NFO
Mimir, Keeper of the Well of Wisdom
[NEW] Spring Security 7 + OAuth2 + JWT + Auth0 + Keycloak
https://www.udemy.com/course/code-decode-sprint-security-7/
Year : 2026
Language : English
Level : All Levels
Category : Development
Subcategory : Web Development
Duration : 13h 23m
Lectures : 319
Rating : 5.0/5 (31 reviews)
Students : 220
INSTRUCTOR(S)
HEADLINE
Full Stack Angular + Spring Boot 3 + Microservices Security
OIDC, RBAC, Social Login, CSRF, CORS, Pre/Post Authorize POCs
WHAT YOU'LL LEARN
* MASTER SPRING SECURITY 7 architecture including Authentication, Authorization, Security Filter Chain, and internal request flow
* IMPLEMENT USER AUTHENTICATION using UserDetailsService, PasswordEncoder, and database-backed user management
* UNDERSTAND ROLES vs AUTHORITIES and implement RBAC (Role-Based Access Control) & ABAC in real applications
* APPLY ENDPOINT LEVEL SECURITY and METHOD LEVEL SECURITY using @PreAuthorize and @PostAuthorize
* UNDERSTAND REQUEST MATCHERS including Ant, MVC, Regex, and modern Spring Security 6 approaches
* MASTER OAUTH2 FUNDAMENTALS including actors, scopes, flows, and secure authorization architecture
* IMPLEMENT AUTHORIZATION CODE FLOW and PKCE FLOW used by modern web and mobile applications
* IMPLEMENT CLIENT CREDENTIALS FLOW for secure machine-to-machine communication
* IMPLEMENT REFRESH TOKEN FLOW and understand token lifecycle and security best practices
* MASTER JWT SECURITY including token structure, claims, signing, verification, and public/private key cryptography
* IMPLEMENT JWT validation using JwtDecoder and JwtAuthenticationConverter in Spring Boot
* UNDERSTAND OIDC (OpenID Connect) and how the identity layer works on top of OAuth2
* IMPLEMENT SSO (Single Sign-On) architecture using OAuth2 and OIDC
* UNDERSTAND CSRF protection and why Spring Security enables CSRF by default
* IMPLEMENT CORS configuration and understand cross-origin security behavior
* IMPLEMENT AUTH0 including Applications, APIs, Audience, Roles, and Permissions mapping in JWT
* IMPLEMENT KEYCLOAK including Realm, Clients, Roles, Groups, and identity provider configuration
* IMPLEMENT SOCIAL LOGIN using Google and GitHub with OAuth2 / OIDC
* IMPLEMENT RBAC IN MICROSERVICES using roles and permissions extracted from JWT tokens
* UNDERSTAND JWT vs OPAQUE TOKENS and when each token strategy should be used
* DESIGN END-TO-END SECURITY ARCHITECTURE used in real enterprise applications
* BUILD FULL STACK APPLICATION using Angular + Spring Boot secured with Spring Security
* BUILD FULL STACK AUTH0 POC implementing login, roles, permissions, and JWT-secured APIs
* BUILD FULL STACK KEYCLOAK POC implementing realm, clients, roles, and secured microservices
* IMPLEMENT COMPLETE AUTHENTICATION FLOW from frontend login to secured backend APIs
* APPLY SECURITY BEST PRACTICES and avoid common mistakes in production systems
* UNDERSTAND KEYCLOAK vs AUTH0 differences and when to choose each
REQUIREMENTS
* Basic knowledge of Java and Spring Boot
* Basic understanding of REST APIs and HTTP concepts
* Basic idea of Angular or frontend is helpful but not mandatory
* No prior knowledge of Spring Security, OAuth2 or JWT required
* System capable of running Java, IDE and browser
WHO IS THIS COURSE FOR
* Java developers who want to learn Spring Security deeply
* Developers building secure REST APIs using Spring Boot
* Developers preparing for Spring Security interview questions
* Backend or full stack developers working with microservices
* Developers wanting hands-on experience with OAuth2, JWT,
Auth0, Keycloak
* Engineers designing secure enterprise applications
DESCRIPTION
What are we going to cover:
Spring Security Basics: Master Security; Security in Spring Boot & Microservices; Why Security for your spring boot app?; What is Spring Security?; Key Spring Security Concepts; Authentication; Authorization; Servlet Filters; What are its alternatives?; Security Implementation - Who's responsibility; Let's get started!; Why 401?; Summary; Spring Security: Convention-over-Configuration; Key Participants in Authentication Framework; Flow of Authentication in Spring Security; Spring Security Auto-configured Beans; UserDetailsService; PasswordEncoder; Spring Security Configuration; Introduction to POC 2; Overriding Default Configurations; Customizing Spring Security Configuration; Why Authentication Fails Now; Fixing Authentication Step by Step; Define User Credentials; Adding User to InMemoryUserDetailsManager; Defining a PasswordEncoder Bean; Why Avoid HTTP Basic Authentication?
