talk to resource server (contacts.google) with access token (back channel)
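
    The client side of the exchange on slides 43 to 47, as an added example in Python; it is not code from the talk or from the oktadev demo repository. It builds the front-channel authorization request with a fresh state and a PKCE code challenge, checks the callback against the registered redirect URI and the stored state before accepting the code, and assembles the back-channel token request and the Bearer header. The endpoints and client_id are the ones printed on slides 43 and 44; the callback URL in the usage section is constructed. The HTTP calls themselves are left to whatever client you use, so the functions only build and check the messages.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from slides 43 and 44 (the client_id is the one printed there).
AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v3/token"
CLIENT_ID = "812741506391"
REDIRECT_URI = "https://app.example.com/oauth2/callback"


def b64url(raw: bytes) -> str:
    """base64url without padding, as PKCE and JWT use it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def begin_login(scope: str) -> tuple[str, dict]:
    """Front-channel authorization request (slide 43). Returns the URL to send the
    browser to and the per-login secrets the client keeps server-side, in the
    user's session, until the callback comes back."""
    state = b64url(secrets.token_bytes(16))          # binds the callback to this session (CSRF)
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars; never leaves the client
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), {"state": state, "code_verifier": code_verifier}


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query string (helper for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Process the 302 back to the client (slide 43, response) and build the form
    body for the back-channel token request (slide 44)."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect URI")
    query = query_params(callback_url)
    if "error" in query:
        raise ValueError(f"authorization server returned error={query['error']}")
    # Compare state before touching the code: a code arriving with a missing or
    # foreign state is somebody else's code being injected into this session.
    if not hmac.compare_digest(query.get("state", "").encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if not query.get("code"):
        raise ValueError("no authorization code in callback")
    # Same parameters as slide 44 plus the PKCE verifier. A confidential client also
    # authenticates (client_secret on the slide); a public client sends only these.
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }


def bearer_header(token_response: dict) -> dict:
    """Header for the protected resource request on slide 46, from a slide 45 response."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unsupported token_type {token_response.get('token_type')!r}")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


if __name__ == "__main__":
    url, pending = begin_login("gmail.insert gmail.send")
    print("redirect the browser to:", url)
    # Constructed callback that reuses the code value printed on slide 43.
    callback = f"{REDIRECT_URI}?code=MsCeLvIaQm6bTrgtp7&state={pending['state']}"
    print("POST", TOKEN_ENDPOINT, handle_callback(callback, pending))
    print(bearer_header({"access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600}))
```

    The state and code_verifier must live in server-side session state keyed to the browser that started the login, never in the URL; the callback handler is the only place they are read, and it reads them once.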

  48. OAuth 2.0 Grant Types (Flows)
    Implicit
    • Optimized for browser-only Public Clients
    • Access token returned directly from authorization request (Front-channel only)
    • Does not support refresh tokens
    • Assumes Resource Owner and Public Client are on the same device
    • Most vulnerable to security threats
    Authorization Code
    • Front channel flow used by Client to obtain authorization code grant
    • Back channel flow used by Client to exchange authorization code grant for access token and optionally refresh token
    • Assumes Resource Owner and Client are on separate devices
    • Most secure flow as tokens never pass through the user-agent
    Client Credential
    • Optimized for server-only Confidential Clients acting on behalf of itself or a user
    • Back-channel only flow to obtain an access token using the Client’s credentials
    • Supports shared secrets or assertions as Client credentials signed with either symmetric or asymmetric keys

  49. OAuth 2.0 Grant Types (Flows)
    Resource Owner Password
    • Legacy grant type for native username/password apps such as desktop apps
    • Username/password is the authorization grant used to obtain an access token from the Authorization Server
    • Refresh tokens are optional
    • Assumes Resource Owner and Public Client are on the same device
    Device
    • Optimized for devices that do not have access to web browsers
    • User code is returned from the authorization request that must be redeemed by visiting a URL on a device with a browser to authorize
    • Back channel flow used by Client to poll for authorization approval for access token and optionally refresh token
    Assertion
    • Allows Authorization Server to trust authorization grants from a third party such as a SAML IdP (Federation)
    • Assertion is used to obtain an access token with the token request
    • Does not support refresh tokens

  50. OAuth Flows
    Six different flows
    Necessary because of:
    How do you get consent from the client?
    Who is giving consent?
    Adds a lot of complexity to OAuth

  51. OAuth 2.0 Playground https://oauth.com/playground

  52. OAuth 2.0 Facts
    Not backward compatible with OAuth 1.0
    Interoperability issues exist, as it is not a protocol but rather an authorization framework
    OAuth 2.0 is not an authentication protocol
    OAuth 2.0 alone says absolutely nothing about the user

  53. OAuth 2.0 and OpenID Connect
    Layers: OpenID Connect over OAuth 2.0 over HTTP
    OpenID Connect is for authentication
    OAuth 2.0 is for authorization

  54. OpenID Connect
    OAuth 2.0 + Facebook Connect + SAML 2.0 (good parts)
    Extends OAuth 2.0 with new signed id_token for the Client and UserInfo endpoint to fetch user attributes
    Provides a standard set of scopes and claims for identities: profile, email, address, phone
    Built-in registration, discovery & metadata for dynamic federations
    Bring Your Own Identity (BYOI)
    Supports high assurance levels and key SAML use cases (enterprise)

  55. Authorization Request
    Note: Parameters are not URL-encoded for example purposes
    Request
    GET https://accounts.google.com/o/oauth2/auth?
      scope=openid email&
      redirect_uri=https://app.example.com/oauth2/callback&
      response_type=code&
      client_id=812741506391&
      state=af0ifjsldkj
    Response
    HTTP/1.1 302 Found
    Location: https://app.example.com/oauth2/callback?
      code=MsCeLvIaQm6bTrgtp7&
      state=af0ifjsldkj

  56. Token Request
    POST /oauth2/v3/token HTTP/1.1
    Host: www.googleapis.com
    Content-Type: application/x-www-form-urlencoded

    code=MsCeLvIaQm6bTrgtp7&
    client_id=812741506391&
    client_secret={client_secret}&
    redirect_uri=https://app.example.com/oauth2/callback&
    grant_type=authorization_code

  57. Token Response
    {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ..."
    }

  58. OpenID Connect
    OAuth 2.0 Authorization Server & OpenID Connect Provider (OP): /.well-known/openid-configuration, Authorization Endpoint, Token Endpoint, JWKS Endpoint, UserInfo Endpoint
    Client (Relying Party); OAuth 2.0 Resource Server
    1. Discover OpenID Provider Metadata
    2. Perform OAuth flow to obtain an ID token and/or access token
    3. Get JSON Web Key Set (JWKS) for signature keys
    4. Validate ID token (JSON Web Token)
    5. Get additional user attributes with access token from UserInfo endpoint

  59. OIDC Authorization Code Flow
    Client: yelp.com. Authorization Server: accounts.google.com.
    1. Resource owner clicks “Connect with Google”
    2. Go to authorization server: Redirect URI: yelp.com/callback, Scope: openid profile
    3. Resource owner signs in (Email / **********)
    4. Request consent from resource owner: “Allow Yelp to access your public profile and contacts?” No / Yes
    5. Back to redirect URI (yelp.com/callback) with authorization code
    6. Exchange code for access token and ID token
    7. Get user info from accounts.google/userinfo with access token
    8. “Hello Matt!”

  60. JSON Web Token (JWT)
    base64url(Header) + “.” + base64url(Claims) + “.” + base64url(Signature)
    eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2V4
    YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxd
    llsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeE
    VqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDY
    zMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjox
    NDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb
    20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0.XcNXs4C7Dq
    pR22LLti777AMMVCxM7FjEPKZQnd-
    AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-
    L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9
    _YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm
    8
    Header
    {
    "alg": "RS256",
    "kid": "123456789"
    }
    Claims
    {
    "iss": "https://example.okta.com",
    "sub": "00ugrenMeqvYla4HW0g3",
    "aud": "w255HEWiSU4AuNxEjeij",
    "iat": 1446305282,
    "exp": 1446308882,
    "amr": [
    "pwd"
    ],
    "auth_time": 1446305282,
    "email": "[email protected]",
    "email_verified": true
    }
    Signature
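
    Steps 3 and 4 of slide 58 applied to the token on this slide, as an added Python example that is not part of the deck. The header and claims of the slide's own token are decoded from it (it was signed with RS256 and the page carries no public key, so for that token only decoding is possible), and a full validator that pins the algorithm, verifies the signature before reading any claim, and checks iss, aud, exp and iat is exercised on a token minted here with a constructed HS256 key. With RS256 you would fetch the key named by kid from the JWKS endpoint and verify with a JOSE library; the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json

# The ID token printed on the slide, header.claims.signature. Only its header and
# claims are decoded below: there is no public key on the page, so its RS256
# signature cannot be verified here.
SLIDE_ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJodHRwczovL2V4"
    "YW1wbGUub2t0YS5jb20iLCJzdWIiOiIwMHVncmVuTWVxd"
    "llsYTRIVzBnMyIsImF1ZCI6IncyNTVIRVdpU1U0QXVOeE"
    "VqZWlqIiwiaWF0IjoxNDQ2MzA1MjgyLCJleHAiOjE0NDY"
    "zMDg4ODIsImFtciI6WyJwd2QiXSwiYXV0aF90aW1lIjox"
    "NDQ2MzA1MjgyLCJlbWFpbCI6ImthcmxAZXhhbXBsZS5jb"
    "20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZX0."
    "XcNXs4C7DqpR22LLti777AMMVCxM7FjEPKZQnd-AS_Cc6R54wuQ5EApuY6GVFCkIlnfbNmYSbHMkO4H-"
    "L3uoeXVOPQmcqhNPDLLEChj00jQwZDjhPD9uBoNwGyiZ9_YKwsRpzbg9NEeY8xEwXJFIdk6SRktTFrVNHAOIhEQsgm8"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with the padding stripped; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.
    Fine for inspection and logging; never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed HS256 issuer, here only so the validator can be exercised offline."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, issuer: str, audience: str, now: int, leeway: int = 60) -> dict:
    """Step 4 of slide 58 for an HS256 token: pin the algorithm, check the signature
    before reading any claim, then check iss, aud, exp and iat."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # The verifier, not the token, decides the algorithm. Trusting whatever "alg"
    # says is how "none" and RS256-to-HS256 key-confusion tokens get accepted.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    return claims


if __name__ == "__main__":
    header, claims = decode_unverified(SLIDE_ID_TOKEN)
    print(header, claims["iss"], claims["sub"], claims["exp"])
    key = b"constructed-demo-key"
    token = mint_hs256({"iss": "https://as.example", "aud": "client-1", "sub": "u1", "iat": 1000, "exp": 2000}, key)
    print(validate_id_token(token, key, "https://as.example", "client-1", now=1500))
```

    Note the order inside validate_id_token: nothing from the claims segment is used until the signature over header and claims has passed, and the algorithm is fixed by configuration rather than read from the token. The slide's own token is rejected by the validator for exactly that reason: its header says RS256, which this verifier is not configured for.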

  61. jwt.io https://jwt.io

  62. Can you do OAuth without a browser?
    No. A browser is required.
    Three options if a user is involved:
    1. Web app: handle a redirect
    2. CLI, TV, etc: use the Device Grant
    3. Native app: use a custom URL handler

  63. OAuth 2.1
    https://oauth.net/2.1/
    PKCE is required for all clients using the authorization code flow
    Redirect URIs must be compared using exact string matching
    The Implicit grant is omitted from this specification
    The Resource Owner Password Credentials grant is omitted from this specification
    Bearer token usage omits the use of bearer tokens in the query string of URIs
    Refresh tokens for public clients must either be sender-constrained or one-time use
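
    Three of the OAuth 2.1 rules above seen from the authorization server's side, as an added example (Python, not code from the talk): exact redirect URI comparison next to the prefix match it replaces, PKCE S256 verification at the token endpoint with single-use codes, and one-time-use refresh tokens with reuse detection. The in-memory AuthorizationServer class and its client registration are constructed for the example; the client_id and redirect URI reuse the values printed on slides 43 and 44.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed client registration, as the authorization server would store it.
REGISTERED_CLIENTS = {
    "812741506391": {"redirect_uris": ("https://app.example.com/oauth2/callback",)},
}


def pkce_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(code_verifier))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _registered_uris(client_id: str) -> tuple:
    return REGISTERED_CLIENTS.get(client_id, {}).get("redirect_uris", ())


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered value, as OAuth 2.1 requires."""
    return redirect_uri in _registered_uris(client_id)


def redirect_uri_allowed_lax(client_id: str, redirect_uri: str) -> bool:
    """The prefix match the rule forbids, kept only to show what it lets through:
    anything appended to the registered URI (a path, a query, a traversal) passes."""
    return any(redirect_uri.startswith(r) for r in _registered_uris(client_id))


class AuthorizationServer:
    """Minimal in-memory AS state: single-use codes bound to their PKCE challenge and
    redirect URI, and one-time-use refresh tokens grouped into families."""

    def __init__(self):
        self.codes = {}            # code -> {client_id, redirect_uri, code_challenge}
        self.refresh_tokens = {}   # refresh token -> {client_id, family, used}
        self.revoked_families = set()

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, method: str = "S256") -> str:
        """Issue an authorization code once the resource owner has consented."""
        if not redirect_uri_allowed(client_id, redirect_uri):
            raise ValueError("redirect_uri does not exactly match a registered value")
        if method != "S256" or not code_challenge:
            raise ValueError("code_challenge with method S256 is required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "code_challenge": code_challenge}
        return code

    def token_from_code(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint, grant_type=authorization_code. The code is consumed whether
        or not the exchange succeeds, so a stolen code cannot be retried."""
        grant = self.codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if not hmac.compare_digest(pkce_challenge(code_verifier), grant["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return self._issue(client_id, family=secrets.token_hex(8))

    def token_from_refresh(self, client_id: str, refresh_token: str) -> dict:
        """Token endpoint, grant_type=refresh_token, with rotation: each refresh token
        works once and returns a successor. A used token being presented again means
        two parties hold it, so the whole family is revoked, the legitimate one included."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            raise ValueError("invalid_grant")
        if rec["used"] or rec["family"] in self.revoked_families:
            self.revoked_families.add(rec["family"])
            raise ValueError("invalid_grant: refresh token reuse detected, family revoked")
        rec["used"] = True
        return self._issue(client_id, rec["family"])

    def _issue(self, client_id: str, family: str) -> dict:
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = {"client_id": client_id, "family": family, "used": False}
        # Same shape as the token response on slide 45; these are reference tokens.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh_token}
```

    Revoking the family on reuse is what makes one-time-use refresh tokens worth having: without it a leaked refresh token is good until the next legitimate refresh, and the attacker who got there first keeps the newest one.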

  64. Java's OAuth 2.0 Support

  65. Java's OAuth 2.0 Support
    Java, the language, does not have OAuth support
    The JDK doesn't contain APIs to write a web app
    Building blocks are provided by Servlet API and Jakarta EE
    Jakarta Security 3.0 supports OpenID Connect!

  66. OAuth in Java Frameworks

  67. MicroProfile JWT Authentication

  68. Quarkus

  69. Helidon

  70. Micronaut

  71. Spring Boot

  72. What about JSF and Wicket?

  73. OAuth 2.0 in Action

  74. Java OAuth Demos
    https://github.com/oktadev/auth0-java-oauth-examples

  75. Java Security Frameworks

  77. OAuth 2.0 Authorization Servers

  78. Open Source OAuth 2.0 Authorization Servers
    Keycloak, Spring Authorization Server, WSO2 Identity Server

  79. What about JavaFX?

  80. Do Scala and Kotlin support OAuth?

  81. Learn more about Java and OAuth
    https://developer.okta.com/blog/2022/06/16/oauth-java

  82. Play with OAuth 2.0 and OpenID Connect
    developer.auth0.com

  83. Join us as an Auth0 Ambassador!
    auth0.com/ambassador-program

  84. Thank you!
    Keep in Touch
    raibledesigns.com
    @mraible
    Presentations: speakerdeck.com/mraible
    Code: github.com/oktadev
    © Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only.

  85. @oktadev