11 Security: Authentication and SPA

This chapter covers:

Understanding the Spring Security fundamentals
Managing user accounts with Keycloak
Working with OpenID Connect, JWT, and Keycloak
Authenticating users with Spring Security and OpenID Connect
Testing Spring Security and OpenID Connect

Security is one of the most critical aspects of web applications and probably the one with the most catastrophic effects when done wrong. For educational purposes, I’m introducing this topic only now. In a real-world scenario, my recommendation is to consider security from the very beginning of each new project or feature and never let it go until the application is retired.

Access control systems allow users access to resources only when their identity has been proven and have the required permissions. To accomplish that, we need to follow three pivotal steps: identification, authentication, and authorization.

11.1 Understanding the Spring Security fundamentals

11.2 Managing user accounts with Keycloak

11.2.1 Defining a security realm

11.2.2 Managing users and roles

11.3 Authentication with OpenID Connect, JWT, and Keycloak

11.3.1 Authenticating users with OpenID Connect

11.3.2 Exchanging user information with JWT

11.3.3 Registering an application in Keycloak

11.4 Authenticating users with Spring Security and OpenID Connect

11.4.1 Adding the new dependencies

11.4.2 Configuring the integration between Spring Security and Keycloak

11.4.3 Basic Spring Security configuration

11.4.4 Inspecting the authenticated user context

11.4.5 Configuring user logout in Spring Security and Keycloak

11.5 Integrating Spring Security with SPAs

11.5.1 Running an Angular application

11.5.2 Controlling the authentication flow

11.5.3 Protecting against Cross-Site Request Forgery

11.6 Testing Spring Security and OpenID Connect