In this blog post we will create a secure API for external access, using OAuth 2.0, to the microservices we created inPart 1 and Part 2.

For information about OAuth 2.0 either see introductory material Parecki - OAuth 2 Simplified and Jenkov - OAuth 2.0 Tutorial or the specification IETF RFC 6749.

We will add a new microservice, product-api, that will act as the external API (a Resource Server in OAuth terminology) and we will expose its services through the edge server that we introduced in Part 1 acting as a token relay, i.e. forwarding OAuth access tokens from the client to the resource server. We will also add an OAuth Authorization Server and an OAuth client, i.e. service consumer, we will continue to use cURL.

The system landscape from Part 2 will be complemented with the new OAuth components (marked with a red line):

We will demonstrate how a client can use any of the four standard authorization grant flows to get an access token from the authorization server and then use the access token to make a secure request to the resource server, i.e. the API.

NOTES:

  • Protecting external API’s is nothing specific to microservices, so this blog post is applicable to any architecture where there is a need to secure external API’s using OAuth 2.0!

  • We will provide a lightweight OAuth authorization server only useful for development and testing. In a real world usage it needs to be replaced, e.g. by an API platform or by delegating the sign in and authorization process to social networks such as Facebook or Twitter.

  • We are on purpose only using HTTP in this blog post to reduce complexity. In any real world usage of OAuth all traffic should be protected using TLS, i.e. HTTPS!

  • As in the previous posts we emphasize the differences between microservices and monolithic applications by running each service in a separate microservice, i.e. in separate processes.

  1. BUILD FROM SOURCE

As in Part 2 we use Java SE 8, Git and Gradle. So, to access the source code and build it perform:

git clone https://github.com/callistaenterprise/blog-microservices.git
cd blog-microservices
git checkout -b B3 M3.1
./build-all.sh

If you are on Windows you can execute the corresponding bat-file build-all.bat!

Two new source code components have been added since Part 2, an OAuth Authorization Server, auth-server, and the OAuth Resource Server, product-api-service:

The build should result in ten log messages that all says:

BUILD SUCCESSFUL

  1. SOURCE CODE WALKTHROUGH

Let’s look into how the two new components are implemented and how the edge server is updated to be able to relay the OAuth access tokens. We will also change the URL for the API to make it a bit more convenient to use.

2.1 GRADLE DEPENDENCIES

To be able to use OAuth 2.0 we will bring in the open source projects spring-cloud-security and spring-security-oauth2 with the following dependencies.

For the auth-server:

    compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework.security.oauth:spring-security-oauth2:2.0.6.RELEASE")

For full source code see auth-server/build.gradle.

For the product-api-service:

    compile("org.springframework.cloud:spring-cloud-starter-security:1.0.0.RELEASE")
compile("org.springframework.security.oauth:spring-security-oauth2:2.0.6.RELEASE")

For full source code see product-api-service/build.gradle.

2.2 AUTH-SERVER

The implementation of the authorization server is straight forward. It is brought to life using an annotation, @EnableAuthorizationServer. Then we use a configuration class to register (in-memory only) the approved client applications, specifying client-id, client-secret, allowed grant flows and scopes:

  @EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("acme")
.secret("acmesecret")
.authorizedGrantTypes("authorization_code", "refresh_token", "implicit", "password", "client_credentials")
.scopes("webshop");
}
}

This approach obviously only works for development and test to simulate a client application registration process provided by real world OAuth Authorization Servers, e.g. LinkedIn or GitHub.

For full source code see AuthserverApplication.java.

Registration of users (Resource Owner in OAuth terminology), simulating a real world Identity Provider (IdP), is done by adding one line per user in the file application.properties, e.g.:

security.user.password=password

For full source code see application.properties.

The implementation also comes with two simple web based user interfaces for user authentication and user consent, see the source code for details.

2.3 PRODUCT-API-SERVICE

To make our API-implementation act as a OAuth Resource Server we only need to annotate the main-method with the @EnableOAuth2Resource-annotation:

@EnableOAuth2Resource
public class ProductApiServiceApplication { For full source code see ProductApiServiceApplication.java. The implementation of the API-service is very similar to the composite service in Part 2. To be able to verify that OAuth works we have added logging of the user-id and the access token: @RequestMapping("/{productId}")
@HystrixCommand(fallbackMethod = "defaultProductComposite")
public ResponseEntity<String> getProductComposite(
@PathVariable int productId,
@RequestHeader(value="Authorization") String authorizationHeader,
Principal currentUser) { LOG.info("ProductApi: User={}, Auth={}, called with productId={}",
currentUser.getName(), authorizationHeader, productId);
...

NOTES:

  • Spring MVC will fill in the extra parameters for the current user and the authorization header automatically.

  • We have removed the uri /product from the @RequestMapping to be able to get a more compact URL when using the edge server since it will add a /product prefix to the url to be able to route the request to the correct service.

  • Writing access tokens to the log is probably not to recommend from a security perspective in a real world application.

