Managing Microservices with Kong and Spring Boot — Part 3 (Authentication with the OAuth 2.0 Plugin)

Suraj Batuwana
4 min readJul 6, 2020

So far we have integrated a RESTful API with Kong; now it is time to add some security with OAuth 2.0.

Kong API Gateway supports configurable plugins. For an introduction to Kong, and for installing and setting it up and adding a basic service, see tutorial 1 and tutorial 2.

As in tutorial 2, we first need to set up our Spring Boot REST service again.

I had already created my container, and because I restarted my PC I started the container again, but it gave me an error:

An invalid response was received from the upstream server

It is not your fault. When I checked the Docker networks using

docker network inspect kong-net

I found that the container IP of my little microservice API had changed, so I deleted my previous service and re-created it.

Yes, all working again.

Enabling the plugin on a Service

So we enable the OAuth2 plugin on the temperature service with a POST to that Service's plugins endpoint on the Admin API (the two config.scopes values define the scopes a client may request, and mandatory_scope=true means every token request must name at least one of them):

curl -X POST http://localhost:8001/services/temperature/plugins \
  --data "name=oauth2" \
  --data "config.scopes=read" \
  --data "config.scopes=write" \
  --data "config.mandatory_scope=true" \
  --data "config.enable_password_grant=true" \
  --data "config.accept_http_if_already_terminated=true" \
  --data "config.token_expiration=180" \
  --data "config.global_credentials=true"

Here is the response. Note the generated provision_key: it is what authorises a trusted backend to use the password grant later on, so treat it as a secret and never ship it to a browser or mobile client.

{
"created_at": 1589489802,
"config": {
"refresh_token_ttl": 1209600,
"enable_client_credentials": false,
"mandatory_scope": true,
"provision_key": "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0",
"accept_http_if_already_terminated": true,
"hide_credentials": false,
"enable_implicit_grant": false,
"global_credentials": true,
"enable_authorization_code": false,
"enable_password_grant": true,
"scopes": [
"read",
"write"
],
"anonymous": null,
"token_expiration": 180,
"auth_header_name": "authorization"
},
"id": "3686ec11-76df-463d-8ee2-4de93d5e9bfb",
"service": {
"id": "bf1049ee-62d8-486a-aa88-73d56a0b5963"
},
"enabled": true,
"protocols": [
"grpc",
"grpcs",
"http",
"https"
],
"name": "oauth2",
"consumer": null,
"route": null,
"tags": null
}
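The response above is also a useful place to review what the plugin will and will not do. As an added check for this tutorial (not code from the original post or from Kong), the following Python reads that plugin response, copied here verbatim as PLUGIN_RESPONSE, and flags the settings that widen exposure. The meaning of each setting is Kong's documented behaviour; which values to flag, and the one-hour token lifetime threshold, are this example's own choices. It also builds the Admin API PATCH that would tighten a chosen setting on this plugin instance.

```python
"""Audit the Kong OAuth2 plugin configuration returned by the Admin API.

Added check for this tutorial, not code from the original post or from Kong.
Setting semantics follow Kong's documentation; the flagging rules and the
MAX_TOKEN_LIFETIME threshold are this example's own.
"""

# The response body from the POST /services/temperature/plugins call above.
PLUGIN_RESPONSE = {
    "id": "3686ec11-76df-463d-8ee2-4de93d5e9bfb",
    "name": "oauth2",
    "service": {"id": "bf1049ee-62d8-486a-aa88-73d56a0b5963"},
    "config": {
        "refresh_token_ttl": 1209600,
        "enable_client_credentials": False,
        "mandatory_scope": True,
        "provision_key": "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0",
        "accept_http_if_already_terminated": True,
        "hide_credentials": False,
        "enable_implicit_grant": False,
        "global_credentials": True,
        "enable_authorization_code": False,
        "enable_password_grant": True,
        "scopes": ["read", "write"],
        "anonymous": None,
        "token_expiration": 180,
        "auth_header_name": "authorization",
    },
}

MAX_TOKEN_LIFETIME = 3600  # example threshold in seconds, not a Kong default


def audit_oauth2_plugin(plugin):
    """Return a list of {setting, value, note} findings for one oauth2 plugin instance."""
    cfg = plugin["config"]
    findings = []

    def flag(key, note):
        findings.append({"setting": key, "value": cfg.get(key), "note": note})

    if not cfg.get("hide_credentials"):
        flag("hide_credentials", "the Authorization header, and so the bearer token, is forwarded "
             "to the upstream; set true unless the upstream really needs it")
    if cfg.get("global_credentials"):
        flag("global_credentials", "tokens issued here are also accepted by every other service "
             "whose oauth2 plugin sets global_credentials=true")
    if cfg.get("accept_http_if_already_terminated"):
        flag("accept_http_if_already_terminated", "plain-HTTP token requests carrying "
             "X-Forwarded-Proto: https are accepted; only safe when Kong is reachable solely "
             "through a trusted TLS-terminating proxy")
    if cfg.get("enable_password_grant"):
        flag("enable_password_grant", "the password grant is gated by provision_key, which must "
             "live only on a trusted backend, never in a browser or mobile app")
    if cfg.get("enable_implicit_grant"):
        flag("enable_implicit_grant", "access tokens are returned in the redirect URI fragment")
    ttl = cfg.get("token_expiration", 0)
    if ttl == 0:
        flag("token_expiration", "0 means access tokens never expire")
    elif ttl > MAX_TOKEN_LIFETIME:
        flag("token_expiration", f"access tokens live longer than {MAX_TOKEN_LIFETIME}s")
    if cfg.get("refresh_token_ttl", 0) == 0:
        flag("refresh_token_ttl", "0 means refresh tokens never expire")
    if not cfg.get("mandatory_scope"):
        flag("mandatory_scope", "clients can obtain tokens without requesting any scope")
    if cfg.get("anonymous"):
        flag("anonymous", "requests with no valid token are proxied as this anonymous consumer")
    return findings


def patch_command(plugin, admin="http://localhost:8001", **settings):
    """Build the Admin API PATCH that changes config.* settings on this plugin instance."""
    args = [f"curl -X PATCH {admin}/plugins/{plugin['id']}"]
    for key, value in settings.items():
        text = str(value).lower() if isinstance(value, bool) else str(value)
        args.append(f'--data "config.{key}={text}"')
    return " ".join(args)


if __name__ == "__main__":
    for f in audit_oauth2_plugin(PLUGIN_RESPONSE):
        print(f"{f['setting']}={f['value']}: {f['note']}")
    print(patch_command(PLUGIN_RESPONSE, hide_credentials=True, global_credentials=False))
```

For the configuration used in this tutorial the audit flags hide_credentials, global_credentials, accept_http_if_already_terminated and enable_password_grant; the short 180 second token lifetime and the mandatory scopes pass. Whether each flag is acceptable depends on the deployment (accept_http_if_already_terminated is fine behind a trusted TLS terminator, for instance), which is why the check reports rather than decides.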

Create a Consumer

An OAuth2 credential must be associated with an existing Consumer object. To create a Consumer, execute the following request:

curl -X POST http://localhost:8001/consumers/  --data "username=suraj.kong@gmail.com" --data "custom_id=100001"

And the response is

{
"custom_id": "100001",
"created_at": 1589489940,
"id": "e01f604b-5811-4de1-b8b5-3d194a43f7a5",
"tags": null,
"username": "suraj.kong@gmail.com"
}

Create an Application

Then you can finally provision a new OAuth2 credential (the application's client_id, client_secret and redirect URI) for that consumer with the following POST. If client_id and client_secret are omitted, Kong generates random values; fixed ones are used here only so the rest of the tutorial is easy to follow:

curl -X POST http://localhost:8001/consumers/suraj.kong@gmail.com/oauth2 \
  --data "name=My First Kong" \
  --data "client_id=CLIENT_ID_100001" \
  --data "client_secret=CLIENT_SECRET_100001" \
  --data "redirect_uris=http://localhost:8806/tp"

And the response is

{
"redirect_uris": [
"http://localhost:8806/tp"
],
"created_at": 1589490072,
"consumer": {
"id": "e01f604b-5811-4de1-b8b5-3d194a43f7a5"
},
"id": "ed4e33c1-6050-4b96-b314-21d5aefdc5b3",
"tags": null,
"name": "My First Kong",
"client_secret": "CLIENT_SECRET_100001",
"client_id": "CLIENT_ID_100001"
}

Once the OAuth2 plugin is active on the temperature service, the API can no longer be called without authorisation, so the next step is to obtain a token.

Provision Access Tokens

We have added a consumer (suraj.kong@gmail.com) and created an application for it on the OAuth2-protected temperature service, which is exposed under the /temperature-v1 route. Now we request an access token and a refresh token through the OAuth 2.0 password grant and use them to call the protected API.

POST https://localhost:8443/temperature-v1/oauth2/token

This must be HTTPS: Kong only serves the token endpoint over TLS (with config.accept_http_if_already_terminated=true, as set above, it also accepts plain HTTP when a TLS-terminating proxy in front of it adds the X-Forwarded-Proto: https header). Port 8443 is Kong's default proxy SSL port and uses a self-signed certificate out of the box, so if you are using Postman, turn SSL certificate verification off for this test.

POST the following request body, with Content-Type: application/json in the headers. Kong does not check the user's password itself: the request carries the provision_key generated when the plugin was enabled, plus the authenticated_userid that our trusted backend has already verified, so this call must come from that backend and never from a browser.

{
"client_id": "CLIENT_ID_100001",
"client_secret": "CLIENT_SECRET_100001",
"grant_type": "password",
"provision_key": "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0",
"authenticated_userid": "suraj.kong@gmail.com",
"scope": "read"
}

Response

{
"refresh_token": "9RgcGQ7eAD5twHI1txi7R6q8NAwSDwA7",
"token_type": "bearer",
"access_token": "jU43tRYP2YoQLTTkKviiA0XS0PV23CXn",
"expires_in": 180
}

Now that we have an access_token, we send it on every request in the Authorization header as "Authorization: bearer <access_token>". Once its lifetime has elapsed, the same request is rejected with:

{
"error_description": "The access token is invalid or has expired",
"error": "invalid_token"
}

When we enabled the OAuth2 plugin on the temperature service we set config.token_expiration to 180 seconds, so after 180 seconds the access token expires and we must use the refresh token to obtain a new one. POST the following body to the same /oauth2/token endpoint; Kong returns a fresh access_token and refresh_token pair and invalidates the old one:

{
"grant_type": "refresh_token",
"client_id": "CLIENT_ID_100001",
"client_secret": "CLIENT_SECRET_100001",
"refresh_token": "9RgcGQ7eAD5twHI1txi7R6q8NAwSDwA7"
}

With a valid access token in the Authorization header, the protected call through the proxy succeeds:

GET localhost:8000/temperature-v1/convert-to-fahrenheit/2000

3632.0
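The whole exchange above (password grant from the trusted backend, bearer call, the invalid_token rejection after 180 seconds, and the refresh) is easier to reason about when both sides are visible in one place. The following Python is an added example for this tutorial, not code from the original post or from Kong. FakeKong is a constructed, in-memory stand-in for the plugin as configured above (180 second tokens, mandatory scope, password grant gated by provision_key, single-use refresh tokens that revoke the previous pair); only the expiry message is copied from the page, the other error bodies are modelled on Kong's and should be checked against a real gateway. TokenClient plays the trusted backend the tutorial assumes, holding the provision_key and refreshing once when the gateway answers invalid_token. The client_id, client_secret, provision_key and user id are the ones from this page.

```python
"""Password grant, bearer call, expiry and refresh against the Kong OAuth2 plugin, offline.

Added example for this tutorial, not code from the original post or from Kong.
FakeKong is a constructed model of the plugin as configured above; TokenClient
is the trusted backend that holds provision_key and refreshes on invalid_token.
"""
import secrets

TOKEN_TTL = 180                                      # config.token_expiration above
PROVISION_KEY = "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0"  # from the plugin response above
CLIENT_ID, CLIENT_SECRET = "CLIENT_ID_100001", "CLIENT_SECRET_100001"
USER_ID = "suraj.kong@gmail.com"
SCOPES = {"read", "write"}                           # config.scopes above
UPSTREAM_ANSWER = "3632.0"                           # convert-to-fahrenheit/2000 on the page


def _err(status, error, description):
    return status, {"error": error, "error_description": description}


class FakeKong:
    """Constructed model of /oauth2/token and of the bearer check in front of the upstream."""

    def __init__(self):
        self.now = 0       # simulated clock in seconds; advance it to let tokens expire
        self.access = {}   # access_token -> expiry instant
        self.refresh = {}  # refresh_token -> (authenticated_userid, paired access_token)

    def _issue(self, userid):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = self.now + TOKEN_TTL
        self.refresh[rt] = (userid, at)
        return 200, {"token_type": "bearer", "access_token": at,
                     "refresh_token": rt, "expires_in": TOKEN_TTL}

    def token(self, body, scheme="https"):
        """POST /temperature-v1/oauth2/token -> (status, json). Error texts modelled, not verified."""
        if scheme != "https":                        # tokens are only issued over TLS
            return _err(400, "access_denied", "You must use HTTPS")
        if (body.get("client_id"), body.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return _err(400, "invalid_client", "Invalid client authentication")
        grant = body.get("grant_type")
        if grant == "password":
            # Kong never sees the user's password: the caller proves it is the trusted
            # backend with provision_key and asserts which user it already authenticated.
            if body.get("provision_key") != PROVISION_KEY:
                return _err(400, "invalid_provision_key", "Invalid provision_key")
            if not body.get("authenticated_userid"):
                return _err(400, "invalid_authenticated_userid", "Missing authenticated_userid")
            scope = set(body.get("scope", "").split())
            if not scope or not scope <= SCOPES:     # config.mandatory_scope=true
                return _err(400, "invalid_scope", "Invalid or missing scope")
            return self._issue(body["authenticated_userid"])
        if grant == "refresh_token":
            entry = self.refresh.pop(body.get("refresh_token"), None)  # single use
            if entry is None:
                return _err(400, "invalid_request", "Invalid refresh_token")
            userid, old_access = entry
            self.access.pop(old_access, None)        # the previous pair is revoked
            return self._issue(userid)
        return _err(400, "unsupported_grant_type", "Invalid grant_type")

    def proxy(self, headers):
        """GET on the protected route: the plugin's bearer check, then the upstream reply."""
        parts = headers.get("authorization", "").split()
        token = parts[1] if len(parts) == 2 and parts[0].lower() == "bearer" else None
        if token is None:
            return _err(401, "invalid_request", "The access token is missing")
        if self.access.get(token, 0) <= self.now:    # unknown or expired (message from the page)
            return _err(401, "invalid_token", "The access token is invalid or has expired")
        return 200, UPSTREAM_ANSWER


class TokenClient:
    """The trusted backend: holds provision_key and refreshes once on invalid_token."""

    def __init__(self, kong):
        self.kong, self.tokens = kong, None

    def _grant(self, **fields):
        status, body = self.kong.token({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, **fields})
        if status != 200:
            raise RuntimeError(body)
        self.tokens = body
        return body

    def login(self, userid, scope="read"):
        return self._grant(grant_type="password", provision_key=PROVISION_KEY,
                           authenticated_userid=userid, scope=scope)

    def refresh(self):
        return self._grant(grant_type="refresh_token", refresh_token=self.tokens["refresh_token"])

    def get(self):
        status, body = self.kong.proxy({"authorization": "bearer " + self.tokens["access_token"]})
        if status == 401 and body.get("error") == "invalid_token":
            self.refresh()                           # expired: swap the pair and retry once
            status, body = self.kong.proxy({"authorization": "bearer " + self.tokens["access_token"]})
        return status, body


if __name__ == "__main__":
    kong = FakeKong()
    client = TokenClient(kong)
    first = client.login(USER_ID)
    print(client.get())                                                      # (200, '3632.0')
    kong.now += TOKEN_TTL + 1                                                # the 180 second token lapses
    print(kong.proxy({"authorization": "bearer " + first["access_token"]}))  # invalid_token
    print(client.get())                                                      # refreshed: (200, '3632.0')
```

Two details are worth carrying over to the real setup: the retry in TokenClient.get only triggers on invalid_token, so a missing header or a wrong client secret fails fast instead of looping, and a refresh token is consumed the moment it is used, so a replayed refresh request is a signal worth logging rather than a benign retry.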

Please find all the source on GitHub here.

For more details on Kong's OAuth 2.0 plugin, please visit the plugin's documentation.


Suraj Batuwana

Technology Evangelist and Technical Blogger with multidisciplinary skills and experience across the full spectrum of design, architecture and development.