[NEW] Spring Security 7 + OAuth2 + JWT + Auth0 + Keycloak | Udemy

What are we going to cover

Spring Security Basics

• Master Security
• Security in Spring Boot & Microservices
• Why Security for your spring boot app?
• What is Spring Security?
• Key Spring Security Concepts
• Authentication
• Authorization
• Servlet Filters
• What are its alternatives?
• Security Implementation – Who’s responsibility
• Let’s get started !
• Why 401 ?
• Summary
• Spring Security: Convention-over-Configuration
• Key Participants in Authentication Framework
• Flow of Authentication in Spring Security
• Spring Security Auto-configured Beans
• UserDetailsService
• PasswordEncoder

Spring Security Configuration

• Introduction to POC 2
• Overriding Default Configurations
• Customizing Spring Security Configuration
• Why Authentication Fails Now
• Fixing Authentication Step by Step
• Define User Credentials
• Adding User to InMemoryUserDetailsManager
• Defining a PasswordEncoder Bean
• Why Avoid HTTP Basic Authentication?

User Management

• User Management
• User Management Components
• UserDetails
• UserDetailsManager
• User
• Customising User Details Service
• POC 3
• Creating User & Authority Table
• Mapping User & Authorities table
• Why Authorities are eagerly fetched
• Fetch saved Authorities from SecurityContext

Authorization

• Authorization
• How Authorization works
• What are we going to learn
• GrantedAuthority
• Difference between Authorities and Roles
• Authorization implementations level
• Endpoint Level Authorization

Security Filter Chain

• Security Filter Chain
• Defining a Filter Chain
• Modifying Filter chain
• Why still 403 ?
• anyRequest().authenticated()
• anyRequest().permitAll()
• anyRequest().hasAuthority()
• anyRequest().hasAnyAuthority()
• Role
• anyRequest().hasRole()
• anyRequest().hasAnyRole()
• 401 VS 403
• anyRequest().access()
• Advantage of anyRequest().access()
• Disadvantage of anyRequest().access()
• anyRequest().denyAll()

Request Matchers

• Matcher Methods
• List of All Matcher Methods
• Request Matcher
• Request Matcher Methods
• Real-life analogy
• How requestMatchers() works in this setting
• Code Block

Types of Matchers

• Ant Matcher
• ANT Matcher Methods
• Why it was popular
• Example in Spring Security 5.x
• Why Deprecated in Spring Security 6+
• MVC Matcher
• MVC Matcher Methods
• Why it was used
• Regex Matcher
• regexMatchers()
• Why use it
• Dispatcher Type Matcher
• Purpose – What is DispatcherType
• Servlet Path Matcher
• Purpose
• Is it any relevant in spring boot app?
• Combining all Matcher methods

Method Level Security

• Authorization at the method level
• Where do we stand now?
• Can Spring Security Be Used in Non-Web Applications?
• Where Can You Apply Method Security?
• Why Use Method Security?
• Role of Authentication in Enabling Method Security
• Why Not Use permitAll() with Method Security
• Code snippet
• Enabling method security
• New way of enabling Method level Authorization
• What Happens Behind the Scenes
• Why Called “Aspect Behind the Scene”?
• Prevent GOD class with Method level Authorization?
• Best Practice
• Priority of Rules: Security Config vs Method-Level Authorization
• Performance Consideration: Method-Level vs Filter-Level Authorization
• How Method-Level Security Goes Beyond Filters
• Multi-line @PreAuthorize for Complex Security Rules
• Disadvantages of Multi-line rules
• Moving Beyond SpEL: Bean-Based Security Checks
• Post Authorize
• Difference Between @PreAuthorize and @PostAuthorize

Filters in Method Security

• Pre filter
• Pre filter – Key Pointers
• Postfilter – Key Pointers
• Post Filter Pitfalls
• PreFilter VS PostFilter
• @Pre/@PostAuthorize VS @Pre/@PostFilter

OAuth 2 & OIDC Basics

• OAuth 2 & OIDC
• Basics
• Actors/Roles in OAuth2
• OAuth 2 Flow
• The OAuth 2.0 Solution
• Why this is powerful
• Steps in OAuth 2
• How to get the token?
• Heart of how OAuth2 + Spring Security works
• Grant types
• Types of Grant types
• Deprecated Grant types
• OAuth’s Main Security Principle
• Why Password Grant Type Is Deprecated
• Modern Replacement
• Why Implicit Grant Type Is Deprecated
• Summary

