Securing an application is a very sensitive topic. It brings complexity, but it can’t be neglected. In this article I give a brief introduction to the concepts. In the upcoming parts I will show how to implement an authentication/authorization process with OAuth, Spring Security and Keycloak.
What is OAuth2?
OAuth 2 (RFC 6749) is a process where authentication is delegated to a third-party application that hosts the user account. Using this process, the client avoids needing the user’s account password. For example, you can use your Facebook, GitHub or Google account to log in to a service.
- Resource server is where the user’s resources are held
- Owner is the user that owns the resources and gives permission to the client
- Client is the application that wants to access the user’s resources
- Authorization server is responsible for verifying the user’s identity and generating the access tokens
In this section the flow involved in the OAuth process is described, together with a diagram illustrating the requests and responses for each role.
- The client requests authorization from the resource owner. Alternatively, the authorization request can be made using the authorization server as an intermediary
- The client receives the authorization grant, which represents the resource owner’s authorization; its form depends on the method used to request the authorization
- The client requests an access token using the credential obtained in the previous step
- The authorization server authenticates the client and validates the authorization grant; if everything is all right, it issues an access token
- Using the access token received from the authorization server, the client authenticates and requests the protected resource from the resource server
- The access token is validated by the resource server and, if it is valid, the protected resource is returned
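To make the six steps concrete, here is a small Python model of the flow, added as an illustration and not code from this series or from Keycloak or Spring Security. The `AuthorizationServer` and `ResourceServer` classes, the client id `web-app`, the secret and the redirect URI are all constructed for the example; the checks it enforces (client authentication, single-use and short-lived codes, redirect URI binding, token expiry and scope) are the ones a real authorization server applies at steps 4 and 6.

```python
import hashlib, hmac, secrets, time

# Constructed toy implementation of the RFC 6749 abstract flow; not Keycloak or Spring Security code.
class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> (sha256(secret), registered redirect_uri)
        self.codes = {}    # authorization code -> (client_id, redirect_uri, user, scope, expiry)
        self.tokens = {}   # access token -> (user, scope, expiry)
    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (hashlib.sha256(client_secret.encode()).digest(), redirect_uri)
    def authorize(self, client_id, redirect_uri, user, scope):
        # Steps 1-2: the resource owner consents; the server issues a short-lived, single-use grant
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unauthorized_client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, scope, time.time() + 60)
        return code
    def token(self, client_id, client_secret, code, redirect_uri):
        # Steps 3-4: the client authenticates and exchanges the grant for an access token
        secret_hash, _ = self.clients.get(client_id, (b"", None))
        if not hmac.compare_digest(secret_hash, hashlib.sha256(client_secret.encode()).digest()):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop(): a code can be redeemed only once
        if grant is None or grant[:2] != (client_id, redirect_uri) or grant[4] < time.time():
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (grant[2], grant[3], time.time() + 300)
        return token
    def introspect(self, token):
        # Step 6: lets the resource server check that a bearer token is live and what it covers
        entry = self.tokens.get(token)
        return None if entry is None or entry[2] < time.time() else {"user": entry[0], "scope": entry[1]}

class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.profiles = {"alice": "alice's profile"}  # the protected resource
    def get_profile(self, access_token):
        # Steps 5-6: validate the token and its scope before releasing the resource
        info = self.auth_server.introspect(access_token)
        if info is None or "profile" not in info["scope"]:
            raise PermissionError("invalid_token")
        return self.profiles[info["user"]]

def run_flow():
    # Walks the six steps once: consent -> code -> token -> protected resource
    auth = AuthorizationServer()
    auth.register_client("web-app", "s3cret", "https://app.example/callback")
    code = auth.authorize("web-app", "https://app.example/callback", "alice", {"profile"})
    token = auth.token("web-app", "s3cret", code, "https://app.example/callback")
    return ResourceServer(auth).get_profile(token)
```

In the real setup described in this series, Keycloak plays the `AuthorizationServer` role and the Spring Security application plays `ResourceServer`, with token validation done against Keycloak rather than against an in-memory dictionary.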
In this project I will use Keycloak as the Identity Manager running on Docker, and Spring Security to handle the Authorization Server and Resource Server.
In the next parts I will show how to set up and configure Keycloak, and how to protect a resource and authenticate using Spring Security. See you in the next parts!