Securing Microservices with OpenID Connect and Spring Security 5

Hands-on Lab

Have you ever wondered what the heck is OpenID Connect and how it differs from OAuth 2.0?

Are Grant Types, Flows, JOSE, JWT or JWK unknown beings for you?

Then this workshop is a great opportunity for you to get to know all these things by getting your hands dirty in code using Spring Security 5.

After a short introduction to the basic concepts of OAuth 2.0 and OpenID Connect 1.0, we will take an existing sample spring boot application to implement authentication with OpenID Connect (OIDC) in several steps.

During the hands-on part we will cover the following parts:

  • Best practices to avoid OWASP Top 10 security risks of broken authentication and access controls
  • Usage of a certified OpenID Connect Provider Server
  • Insights into the authorization code flow of OAuth 2.0/OpenID Connect 1.0
  • Basic implementation of a Resource Server
  • Authorization with automatically mapped OIDC Scopes
  • Custom mapping of OIDC claims to Spring Security roles and authorities
  • Extended validation of JWT’s
  • Realization of an OIDC Login Client
  • Differences in OIDC/OAuth 2.0 support for servlet-based and reactive web stacks (during hands-on we will mainly use the servlet-based web stack)

The workshop will be complemented with current best practices in OIDC & OAuth 2.0 and will end with an outlook on what’s coming with the next Spring Security version.


  • General experience in Java and Spring-Boot is expected.
  • For the Hands-On part, you’ll need a notebook with JDK 8, 9 or 11 and a Java IDE of your choice.

Scheduled on Monday from 13:30 to 16:30 (Europe/Brussels) in BOF 2

OAuth 2.0
Spring Security
OpenID Connect

Andreas Falk

Novatec Consulting GmbH

Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently he is working as managing consultant for Novatec Consulting GmbH located in Germany. In various projects, he has since been around as consultant, architect, coach, developer and tester. His focus is on the agile development of cloud native enterprise java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look on all aspects of application security as well. Andreas is also a frequent speaker on conferences like Spring I/O, CloudFoundry Summit, JAX and OWASP AppSec Europe.

Talks by tracksTalks by session typesList of SpeakersSchedule