Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
OAuth 2.0 Cookbook
OAuth 2.0 Cookbook

OAuth 2.0 Cookbook: Protect your web applications using Spring Security

Arrow left icon
Profile Icon Adolfo Eloy Nascimento
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.7 (3 Ratings)
Paperback Oct 2017 420 pages 1st Edition
eBook
€20.98 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Adolfo Eloy Nascimento
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.7 (3 Ratings)
Paperback Oct 2017 420 pages 1st Edition
eBook
€20.98 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€20.98 €29.99
Paperback
€36.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

OAuth 2.0 Cookbook

Implementing Your Own OAuth 2.0 Provider

In this chapter, we will cover the following recipes:

  • Protecting resources using the Authorization Code grant type
  • Supporting the Implicit grant type
  • Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration
  • Configuring Client Credentials grant type
  • Adding support for refresh tokens
  • Using a relational database to store tokens and client details
  • Using Redis as a token store
  • Implementing client registration
  • Breaking the OAuth 2.0 Provider in the middle
  • Using Gatling to load test the token validation process using shared databases

Introduction

Nowadays we have scenarios which demand that applications interact with a large number of services and also provide services by themselves distributed as APIs throughout the network. Despite this, it's common to allow users of our applications to grant permissions to third-party applications, where OAuth 2.0 has proven to be a good option.

In this chapter, you will learn how to create, configure, and distribute an OAuth 2.0 Provider covering distinct scenarios using all the grant types described by the OAuth 2.0 specification, as well as how to use different access token management strategies through relational databases and Redis (a NoSQL database). All the recipes in this chapter will be implemented using Spring Security OAuth2, which at the time of writing this book, was at the 2.2.0.RELEASE version (check the official documentation for Spring Security OAuth2...

Protecting resources using the Authorization Code grant type

This recipe shows you how to configure the most well-known OAuth 2.0 grant type, which is the Authorization Code grant type. After configuring an OAuth 2.0 Provider comprised of an Authorization Server and a Resource Server, the application built through this recipe will provide all the necessary Resource Owner's authorizations for resources usage (resources available through APIs protected by the Resource Server).

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. To run the examples, I recommend you to use the command line tool CURL, or install the application Postman which allows to create HTTP requests...

Supporting the Implicit grant type

This recipe shows you how to configure the Implicit grant type, which is appropriate for web applications which run directly on web browsers (such as JavaScript applications). This recipe will provide everything needed to allow the client to use resources in the name of the Resource Owner by accessing an OAuth 2.0 protected API.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. As this grant type run totally on the web browser, you don't need to run commands to retrieve access tokens as if they were being performed on the server side. Here the access token will be retrieved implicitly when the user grants permissions for third...

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration

This recipe will show you how to configure the Resource Owner Password Credentials, or Password Credentials for short. Although this grant type should be avoided at any cost, because by using it we are asking for the user's credentials (and that's what OAuth 2.0 wants to solve by the user's access delegation), it's important to mention this recipe as a strategy when migrating from a user's credential sharing approach to the OAuth 2.0 approach. In addition, it might be used safely when both the client and the OAuth 2.0 Provider belong to the same solution.

Getting ready

To run this recipe, you can use your...

Configuring the Client Credentials grant type

This recipe shows you how to configure the Client Credentials grant type, which is appropriate when an application needs to access resources for its own benefit instead of accessing the Resource Owner's resources.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. For this recipe, we will be executing some HTTP requests through the usage of CURL commands as we did before. Make sure you have CURL or Postman tools installed before continuing. This recipe will use Spring Security OAuth2 Framework and we will not add any database support. The source code for this recipe can be downloaded from https://github.com/PacktPublishing...

Adding support for refresh tokens

This recipe covers an important feature described by the OAuth 2.0 specification and implemented by Spring Security OAuth2 as well. That's the refresh token grant type, which allows for a better user experience because the Resource Owner does not have to go through all the steps of authentication and authorization against the Authorization Server every time an access token expires.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. As we will add support to refresh tokens for the Authorization Code and Password grant types, now we will interact with the Authorization Server and Resource Server using the already known tools that are...

Introduction


Nowadays we have scenarios which demand that applications interact with a large number of services and also provide services by themselves distributed as APIs throughout the network. Despite this, it's common to allow users of our applications to grant permissions to third-party applications, where OAuth 2.0 has proven to be a good option.

In this chapter, you will learn how to create, configure, and distribute an OAuth 2.0 Provider covering distinct scenarios using all the grant types described by the OAuth 2.0 specification, as well as how to use different access token management strategies through relational databases and Redis (a NoSQL database). All the recipes in this chapter will be implemented using Spring Security OAuth2, which at the time of writing this book, was at the 2.2.0.RELEASE version (check the official documentation for Spring Security OAuth2 at http://projects.spring.io/spring-security-oauth/docs/oauth2.html). It's important learning how to configure your...

Protecting resources using the Authorization Code grant type


This recipe shows you how to configure the most well-known OAuth 2.0 grant type, which is the Authorization Code grant type. After configuring an OAuth 2.0 Provider comprised of an Authorization Server and a Resource Server, the application built through this recipe will provide all the necessary Resource Owner's authorizations for resources usage (resources available through APIs protected by the Resource Server).

