Recent Posts
Archives

AI Cybersecurity DefCon32 developer devops Devoxx DevoxxBE2012 DevoxxBE2013 DevoxxFR DevoxxFR2012 DevoxxFR2013 DevoxxFR2014 DotAI2024 Google Hibernate Java JavaScript JetBrains Jonathan Lalou Kotlin KotlinConf Kubernetes Maven Maven 2 Microservices NDCConferences ndcoslo NDCOslo2024 Node NodeCongress NodeCongress2021 NodeJS Oracle OxidizeConf2024 PHP Python recommendation RustLang Scala Security softwaredeveloper SoftwareDevelopment Spring SpringBoot Weblogic

Posts Tagged ‘OAuthTokenExchange’

PostHeaderIcon [SpringIO2025] Modern Authentication Demystified: A Deep Dive into Spring Security’s Latest Innovations @ Spring IO

Author: Jonathan Lalou

Lecturer

Andreas Falk is an Executive Consultant at CGI, specializing in software architecture, application and cloud security, and identity and access management (IAM). As an iSAQB Certified Architect, security expert, trainer, and public speaker, he has over 25 years of experience in enterprise application development. Falk is renowned for his contributions to Spring Security, including workshops on reactive security and presentations on modern authentication mechanisms.

Abstract

This article provides an in-depth analysis of recent advancements in Spring Security, focusing on features introduced from version 6.3 onward. It examines compromised password checking, OAuth token exchange, one-time token login, and passkey authentication, alongside improvements in filter chain management and emerging specifications like Demonstrating Proof of Possession (DPoP). The discussion elucidates implementation strategies, security implications, and best practices for integrating these innovations into Spring-based applications.

Enhancements in Password Management and Token Handling

Spring Security 6.3 introduces compromised password checking, leveraging Troy Hunt’s Have I Been Pwned API to validate passwords against known breaches. Passwords are hashed before transmission, ensuring privacy. This feature integrates into password policies, enforcing minimum lengths (e.g., 12 characters) and maximums (up to 100), while permitting diverse characters, including emojis, to enhance security without undue restrictions.

Implementation involves registering a CompromisedPasswordChecker bean:

@Bean
public CompromisedPasswordChecker compromisedPasswordChecker() {
    return new HaveIBeenPwnedRestApiPasswordChecker();
}

This checker can be invoked in registration endpoints or policy validators, rejecting compromised inputs like “password” while accepting stronger alternatives.

OAuth token exchange addresses scenarios with multiple microservices, reducing attack surfaces by exchanging short-lived JSON Web Tokens (JWTs) for domain-specific ones. A client obtains a JWT, exchanges it at the authorization server for a scoped token, minimizing risks in high-stakes services like payments versus low-risk ones like recommendations.

Advanced Authentication Mechanisms: One-Time Tokens and Passkeys

One-time tokens (OTT) secure sensitive actions, such as password resets or transaction approvals, without persistent sessions. Spring Security supports OTT generation and validation, configurable via beans like OneTimeTokenService. Users receive tokens via email or SMS, granting temporary access.

Passkeys, based on WebAuthn and FIDO2, offer passwordless, phishing-resistant authentication using biometric or hardware keys. Spring Security’s PasskeyAuthenticationProvider integrates seamlessly, supporting registration and authentication flows. Devices like YubiKeys or smartphones generate public-private key pairs, with public keys stored server-side.

Example configuration:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(authz -> authz
            .anyRequest().authenticated()
        )
        .passkey(passkey -> passkey
            .passkeyAuthenticationProvider(passkeyAuthenticationProvider())
        );
    return http.build();
}

This enables biometric logins, eliminating passwords and enhancing usability.

Filter Chain Improvements and Emerging Specifications

Spring Security’s filter chain, often a source of configuration errors, now includes error detection for misordered chains in version 6.3+. Annotations like @Order ensure proper sequencing, preventing silent failures.

Version 6.4 adds OAuth2 support for the RestClient, automatic bearer token inclusion, and OpenSAML 5 for SAML assertions. Kotlin enhancements improve pre/post-filter annotations.

Demonstrating Proof of Possession (DPoP) in 6.5 binds tokens cryptographically to clients, thwarting theft in single-page applications (SPAs). Mutual TLS complements this for server-side frameworks. JWT profiles specify token types (e.g., access tokens), ensuring intended usage.

Pushed Authorization Requests (PAR) secure initial OAuth flows by posting parameters first, receiving a unique link devoid of sensitive data.

Implications for Secure Application Development

These innovations mitigate root causes of breaches—weak passwords and token vulnerabilities—promoting passwordless paradigms. Token exchange and DPoP reduce attack surfaces in microservices architectures. However, developers must address persistence for passkeys (e.g., database storage) and secure actuator endpoints.

Future versions (7.0+) mandate lambda DSL for configurations, removing deprecated code and defaulting to Proof Key for Code Exchange (PKCE) for all clients. Authorization server advancements, like multi-tenancy and backend-for-frontend patterns, facilitate scalable, secure ecosystems.

In conclusion, Spring Security’s evolution empowers developers to build resilient, user-friendly authentication systems, aligning with modern threats and standards.

Links:

Posted in en-US | Tags: , , , , , | No Comments »
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.