OAuth2
- Open Authorization
- Industry-standard protocol for authorization
- Delegated authorization framework
- Authorization is granted for a limited set of data and for a limited time
OAuth2 Roles
- Resource Owner
- Resource Server -> RESTful microservice that holds the protected data
- Client -> application accessing data on the user's behalf
- Authorization Server -> issues tokens to the client
OAuth2 Client Types
- Confidential client (can keep a client secret, e.g. a server-side web app)
- Public client (cannot keep a secret, e.g. a single-page app or mobile native app)
OAuth2 Access token types
- Identifier -> opaque reference used to look up additional information (scope, user, expiry) from the DB
- Self-contained -> the token itself carries the authorization information
  - Base64-encoded JSON object
  - Contains a header section, a payload section and a signature
OAuth2 and OpenID Connect
- Access token -> simple random character string with no information about the user
- OpenID Connect -> provides an access token + an ID token (the ID token contains identity information)
Grant Types
- The way in which applications get access tokens.
- Types
  - Authorization code
    - Server-side web app
    - Mobile native app
    - The client application should keep the authorization code secure.
    - How it works
      - The client website redirects to the authorization server URL with response_type=code
        - GET /authorize?response_type=code&state=&redirect_uri=&scope=&client_id=
      - The authorization server validates the request and presents the login page
      - Once the user authenticates with the authorization server, the server generates an authorization code and redirects to the redirect_uri
      - The client exchanges the code at the token endpoint
        - POST /authorize/token with grant_type=authorization_code&code={code}&redirect_uri=&client_id=&client_secret= (these parameters belong in the form-encoded POST body rather than the URL, so the code and client_secret do not end up in server or proxy logs)
      - The authorization server responds with JSON containing access_token and expiry
  - Client Credentials
    - Server-side script with no UI
    - Application-to-application requests, e.g. Spring Boot microservice-to-microservice communication
    - No user is involved to provide a username/password
    - One microservice sends POST /authorize/token with grant_type=client_credentials&client_id=&client_secret=&scope=email
  - PKCE Enhanced Authorization code
    - JavaScript single-page app
    - Mobile native app
    - Proof Key for Code Exchange
    - Same as Authorization code with a few changes
    - Send the GET request with the additional query params code_challenge=&code_challenge_method=
    - Flow
      - The client generates a code_verifier: a random alphanumeric (base64url-encoded) string
      - The code_challenge value is derived from the code_verifier by hashing it with SHA-256 (code_challenge_method=S256); when the code is exchanged, the authorization server recomputes the challenge from the code_verifier the client sends and rejects the exchange if it does not match
  - Device code
    - Device
  - Password grant
    - Should be used only when the application does not support redirects
    - Requires absolute trust in your application, since it receives the user's password directly
  - Implicit flow
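The PKCE steps above, worked through end to end as an added example (not code from the original notes): generating the code_verifier, deriving the S256 code_challenge, building the /authorize request, and the check the authorization server performs at the token endpoint. The endpoint path, client_id and redirect_uri are assumed placeholder values.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Allowed code_verifier characters and length per RFC 7636 (unreserved chars, 43..128).
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes -> 43-character base64url string (the minimum legal length)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(base_url: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str) -> str:
    """Client side: the GET /authorize request with the extra PKCE parameters."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{base_url}/authorize?{urlencode(params)}"  # base_url is a placeholder


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    """Authorization-server side, at the token endpoint: recompute the challenge from the
    code_verifier sent with the authorization code and compare it (constant time) with the
    challenge stored when the code was issued. Only S256 is accepted here."""
    if method != "S256" or not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))
```

A stolen authorization code is useless without the matching code_verifier, which never leaves the client until the token request.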
Refreshing Access token
- To get a refresh token that does not expire, include the additional scope offline_access
- Send a POST request to the /token endpoint with grant_type=refresh_token, the client credentials and the refresh_token
- Keycloak -> open-source Identity and Access Management server
Resource server behind API gateway
- Spring Cloud API Gateway
  - application.properties
    - spring.cloud.gateway.routes[0].id=
    - spring.cloud.gateway.routes[0].uri=
    - spring.cloud.gateway.routes[0].predicates[0]=Path=
    - spring.cloud.gateway.routes[0].predicates[1]=Method=GET
    - spring.cloud.gateway.routes[0].filters[0]
    - (the second predicate needs its own index; reusing predicates[0] would overwrite the Path predicate and the route would match every path)
- Spring Cloud Netflix Eureka
  - When a new instance of a microservice starts, it registers itself with Eureka
  - No manual configuration required in Eureka
  - Create a new Spring Boot project with the Eureka server as a dependency
    - @EnableEurekaServer in the main program
    - Properties file (the server itself must not register as a client)
      - eureka.client.register-with-eureka=false
      - eureka.client.fetch-registry=false
  - Register resource servers as Eureka clients
    - pom.xml
      - add the spring-cloud-starter-netflix-eureka-client dependency
    - Application.java
      - @EnableDiscoveryClient
    - application.properties
      - eureka.client.serviceUrl.defaultZone=
Configure API gateway routes
- application.properties
  - spring.cloud.gateway.routes[0].id=
  - spring.cloud.gateway.routes[0].uri=lb://<micro service name>
  - spring.cloud.gateway.routes[0].predicates[0]=Path=
  - spring.cloud.gateway.routes[0].predicates[1]=Method=GET
  - spring.cloud.gateway.routes[0].filters[0]
Auth Server
API Gateway - single entry point for the project
Eureka - service registry
Resource Servers
Role based, scope based access