23.10.2019: Voxxed Days Microservices – Securing Microservices with OpenID Connect and Spring Security 5 (Workshop)
Are you pushing your apps to the cloud using a microservices architecture and asking yourself how to implement secure authentication using OAuth2/OpenID Connect?
As an enthusiastic Spring developer & OWASP member, I want to help to make the software more secure and share my knowledge with you in this Spring Security 5.1 workshop.
Have you ever wondered what the heck OpenID Connect is and how it differs from OAuth 2.0? Are Grant Types, Flows, JOSE, JWT or JWK unknown beings to you?
Then this workshop is a great opportunity for you to get to know all these things by getting your hands dirty in code using Spring Security 5.
After a short introduction to the basic concepts of OAuth 2.0 and OpenID Connect 1.0, we will take an existing sample Spring Boot application and implement authentication with OpenID Connect (OIDC) in several steps.
During the hands-on part we will cover the following parts:
- Best practices to avoid OWASP Top 10 security risks of broken authentication and access controls
- Usage of a certified OpenID Connect Provider Server
- Insights into the authorization code flow of OAuth 2.0/OpenID Connect 1.0
- Basic implementation of a Resource Server
- Authorization with automatically mapped OIDC Scopes
- Custom mapping of OIDC claims to Spring Security roles and authorities
- Extended validation of JWTs
- Realization of an OIDC Login Client
- Differences in OIDC/OAuth 2.0 support for servlet-based and reactive web stacks (during hands-on we will mainly use the servlet-based web stack)