User Management: User Management Components; UserDetails; UserDetailsManager; User; Customising User Details Service; POC 3; Creating User & Authority Table; Mapping User & Authorities table; Why Authorities are eagerly fetched; Fetch saved Authorities from SecurityContext
Authorization: How Authorization works; What are we going to learn; GrantedAuthority; Difference between Authorities and Roles; Authorization implementation levels; Endpoint Level Authorization
Security Filter Chain: Defining a Filter Chain; Modifying Filter chain; Why still 403?; anyRequest().authenticated(); anyRequest().permitAll(); anyRequest().hasAuthority(); anyRequest().hasAnyAuthority(); Role; anyRequest().hasRole(); anyRequest().hasAnyRole(); 401 VS 403; anyRequest().access(); Advantage of anyRequest().access(); Disadvantage of anyRequest().access(); anyRequest().denyAll()
Request Matchers: Matcher Methods; List of All Matcher Methods; Request Matcher; Request Matcher Methods; Real-life analogy; How requestMatchers() works in this setting; Code Block; Types of Matchers; Ant Matcher; ANT Matcher Methods; Why it was popular; Example in Spring Security 5.x; Why Deprecated in Spring Security 6+; MVC Matcher; MVC Matcher Methods; Why it was used; Regex Matcher; regexMatchers(); Why use it; Dispatcher Type Matcher; Purpose - What is DispatcherType; Servlet Path Matcher; Purpose; Is it relevant in a spring boot app?; Combining all Matcher methods
Method Level Security: Authorization at the method level; Where do we stand now?; Can Spring Security Be Used in Non-Web Applications?; Where Can You Apply Method Security?; Why Use Method Security?; Role of Authentication in Enabling Method Security; Why Not Use permitAll() with Method Security; Code snippet; Enabling method security; New way of enabling Method level Authorization; What Happens Behind the Scenes; Why Called "Aspect Behind the Scene"?; Prevent GOD class with Method level Authorization?; Best Practice; Priority of Rules: Security Config vs Method-Level Authorization; Performance Consideration: Method-Level vs Filter-Level Authorization; How Method-Level Security Goes Beyond Filters; Multi-line @PreAuthorize for Complex Security Rules; Disadvantages of Multi-line rules; Moving Beyond SpEL: Bean-Based Security Checks; Post Authorize; Difference Between @PreAuthorize and @PostAuthorize; Filters in Method Security; Pre filter; Pre filter - Key Pointers; Postfilter - Key Pointers; Post Filter Pitfalls; PreFilter VS PostFilter; @Pre/@PostAuthorize VS @Pre/@PostFilter
OAuth 2 & OIDC Basics: Actors/Roles in OAuth2; OAuth 2 Flow; The OAuth 2.0 Solution; Why this is powerful; Steps in OAuth 2; How to get the token?; Heart of how OAuth2 + Spring Security works
Grant types: Types of Grant types; Deprecated Grant types; OAuth's Main Security Principle; Why Password Grant Type Is Deprecated; Modern Replacement; Why Implicit Grant Type Is Deprecated; Summary
Authorization Code Flow: What Is the Authorization Code Grant Type?; Step-by-Step Flow; Advantages; Disadvantages
Authorization Code Flow with PKCE: What is PKCE; Why PKCE was introduced; The Players; Authorization Code Flow with PKCE - Step by Step; How PKCE Prevents Attacks; How Verifier & Challenge Work; Real-World Analogy: The Locker & Key; Summary of PKCE Flow; Authorization Code vs Authorization Code + PKCE; Points to remember
