
[New] Spring Security 7 + Oauth2 + Jwt + Auth0 + Keycloak
MP4 | Video: h264, 1920x1080 | Audio: AAC, 44.1 KHz
Language: English | Size: 5.70 GB | Duration: 13h 16m
Full Stack Angular + Spring Boot Microservices security using OIDC and RBAC with real architecture
What you'll learn
MASTER SPRING SECURITY 6 architecture including Authentication, Authorization, Security Filter Chain, and internal request flow
IMPLEMENT USER AUTHENTICATION using UserDetailsService, PasswordEncoder, and database-backed user management
UNDERSTAND ROLES vs AUTHORITIES and implement RBAC (Role-Based Access Control) in real applications
APPLY ENDPOINT LEVEL SECURITY and METHOD LEVEL SECURITY using @PreAuthorize and @PostAuthorize
UNDERSTAND REQUEST MATCHERS including Ant, MVC, Regex, and modern Spring Security 6 approaches
MASTER OAUTH2 FUNDAMENTALS including actors, scopes, flows, and secure authorization architecture
IMPLEMENT AUTHORIZATION CODE FLOW and PKCE FLOW used by modern web and mobile applications
IMPLEMENT CLIENT CREDENTIALS FLOW for secure machine-to-machine communication
IMPLEMENT REFRESH TOKEN FLOW and understand token lifecycle and security best practices
MASTER JWT SECURITY including token structure, claims, signing, verification, and public/private key cryptography
IMPLEMENT JWT validation using JwtDecoder and JwtAuthenticationConverter in Spring Boot
UNDERSTAND OIDC (OpenID Connect) and how identity layer works on top of OAuth2
IMPLEMENT SSO (Single Sign-On) architecture using OAuth2 and OIDC
UNDERSTAND CSRF protection and why Spring Security enables CSRF by default
IMPLEMENT CORS configuration and understand cross-origin security behavior
IMPLEMENT AUTH0 including Applications, APIs, Audience, Roles, and Permissions mapping in JWT
IMPLEMENT KEYCLOAK including Realm, Clients, Roles, Groups, and identity provider configuration
IMPLEMENT SOCIAL LOGIN using Google and GitHub with OAuth2 / OIDC
IMPLEMENT RBAC IN MICROSERVICES using roles and permissions extracted from JWT tokens
UNDERSTAND JWT vs OPAQUE TOKENS and when each token strategy should be used
DESIGN END-TO-END SECURITY ARCHITECTURE used in real enterprise applications
BUILD FULL STACK APPLICATION using Angular + Spring Boot secured with Spring Security
BUILD FULL STACK AUTH0 POC implementing login, roles, permissions, and JWT-secured APIs
BUILD FULL STACK KEYCLOAK POC implementing realm, clients, roles, and secured microservices
IMPLEMENT COMPLETE AUTHENTICATION FLOW from frontend login to secured backend APIs
APPLY SECURITY BEST PRACTICES and avoid common mistakes in production systems
UNDERSTAND KEYCLOAK vs AUTH0 differences and when to choose each
Requirements
Basic knowledge of Java and Spring Boot
Basic understanding of REST APIs and HTTP concepts
Basic idea of Angular or frontend is helpful but not mandatory
No prior knowledge of Spring Security, OAuth2 or JWT required
System capable of running Java, IDE and browser
Description
What are we going to cover
Spring Security Basics
Master Security
Security in Spring Boot & Microservices
Why Security for your spring boot app?
What is Spring Security?
Key Spring Security Concepts
Authentication
Authorization
Servlet Filters
What are its alternatives?
Security Implementation - Who's responsibility
Let's get started!
Why 401?
Summary
Spring Security: Convention-over-Configuration
Key Participants in Authentication Framework
Flow of Authentication in Spring Security
Spring Security Auto-configured Beans
UserDetailsService
PasswordEncoder
Spring Security Configuration
Introduction to POC 2
Overriding Default Configurations
Customizing Spring Security Configuration
Why Authentication Fails Now
Fixing Authentication Step by Step
Define User Credentials
Adding User to InMemoryUserDetailsManager
Defining a PasswordEncoder Bean
Why Avoid HTTP Basic Authentication?
