Learn how the Backend for Frontend (BFF) architecture helps secure OAuth and OIDC flows in modern apps by safely handling tokens, reducing attack surfaces, and enabling cleaner session management.
Spring Security
11 posts
OAuth 2.0 and OpenID Connect (OIDC) are powerful, flexible, and… surprisingly easy to misconfigure.Note: This article belongs to Part 5.2: App Security Best Practices in our Application Security series. From overly permissive tokens to incorrect redirect URIs and unchecked ID tokens — even mature teams fall into subtle traps. In this final post of […]
Why the Implicit Flow is deprecated and how PKCE (Proof Key for Code Exchange) secures modern Single Page Applications (SPAs) and mobile apps using OAuth 2.0.
Dive into the structure of JSON Web Tokens (JWT), how they're signed and validated, where expiry pitfalls creep in, and best practices for secure token usage in real-world applications.
By now, you know the difference between authentication and authorization. You’ve explored OAuth 2.0, OpenID Connect, and even federated SSO setups across identity providers. So, what’s next? Have you ever heard or Refresh Tokens?Note: This article belongs to Part 4.1: Token Lifecycle & Retry Logic in our Application Security series. Here’s the […]
LDAP is still widely used for centralized authentication and user directories in enterprise systems. This post breaks down how it works, how it compares to modern identity solutions, and how to integrate it as a developer.
SAML powers enterprise SSO for millions of users every day. Learn what it is, how it works, and how to implement it with Spring Security in modern applications.
OpenID Connect adds identity on top of OAuth 2.0. Learn how it works, when to use it, and how to implement secure login flows using Spring Security.
OAuth 2.0 is the backbone of modern authorization. Learn how it works, which flows to use, and how to implement OAuth securely using Spring Security.
Explore the core differences between session-based and token-based authentication. Understand the technical design, implementation trade-offs, and how Spring Security supports both approaches.
Authentication identifies who a user is. Authorization defines what they’re allowed to do. Learn the technical distinctions with Spring Security examples to apply these concepts in your applications.