https://github.com/amponsemmichael/oauth

Implement OAuth 2.0 and OpenID Connect for authorization.
https://github.com/amponsemmichael/oauth

authentication-backend oauth2 openid restful-api session-management spring-boot spring-security tokens

Last synced: 24 days ago
JSON representation

Implement OAuth 2.0 and OpenID Connect for authorization.

• Host: GitHub
• URL: https://github.com/amponsemmichael/oauth
• Owner: amponsemmichael
• Created: 2024-08-25T05:12:36.000Z (4 months ago)
• Default Branch: main
• Last Pushed: 2024-08-25T12:10:08.000Z (4 months ago)
• Last Synced: 2024-08-26T06:40:00.317Z (4 months ago)
• Topics: authentication-backend, oauth2, openid, restful-api, session-management, spring-boot, spring-security, tokens
• Homepage:
• Size: 20.5 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        


```markdown

# Security Requirements Document

## Overview

This document outlines the security requirements for the application as implemented using Spring Security. It details the necessary configurations for CSRF protection, OAuth 2.0 authentication, OpenID Connect integration, and session management.

## Requirements

### 1. CSRF (Cross-Site Request Forgery) Protection

**Requirement:**

- The application must be protected against CSRF attacks to prevent unauthorized actions performed on behalf of authenticated users.

**Implementation Details:**

- **CSRF Protection**: Enabled by default in Spring Security.

- **Configuration:**

  ```java

  .csrf(csrfConfigurer -> csrfConfigurer

          .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))

  ```

  - **CSRF Token Repository**: Use `CookieCsrfTokenRepository` to store the CSRF token in cookies. This allows the token to be accessible by JavaScript, facilitating integration with client-side frameworks.

### 2. OAuth 2.0 Authentication

**Requirement:**

- The application must support OAuth 2.0 authentication to allow users to log in using external providers.

**Implementation Details:**

- **OAuth 2.0 Login**: Use default OAuth 2.0 login configuration.

- **Configuration:**

  ```java

  .oauth2Login(Customizer.withDefaults())

  ```

  - **Default Configuration**: Utilizes Spring Security's default settings for OAuth 2.0 login, enabling easy integration with various OAuth 2.0 providers.

### 3. OpenID Connect Integration

**Requirement:**

- The application must integrate with OpenID Connect for authentication, providing a standardized way to verify user identities.

**Implementation Details:**

- **Integration**: OpenID Connect is supported as part of the OAuth 2.0 login functionality in Spring Security.

### 4. Session Management

**Requirement:**

- The application must manage user sessions effectively, including session creation, invalidation, and logout processes.

**Implementation Details:**

- **Session Creation Policy**: Sessions should be created only if required.

- **Configuration:**

  ```java

  .sessionManagement(sessionManagementConfigurer -> sessionManagementConfigurer

          .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)

          .invalidSessionUrl("/login?invalid-session=true")

          .maximumSessions(1)

          .maxSessionsPreventsLogin(true))

  ```

  - **Session Creation Policy**: Set to `IF_REQUIRED`, which means sessions are created as needed.

  - **Invalid Session URL**: Redirect users to `/login?invalid-session=true` if their session is invalid.

  - **Maximum Sessions**: Limit users to a single session at a time (`maximumSessions(1)`).

  - **Prevent Additional Sessions**: Ensure no additional sessions are created if the maximum is reached (`maxSessionsPreventsLogin(true)`).

- **Logout Configuration:**

  ```java

  .logout(logoutConfigurer -> logoutConfigurer

          .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))

          .logoutSuccessUrl("/login?logout")

          .deleteCookies("JSESSIONID", "XSRF-TOKEN")

          .invalidateHttpSession(true))

  ```

  - **Logout Request Matcher**: Define the logout URL using `AntPathRequestMatcher("/logout")`.

  - **Logout Success URL**: Redirect users to `/login?logout` upon successful logout.

  - **Delete Cookies**: Remove `JSESSIONID` and `XSRF-TOKEN` cookies on logout.

  - **Invalidate Session**: Ensure the HTTP session is invalidated upon logout (`invalidateHttpSession(true)`).

## Dependencies

- Spring Security

- Spring Boot

## Notes

- Ensure that the application complies with security best practices and standards.

- Regularly review and update security configurations to address new vulnerabilities and threats.

```