Senior-Security-Engineer-On-Java-Product-Team

The Auth Layer

OAuth2, Tokens, and the Production Identity Problems Nobody Warns You About.

This book targets senior Java developers who have implemented login, copy-pasted a JWT tutorial, and shipped something that worked until it did not. It never explains what HTTP is and never defines authentication versus authorization from scratch. The reader already has a running auth system; this book explains what is wrong with it.

Every chapter uses the same domain: a multi-tenant SaaS platform. A core API, a frontend shell, a mobile client, third-party integrations via OAuth2, and internal microservices. Each component surfaces different auth problems naturally: browser sessions, mobile token storage, service-to-service identity, tenant isolation, and third-party delegation. Attack scenarios, token flows, and Spring Boot code examples all refer to this platform.

Four opinions run through every chapter:

Spring Authorization Server is the right foundation for a custom OAuth2/OIDC server on the JVM. It implements the specs correctly, integrates natively with Spring Security, and gives you control over token customization, key rotation, and storage without writing protocol logic from scratch. Every custom OAuth2 server example in this book uses Spring Authorization Server. Keycloak is referenced as a managed alternative with honest trade-offs, not dismissed.

JWTs are overused. They are the correct choice for stateless resource server validation across service boundaries. They are the wrong choice for user sessions in browser-facing applications where you need instant revocation. The book states this plainly in chapter 1 and reinforces it wherever the token type choice appears.

The auth layer is an attack surface first and a feature second. Every design decision is evaluated against a concrete attack, not just a functional requirement. A token lifecycle design that does not account for replay attacks is not a complete design.

Keycloak is a legitimate managed alternative, not a competitor to understanding. Teams that choose Keycloak still need to understand token lifecycle, key rotation, and attack surfaces. The difference is operational responsibility, not conceptual complexity.

These positions are stated in chapter 1 and referenced when relevant. Where they are qualified, the qualification comes with a concrete condition and a decision rule.

This book was generated using AI assistance.

15 Chapters
3h 43m total
44,434 words

About This Book

Voice: Senior-Security-Engineer-On-Java-Product-Team
Tone: Direct, precise about specs, harsh about tutorial advice that is production-unsafe. Write as a senior security engineer embedded in a Java product team who has triaged a token replay incident, debugged a refresh token race condition under load, and explained to a product manager why logout is not a solved problem in a distributed system. When a popular pattern has a known attack, name the attack before explaining the pattern.
Categories: Authentication, Authorization, OAuth2, Security, Java, Spring Boot

Table of Contents