Client Credentials Flow: Client Credentials Grant Type; What is Client Credentials grant; When to use it; The Actors; Flow (step-by-step); Typical token response; Client authentication methods with AS; How Scopes -> Authorities Mapping Works; Scopes & authorities; Tokens: JWT vs opaque; Security considerations / best practices; Pitfalls & gotchas
Refresh Token Flow: Refresh Token Grant Type; What is a Refresh Token?; Why Refresh Tokens Exist; Who uses the Refresh Token flow?; Refresh Token Grant Type Flow; Static (Reusable) Refresh Tokens; Rotating (One-time) Refresh Tokens; How OAuth2 servers decide; What clients must do; Key Token Lifetimes; Why Refresh Tokens Are Sensitive; Refresh Token Flow vs Access Token Flow
Tokens: What is an opaque token?; How an opaque token works; Introspection response; Non-opaque tokens vs opaque tokens
JWT: What is a JWT?; The basic structure of a JWT; How JWT works; JWT signing methods; Common JWT claims; How JWTs are verified; Private and Public keys; What is /jwks.json?; Why JWTs are so popular; Limitations / Pitfalls
OIDC: What is OIDC; Authorization code flow with PKCE; Real-world example (Google Login); Why OIDC exists; What OIDC Actually Is; Core Components in OIDC; ID Token; Standard Claims in ID Token; OIDC Scopes; OIDC Endpoints; Benefits of OIDC; Common pitfalls; Nonce; Why Nonce
SSO: What is SSO; Actors in SSO; Steps in SSO; Why SSO works; Common Pitfalls Of SSO; Security benefit of SSO; SSO Logout Scenarios; Why OAuth2 + OIDC are REQUIRED for SSO
CSRF: What is CSRF; Core browser behavior; Why CSRF is dangerous; How websites stop CSRF; Why Spring Security enables CSRF by default
CORS: What is CORS; Why CORS exists; What is an origin; CORS Rule; Spring Boot CORS config; Common CORS mistakes; CORS vs CSRF
Full Stack POC: Intro to Foodify App; UI Of Foodify App POC; Backend Of Foodify App POC; Auth0 configurations; Spring Security Implementation
Auth0: What is Auth0; Key Components of Auth0; What Happens During Login; Why Use Auth0; MFA; Social Login; Centralized Identity; Developer Productivity; When SHOULD you build yourself?; Roles & Permissions; What is Authentication vs Authorization?; What is OAuth2 / OIDC?; Architecture for End to end POC with Auth0; What is Application in Auth0?; What is API in Auth0?; What is Audience?; What are Roles?; What are Permissions?; Roles vs Permissions; RBAC; Why RBAC is Used; Why roles & permissions in JWT?; JWT Processing in Spring Security; What is JwtDecoder?; What is JwtAuthenticationConverter?; What is Authority in Spring?; ROLE_ prefix; Common Mistakes; Implementation Steps; Steps to Implement Spring Security; Steps to setup Auth0; Steps to add Roles in token; What happens in backend; FINAL FLOW (END-TO-END); KEY CONCEPTS; COMMON MISTAKES
Keycloak: What is Keycloak?; High Level Architecture; Core Terminologies; Types of Clients; Role Types; Client Scope; Groups; Identity Provider (IDP); Flows; Keycloak vs Auth0; Feature Comparison; Who should choose Keycloak vs Auth0
Social Login: What is Social Login; How Social Login works; Benefits of Social Login; Configure Identity Providers in Keycloak; Google login Steps; Github social login steps
