What D’Hack Is DPoP?

OAuth 2.0/OpenID Connect is considered the fastest-growing protocol used by application developers for access delegation and single sign-on, owing to its flexibility and stronger security compared to other protocols on the market. At the same time, attackers are constantly looking for the flaws you introduce when developing an application. Single-page applications and other public clients that cannot use mutual TLS (mTLS) to secure the transport layer are considered the most vulnerable point of attack.

Standard Token Flow

Regardless of the application type, the standard OAuth 2.0/OpenID Connect flow resembles the diagram below (Figure 2). There are three actors involved: the client, the resource server, and the authorization server. The client initiates the authorization request. Upon user authentication, the authorization server issues an access token and a refresh token for the user, each with an expiry time. The client can then use these tokens to access the protected resource on the resource server.

Authorization Code Grant Flow With Spring Security OAuth 2.0

Introduction

We have learned about the OAuth 2.0 specification in previous articles and how to implement the OAuth 2.0 client credentials grant flow with Spring's authorization server. In this article, we're going to see how to get the authorization code grant flow working with Spring Security.

According to the OAuth 2.0 specification, the authorization code grant flow is a two-step process mainly used by confidential clients (a web server or other secured application that can keep its credentials confidential). In the first step, we call the authorize endpoint to obtain an authorization code from the authorization server; in the second, we exchange that code for an access token at the authorization server's token endpoint.

Spring security using OAuth2 with Microsoft AzureAD B2C

Introduction

Microsoft Azure provides the capability to integrate social logins into an application by using Azure AD B2C. The advantage is that you have a single authorization server (Azure) in front of different identity providers (IdPs) such as Google, Facebook, GitHub, or any custom IdP.

To achieve this, we need to create one B2C tenant, configure an App Registration and the IdPs, and create a User Flow. The video tutorial below covers all of these steps and guides you through integrating Azure AD B2C with Spring Security.

Implementing MuleSoft as an OAuth Provider for Securing a Mule Application

Introduction

The OAuth2 Provider module allows a Mule runtime engine (Mule) app to be configured as the authentication manager in an OAuth2 dance. In this role, the application can authenticate previously registered clients, grant tokens, validate tokens, and register or delete clients, all during the execution of a flow.

MuleSoft supports various third-party OAuth 2.0 providers, as listed below: