OIDC Logout With AWS Cognito and Spring Security

In one of the previous blog posts, we configured a Thymeleaf Spring Boot application for an OAuth 2 login with Spring Security and AWS Cognito. While that article focused on the setup and login mechanism, the logout functionality was only halfway implemented: our end users are still logged in at the identity provider. Let’s adjust the

Thymeleaf OAuth2 Login with Spring Security and AWS Cognito

Securing your frontend application with a login and managing a user pool is something you can either write for yourself or use an external identity provider for. If you want to move fast with your prototype you usually pick the second option and search for an OpenID Connect (OIDC) and OAuth2 compliant identity provider. AWS

Spring WebClient OAuth2 Integration for Spring Web (Servlet)

In one of my previous blog posts, I gave an example of how to configure the Spring WebClient for OAuth2 using Spring WebFlux. As most of the applications today are using Spring Web (Tomcat) and are not fully reactive, I also want to provide an example for this setup. In most cases, you just add

Spring WebClient OAuth2 Integration for Spring WebFlux

With OAuth2 being the current de-facto authorization framework, a lot of vendors use it to secure their APIs. Furthermore, you can use OAuth2 to enable social logins (e.g. Google or Facebook) and don’t need your own user management. As the WebClient from Spring WebFlux is the preferred client for Spring applications, I want to provide

MicroProfile JWT Authentication with Keycloak and React

For securing your enterprise applications you have several choices that require different configuration setups. Lately, the stateless approach has become the de-facto standard for securing a microservice-based landscape. With this choice, your applications don’t store session data. The client mostly sends a JWT token with each request, and thus the applications access metadata like groups and

JAX-RS user-based rate-limiting with JSR-375

Recently I had the requirement for rate-limiting access to specific JAX-RS endpoints and to keep track of the user’s current amount of API calls. To solve this problem I asked Adam Bien (@AdamBien) in his monthly Airhacks Q&A about this requirement and he gave me a hint for a possible solution while using the ContainerRequestFilter interface