Tanzu Tuesdays 79: Secure Production with Spring Authorization Server and SPIFFE/SPIRE w/Joe Grandja

March 2, 2022

The Spring Authorization Server project provides support for the OAuth 2.1 Authorization Framework, OpenID Connect Core 1.0 and numerous extension specifications. SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate (e.g. with Mutual TLS) wherever they are running. SPIRE is a production-ready implementation of the SPIFFE APIs that performs node and workload attestation in order to securely issue identities to workloads and verify the identities of other workloads.

The primary goal of this talk is to demonstrate how to securely configure Spring Authorization Server, Client and Resource Server with SPIRE, so that their identities are issued as SVIDs (SPIFFE Verifiable Identity Documents). The following will be discussed and demonstrated:

- Configure SPIRE
- Integrate Spring Authorization Server, Client and Resource Server with SPIRE
- Configure Mutual TLS communication between Spring Authorization Server, Client and Resource Server
- Configure OAuth 2.0 Mutual-TLS Client Authentication
- Configure OAuth 2.0 Certificate-Bound Access Tokens

The sample that will be demonstrated provides a reference implementation of RFC 8705, OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.

---

Joe Grandja is a core committer on the Spring Security team. He has been leading the efforts in building the next generation of OAuth 2 and OpenID Connect support in Spring Security and Spring Authorization Server. With over 25 years of industry experience, his job roles have covered Solution Architect, Software Engineer, Team Lead and Consultant. His past experience has been mainly focused on the Financial Services sector in the Toronto, Canada area. He has designed, built and delivered enterprise-grade banking applications and platforms in the Personal/Commercial and Brokerage/Investing divisions, and has worked closely with the InfoSec teams within the banks to ensure security and regulatory compliance.
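The certificate-bound access tokens the abstract refers to are the RFC 8705 mechanism: the authorization server puts the SHA-256 thumbprint of the client's mTLS certificate into the token's cnf claim as x5t#S256, and a resource server accepts the token only if the certificate presented on its own mTLS session has the same thumbprint. The following is an added example, not code from the talk or from Spring Authorization Server, written in Python because the check itself is language-agnostic. The function names (x5t_s256, bind_claims, is_bound_to) and the DER byte strings are constructed for illustration; the byte strings are not real certificates, only stand-ins for the DER bytes the TLS layer would hand you. Signature verification of the token is assumed to have happened before is_bound_to is called.

```python
"""RFC 8705 certificate-bound access token check (added example, not from the talk).

A resource server that receives a certificate-bound token must confirm that the
client presented, over mutual TLS, the same certificate the token was bound to:
    cnf["x5t#S256"] == base64url(SHA-256(DER(client certificate)))
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def x5t_s256(der_cert: bytes) -> str:
    """Thumbprint as RFC 8705 section 3.1 defines it: SHA-256 over the DER
    encoding, base64url-encoded without padding (the JWK x5t#S256 form)."""
    digest = hashlib.sha256(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_claims(claims: dict, der_cert: bytes) -> dict:
    """Authorization-server side: add the cnf claim that binds an access token
    to the client certificate seen during mTLS client authentication at the
    token endpoint. Returns a new claims dict; the input is not modified."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(der_cert)}
    return bound


def is_bound_to(claims: dict, der_cert: Optional[bytes]) -> bool:
    """Resource-server side. True only if the token carries a cnf.x5t#S256
    confirmation and it matches the presented certificate. A token with no
    cnf claim is rejected: a plain bearer token must not be accepted on an
    endpoint that requires certificate binding, and a request with no client
    certificate cannot satisfy the binding at all."""
    if der_cert is None:
        return False
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    actual = x5t_s256(der_cert)
    # Constant-time comparison; the thumbprint is not secret, but this avoids
    # leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


# Constructed stand-ins for the DER bytes of two client certificates (not real
# certificates). In a deployment these come from the TLS layer, for example
# ssl.SSLSocket.getpeercert(binary_form=True), and the thumbprint is computed
# over exactly those bytes.
CLIENT_A_DER = b"\x30\x82\x01\x00" + b"client-a-constructed-der" * 4
CLIENT_B_DER = b"\x30\x82\x01\x00" + b"client-b-constructed-der" * 4


def demo() -> dict:
    """Issue a token bound to client A, then check it under four conditions."""
    base = {"iss": "https://auth.example.test", "sub": "mtls-client", "scope": "read"}
    token_claims = bind_claims(base, CLIENT_A_DER)
    return {
        "cnf": token_claims["cnf"]["x5t#S256"],
        "same_cert": is_bound_to(token_claims, CLIENT_A_DER),   # accepted
        "other_cert": is_bound_to(token_claims, CLIENT_B_DER),  # stolen token, wrong cert
        "no_cert": is_bound_to(token_claims, None),             # no mTLS on this session
        "bearer_token": is_bound_to(base, CLIENT_A_DER),        # token was never bound
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats for a deployment like the one the talk describes: the thumbprint must be taken over the DER bytes of the certificate actually presented on the resource server's TLS session, so if TLS terminates at a proxy the certificate has to reach the resource server through a header the proxy sets and the resource server trusts only from that proxy; and because the binding is to the certificate, not the key, rotating a workload's SVID (which SPIRE does frequently) invalidates outstanding bound tokens, so token lifetimes should be shorter than the SVID rotation interval.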
