Learn Spring Security OAuth

The definitive guide to secure your application with OAuth2

Why Learn About Security?

The Java ecosystem is vast and quite mature, but when it comes to security, right now, in 2024, there’s really no debate. If you’re working on the security of your application, you’re most likely using Spring Security.

Simply put, the framework is able to handle everything you throw at it – from simple scenarios to highly complex, distributed security requirements. There are some OK alternatives, but nothing really comes close.

Should I do OAuth?

There’s a lot of confusion out there around what OAuth actually is.

So, before all the “deep-dives” into the advanced aspects of the standard – we’re starting with the very basics, and we’re building up a clear understanding of the protocol.

It’s critical to learn where OAuth fits well and is a great solution, and in what scenarios you actually need to avoid it.

And, once you know you’re doing OAuth – you need to understand exactly how it works – to do it well. This is where this material gets interesting – the deep-dives.

After teaching more than 1900 students security through my “Learn Spring Security” course, I’m finally taking the OAuth material to the next level with this new, fully dedicated course!

The New OAuth2 Stack in Spring Security

About two years ago, the Spring Security core team did something unexpected – they announced they were going to do a full rewrite of the OAuth2 support in the framework. This was big news!

It was also the very first time a core Spring project has made such a bold commitment towards a ground-up, major rewrite in the framework.

The new OAuth2 stack is now moving fast with the Spring Security release out now – and the new functionality is already significantly better than the old stack. 


That’s what I’m focusing on in this new course, with the 2 classes below:

The Master Class

This is the full material – the comprehensive, start-to-finish path from just learning what OAuth is – to having a real-world, solid understanding of how to use it in practice. 

The 7 in-depth modules focus on the new OAuth2 stack in Spring Security with Spring and Boot, today, in 2024, not looking back at the XML days of Spring Security.

The Certification Class

This class is simple – it contains the full material from the Master Class, plus downloads and multiple-choice questions – to help you get the most out of the material. 

When you’re done, you’re going to get a “Certificate of Completion” for the course.

Video in key lessons, along with actual coding practice through a real-world project, is the best way to learn a complex framework like Spring Security.

Practice by Coding

Each lesson in the course is either code-focused on a specific OAuth scenario, or theoretical, introducing you to the core concepts. Like all of my courses, the approach is “learn by doing” – or, more specifically, by coding.

I’ve structured the material to show you how to secure very different types of applications, each with its own characteristics, where a specific flow fits and others don’t.

I’m Eugen, and I’ll be your instructor through this course.

I’ve been using OAuth extensively in my own consulting practice for many years now. I’ve helped teams implement (most commonly re-implement) security in their systems over a ridiculous number of Spring versions. And I’ve been teaching security throughout most of that time.

The lessons here come out of that experience, with a simple goal – to get you super comfortable with OAuth2, Spring Security and Spring Boot.

To be clear – you can’t get there by just going through the lessons – you’ll need to code, along with me, through the material. The lessons and the multiple-choice questions are your reference to come back to – whenever you need them.

Naturally, if you’re doing OAuth in your own application, you’ll get a lot out of the material here.

But, if you’re focusing on the full Spring Security framework, beyond just OAuth, keep in mind this course is half of the full “Learn Spring Security” course.

The Master Class

The canonical reference for securing a web application with Spring Security and OAuth2.

The 6 modules cover everything from the basics of the OAuth2 flows to a full deep-dive into OpenID, JWT and Spring Boot support.

And, most importantly, the material is focused on the entirely new OAuth2 stack the Spring Security team has been working on since late 2017 now.

Simply put, every possible corner of an OAuth2 implementation with Spring Security.