COURSE CONTENT
Chapter 1: Introduction
1. Course Introduction
Chapter 2: Spring Security Basics
2. Why Security for your spring boot app ?
3. What is Spring Security ?
4. Key Spring Security Concepts?
5. What is Authentication ?
6. What is Authorization ?
7. What are Servlet Filters ?
8. What are the alternatives of Spring Security ?
9. Spring Security Implementation - Who's responsibility
Chapter 3: POC 1 : Default Configuration
10. POC implementation
11. Why 401 ?
12. Summary
13. Spring Security : Convention over Configuration
Chapter 4: POC 2 : Authentication
14. Components of Authentication
15. What is UserDetailService ?
16. What is PasswordEncoder
17. POC 2 Implementation
Chapter 5: User Management
18. Components of User Management
19. UserDetails contract
20. UserDetailsManager contract
21. User
22. Summary
Chapter 6: POC 3 : Custom User Details Service
23. Customising User Details Service
24. POC 3 implementation
25. Fetch saved Authentication from Security Context
Chapter 7: Authorization
26. What is Authorization ?
27. How Authorization works ?
28. What are we going to learn ?
29. Granted Authority
30. Difference between Authority and role
31. Different Authorization level
Chapter 8: Endpoint Level Authorization
32. Endpoint level Authorization
33. Security Filter Chain
34. Modify Filter Chain based on business use case
35. Authenticated Rule
36. Permit all Rule
37. Has Authority Rule
38. Has Any Authority Rule
39. Has Role Rule
40. Access Method for Rule evaluation
41. Advantages of access Method
42. Disadvantages of access method
43. Deny All Rule
Chapter 9: Authorization Rules
44. Matcher Methods Introduction
45. List Of All Matcher methods
46. Request Matcher Introduction
47. Real life analogy of request matcher
48. Code example of Request matcher
49. Ant Matcher Intro
50. Why Ant matcher was so popular
51. Code snippet of ant matcher
52. Real time analogy of ant matcher
53. Why was ant matcher deprecated
54. MVC matcher introduction
55. Why MVC matcher was useful ?
56. MVC matcher example code
57. Real life analogy of MVC matcher
58. Why MVC matcher was deprecated ?
59. How request matcher replaces old ant and mvc matcher
Chapter 10: Regex Matcher
60. Introduction to Regex matcher method
61. Why and where to use Regex matcher ?
62. Code example of regex matcher
63. Real life analogy of Regex Matcher
Chapter 11: Dispatcher type Matcher
64. Dispatcher type matcher introduction
65. Code snippet for Dispatcher type matcher
Chapter 12: Servlet path matcher
66. Servlet path matcher Introduction
67. Real life analogy of Servlet path matcher
68. When is Servlet path matcher really useful
69. Code snippet for Servlet path matcher
Chapter 13: All matcher methods summary
70. How to combine different matcher method
71. Summary of all matcher methods
Chapter 14: Method level Authorization
72. Method level authorization: Where do we stand now
73. Can we use Spring Security for non web apps
74. Where can we apply method level authorization rules
75. Why use method level security
76. role of authentication
77. code snippet
78. How to enable method level security
79. What happens behind the scene
80. Why called aspect behind the scene
81. Summary of enable method level security annotation
82. Prevent God class
83. Best Practices
84. Who takes priority filter or method level Auth
85. Summary
86. Performance consideration
87. How Method-Level Security Goes Beyond Filters
88. Code Snippet - methodLevelSec
89. Summary-MethodLevelSecurityBeyondFilters
90. Multi-line @PreAuthorize for Complex Security Rules
91. Code Snippet MultiLine @preauthorize
92. Disadvantage of multiline rules
93. Moving Beyond SpEL Bean-Based Security Checks
94. CustomBeanForPreAuthorizeAnnotationWithSPEL Demo
95. Post Authorization
96. Code snippet post authorize
97. Pre vs Post Authorization
98. Use case of post authorization
99. All About Pre filter
100. Live demo for pre filter
101. Post filters
102. Post Filter Pitfall
103. Pre vs Post Filter
104. Authorize vs filter(PrePost)
Chapter 15: OAuth2
105. Actors in oauth2
106. What will happen without Oauth2
107. Flow of Oauth2
