OAuth 2.0 Cookbook
Protect your web applications using Spring Security
Adolfo Eloy Nascimento
BIRMINGHAM - MUMBAI

OAuth 2.0 Cookbook
Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: October 2017
Production reference: 2271117

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK

ISBN 978-1-78829-596-3
www.packtpub.com

Credits
Author: Adolfo Eloy Nascimento
Reviewer: Rafael Monteiro e Pereira
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Content Development Editor: Nikita Pawar
Technical Editor: Prachi Sawant
Copy Editors: Juliana Nair, Stuti Srivastava
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Francy Puthiry
Graphics: Kirk D'Penha
Production Coordinator: Nilesh Mohite

About the Author
Adolfo Eloy Nascimento is a software engineer at Elo7. He has a Bachelor's degree in Computer Science and has been working in software development since 1999. Around 2003, he started working with web development, implementing applications using ASP, PHP4/5, JavaScript, and Java (he still does occasional maintenance on a Ruby on Rails application). He started using OAuth 2.0 two years ago, when designing applications using microservice architectures, as well as modeling and interacting with public APIs. As a tech enthusiast, Adolfo also likes to read and learn about programming languages and new technologies. He also believes that, besides creating new applications, it is important to share the knowledge he has acquired, which he does by writing for his personal blog, writing articles for Java Magazine in Brazil, and writing tech books.

I would like to thank Janine for all her support and understanding during the writing of this book. Without her support it wouldn't have been possible. In addition, I would like to thank my parents, who gave me great support in my education. I would also like to thank Rafael Monteiro for accepting to review this book and improving the quality of each chapter. Finally, I would like to thank the Packt team, especially Rahul and Nikita, for helping me during the whole process of writing this book.

About the Reviewer
Rafael Monteiro e Pereira is a graduate in Computer Science from Mackenzie University in São Paulo, Brazil. He has always liked developing mission-critical and high-performance software. He also likes software security, especially playing with Kali Linux and its amazing set of tools. He believes there is always a new vulnerability out there waiting to be discovered. He worked for the startup Elo7 as a big data/search software engineer, for companies in the finance/banking sector, such as BM&F Bovespa, developing their trading platform, and for Itaú-Unibanco as a lead software engineer on their new big data platform.
Table of Contents

Preface

Chapter 1: OAuth 2.0 Foundations
  Introduction
  Preparing the environment
    Getting ready
    How to do it
    See also
    How it works
    There's more
    See also
  Reading the user's contacts from Facebook on the client side
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Reading the user's contacts from Facebook on the server side
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Accessing OAuth 2.0 LinkedIn protected resources
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Accessing OAuth 2.0 Google protected resources bound to the user's session
    Getting ready
    How to do it
    How it works
    There's more
    See also

Chapter 2: Implementing Your Own OAuth 2.0 Provider
  Introduction
  Protecting resources using the Authorization Code grant type
    Getting ready
    How to do it
    How it works
    There's more
  Supporting the Implicit grant type
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Configuring the Client Credentials grant type
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Adding support for refresh tokens
    Getting ready
    How to do it
    How it works
    There's more
    See also
  Using a relational database to store tokens and client details
    Getting ready
    How to do it
    How it works
    There's more
    See also

...
  ... together with Spring Security
...
    How to do it
    How it works
    See also
  Using proof-of-possession...
  ... works
    See also
...
  Using dynamic client