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. To run the examples, I recommend you to use the command line tool CURL, or install the application Postman which allows to create HTTP requests in an intuitively manner. If you want to use Postman, the installation file can be download from https://www.getpostman.com/. This recipe will use Spring Security OAuth2 Framework and to keep it as possible, we will not add any database support at moment; that is, we will...

Supporting the Implicit grant type


This recipe shows you how to configure the Implicit grant type, which is appropriate for web applications which run directly on web browsers (such as JavaScript applications). This recipe will provide everything needed to allow the client to use resources in the name of the Resource Owner by accessing an OAuth 2.0 protected API.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. As this grant type run totally on the web browser, you don't need to run commands to retrieve access tokens as if they were being performed on the server side. Here the access token will be retrieved implicitly when the user grants permissions for third-party applications. This recipe will use Spring Security OAuth2 Framework and, to keep it as straight as possible, we will not add any database support. The source code for this recipe can be downloaded from https://github.com/PacktPublishing/OAuth-2.0-Cookbook/tree/master/Chapter02...

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration


This recipe will show you how to configure the Resource Owner Password Credentials, or Password Credentials for short. Although this grant type should be avoided at any cost, because by using it we are asking for the user's credentials (and that's what OAuth 2.0 wants to solve by the user's access delegation), it's important to mention this recipe as a strategy when migrating from a user's credential sharing approach to the OAuth 2.0 approach. In addition, it might be used safely when both the client and the OAuth 2.0 Provider belong to the same solution.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. It's also recommended to have CURL or Postman installed, because we will interact with the Authorization Server and Resource Server automatically without actually using any client. By running this recipe, your OAuth 2.0 Provider will be able...

Configuring the Client Credentials grant type


This recipe shows you how to configure the Client Credentials grant type, which is appropriate when an application needs to access resources for its own benefit instead of accessing the Resource Owner's resources.

Getting ready

To run this recipe, you can use your preferred IDE and must have Java 8 and Maven installed. For this recipe, we will be executing some HTTP requests through the usage of CURL commands as we did before. Make sure you have CURL or Postman tools installed before continuing. This recipe will use Spring Security OAuth2 Framework and we will not add any database support. The source code for this recipe can be downloaded from https://github.com/PacktPublishing/OAuth-2.0-Cookbook/tree/master/Chapter02/client-credentials-server.

How to do it...

The following steps will guide you to configure an Authorization Server and a Resource Server using Spring Security OAuth2:

  1. Create the initial project using Spring Initializr, as we did for...
Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • •Interact with public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google.
  • •Use Spring Security and Spring Security OAuth2 to implement your own OAuth 2.0 provider
  • •Learn how to implement OAuth 2.0 native mobile clients for Android applications

Description

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Who is this book for?

This book targets software engineers and security experts who are looking to develop their skills in API security and OAuth 2.0. Prior programming knowledge and a basic understanding of developing web applications are necessary. As this book's recipes mostly use Spring Security and Spring Security OAuth2, some prior experience with Spring Framework will be helpful.

What you will learn

  • •Use Redis and relational databases to store issued access tokens and refresh tokens
  • •Access resources protected by the OAuth2 Provider using Spring Security
  • •Implement a web application that dynamically registers itself to the Authorization Server
  • •Improve the safety of your mobile client using dynamic client registration
  • •Protect your Android client with Proof Key for Code Exchange
  • •Protect the Authorization Server from invalid redirection

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Oct 18, 2017
Length: 420 pages
Edition : 1st
Language : English
ISBN-13 : 9781788295963
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Oct 18, 2017
Length: 420 pages
Edition : 1st
Language : English
ISBN-13 : 9781788295963
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 122.97
OAuth 2.0 Cookbook
€36.99
Mastering OAuth 2.0
€36.99
Spring Security
€48.99
Total 122.97 Stars icon

Table of Contents

8 Chapters
OAuth 2.0 Foundations Chevron down icon Chevron up icon
Implementing Your Own OAuth 2.0 Provider Chevron down icon Chevron up icon
Using OAuth 2.0 Protected APIs Chevron down icon Chevron up icon
OAuth 2.0 Profiles Chevron down icon Chevron up icon
Self Contained Tokens with JWT Chevron down icon Chevron up icon
OpenID Connect for Authentication Chevron down icon Chevron up icon
Implementing Mobile Clients Chevron down icon Chevron up icon
Avoiding Common Vulnerabilities Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.7
(3 Ratings)
5 star 33.3%
4 star 33.3%
3 star 0%
2 star 33.3%
1 star 0%
Dmitry Jun 11, 2020
Full star icon Full star icon Full star icon Full star icon Full star icon 5
TBH, I like this book. I got everything I was needed
Amazon Verified review Amazon
Cristiana Dec 15, 2017
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
This book is very helpful. It goes through the steps in a simple and efficient manner. I would strongly recommend 'OAuth 2.0 Cookbook' if you want to get started or improve your knowledge in OAuth 2.0.
Amazon Verified review Amazon
Nobody Dec 11, 2017
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
Gross. Unless you plan to deploy with this java Spring framework I doubt you'll find much generally useful here.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.