Authorization Code Flow

• Authorization Code Flow
• What Is the Authorization Code Grant Type?
• Step-by-Step Flow
• Advantages
• Disadvantages

Authorization Code Flow with PKCE

• What is PKCE
• Why PKCE was introduced
• The Players
• Authorization Code Flow with PKCE — Step by Step
• How PKCE Prevents Attacks
• How Verifier & Challenge Work
• Real-World Analogy: The Locker & Key
• Summary of PKCE Flow
• Authorization Code vs Authorization Code + PKCE
• Points to remember

Client Credentials Flow

• Client Credentials Grant Type
• What is Client Credentials grant
• When to use it
• The Actors
• Flow (step-by-step)
• Typical token response
• Client authentication methods with AS
• How Scopes → Authorities Mapping Works
• Scopes & authorities
• Tokens: JWT vs opaque
• Security considerations / best practices
• Pitfalls & gotchas

Refresh Token Flow

• Refresh Token Grant Type
• What is a Refresh Token?
• Why Refresh Tokens Exist
• Who uses the Refresh Token flow?
• Refresh Token Grant Type Flow
• Static (Reusable) Refresh Tokens
• Rotating (One-time) Refresh Tokens
• How OAuth2 servers decide
• What clients must do
• Key Token Lifetimes
• Why Refresh Tokens Are Sensitive
• Refresh Token Flow vs Access Token Flow

Tokens

• What is opaque token?
• How opaque token Works?
• Introspection response
• Non-opaque tokens vs opaque tokens

JWT

• JWTs
• What is a JWT?
• The basic structure of a JWT
• How JWT works
• JWT signing methods
• Common JWT claims
• How JWTs are verified
• Private and Public keys
• What is /jwks.json?
• Why JWTs are so popular
• Limitations / Pitfalls

OIDC

• OIDC
• What is OIDC
• Authorization code flow with PKCE
• Real-world example (Google Login)
• Why OIDC exists
• What OIDC Actually Is
• Core Components in OIDC
• ID Token
• Standard Claims in ID Token
• OIDC Scopes
• OIDC Endpoints
• Benefits of OIDC
• Common pitfalls
• Nonce
• Why Nonce

SSO

• SSO
• What is SSO
• Actors in SSO
• Steps in SSO
• Why SSO works
• Common Pitfalls Of SSO
• Security benefit of SSO
• SSO Logout Scenarios
• Why OAuth2 + OIDC are REQUIRED for SSO

CSRF

• CSRF
• What is CSRF
• Core browser behavior
• Why CSRF is dangerous
• How websites stop CSRF
• Why Spring Security enables CSRF by default

CORS

• CORS
• What is CORS
• Why CORS exists
• What is an origin
• CORS Rule
• Spring Boot CORS config
• Common CORS mistakes
• CORS vs CSRF

Full Stack POC

• Full stack POC
• Intro to Foodify App
• UI Of Foodify App POC
• Backend Of Foodify App POC
• Auth0 configurations
• Spring Security Implementation

Auth0

• What is Auth0
• Key Components of Auth0
• What Happens During Login
• Why Use Auth0
• MFA
• Social Login
• Centralized Identity
• Developer Productivity
• When SHOULD you build yourself?

Roles & Permissions

• What is Authentication vs Authorization?
• What is OAuth2 / OIDC?
• Architecture for End to end POC with Auth0
• What is Application in Auth0?
• What is API in Auth0?
• What is Audience?
• What are Roles?
• What are Permissions?
• Roles vs Permissions
• RBAC
• Why RBAC is Used
• Why roles & permissions in JWT?

JWT Processing in Spring Security

• What is JwtDecoder?
• What is JwtAuthenticationConverter?
• What is Authority in Spring?
• ROLE_ prefix
• Common Mistakes

Implementation Steps

• Steps to Implement Spring Security
• Steps to setup Auth0
• Steps to add Roles in token
• What happens in backend
• FINAL FLOW (END-TO-END)
• KEY CONCEPTS
• COMMON MISTAKES

Keycloak

• Keycloak
• What is Keycloak?
• High Level Architecture
• Core Terminologies
• Types of Clients
• Role Types
• Client Scope
• Groups
• Identity Provider (IDP)
• Flows
• Keycloak vs Auth0
• Feature Comparison
• who should choose Keycloak vs Auth0

Social Login

• Social Login
• What is Social Login
• How Social Login works
• Benefits of Social Login
• Configure Identity Providers in Keycloak
• Google login Steps
• Github social login steps