Spring Security OAuth 2 Tutorial - 6 : Microservices Sample Project Setup

Spring Security OAuth 2 Tutorial - 6 : Microservices Sample Project Setup

In the previous articles, we have learned about various OAuth 2.0 / OpenID Connect flows using web browser, cURL and Postman. Now it’s time to put what we have learned into practice. What better way to do that than to build a sample project? While implementing OAuth 2.0 / OpenID Connect based security using a Security framework like Spring Security, many activities are performed by the framework under the hood. It is important to understand what is happening under the hood so that we can use the framework effectively.

Continue reading »
Spring Security OAuth 2 Tutorial - 5 : Implicit & Resource Owner Password Credentials Flows

Spring Security OAuth 2 Tutorial - 5 : Implicit & Resource Owner Password Credentials Flows

In the Part 4: OAuth 2.0 Authorization Code Flow with PKCE, we learned how to acquire access_token using Authorization Code Flow with PKCE. In this article, we will explore how to use Implicit Flow and Resource Owner Password Credentials Flow. IMPORTANT The Implicit Flow and Resource Owner Password Credentials Flow are DEPRECATED. Unless you have a good reason, you shouldn’t be using them. Implicit Flow The Implicit Flow is a kind of shorter version of Authorization Code Flow where you will be directly getting access_token using authorization_endpoint itself.

Continue reading »
Spring Security OAuth 2 Tutorial - 4 : Authorization Code Flow with PKCE

Spring Security OAuth 2 Tutorial - 4 : Authorization Code Flow with PKCE

In the Part 3: OAuth 2.0 Client Credentials Flow, we learned how to acquire access_token using Client Credentials Flow. In this article, we will explore how to use Authorization Code Flow with PKCE. Authorization Code Flow with PKCE The Authorization Code Flow with PKCE is an OpenId Connect flow primarily designed to secure native, mobile applications and Single Page Applications (SPA). The PKCE, typically pronounced as “pixy”, is an acronym for Proof Key for Code Exchange.

Continue reading »
Spring Security OAuth 2 Tutorial - 3 : Client Credentials Flow

Spring Security OAuth 2 Tutorial - 3 : Client Credentials Flow

In the Part 2: OAuth 2.0 Authorization Code Flow, we learned how to authenticate a user using Authorization Code Flow. In this article, we will explore how to use Client Credentials Flow that is typically used for Service-to-Service communication without any user (Resource Owner) context. Client Credentials Flow Sometimes a Resource Server needs to interact with another Resource Server without any user context. For instance, Resource Server A may run a scheduled job that will invoke a secured REST API endpoint on Resource Server B.

Continue reading »
Spring Security OAuth 2 Tutorial - 2 : Authorization Code Flow

Spring Security OAuth 2 Tutorial - 2 : Authorization Code Flow

In the Part 1: Getting familiar with OAuth 2 concepts, we learned how to set up Keycloak, created a realm, a client with Standard flow enabled and a user. In this Part 2, you will learn how to authenticate a user using Authorization Code Flow. First of all, let’s clear up the confusion between Authorization Code Grant Type vs Authorization Code Flow. As I mentioned earlier, OAuth 2.0 spec concern about only Authorization and OpenID Connect spec is added as a layer on top of OAuth 2.

Continue reading »
Spring Security OAuth 2 Tutorial - 1 : Getting familiar with OAuth 2 concepts

Spring Security OAuth 2 Tutorial - 1 : Getting familiar with OAuth 2 concepts

Security is a complex topic to understand in-depth. In addition to that, implementing security for complex microservices based systems using OAuth 2.0 and OpenID Connect specs is even harder. Frameworks and libraries, like Spring Security, help to reduce the complexity, but still there is a steep learning curve to understand how to properly implement security. In this Spring Security OAuth2 Tutorial series, I would like to share my learning on implementing security for a simple microservices based application using Spring Security OAuth2.

Continue reading »
The new JdbcClient Introduced in Spring Framework 6.1

The new JdbcClient Introduced in Spring Framework 6.1

Spring framework 6.1 introduced a new JdbcClient API, which is a wrapper on top of JdbcTemplate, for performing database operations using a fluent API. Spring Boot 3.2 includes Spring framework 6.1, so let’s take a quick look at how we can use JdbcClient to implement various database operations in a simplified manner. First, let’s go to https://start.spring.io/ and create a Spring Boot application by selecting Spring JDBC, PostgreSQL Driver, Flyway Migration, and Testcontainers starters.

Continue reading »
Spring Boot REST API Best Practices - Part 4

Spring Boot REST API Best Practices - Part 4

In this Spring Boot REST API Best Practices series, we have learned how to implement CRUD operations so far. In this Part-4, we will explore how to implement exception handling for our APIs. Spring Boot REST API Best Practices - Part 1 : Implementing Get Collection API Spring Boot REST API Best Practices - Part 2 : Implementing Create and Update APIs Spring Boot REST API Best Practices - Part 3 : Implementing FindById and DeleteById APIs Spring Boot REST API Best Practices - Part 4 : Exception Handling in REST APIs (This article) You can find the sample code for this tutorial in this GitHub repository.

Continue reading »
Spring Boot REST API Best Practices - Part 3

Spring Boot REST API Best Practices - Part 3

In this Spring Boot REST API Best Practices - Part-3, we will see how to implement FindById and DeleteById API endpoints. Spring Boot REST API Best Practices - Part 1 : Implementing Get Collection API Spring Boot REST API Best Practices - Part 2 : Implementing Create and Update APIs Spring Boot REST API Best Practices - Part 3 : Implementing FindById and DeleteById APIs (This article) Spring Boot REST API Best Practices - Part 4 : Exception Handling in REST APIs You can find the sample code for this tutorial in this GitHub repository.

Continue reading »
Spring Boot REST API Best Practices - Part 2

Spring Boot REST API Best Practices - Part 2

In this Spring Boot REST API Best Practices - Part-2, I will explain some of the best practices we should follow while implementing Create and Update API endpoints. Spring Boot REST API Best Practices - Part 1 : Implementing Get Collection API Spring Boot REST API Best Practices - Part 2 : Implementing Create and Update APIs (This article) Spring Boot REST API Best Practices - Part 3 : Implementing FindById and DeleteById APIs Spring Boot REST API Best Practices - Part 4 : Exception Handling in REST APIs This article is a continuation of Spring Boot REST API Best Practices - Part 1.

Continue reading »