Blogpost

Authentication, authorization and pixies, how does it work?

When I heard the news that I would be getting a ticket to attend the deep dives at Devoxx 2023, I was ecstatic. As a young developer it’s always nice to get the opportunity to learn new skills. In a landscape with so many options it’s easy to get lost, so Devoxx is a great place to get an overview of what currently lives in the Java world.

The deep dives are three-hour long sessions where you get the chance to zoom in on certain concepts. It was a bit difficult to make a decision about which talks I would be attending, but in the end my Devoxx visit turned out to be mostly about security, authentication and authorization.

In my opinion, these concepts are vague to a lot of young and even experienced developers. I think it might be because there are so many things to learn in software development that security just gets pushed to the side a bit; I have to admit that this was the case for me as well. That is why I made security my focus at this 20th edition of Devoxx.

My focus in this blog post will be on these two deep dives:

  1. Introduction to OAuth 2.0 and OpenID Connect – Philippe De Ryck
  2. Deep diving in Spring Security (with the latest trends and additions) – Laurentiu Spilca

Introduction to OAuth 2.0 and OpenID Connect

Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security consulting to companies worldwide. His online course platform allows anyone to learn complex security topics at their own pace. Philippe is a Google Developer Expert and an Auth0 Ambassador for his community contributions on the security of web applications and APIs. (Source: Devoxx website)

One of the most important things I took away from this presentation was the difference between OpenID Connect and OAuth 2.0. I remember implementing OAuth 2.0 in one of the first projects I worked on as a developer, not really knowing the ins and outs of how it works.


OpenID Connect

This is used when an application wants to authenticate users through an external identity provider, for example Google. The client that wants to authenticate the user needs an identity token.


OAuth 2.0

An application wants to use an API on behalf of the user. The client needs an access token to make requests to an API.


OpenID Connect and OAuth 2.0 combined

An application authenticates a user and then accesses an API on their behalf. The client needs an identity token and an access token.


Another thing I’ve learned in this talk is how an authorization code flow works. When I was implementing OAuth 2.0 for that application in the past, I remember it being very cumbersome and confusing. I have to send a request to this endpoint and then I get a code, I need that code to get another code, etc… Online articles weren’t very helpful either.

I’m very grateful to Philippe De Ryck for visualizing this flow in a very nice schema. The authorization code flow supports both OAuth and OpenID Connect scenarios.

[Figure: authorization code flow, generic (Philippe De Ryck)]
[Figure: authorization code flow, OpenID Connect (Philippe De Ryck)]
[Figure: authorization code flow, OAuth 2.0 (Philippe De Ryck)]

And last, but not least: PKCE (Proof Key for Code Exchange, pronounced "pixie"). It is a way to secure the authorization code flow. An attacker can steal the authorization code and send a request to the callback with the stolen code. The goal of PKCE is to ensure that the client that exchanges the code in step 8 is the same client instance that initiated the flow in step 2 of the authorization code flow.

[Figure: authorization code flow with PKCE (Philippe De Ryck)]
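To make the "same client instance" guarantee concrete, here is a small model of PKCE (RFC 7636) added to this post; it is not code from the talk or from Philippe De Ryck. The client keeps a random code_verifier, sends only its SHA-256 code_challenge with the authorization request (step 2), and the server refuses to exchange the code (step 8) unless the presented verifier hashes to the stored challenge. The AuthorizationServer class, its in-memory code store and the demo() flows are constructed for illustration.

```python
import base64
import hashlib
import secrets


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side (step 2): high-entropy random verifier, 43..128 URL-safe chars."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in for the server: binds each issued code to its challenge."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, challenge: str, method: str = "S256") -> str:
        """Authorization request: remember the challenge, hand back a one-time code."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' does not hide the verifier")
        code = secrets.token_urlsafe(16)  # the code returned via the redirect/callback
        self._codes[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> bool:
        """Token request (step 8): code is single-use and only valid with its verifier."""
        expected = self._codes.pop(code, None)  # pop: a replayed code always fails
        if expected is None:
            return False
        return secrets.compare_digest(code_challenge(verifier), expected)


def demo() -> tuple:
    """Returns (legit_ok, attacker_ok): the initiating client succeeds, a thief does not."""
    server = AuthorizationServer()
    # Flow 1: the same client instance that started the flow redeems the code.
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge(verifier))
    legit_ok = server.exchange(code, verifier)
    # Flow 2: the code leaks; whoever holds it never saw the verifier, so any guess fails.
    leaked_code = server.authorize(code_challenge(generate_code_verifier()))
    attacker_ok = server.exchange(leaked_code, generate_code_verifier())
    return legit_ok, attacker_ok
```

Only the hash travels in the authorization request, so intercepting the redirect yields a code that cannot be exchanged without the original verifier, and the single-use check means even the legitimate client cannot redeem it twice.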

If you want to learn even more, you can watch the full session on YouTube.

Deep diving in Spring Security (with the latest trends and additions)

Laurentiu Spilca is a highly accomplished development lead with a profound passion for Java development. Renowned in the community for their expertise, they have garnered widespread recognition through their influential YouTube channel and their authorship of three acclaimed books: ‘Spring Security in Action,’ ‘Spring Start Here,’ and ‘Troubleshooting Java.’ With an extensive knowledge of Java and its frameworks, Laurentiu Spilca has emerged as a sought-after speaker, captivating audiences at numerous prestigious events worldwide. Their ability to simplify complex concepts and deliver insightful talks has made them a respected figure in the industry. Join Laurentiu Spilca at the conference to gain valuable insights and discover new dimensions in the world of Java development. (Source: Devoxx website)

Laurentiu Spilca was not a stranger to me: while I was studying for my OCP 17 exam, I stumbled upon his YouTube channel. Because I enjoy his content so much, I decided to go to his deep dive on Spring Security.

Spring Security has undergone some significant changes recently. This talk focused on the most recent changes and had some really interesting live coding examples. If you would like to know how to integrate these techniques into your own project, I highly recommend watching the session on YouTube.

This has always been a rather obscure subject to me, and I have often found myself fiddling around with things in Spring Security without really knowing what they do. I think we should all educate ourselves further on this topic, and security should be at the core of our knowledge; that is why I decided to purchase Laurentiu's book Spring Security in Action.

Spring Security In Action: https://www.amazon.com/Spring-Security-Action-Laurentiu-Spilca/dp/1617297739

YouTube channel: https://www.youtube.com/@laurspilca


Conclusion

Devoxx 2023 has motivated me to further explore Spring Security and application security in general. It would be nice to get to a point where I can say that I fully master these concepts and no longer find myself guessing most of the time.

My first steps towards reaching that goal are to rewatch those two deep dives, see which other Devoxx keynote speeches seem interesting and purchase Spring Security in Action.

Bring on Devoxx 2024!


Marieke Hutsebaut

Java Software Crafter

Marieke is a passionate young Java Software Crafter who also has experience with front-end development. Refactoring, best practices, clean code and unit testing are some of her core principles. In her free time she plays shows with her band B O I and lifts heavy weights at the gym.