
Spring Security OAuth2

Learn the basic concepts of Spring Security OAuth2, API usage, and internal architecture. In addition, you will learn how to integrate and link OAuth2 Client, OAuth2 Resource Server, and Authorization Server, build your own authorization server, and implement OAuth2 services through it.

(4.9) 70 reviews

2,371 learners

  • Instructor: leaven
  • Tags: Java, Spring, Spring Boot, Spring Security, OAuth


What you will learn!

  • Understanding Spring Security Core Concepts

  • OAuth 2.0 Authorization Framework Basics

  • Java Cryptography Architecture Basics

  • JWT Basics/Usage

  • Spring Security OAuth 2.0 Client Theory/Practice/Usage

  • Spring Security OAuth 2.0 Resource Server Theory/Practice/Usage

  • Spring Security OAuth 2.0 Authorization Server Theory/Practice/Usage

The best choice for powerful authentication/authorization processing!
Learning Spring Security OAuth2 Properly 🔐

Spring Security OAuth2?

Spring Security OAuth2 implements the OAuth 2.0 Authorization Framework (RFC 6749) and its related specifications, and exposes its APIs in three groups: OAuth2 Client, Resource Server, and Authorization Server.

A powerful alternative to traditional session-based authentication methods.

Legacy systems have long relied on session/cookie-based authentication and authorization. As systems scale out and must authenticate users across diverse devices (mobile, tablet, PC, IoT), that architecture shows well-known limitations: sessions must be shared or replicated across server instances, server-side session state costs resources, the security properties become harder to reason about, and the configuration grows complex.

Now that microservice (MSA) infrastructure rather than the monolith is the trend, session-based authentication is even less of an efficient fit.

To address these limitations, token-based authentication/authorization emerged in place of sessions: OAuth 2.0 as an authorization framework and JWT as a self-contained, signed token format (OAuth 2.0 itself is an authorization protocol; authentication on top of it is what OpenID Connect adds). Delegating login to OAuth 2.0 / OpenID Connect providers such as Google, Facebook, and GitHub also makes authentication simpler and more robust.

This course is designed for beginners who are new to Spring Security OAuth2, as well as intermediate to advanced users who already have basic knowledge or experience but want a deeper understanding of the core principles, internal structure, and operation of Spring Security OAuth2 so that they can apply it.


Spring Security OAuth
Core Understanding Lecture

🔑

We don't just teach simple API usage and grammar. We deepen our understanding of core technologies by building on the principles and structure of authorization technology.

🎓

Let's understand the exact flow and principles of how Spring Security OAuth2 works.

🧰

You can develop the ability to customize by extending the basic functionality provided by Spring Security OAuth2.

You will gain a sense of how to practically utilize Spring Security OAuth2 technology.

Key Learning Contents

💡 This lecture focuses on the three axes of OAuth2 Client, Resource Server, and Authorization Server, which are the core concepts of OAuth 2.0 standard technology and Spring Security OAuth2 based on it.

1) OAuth 2.0 Authorization Framework

We will examine the overall concepts, principles, and structure of the OAuth 2.0 authorization framework, which is standardized in RFC 6749.

Before moving on to Spring Security OAuth2 itself, you will first learn the basics and underlying theory of the OAuth 2.0 standard and firm up the exact concepts through practice, so that the Spring Security OAuth2 material can be followed without difficulty.

2) OAuth2 Client

For the OAuth 2.0 client module, we will introduce the various authorization grant types and the request APIs a client uses to interact with the authorization server, and learn how to implement access control at the resource server using the tokens the authorization server issues.

We'll also introduce how to implement social login functionality by integrating with OAuth 2.0 Authorization Server service providers like Google, Facebook, GitHub, Naver, and Kakao. We'll also introduce the OpenID Connect authentication protocol and understand the various options and workflows for authentication processing.

3) OAuth2 Resource Server

The resource server protects user resources and acts as the API server. We will examine how it protects resources, how it validates the access token carried by each request, and how the resulting authentication drives the authorization decision.

We will look at how to extract the scope when the access token issued by the OAuth2 provider is a JWT, and how the resource server maps the scopes in the access token to authorities in order to decide whether access is granted.

4) OAuth2 Authorization Server

There are a variety of commercial and open-source authorization server products and services. The Spring Security team ended support for the legacy Spring Security OAuth project, including its authorization server, but in response to strong community demand the authorization server was reborn as Spring Authorization Server with a completely new design.

This course is based on the Authorization Server project, which has been redesigned with a new architecture. It focuses on providing detailed information on how the Authorization Server functions through integration with the OAuth2 Client and Resource Server, equipping students with the knowledge to build and service their own authorization server.

Learn about the key classes that handle Authorization Server functionality and how to customize them. You'll also examine the specifications for standard OAuth 2.0 endpoints and learn about the structure and processing of filters configured for each endpoint.

You can understand the architecture/flow/principles comprehensively.

Among Spring Framework projects, Spring Security requires a comprehensive understanding of the internal source-level implementation, including technical architecture, operating principles, and flow.

When you encounter unexpected errors or issues while using a given API, you tend to search Google for solutions. However, resources on Spring Security OAuth2 are limited, and most of the cases you find are repetitive. Without a thorough understanding or analysis of the internal structure and operating principles of Spring Security OAuth2, you'll face significant challenges in operating your service.

Therefore, this course focuses on accurate and detailed explanations through diagrams, flow charts, and debugging sessions, going beyond simple API usage and feature examples to fully analyze the structure and flow of Spring Security OAuth2, so that you can respond flexibly in any situation. This is the pattern and common characteristic of the courses offered by this instructor.


Course structure and detailed curriculum

Part 1. Spring Security Development Based on Spring Boot

This part focuses on the two core concepts of Spring Security, authentication and authorization. Because a grasp of the fundamentals is crucial, Part 1 covers the core architecture of Spring Security, authentication, and the key authentication-related topics, with examples and hands-on exercises that give practical guidance for real development.

By taking Part 1, you will have a solid understanding of Spring Security's overall fundamentals, and will also develop the skills to expand and apply the basic security structure when building a security system.

Part 2. Spring Security OAuth2 Development Based on Spring Boot

This course will provide a thorough understanding of the fundamental concepts and workflow of OAuth2, as well as the technologies behind Spring Security's core OAuth2 modules: the OAuth2 Client, Resource Server, and Authorization Server. To successfully navigate Part 2, a thorough understanding of the fundamentals of Part 1 is essential, so please ensure you have acquired this knowledge before taking this course.

In Part 2, we will thoroughly understand the vast concepts of OAuth2, as it is a complex combination of various technologies, and based on this, we will analyze and examine the interconnection process between the client app, resource server, and authorization server in detail and in depth.

Spring Security Fundamentals

We'll explore the core fundamentals of Spring Security: the details and principles of the initialization process, plus elements such as HTTP Basic authentication and CORS.

OAuth 2.0 Authorization Framework

Learn the detailed specifications for the OAuth 2.0 standard. First, understand the various terminology used in OAuth 2.0, understand the types of authorization flows, and leverage the open source Keycloak to understand the overall flow of the authorization framework.

OAuth 2.0 Client - oauth2Login()

You will learn how the client app's functions are automated and how to connect to the authorization server using the Authorization Code grant. You will also learn the internal structure and the entire process, from the user's consent through receiving an access token to authentication/authorization processing.

OAuth 2.0 Client - oauth2Client()

Beyond the Authorization Code grant provided by the oauth2Login() API, we will look at how to connect to the authorization server with the Resource Owner Password and Client Credentials grants, and learn how to use DefaultOAuth2AuthorizedClientManager and @RegisteredOAuth2AuthorizedClient to understand the client authorization flow. (Note that the Resource Owner Password grant is discouraged by the OAuth 2.0 Security Best Current Practice and removed from the OAuth 2.1 draft; treat it as legacy knowledge rather than a design choice for new systems.)
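The following is an added example, not code from the course, showing how the two APIs described above fit together in one Spring Security 6 client: oauth2Login() drives the browser Authorization Code flow, and oauth2Client() plus a DefaultOAuth2AuthorizedClientManager lets a controller obtain a Client Credentials token through @RegisteredOAuth2AuthorizedClient. The registration ids "keycloak" and "keycloak-m2m", the client id "photo-app", the issuer URL and the resource server URL are assumptions; the properties listed in the header comment would live in application.yml. RestClient requires Spring Framework 6.1+.

```java
// Assumed application.yml for the two registrations (not part of the course):
//   spring.security.oauth2.client.provider.keycloak.issuer-uri: http://localhost:8080/realms/oauth2
//   spring.security.oauth2.client.registration.keycloak:
//     client-id: photo-app
//     client-secret: ${PHOTO_APP_SECRET}
//     authorization-grant-type: authorization_code
//     redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
//     scope: openid, photo.read
//   spring.security.oauth2.client.registration.keycloak-m2m:
//     provider: keycloak
//     client-id: photo-app
//     client-secret: ${PHOTO_APP_SECRET}
//     authorization-grant-type: client_credentials
//     scope: photo.read
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestClient;

@Configuration
@EnableWebSecurity
public class ClientSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            // Browser login: GET /oauth2/authorization/keycloak starts the Authorization Code
            // flow; the provider redirects back to /login/oauth2/code/keycloak with the code,
            // which Spring exchanges for tokens at the token endpoint.
            .oauth2Login(login -> login.defaultSuccessUrl("/photos", true))
            // Non-login flows (client_credentials, refresh) go through the authorized client manager.
            .oauth2Client(withDefaults());
        return http.build();
    }

    // The manager picks the grant to run from the registration's grant type and caches the
    // resulting OAuth2AuthorizedClient in the OAuth2AuthorizedClientRepository (HTTP session
    // by default), so a still-valid token is reused instead of re-requested.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            // .password() is deliberately omitted: the Resource Owner Password grant is
            // discouraged by the OAuth 2.0 Security BCP and dropped from OAuth 2.1.
            .build();
        DefaultOAuth2AuthorizedClientManager manager =
            new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}

@RestController
class PhotoController {

    private final RestClient rest = RestClient.create();

    // Resolves (or obtains, via client_credentials) the access token for the
    // "keycloak-m2m" registration and forwards it as a Bearer token to the resource server.
    @GetMapping("/photos")
    String photos(@RegisteredOAuth2AuthorizedClient("keycloak-m2m") OAuth2AuthorizedClient client) {
        String accessToken = client.getAccessToken().getTokenValue();
        return rest.get()
            .uri("http://localhost:8082/photos")   // assumed resource server
            .headers(h -> h.setBearerAuth(accessToken))
            .retrieve()
            .body(String.class);
    }
}
```

The manager is what makes the argument resolver behind @RegisteredOAuth2AuthorizedClient work: with no authorized client in the repository it runs the grant for that registration, and with an expired one it refreshes (if a refresh token exists) or re-runs client_credentials.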

OAuth 2.0 Client - OAuth 2.0 Social Login

OAuth2 service providers include Google, Facebook, GitHub, Naver, and Kakao. We will look at how to use Google, Naver, and Keycloak to authenticate logins and implement follow-up processing after authentication.

OAuth 2.0 Resource Server API - jwt()

We'll explore how to configure a resource server and how JwtDecoder handles requests carrying an access token. We'll also learn the structure and usage of the authentication objects created after successful token validation, and examine the signature algorithms used to verify the access token, HMAC (a shared-secret MAC) and RSA (public key), along with the verification process.

OAuth 2.0 Resource Server - Implementing Resource Server Authorization

Learn how to handle Access Token requests with filters and how to convert the Scope extracted by JwtDecoder into permissions and control access to resources with the converted permissions.
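As an added example (not course code) of the jwt() configuration described in the two sections above: NimbusJwtDecoder fetches the provider's RSA public keys from its JWK Set URI and verifies the signature, the validator chain checks issuer, timestamps and audience, and a JwtGrantedAuthoritiesConverter turns the "scope" claim into SCOPE_* authorities that the request rules then check. The issuer, JWK Set URI, audience "photo-resource", scope names and /photos paths are assumptions; the code targets Spring Boot 3 / Spring Security 6.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Assumed Keycloak realm; any issuer that publishes a JWK Set works the same way.
    private static final String ISSUER = "http://localhost:8080/realms/oauth2";
    private static final String JWK_SET_URI = ISSUER + "/protocol/openid-connect/certs";
    private static final String EXPECTED_AUDIENCE = "photo-resource";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Scopes arrive as authorities named SCOPE_<scope> (see the converter below).
                .requestMatchers(HttpMethod.GET, "/photos/**").hasAuthority("SCOPE_photo.read")
                .requestMatchers(HttpMethod.POST, "/photos/**").hasAuthority("SCOPE_photo.write")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // Signature check with the issuer's public keys, then the validators: the default
    // timestamp + issuer checks plus an explicit audience check. Without the aud check,
    // any valid token from the same issuer (issued for a different API) would be accepted.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    // Maps the space-separated "scope" claim (e.g. "openid photo.read") to the authorities
    // SCOPE_openid and SCOPE_photo.read, and uses preferred_username as the principal name.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthoritiesClaimName("scope");   // Spring's default, shown explicitly
        scopes.setAuthorityPrefix("SCOPE_");       // Spring's default, shown explicitly
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }
}
```

A request without a token, with a bad signature, or with a failing validator gets 401 from the BearerTokenAuthenticationFilter; a valid token that lacks the required scope passes authentication and then gets 403 from the authorization rules. The two outcomes are worth distinguishing in logs when debugging a resource server.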

OAuth 2.0 Resource Server - opaque()

Learn how to determine whether an access token is active by calling the authorization server's token introspection endpoint (RFC 7662), a remote validation process that contrasts with local JWT signature verification.
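Added example (not course code) of the opaque() configuration described above. Spring posts each bearer token to the introspection endpoint and rejects responses with active=false; the custom OpaqueTokenAuthenticationConverter here adds a check that the introspected token was issued for this resource server (aud) before mapping the returned scopes to SCOPE_* authorities, the same mapping Spring applies by default. The Keycloak introspection URL, the client id "photo-resource", the INTROSPECT_SECRET environment variable and the /photos path are assumptions; the authenticationConverter() DSL method requires Spring Security 5.8+.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OpaqueResourceServerConfig {

    // Assumed Keycloak introspection endpoint; the resource server authenticates to it
    // with its own client credentials.
    private static final String INTROSPECTION_URI =
        "http://localhost:8080/realms/oauth2/protocol/openid-connect/token/introspect";
    private static final String EXPECTED_AUDIENCE = "photo-resource";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/photos/**").hasAuthority("SCOPE_photo.read")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.opaqueToken(opaque -> opaque
                // One POST to the introspection endpoint per request: revocation is visible
                // immediately, at the cost of a network round trip on every call.
                .introspectionUri(INTROSPECTION_URI)
                // Startup fails fast if the secret is unset (Spring asserts non-null).
                .introspectionClientCredentials("photo-resource", System.getenv("INTROSPECT_SECRET"))
                .authenticationConverter(audienceCheckingConverter())));
        return http.build();
    }

    // Spring has already rejected active=false by the time this runs. An active token from
    // the same server may still have been issued for another API, so require our audience.
    @Bean
    OpaqueTokenAuthenticationConverter audienceCheckingConverter() {
        return (String token, OAuth2AuthenticatedPrincipal principal) -> {
            Object aud = principal.getAttribute(OAuth2TokenIntrospectionClaimNames.AUD);
            List<Object> audiences = new ArrayList<>();      // RFC 7662 allows string or array
            if (aud instanceof Collection<?> c) audiences.addAll(c);
            else if (aud != null) audiences.add(aud);
            if (!audiences.contains(EXPECTED_AUDIENCE)) {
                throw new InvalidBearerTokenException("token not issued for " + EXPECTED_AUDIENCE);
            }
            // Spring's introspector splits the space-delimited "scope" into a collection.
            Collection<String> scopes = principal.getAttribute(OAuth2TokenIntrospectionClaimNames.SCOPE);
            List<GrantedAuthority> authorities = (scopes == null ? List.<String>of() : scopes).stream()
                .map(scope -> (GrantedAuthority) new SimpleGrantedAuthority("SCOPE_" + scope))
                .toList();
            OAuth2AccessToken accessToken = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER, token,
                principal.getAttribute(OAuth2TokenIntrospectionClaimNames.IAT),
                principal.getAttribute(OAuth2TokenIntrospectionClaimNames.EXP));
            return new BearerTokenAuthentication(principal, accessToken, authorities);
        };
    }
}
```

Throwing InvalidBearerTokenException from the converter surfaces as a normal 401 with a WWW-Authenticate error, the same path an inactive token takes.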

Spring Authorization Server - Key Domain Classes

You will learn about the types, concepts, and roles of the main domain classes that make up the authorization server, and how these classes can be referenced and utilized in Spring MVC.

Spring Authorization Server - Endpoint Protocol

Learn about the endpoint protocols at the core of the authorization server. We'll explore the entire process, from the authorization endpoint that starts an authorization request to the endpoint that returns user information, through diagrams and flowcharts.

OAuth 2.0 Client + Resource Server + Authorization Server integration

We will learn how to link and integrate each OAuth2 module provided by Spring Security, and through this, we will look at specific items that perform functions as an OAuth2 service provider through examples.


Who created this course
Introducing the knowledge sharer.

Jeongsuwon (leaven)

  • Current Java developer
  • Experience in various projects in SI/SM/solution/mobile/front & back-end
  • Performing roles as Architect/PM/PL
  • GitHub



Who is this course right for?

  • For those who want to clearly understand the basics and concepts of OAuth 2.0

  • For those who want to accurately understand the overall basics and principles related to Spring Security OAuth2.

  • Anyone who wants to implement authentication/authorization function using Spring Security OAuth 2.0

  • Anyone who wants to build and service an authorization server for OAuth 2.0

Need to know before starting?

  • Spring Security Basics (Required), Spring Boot & MVC, DB

  • Lombok

  • MySQL


Instructor profile: 9,781 learners, 320 reviews, 1,206 answers, 4.9 rating, 5 courses

I have been working on web/mobile/solution product development across a variety of projects, taking on analysis, design, and development roles.

I have carried out web development and solution programs for public institutions, educational programs, corporate projects, and shopping malls, as well as architecture design and structural improvement work involving frameworks and open-source integration, in developer and PL roles.

Through many open-source tools and varied technical experience I have learned the overall technical flow of the web, and as my development experience has grown I have gone beyond merely implementing requirements, applying OOP-oriented structure together with architecture and tuning techniques that take stability and performance into account, and taking responsibility for research and development work aimed at continuously building better software.


Curriculum


109 lectures ∙ (44hr 31min)


Reviews

70 reviews (average rating 4.9)

  • progammer

    Reviews 8

    Average Rating 5.0

    5

    100% enrolled

    Hello. I listened to the lecture on security and OAUTH2 well. I can feel that the instructor prepared the lecture a lot and is passionate. And he is also a very knowledgeable person. However, I think it would be good if the teaching method were improved a bit. 1. I feel like the explanation is a bit rushed. This is a bit awkward, but I think that calmly leading the lecture can reduce awkwardness. Sometimes, I skipped over the words without knowing what they were because of the pronunciation. 2. The lecture structure is difficult for students to learn proactively. Basically, you have no choice but to follow along. In such a situation, if the instructor and students are not properly synchronized, and the instructor and the students have different contexts, the students become very stressed. I sometimes see emotional posts expressing complaints about this in the community. I understand the feelings a little. This is because most of the students who purchase the lecture start taking the lecture with high expectations. From the instructor's perspective, something is so obvious (the more years you have and the more knowledge you have, the stronger this tendency becomes), but from the student's perspective, it is often not the case at all. 3. For example, it was good to practice authorization requests with Postman and then move to Spring. Well, since the speed of the speech is fast without any special points, it feels like important stories are flowing by. For example, when requesting authorization for the first time, when you press the login button, the client requests /oauth2/authorization, and when the client requests a temporary code from the authorization server, it goes down to /oauth2/authorize, but since this just happens, I couldn't recognize it for a while. It was quite confusing for a long time. So I got used to it by debugging it one by one. 
    I think it may be because the instructor is so familiar with it, but it would be a very helpful point for students if, when teaching, you explained once: "This URL may be a bit confusing. The initial login is /oauth2/authorization, and the code request is /oauth2/authorize. In reality, the authorization process starts when the client requests a code, so authorize means granting permission, so /oauth2/authorize is the URL for requesting a code. In this context, it would be good to remember it." 4. When proceeding with the next chapter lecture, there are many cases where you proceed with new code (from the beginning). I think it is the same reason why someone asked to maintain the code in the course review. It is definitely convenient because Younghan leaves all the code after the first lecture. The process is carried out without editing, so just watching and following it together can be a learning experience, and it is advantageous because students and instructors can be on the same page. You can start from a new branch every time like Instructor Suwon, but I think it would have been good if there had been just one guide at the beginning of the lecture. Each clip or section is managed as a branch unit, so if possible, I ask the students to do the same. There may be some beginners in Git. You only need to show it once. Since you are not going to merge PRs into master, if you just show them how to create a new branch, the students will be on the same page as you. 5. Lastly, I think it would have been better to explain Filter -> Manager -> Provider -> before the actual lecture started. They mentioned it in the latter half of the lecture. I realized that the pattern was set while listening to the lecture, but it would have been easier if I had known the pattern at the beginning. 
    It may be less so in other lectures, but Security has so many classes and the depth is so deep that it is a bit confusing to follow the lecture, and I get lost even while following the lecture. Of course, the instructor explains the flow with class diagrams at the beginning, but when the screen is filled with classes with long names that I have never seen before... the flow is not immediately apparent. Of course it helps, but I still don't think I'm on the same page as the students. 6. Oh, and you clearly said that you would save it in the database during the final practice instead of saving it in memory, but I was a little disappointed that you forgot and ended the practice with in-memory. This is a small thing, but it would have been better if you had named the resource server ResourceServerPhoto instead of 1, 2 during the final practice. When I was taking a C++ class in the past, the instructor said, "It might be boring or not fun because it's the same example every time (the example was written by putting the name, age, and a few other pieces of information in the Person class), but since you have a lot to learn in the future, the hurdle for newness in this area should be low so that it's easy to learn." I remember that. I like what Einstein said, that when explaining, you should make it so that even a grandmother without relevant knowledge can understand, so I wrote down a lot of thoughts about teaching methods. Nevertheless, students, Security and this lecture are great guides for understanding the in-depth inside of the security framework. I now know almost everything about where and how to set breakpoints when debugging. If the breakpoints don't go where I thought they would, I can figure out the right flow by looking around more. Security and OAUTH2 are definitely not easy lectures, but I think they are lectures that you can gain a lot from if you put in the effort. I'm learning well. Thank you.

    • leaven
      Instructor

      I am so touched that you have given me such a thorough lecture evaluation. And I am so grateful for your sincere advice. I will do my best to refer to the items you mentioned when creating the lecture. However, I would appreciate it if you could be generous and understand that there may be shortcomings in various ways, even though I said that habits are scary. Regardless of career or years of experience, I always try to look at myself with a humble attitude, thinking that there are many more excellent developers in the world than you think. Although I am an instructor at Inflearn, I do not think that instructors are in a position to teach because they are better or more capable than their students. Of course, it is natural that instructors should try to provide the best quality to students, but it is not necessarily because they have more outstanding skills or abilities, but because there are people who need the knowledge that instructors know, and I always prepare the lecture with the thought that there will be developers among the students who are better than the instructor. I still do not have many of the requirements of a professional instructor, so there are many areas that are lacking or need improvement, so I always think about them and make efforts to improve them when creating the lecture. Once again, thank you for your sincere advice and support. I will always strive to be an instructor who prioritizes my students so that they will never be disappointed, rather than prioritizing personal interests. Thank you.

  • ghkvud22405

    Reviews 1

    Average Rating 5.0

    5

    100% enrolled

    It is definitely a really good lecture. I am listening to everything from Spring Batch > Security > OAuth2. Since everyone else has mentioned the advantages, I would like to tell you about my suggestions(?) or regrets. I thought it would be helpful to check all the source code levels of Spring in debugging mode. Of course, the instructor checks by setting breakpoints in advance, but it doesn't seem easy to follow the screen that passes by quickly. Of course, if you say that you have to know everything to use a certain technology!!, I have nothing to say, but I think the lecture would be more compact and cost-effective if the instructor explains the theory part and ends by quoting some source code. It is definitely a good lecture, but it takes a lot of time to learn everything, including the debugging process, and if you take this lecture to use it in practice right away, you might think that you should postpone applying it to practice. I am leaving a review in the hope that the instructor will continue to make better lectures in the future.

    • leaven
      Instructor

      Yes, thank you for your sincere evaluation^^ As you said, showing the source level processing process using debugging in the lecture may not be a necessary element in some sense. The lecture time is relatively longer, and there are also things that are not easy to understand even after seeing the debugging process once. Nevertheless, the reason for including debugging elements in the lecture is to help you clearly understand the internal processing of the framework or library. Of course, you do not need to know the internal processes and flow of all modules and APIs, and you cannot know them. From my perspective, if it is determined that knowing the internal processing process is important when implementing a function, I explain the overall processing process through debugging. Debugging does not mean that it ends with debugging itself. The purpose is to develop the ability to extend or apply the API as I want, beyond simply using it, by clearly understanding the purpose and principles of the design of the API through debugging. Although we did not design or create Spring Security directly, it is a good way to indirectly participate in the design of the core technology through debugging and partially experience the principles of implementation. If this process is repeated and accumulated, not only the basic use of the API but also a deep understanding of the technology will be possible, and complex custom applications will be possible, and you will be able to respond quickly when exceptions or issues occur. However, if you look too closely at the source level, you will miss the whole picture. Because it can be done, you should take the method of analyzing and adjusting it according to your level and understanding ability. I will continue to think about how to incorporate debugging utilization at an appropriate level into the lecture through speed adjustment and develop it. Thank you again for your valuable evaluation^^

  • dhtmdgus21343562

    Reviews 3

    Average Rating 5.0

    5

    40% enrolled

    It explains it in great detail. It shows the debugging process, so it's much more memorable. I think I need to do this much to be able to say I've used OAuth 2.0.

    • leaven
      Instructor

      If you keep doing it consistently, there will come a moment when even the most difficult things will be solved smoothly. I hope you overcome those hardships well. Thank you for your valuable feedback.^^

  • kingbj04292512

    Reviews 30

    Average Rating 5.0

    5

    36% enrolled

    Thank you for the great lecture :) I was trying to listen to Udemy because there were no proper security-related lectures in Korean, and it seems like the perfect lecture came out at the perfect time!! I've only listened to about 1/5 of it so far.. but it's a really informative lecture!! I'm very satisfied :)

    • leaven
      Instructor

      This is my first class review^^ Thank you~!! I hope you finish the class even though the lecture time is long.

  • sorayeon

    Reviews 81

    Average Rating 5.0

    5

    100% enrolled

    I am glad that the long-awaited lecture has been released, so I am happily registering for the class and studying hard. I am taking the class while thinking about the understanding of the OAuth2 standard and how Spring Security implemented the code, and it is very helpful. It is actually a little difficult, but I hope that I can persevere to the end and grow personally. Thank you so much for the great lecture. Stay healthy^^

    • leaven
      Instructor

      Yes, thank you^^ As you said, if you learn the technology of Spring Security OAuth2 that complies with the OAuth2.0 standard specification, you will acquire the concept of OAuth2.0 almost like a professional before you know it. This is because the technical perfection of Spring Security's OAuth2.0 is that high. The overall technical difficulty may not be easy, but I hope you complete it to the end and have good results~~

$93.50
