관심있는것들

created public key accessible from resource server by giving endpoint url with client's credenital set up in Authorization no access token get access token by using user's credential and client's credential now we can access resource server with access token (JWT) security.oauth2.resource.jwt.key-uri=http://localhost:8080/oauth/token_key security.oauth2.client.client-id=rs security.oauth2.client..

in the authorization server since it is authroization_code grant type we need to specify redirect url in ClientDetails public class SecurityClient implements ClientDetails { private final Client client; public SecurityClient(Client client) { this.client = client; } @Override public String getClientId() { return client.getClientId(); } @Override public boolean isSecretRequired() { return true; } ..

just like userDetailService exist for loading User credential Client has ClientDetailService for loading Client crediential to validate user we have user detailService for client authentication notice we are using tokenstore with covnerter -> we are storing access token made of JWT if we don't specifiy tokenStore , just like previous lecture spring security will use default opaque token notice w..

instead of actually going to Authentication Server to validate access token resource server just ask database if this access token is there and check if it is same but sharing database with other service is anti architecture pattern -> not recommended preferred option is for authorization server to persist tokens and resource server to use introspection to authenticate token @Bean public TokenSt..

2 server will be made authencitation server and resource server first withClient is real app client and second withClient is for resource server(faking it , for "isauthenticated()" ) first get access token from authentication server checking access token maunally -> we don't need to do this because resource server has configured this by writing this on application.properties server.port=9090 sec..

why authorization_code is better than just implicit grant type . isn't it just one more step? implicit -> authorization server delivers access token with no guarantee that receiver will be the right one , client might be not intended client bad guy just can take acces token authorization_code -> having authorization code is not enough bad guy needs client's credenitial. also send auth_code is re..

password grant type client is sending user's id +password , client's credential( client1, secert1) authorization_code grant type now we can avoid sharing user's credential to client client try to get authorization from user client redirect user to authenitcation server -> user logs in authenitcation server now knows it is user -> ask if your gonna allow client2 use resoruce of yours -> client ap..

https://tonylim.tistory.com/280?category=938556 OAuth 2.0 and OpenID Connect (OAtuh 2.0 in depth) https://www.youtube.com/watch?v=996OiexHze0&t=96s&ab_channel=OktaDev History basic security from has some downsides on security and maintenance OAuth 2.0 terminology Resource owner = me , who owns.. tonylim.tistory.com https://tonylim.tistory.com/149?category=938556 [java brains] OAuth2 , Google oAu..

example.com -> example.org (process request) send response -> browser won't allow because domain is different from example.com -> throw error notice method (org) still get called but the response is getting blocked csrf totally blocks method calling even request. it is the difference we can have whitelist and allow some domain(origin) preflight request = test request if endpoint is alive? cors c..

without csrf token -> attacker can make me do action that i didn't intend to do. this is local page which is example of malicious.html -> if user clicks on this it will call our RestController /change because we are already logged in but with crsf token login page is generated by spring security -> put csrf token in the form body we tried to access or request without crsf token -> spring securit..