관심있는것들

why authorization_code is better than just implicit grant type . isn't it just one more step? implicit -> authorization server delivers access token with no guarantee that receiver will be the right one , client might be not intended client bad guy just can take acces token authorization_code -> having authorization code is not enough bad guy needs client's credenitial. also send auth_code is re..

password grant type client is sending user's id +password , client's credential( client1, secert1) authorization_code grant type now we can avoid sharing user's credential to client client try to get authorization from user client redirect user to authenitcation server -> user logs in authenitcation server now knows it is user -> ask if your gonna allow client2 use resoruce of yours -> client ap..

https://tonylim.tistory.com/280?category=938556 OAuth 2.0 and OpenID Connect (OAtuh 2.0 in depth) https://www.youtube.com/watch?v=996OiexHze0&t=96s&ab_channel=OktaDev History basic security from has some downsides on security and maintenance OAuth 2.0 terminology Resource owner = me , who owns.. tonylim.tistory.com https://tonylim.tistory.com/149?category=938556 [java brains] OAuth2 , Google oAu..

example.com -> example.org (process request) send response -> browser won't allow because domain is different from example.com -> throw error notice method (org) still get called but the response is getting blocked csrf totally blocks method calling even request. it is the difference we can have whitelist and allow some domain(origin) preflight request = test request if endpoint is alive? cors c..

without csrf token -> attacker can make me do action that i didn't intend to do. this is local page which is example of malicious.html -> if user clicks on this it will call our RestController /change because we are already logged in but with crsf token login page is generated by spring security -> put csrf token in the form body we tried to access or request without crsf token -> spring securit..

after 1. username and password login -> get generated otp and store in db 2. username and otp login -> get gernerate token and store in memeory with token -> any request beside "/login" go through tokenFilter we made and therefore spring inject Authentication instance from SecurityContext by using Async thread that set authentication in securitycontext and thread that execute Hello method is dif..

package com.laurentiuspilca.ssc6.security.filters; import com.laurentiuspilca.ssc6.entities.Otp; import com.laurentiuspilca.ssc6.repositories.OtpRepository; import com.laurentiuspilca.ssc6.security.authentications.OtpAuthentication; import com.laurentiuspilca.ssc6.security.authentications.UsernamePasswordAuthentication; import org.springframework.beans.factory.annotation.Autowired; import org.sp..

dotted line means not always needed without spring boot security depdency we will not get default Authentication Filter we need to implement one using OncePerRequestFilter removes some boilerplate , better than impelmenting Filter directly CustomAuthentication is Authentication (container). -> authenticate and result will be fully authenticated authentication in general -> authenticate will thro..

if authentication is not done by username and password we won't need UserDetailService and PasswordEncoder but we always need implementation of Authentication Provider 3cases 1. if request is for authentication -> return fully authenticated Authentication isntance 2. if authenticate fail -> throw any kind of AuthenitcationException 3. if request's authentication object is not supported by this m..

in order to use proper encryption we need to have a way to add user to database userDetailsManager implements userDetailService and has more feature like createUser in this case we are using what spring gave us, and it has it's query hard coded inside class if request come through /user we just permit all so we can add user to repository otherwise do the authentication