Saturday, 2 January 2021

Spring Security and OAuth

Definitions

  • Authentication
    • Who are you?
    • Confirming that users are who they say they are (the identity is valid), e.g. by a password
  • Authorization or "access control"
    • Authorization is the act of granting an authenticated party permission to do something.
    • What are you allowed to do?
    • What resources does the employee have access to?
    • Authorities / permissions.
    • Rights and privileges of a user.


For example, think of a traveller checking into a hotel. When they register at the front desk, they are asked to provide a passport to verify that they are the person whose name is on the reservation. This is an example of authentication.

Once the hotel employee has authenticated the guest, the guest receives a keycard with limited privileges. This is an example of authorization. The guest’s keycard grants them access to their room, the guest elevator, and the pool — but not other guests’ rooms or the service elevator. Hotel employees, on the other hand, are authorized to access more areas of the hotel than guests are.


Authentication verifies a user’s identity.
Authorization validates whether the user has access to perform a specific function.

One-time passcodes (OTP) via SMS
Single sign-on (SSO)
Multi-factor authentication (MFA)


Documentation:

Custom filter:



Controller:


@RestController = @Controller + @ResponseBody

@Controller - when annotated, loads pages from the static/ folder:

    public String admin() {
        return "admin.html";
    }

@ResponseBody - when added, "admin.html" is returned as a plain string (the response body) instead of loading the page.

CSRF


Use CSRF protection for any request that can be processed by a browser on behalf of normal users.

CSRF response header from server



http.csrf().disable()   // turns CSRF protection off entirely
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())   // keeps protection; the token is sent in a cookie readable by JavaScript



Basic Auth

Cannot log out.

.httpBasic();

The connection passes the username/password with each request.

Form Based Auth

Can log out.
Customising the form.
Username and password.

.formLogin();

The connection is tracked with a session ID in a cookie (JSESSIONID).

References: AmigoCode 


OAuth 2


OAuth 2 and Spring Security
A - Authorization server. Provides tokens.
R - Resource server. Uses the token.


A - Authorization server 

Provides token.

Grant types:
  • password: the user's credentials are known to the client and the Authorization server
  • authorization_code: the user's credentials are known only to the Authorization server. The client redirects to the Authorization server to log in, and the Authorization server redirects back to the client.
  • Implicit grant type - less secure, DEPRECATED. One step fewer.
  • client_credentials



Blackboarding

The Resource server and the Authorization server write to the same blackboard (database).

Token implementations

How does the Resource server know the access token is a valid token?
  • opaque
    • If you read it, it's just a string; no information is encoded in the string.
    • More info is found by checking the /oauth/check_token endpoint.
  • JWT
    • The information is encoded in the token.


SSO


Authorization configuration for endpoints

http.authorizeRequests()
    .anyRequest()   // the rule is applied to all requests

followed by one of:

    .hasAuthority("admin")
    .hasAnyAuthority("admin", "manager")
    .hasRole("USER")   // badge - a group of actions; searches for "ROLE_USER" by default


Role and Authority

hasAuthority - Action (WRITE, READ)

hasRole - Badge (ROLE_ADMIN)


ENDPOINT = PATH + HTTP Method

/article + GET
/test + POST
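
A worked configuration that puts the pieces above together (the CSRF cookie repository, form login, and per-endpoint rules where an endpoint is path plus HTTP method), as an added example that is not part of the original notes. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter (the style current when these notes were written); the paths, the "article:write" authority and the demo users are constructed for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays on for browser clients: the token goes out in the XSRF-TOKEN cookie
            // (readable by JavaScript) and must come back in the X-XSRF-TOKEN header.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                // ENDPOINT = PATH + HTTP method: the same path gets a different rule per verb.
                .antMatchers(HttpMethod.GET, "/article/**").hasRole("USER")   // checks ROLE_USER
                .antMatchers(HttpMethod.POST, "/article/**").hasAuthority("article:write")
                .antMatchers("/admin/**").hasAnyAuthority("admin", "manager")
                .anyRequest().authenticated()
            .and()
            .formLogin()   // session-based login (JSESSIONID cookie), so logout is possible
            .and()
            .logout();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        // Constructed demo users; a real application loads them from its user store.
        // withDefaultPasswordEncoder() is for demos only (it warns against production use).
        return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder().username("alice").password("alice-pw")
                .roles("USER").build(),                        // granted authority ROLE_USER
            User.withDefaultPasswordEncoder().username("bob").password("bob-pw")
                .authorities("ROLE_USER", "article:write", "admin").build());
    }
}
```

With this in place, alice can GET /article but her POST to /article is refused (403) because she lacks "article:write", while bob can do both and also reach /admin.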


Resources:

https://oidcdebugger.com/ - openID debugger


https://jwt.io/ - jwt token decoder