108. Why is it so powerful
109. Steps of Oauth2
110. Real world analogy
111. Heart of Oauth2 and Spring security
Chapter 16: OAuth 2 & OIDC
112. Oauth Intro
Chapter 17: Grant types
113. What is grant type
114. Types Of Grant Types
115. Oauths Main Security principle
116. What was Password Grant type
117. Why was password grant type bad
118. Modern replacement of password grant type
119. What is implicit grant type ?
120. Why implicit was bad ?
121. Modern replacement for implicit grant type
122. Summary of deprecated Grant types
Chapter 18: Authorization Code flow
123. Intro of Authorization code grant type flow
124. Steps in authorization code grant type flow
125. 1-1 Communication between actors in authorization code flow
126. Advantages of Authorization code grant type
127. Disadvantages of Authorization code grant type
Chapter 19: PKCE
128. What is PKCE ?
129. Why PKCE ?
130. Actors in PKCE
131. High level PKCE Steps
132. Details of steps in PKCE
133. How PKCE is much more secure and prevents attacks
134. Real time analogy
135. How verifier and challenge works
136. Real world analogy of verifier and challenge
137. Summary of PKCE
138. Authorization code grant type VS PKCE
139. Points to remember
Chapter 20: Client credentials grant types
140. What is client credential grant type ?
141. When to use client credential grant type
142. Actors in client credential grant type
143. Steps for client credential grant type
144. Flow diagram of client credential grant type
145. Typical token response
146. Authentication methods of client credential grant type
147. How scope and authority works ?
148. JWT VS Opaque tokens
149. Best Practices in client credential grant type
150. Pitfalls in client credential grant type
Chapter 21: Refresh token grant type
151. What is refresh token grant type ?
152. Why refresh token grant type
153. Who can use refresh token grant type
154. Sequence diagram of refresh token grant type flow
155. Step by step flow of refresh token grant type
156. Types of authorization server policy wrt refresh token grant type
157. Static reusable refresh tokens
158. Rotating (1-time) refresh tokens
159. Which Authorization server uses which policy ?
160. Best practices of refresh token grant type
161. Analogy for static vs rotation refresh tokens
162. Life of static vs rotating tokens
163. Why refresh tokens are sensitive ?
164. Security considerations of refresh tokens
165. Access token flow VS refresh token flow
166. Summary of refresh token grant type
Chapter 22: Opaque and Non Opaque tokens
167. What is an Opaque token ?
168. How Opaque Token works ?
169. Steps and response of AS for opaque Token
170. What are non opaque tokens ?
171. How non opaque tokens works ?
172. Types of Non opaque tokens
173. Why use non opaque token ?
174. Drawbacks of non opaque token
175. Opaque vs Non opaque tokens
176. Real time analogy - Boarding pass
Chapter 23: JWTs
177. What is JWT ?
178. Structure of JWT token
179. How JWT token is circulated ?
180. JWT signing methods
181. Types of claims in JWT
182. Airlines analogy real time for JWT
183. How JWTs are verified
184. What is private and public key and who owns it ?
185. What is JWKS.json ?
186. Response of jwks.json
187. Analogy of JWKs response
188. Summary of all headers of jwks.json
189. How resource server verifies the JWT token locally
190. Why JWKS is needed ?
191. Teams Jwks example
192. Analogy Of Notary system
193. Why use JWTs
194. Limitations and pitfalls of JWTs
195. Jwk and JWKs
196. JWT usage in Oauth2 and OIDC
197. JWT Teams analogy summary
Chapter 24: OIDC
198. What is OIDC ?
199. Real world example for OIDC
200. Why OIDC if Oauth2 provides authentication
201. Why auth details can't be fetched from access token
202. Real world analogy why not access token
203. Where authentication happens really
204. Which grant type returns ID token
205. Why OIDC
206. Real world analogy of OIDC
207. Core Component of OIDC
208. What does OIDC add over OAuth2
209. What is ID token ?
210. Standard Claims in ID token
211. OIDC Scopes
212. Endpoints that each OIDC provider must provide
