I’m a Senior Software Engineer specialized in building modern, cloud native, robust, and secure enterprise applications. I’m the author of “Cloud Native Spring in Action”, published by Manning. I develop enterprise software solutions at Systematic, Denmark, supporting home care, social services, and help to citizens. I have led the development of features to ensure a high degree of security and data privacy in our products and worked on modernizing our platforms and applications for the cloud-native world. I have an MSc in Computer Engineering specializing in software from the Polytechnic University of Turin (Italy). I’m a Red Hat Certified Enterprise Application Developer and Pivotal Certified Spring Professional. I’ve been building Java applications for more than five years, using Spring and Java EE/Jakarta EE. I like contributing to open source projects like Spring Security, Spring Cloud, and Keycloak, and I write articles about application security, cloud development, and JVM languages and frameworks on my blog: https://www.thomasvitale.com.
Managing authentication and authorization is a critical task in every well-designed web application or service. OAuth2 and OpenID Connect are a popular way of handling those security concerns in a distributed system such as a microservices architecture, and Spring Security provides native support for them.
In this session, I'll present how Spring Security implements OAuth2 and OpenID Connect, both for imperative and reactive applications (clients and resource servers). I'll cover different patterns for authentication and authorization in a microservices architecture, highlighting the differences when using SPAs like Angular versus backend template engines like Thymeleaf. As the authorization server I'll use Keycloak, and I'll show you how to integrate it with Spring Boot.