User Management
User Management
User Management Components
UserDetails
UserDetailsManager
User
Customising User Details Service
POC 3
Creating User & Authority Table
Mapping User & Authorities table
Why Authorities are eagerly fetched
Fetch saved Authorities from SecurityContext
Authorization
Authorization
How Authorization works
What are we going to learn
GrantedAuthority
Difference between Authorities and Roles
Authorization implementations level
Endpoint Level Authorization
Security Filter Chain
Security Filter Chain
Defining a Filter Chain
Modifying Filter chain
Why still 403?
anyRequest().authenticated()
anyRequest().permitAll()
anyRequest().hasAuthority()
anyRequest().hasAnyAuthority()
Role
anyRequest().hasRole()
anyRequest().hasAnyRole()
401 VS 403
anyRequest().access()
Advantage of anyRequest().access()
Disadvantage of anyRequest().access()
anyRequest().denyAll()
Request Matchers
Matcher Methods
List of All Matcher Methods
Request Matcher
Request Matcher Methods
Real-life analogy
How requestMatchers() works in this setting
Code Block
Types of Matchers
Ant Matcher
ANT Matcher Methods
Why it was popular
Example in Spring Security 5.x
Why Deprecated in Spring Security 6+
MVC Matcher
MVC Matcher Methods
Why it was used
Regex Matcher
regexMatchers()
Why use it
Dispatcher Type Matcher
Purpose - What is DispatcherType
Servlet Path Matcher
Purpose
Is it any relevant in spring boot app?
Combining all Matcher methods
Method Level Security
Authorization at the method level
Where do we stand now?
Can Spring Security Be Used in Non-Web Applications?
Where Can You Apply Method Security?
Why Use Method Security?
Role of Authentication in Enabling Method Security
Why Not Use permitAll() with Method Security
Code snippet
Enabling method security
New way of enabling Method level Authorization
What Happens Behind the Scenes
Why Called "Aspect Behind the Scene"?
Prevent GOD class with Method level Authorization?
Best Practice
Priority of Rules: Security Config vs Method-Level Authorization
Performance Consideration: Method-Level vs Filter-Level Authorization
How Method-Level Security Goes Beyond Filters
Multi-line @PreAuthorize for Complex Security Rules
Disadvantages of Multi-line rules
Moving Beyond SpEL: Bean-Based Security Checks
Post Authorize
Difference Between @PreAuthorize and @PostAuthorize
Filters in Method Security
Pre filter
Pre filter - Key Pointers
Postfilter - Key Pointers
Post Filter Pitfalls
PreFilter VS PostFilter
@Pre/@PostAuthorize VS @Pre/@PostFilter
OAuth 2 & OIDC Basics
OAuth 2 & OIDC
Basics
Actors/Roles in OAuth2
OAuth 2 Flow
The OAuth 2.0 Solution
Why this is powerful
Steps in OAuth 2
How to get the token?
Heart of how OAuth2 + Spring Security works
Grant types
Types of Grant types
Deprecated Grant types
OAuth's Main Security Principle
Why Password Grant Type Is Deprecated
Modern Replacement
Why Implicit Grant Type Is Deprecated
Summary
Authorization Code Flow
Authorization Code Flow
What Is the Authorization Code Grant Type?
