Securing Microservices with OpenID Connect and Spring Security 5 (Devoxx Belgium 2019 Antwerp)

Have you ever wondered what the heck is OpenID Connect and how it differs from OAuth 2.0?
Are Grant Types, Flows, JOSE, JWT or JWK unfamiliar to you? Then this workshop is a great opportunity to get to know all of these things by getting your hands dirty in code using Spring Security 5.
After a short introduction to the basic concepts of OAuth 2.0 and OpenID Connect 1.0, we will take an existing sample Spring Boot application and implement authentication with OpenID Connect (OIDC) in several steps.

During the hands-on part we will cover the following parts:

  • Best practices to avoid OWASP Top 10 security risks of broken authentication and access controls
  • Usage of a certified OpenID Connect Provider Server
  • Insights into the authorization code flow of OAuth 2.0/OpenID Connect 1.0
  • Basic implementation of a Resource Server
  • Authorization with automatically mapped OIDC Scopes
  • Custom mapping of OIDC claims to Spring Security roles and authorities
  • Extended validation of JWTs
  • Realization of an OIDC Login Client
  • Differences in OIDC/OAuth 2.0 support for servlet-based and reactive web stacks (during hands-on we will mainly use the servlet-based web stack)
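To give a concrete picture of two of the items above (custom mapping of OIDC claims to Spring Security roles and authorities, and extended validation of JWTs beyond the default signature, issuer and expiry checks), here is an added illustration of a servlet-based resource server configuration. It is not code from the workshop or from the sample application; it assumes Spring Security 5.2, and the issuer URL, JWKS endpoint, expected audience and the `roles` claim name are hypothetical values to be replaced with those of your own OIDC provider.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical values: replace with your OIDC provider's issuer and JWKS endpoint
    // and with the client/audience identifier registered for this resource server.
    private static final String ISSUER = "https://idp.example.test/auth/realms/workshop";
    private static final String JWK_SET_URI = ISSUER + "/protocol/openid-connect/certs";
    private static final String EXPECTED_AUDIENCE = "library-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // "ROLE_" authorities come from the custom claim mapping below
                .antMatchers("/api/admin/**").hasRole("LIBRARY_ADMIN")
                // "SCOPE_" authorities mirror Spring Security's default scope mapping
                .antMatchers("/api/**").hasAuthority("SCOPE_library_read")
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());
    }

    // Decoder that fetches signing keys from the provider's JWKS endpoint and adds an
    // audience check on top of the default validators (signature, exp/nbf, issuer).
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, new AudienceValidator()));
        return decoder;
    }

    // Maps OIDC claims to authorities: the space-separated "scope" claim becomes SCOPE_*
    // and a hypothetical "roles" array claim becomes ROLE_* so that hasRole(...) works.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new ClaimsToAuthoritiesConverter());
        return converter;
    }

    static class ClaimsToAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
        @Override
        public Collection<GrantedAuthority> convert(Jwt jwt) {
            List<GrantedAuthority> authorities = new ArrayList<>();
            String scope = jwt.getClaimAsString("scope");
            if (scope != null) {
                for (String s : scope.split(" ")) {
                    if (!s.isEmpty()) {
                        authorities.add(new SimpleGrantedAuthority("SCOPE_" + s));
                    }
                }
            }
            List<String> roles = jwt.getClaimAsStringList("roles");
            if (roles != null) {
                for (String role : roles) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
                }
            }
            return authorities;
        }
    }

    // Rejects tokens that were issued for a different API, even if correctly signed by our issuer.
    static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            if (jwt.getAudience() != null && jwt.getAudience().contains(EXPECTED_AUDIENCE)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "Required audience is missing", null));
        }
    }
}
```

The audience validator is the part most often left out: the default validators confirm that the token is genuine and current, but not that it was minted for this particular resource server, so a token obtained for another client of the same provider would otherwise be accepted.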

Slides and Code
