Posted on

Learn How to Use Vue and Spring Boot to Create a Single-Page App

In this tutorial, you'll create a single-page application (SPA) with a Spring Boot resource server and a Vue front-end client. You'll learn how to utilize JSON Web Tokens (JWTs) for authentication and authorization, using Spring Boot to configure the JWTs, with Okta as your OAuth 2.0 and OpenID Connect (OIDC) provider. You'll also learn how to use the Vue CLI to bootstrap a Vue client app and how to secure it using the Okta Sign-In Widget.

Okta is a computer security service provider with helpful information for safeguarding online applications. The Okta Sign-In Widget provides protection for front-end apps by letting you quickly add a secure login form that can be configured for single sign-on and social sign-on with external providers like Google, Facebook, and LinkedIn. It includes a PKCE implementation of the OAuth 2.0 authorization code flow (Proof Key for Code Exchange).

Posted on

Dive Into OAuth Grant Types and OpenID Connect Flows

In my last article, you could read about the differences between OAuth, SAML, and OpenID Connect. Today I want to continue the topic. We will dive deeper into the processes of authentication and authorization offered to us by respectively (OpenID Connect) and (OAuth). However, we will start with a few words about the naming conventions in both.

GrantTypes vs Flows — Semantic Difference

In general, both terms are correct and can be used simultaneously. Both of them describe the same thing – a process of obtaining an Access Token. Just keep in mind that the term “Grant Type” is more strongly related to OAuth, while the term “Flow” is more related to OpenID Connect. As a side note, I can add that the term “Flow” rarely occurs in the OAuth specification.

Posted on

Securing Web Apps Using PKCE With Spring Boot

Technology has a way of updating faster than security standards. OAuth 2.0 is the latest and greatest standard for modern applications, but it’s eight years old now! Its contributors are working on the next version as we speak, and in the meantime, they release “guidance” periodically to help developers use OAuth 2.0 with new technology.

Last year, the developers submitted two drafts of important pieces of guidance for OAuth 2.0. OAuth 2.0 Security Best Current Practices gives advice for securing modern apps with OAuth 2.0, and OAuth 2.0 for Browser-Based Apps focuses specifically on web app best practices.