Step-by-Step Flow
Advantages
Disadvantages
Authorization Code Flow with PKCE
What is PKCE
Why PKCE was introduced
The Players
Authorization Code Flow with PKCE - Step by Step
How PKCE Prevents Attacks
How Verifier & Challenge Work
Real-World Analogy: The Locker & Key
Summary of PKCE Flow
Authorization Code vs Authorization Code + PKCE
Points to remember
Client Credentials Flow
Client Credentials Grant Type
What is Client Credentials grant
When to use it
The Actors
Flow (step-by-step)
Typical token response
Client authentication methods with AS
How Scopes → Authorities Mapping Works
Scopes & authorities
Tokens: JWT vs opaque
Security considerations / best practices
Pitfalls & gotchas
Refresh Token Flow
Refresh Token Grant Type
What is a Refresh Token?
Why Refresh Tokens Exist
Who uses the Refresh Token flow?
Refresh Token Grant Type Flow
Static (Reusable) Refresh Tokens
Rotating (One-time) Refresh Tokens
How OAuth2 servers decide
What clients must do
Key Token Lifetimes
Why Refresh Tokens Are Sensitive
Refresh Token Flow vs Access Token Flow
Tokens
What is opaque token?
How opaque token Works?
Introspection response
Non-opaque tokens vs opaque tokens
JWT
JWTs
What is a JWT?
The basic structure of a JWT
How JWT works
JWT signing methods
Common JWT claims
How JWTs are verified
Private and Public keys
What is /jwks.json?
Why JWTs are so popular
Limitations / Pitfalls
OIDC
OIDC
What is OIDC
Authorization code flow with PKCE
Real-world example (Google Login)
Why OIDC exists
What OIDC Actually Is
Core Components in OIDC
ID Token
Standard Claims in ID Token
OIDC Scopes
OIDC Endpoints
Benefits of OIDC
Common pitfalls
Nonce
Why Nonce
SSO
SSO
What is SSO
Actors in SSO
Steps in SSO
Why SSO works
Common Pitfalls Of SSO
Security benefit of SSO
SSO Logout Scenarios
Why OAuth2 + OIDC are REQUIRED for SSO
CSRF
CSRF
What is CSRF
Core browser behavior
Why CSRF is dangerous
How websites stop CSRF
Why Spring Security enables CSRF by default
CORS
CORS
What is CORS
Why CORS exists
What is an origin
CORS Rule
Spring Boot CORS config
Common CORS mistakes
CORS vs CSRF
Full Stack POC
Full stack POC
Intro to Foodify App
UI Of Foodify App POC
Backend Of Foodify App POC
Auth0 configurations
Spring Security Implementation
Auth0
What is Auth0
Key Components of Auth0
What Happens During Login
Why Use Auth0
MFA
Social Login
Centralized Identity
Developer Productivity
When SHOULD you build yourself?
Roles & Permissions
What is Authentication vs Authorization?
What is OAuth2 / OIDC?
Architecture for End to end POC with Auth0
What is Application in Auth0?
What is API in Auth0?
What is Audience?
What are Roles?
What are Permissions?
Roles vs Permissions
RBAC
Why RBAC is Used
Why roles & permissions in JWT?
JWT Processing in Spring Security
What is JwtDecoder?
What is JwtAuthenticationConverter?
What is Authority in Spring?
ROLE_ prefix
Common Mistakes
Implementation Steps
Steps to Implement Spring Security
Steps to setup Auth0
Steps to add Roles in token
What happens in backend
FINAL FLOW (END-TO-END)
KEY CONCEPTS
COMMON MISTAKES
Keycloak
Keycloak
What is Keycloak?
High Level Architecture
Core Terminologies
Types of Clients
Role Types
Client Scope
Groups
Identity Provider (IDP)
Flows
Keycloak vs Auth0
Feature Comparison
Who should choose Keycloak vs Auth0
Social Login
Social Login
What is Social Login
How Social Login works
Benefits of Social Login
Configure Identity Providers in Keycloak
Google login Steps
GitHub social login steps
Java developers who want to learn Spring Security deeply
Developers building secure REST APIs using Spring Boot
Developers preparing for Spring Security interview questions
Backend or full stack developers working with microservices
Developers wanting hands-on experience with OAuth2, JWT, Auth0, Keycloak
Engineers designing secure enterprise applications