213. Step by step Flow of OIDC
214. Where OIDC fits in With Oauth2
215. Endpoint examples with Microsoft
216. How is OIDC Secured ?
217. Benefits of OIDC
218. Common OIDC providers
219. Without OIDC what breaks
220. Common pitfalls of OIDC
221. Summary of OIDC
222. What is Nonce and why use it in OIDC for security
Chapter 25: SSO
223. What is SSO ?
224. Actors in SSO
225. Steps in SSO With real time example
226. Why SSO worked so gracefully
227. Common pitfall of SSO
228. Security benefits of SSO
229. SSO logout scenarios
230. Why OAuth2 and OIDC for SSO
231. SSO Summary
Chapter 26: CSRF
232. What is CSRF ?
233. Core Browser behaviour
234. Real time analogy for CSRF
235. Why CSRF is dangerous
236. Common Misconception about CSRF
237. How websites stop CSRF attacks
238. When CSRF happens
239. Why we are safe from CSRF
240. Do grant types have any effect on CSRF attacks
241. Why Spring security enables the CSRF by default
242. Final connection map
243. CSRF summary
Chapter 27: CORS
244. What is CORS ?
245. Why CORS exists
246. Real world analogy
247. What problem CORS solves
248. What is Origin
249. What happens with and without CORS
250. CORS is not For backend but for browsers
251. CORS Rules applicability
252. How to make our UI call backend without CORS issue
253. Common CORS mistakes
254. CORS vs CSRF
Chapter 28: Foodify App
255. Introduction to Foodify App POC
256. Front end UI setup of Foodify without security
257. Backend Configuration of Microservices and their wirings
258. Quick Demo
Chapter 29: Auth0
259. What is Auth0
260. Real world analogy of Auth0
261. What problems does Auth0 solve
262. Where does Auth0 fit in our architecture
263. Key Components of Auth0
264. Technical flow of auth0
265. Why use Auth0 instead of building everything by yourself
266. When you should build by yourself
267. Simple analogy
268. Quick recap
269. Architecture with Auth0 in place
270. What is Application in Auth0 term
271. How to Create an Application in auth0
272. What is an API in Auth0 and why we need it
273. How to create an API and what goes in an API
274. How the APIs you configured here use the tokens
275. Real world analogy of APIs
276. What is audience and why it's important
277. Real world delivery box analogy for audience
278. What are permissions and roles
279. Why permissions and where do we add permissions
280. Roles VS Permissions
281. What is RBAC
282. Core components of RBAC
283. How RBAC works
284. Why RBAC and its benefits
285. Summary of RBAC
Chapter 30: POC foodify
286. Auth0 FE configurations
287. Security configuration for restaurant API with 200, 401 and 403 demo
288. Security Config in menu service poc
289. Why we add roles and permissions to JWT
290. What happens if we don't add Roles to JWT
291. What happens if we add Roles to JWT
292. Summary to add roles in token
293. Why Auth0 doesn't add roles and permissions by default in JWT
294. Why JWT Decoder
295. What is JWTAuthenticationConverter
296. Add Custom trigger to get roles
Chapter 31: Keycloak
297. What is Keycloak
298. High level architecture where keycloak fits in
299. Core terminologies
300. Type of Clients
301. Role types in Keycloak
302. Scope and groups in keycloak
303. Support for social logins in keycloak
304. Flow in keycloak
305. Keycloak VS Auth0 Terminologies comparison
306. Keycloak VS Auth0 Feature comparison
307. How to choose between Auth0 and Keycloak
Chapter 32: Keycloak POC
308. Configure Keycloak with Docker Image
309. Configure Angular UI to integrate with keycloak
310. Configure Restaurant Service For Keycloak
311. Configure Menu Service in Keycloak
Chapter 33: Social Login with Keycloak
312. What is Social Login
313. How it works
314. Benefits of Social Login
315. What all to change for social login enablement
316. Configure Google social Login in keycloak
317. Github social login in Keycloak
Chapter 34: Resources
318. Git urls
Chapter 35: Additional content
319. Why Avoid HTTP Basic Authentication ?
DATES
Published : 2026-04-19
Last Updated : 2026-04-22
If you fear the truth, don't come to my well.
CRC32: db8ab7cabb5da42074c03b0fd3ad847d01a2e254