1. Intro to OAuth2 and the OAuth2 Roles

4 LESSONS (2 Video + 2 Text) ~ 2 HOURS

  1. Intro to OAuth2 and the OAuth2 Roles (theory) (text)
  2. Picking the Right OAuth Grant Type/Flow to Use (theory) 
  3. The State of OAuth2 in Spring Security (preview lesson)
  4. Setting up the Project (text)

2. The Basics of OAuth2 (New Stack)

5 LESSONS (4 Video + 1 Text) ~ 3 HOURS

  1. The Authorization Code Flow (theory) (preview lesson)
  2. The Authorization Server with Keycloak 
  3. The New OAuth2 Client Support (2 parts)
  4. The New Resource Server Support (2 parts)
  5. JWT Support (text)

3. OAuth2 Beyond the Basics - The Resource Server (New Stack)

8 LESSONS (8 Text) ~ 8 HOURS

  1. Basic Authorization with OAuth2 (text)
  2. Verify/Validate Claims from the JWT (text)
  3. Accessing JWT Bearer Token Authentication Attributes (text)
  4. Accessing JWT Bearer Token Authentication Attributes Using SpEL (text)
  5. Custom Authorities From JWT Claims (text)
  6. Custom Validators For JWT Claims (text)
  7. Resource Server Multi-Tenancy Support (text)
  8. Resource Server Testing Support (text)

4. OAuth2 Beyond the Basics - The Client (New Stack)

4 LESSONS (4 Text) ~ 5 HOURS

  1. The Client Configuration Under the Hood (text)
  2. New OAuth2 Social Login (text)
  3. Refreshing a Token (text)
  4. Testing OAuth2 Clients (text)
  5. The Authorization Code Flow with PKCE (text)

5. OAuth2 Beyond the Basics - Deep-Dives (New Stack)

9 LESSONS (9 Text) ~ 11 HOURS

  1. OAuth2 and SPAs (theory) (text)
  2. OAuth2 and SPAs (implementation) (text)
  3. Exploring JWS with OAuth2 (text)
  4. Testing OAuth2 with REST-assured (text)
  5. OAuth2 and OpenID Connect (text)
  6. Logout with OAuth and OIDC (text)
  7. The Client Credentials Flow (text)
  8. Token Revocation (text)
  9. The Legacy Stack Authorization Server (text)

6. Microservices, Spring Security and OAuth2 (New Stack)

3 LESSONS (3 Text) ~ 4 HOURS

  1. OAuth Security Patterns in a Microservice Application (text)
  2. Sharing Principal Information in Microservices (text)
  3. Exploring Topologies – Gateway API as OAuth2 Client (2 parts) (text)

The Certification Class

This Class contains the same material as the Master Class, but goes beyond the core material with:

  • multiple-choice questions in each lesson to make sure you fully understood the material
  • a Certificate of Completion (example)
  • the download ability for all video lessons – to help you learn offline

Of course, if you have any questions about the material, ping me directly here, on chat, or over email.

Master Class

The canonical reference to secure a web application.
  • All 6 Modules
  • 30 Lessons

Certification Class

This Class includes the Master Class material, exercises, downloads and the Certificate of Completion
  • All 6 Modules
  • 30 Lessons
  • + Exercises in Each Lesson
  • + Full Downloads for All Videos
  • + Certificate of Completion

The Full Learn Spring Security - Certification Class

The canonical reference to secure a web application
  • All 20 Modules
  • 85 Lessons
  • + Exercises in Each Lesson
  • + Full Downloads for All Videos
  • + Certificate of Completion

If you’re looking to get both this course as well as Learn Spring Security Core, have a look at the full Learn Spring Security Course.

Do you have a team who would benefit from taking the course?


20-Day Money Back Guarantee

I believe strongly in the quality of the course material to teach you the fundamentals of API design as well as the advanced tactics to take your API into production. I’ve put a lot of work and care into the material and hope you’re going to use it and really make your REST APIs a lot better.

I confidently back all classes with a 20-Day Money Back Guarantee. I want you to dive in deep and experience the full wealth of this resource without hesitation.

If the material isn’t a good fit, just contact me within 20 days of purchase, and ask for a full refund for any single course package.