2.4 UPDATES TO THE EDGE SERVER

Finally we need to make the edge server forward the OAuth access tokens down to the API-service. Fortunately this is actually already the default behavior, so we don’t need to do anything in this case

Spring Cloud OAuth的更多相关文章

  1. [转]Spring Cloud在国内中小型公司能用起来吗?

    原文地址:http://www.cnblogs.com/ityouknow/p/7508306.html 原文地址:https://www.zhihu.com/question/61403505 今天 ...

  2. Building microservices with Spring Cloud and Netflix OSS, part 2

    In Part 1 we used core components in Spring Cloud and Netflix OSS, i.e. Eureka, Ribbon and Zuul, to ...

  3. 基于Spring Cloud和Netflix OSS 构建微服务-Part 1

    前一篇文章<微服务操作模型>中,我们定义了微服务使用的操作模型.这篇文章中,我们将开始使用Spring Cloud和Netflix OSS实现这一模型,包含核心部分:服务发现(Servic ...

  4. 基于Spring Cloud和Netflix OSS构建微服务,Part 2

    在上一篇文章中,我们已使用Spring Cloud和Netflix OSS中的核心组件,如Eureka.Ribbon和Zuul,部分实现了操作模型(operations model),允许单独部署的微 ...

  5. spring cloud+dotnet core搭建微服务架构:Api授权认证(六)

    前言 这篇文章拖太久了,因为最近实在太忙了,加上这篇文章也非常长,所以花了不少时间,给大家说句抱歉.好,进入正题.目前的项目基本都是前后端分离了,前端分Web,Ios,Android...,后端也基本 ...

  6. Securing Spring Cloud Microservices With OAuth2

    From Zero to OAuth2 in Spring cloud Today I am presenting hours of research about a (apparently) sim ...

  7. Spring Cloud下微服务权限方案

    背景从传统的单体应用转型Spring Cloud的朋友都在问我,Spring Cloud下的微服务权限怎么管?怎么设计比较合理?从大层面讲叫服务权限,往小处拆分,分别为三块:用户认证.用户权限.服务校 ...

  8. SpringCloud(10)使用Spring Cloud OAuth2和JWT保护微服务

    采用Spring Security AOuth2 和 JWT 的方式,避免每次请求都需要远程调度 Uaa 服务.采用Spring Security OAuth2 和 JWT 的方式,Uaa 服务只验证 ...

  9. SpringCloud(9)使用Spring Cloud OAuth2保护微服务系统

    一.简介 OAth2是一个标准的授权协议. 在认证与授权的过程中,主要包含以下3种角色. 服务提供方 Authorization Server. 资源持有者 Resource Server. 客户端 ...

随机推荐

  1. UNIX标准化及实现之POSIX标准可选头文件

    POSIX标准定义的可选头文件 头文件 说明 <aio.h> 异步I/O <mqueue.h> 消息队列 <pthread.h> 线程 <sched.h> ...

  2. Jordan Lecture Note-10: Kernel Principal Components Analysis (KPCA).

    Kernel Principal Components Analysis PCA实际上就是对原坐标进行正交变换,使得变换后的坐标之间相互无关,并且尽可能保留多的信息.但PCA所做的是线性变换,对于某些 ...

  3. java_Oralce

    简单范例 create or replace procedure delete_table is i number(10); begin for x in (select * from emp whe ...

  4. JavaFX(三)窗口拖动

    1.问题场景 在上一篇中,我们将窗口的默认标题栏隐藏从而导致鼠标点击窗体无法进行拖动. 2.解决思路 给组件添加鼠标按下事件监听器和鼠标拖动事件监听器. 3.代码实现 代码片段: private do ...

  5. 杂乱无章之javascript(一)

    1.in 要求第一个(左边的)操作数必须是字符串类型或是可以转化成字符串类型的其他类型,而第二(右边的)操作数必须是数组或对象.只有第一个操作数的值是第二个操作数的属性名,才会返回true,否则返回f ...

  6. swift 中异常的处理方法

    swift 中什么时候需要处理异常,在调用系统某个方法的时,该方法最后有一个throws 说明该方法会抛出异常,如果一个方法抛出异常,那么需要对该异常进行处理 swift 异常处理提供了三种方法 方式 ...

  7. python(3)-函数动态参数

    先来看一段代码 def show(*arg): print(arg, type(arg)) if __name__ == "__main__": show(1) show(1,2, ...

  8. linux-redhat5找回root密码

    我在虚拟机里装了个redhat(RedhatEnterpriseLinuxASv5.4-x64),也不经常用,偶尔进去用用吧,又把密码忘记了,哎...脑子不好使啊 不知道像ubuntu是不是一样的,还 ...

  9. IP地址,子网掩码,默认网关,路由,形象生动阐述

    自己的Linux虚拟机已经分配了固定的IP地址(使用无线路由,用的是192.168.1.XX网段),公司的无线网络分配的IP地址是(10.51.174.XX网段) 所以当自己的电脑拿到公司,还想使用桥 ...

  10. css hack 大全 各个浏览器的css

    各个浏览器的css hack区别属性: IE6: _zoom:1; IE6/7: *zoom:1; IE6/7/8/9 :\9 各个浏览器的css hack区别规则 IE6: *html{} IE7: ...