Managing Microservices with Kong and Springboot — Part 3 (Authentication with OAuth 2.0 Plugin)
So far we have integrated a RESTful API with Kong; now it is time to add a bit of security with OAuth2.
Kong API Gateway supports configurable plugins. For an introduction to Kong, and for the basic steps to install and set up Kong and register a service, see tutorial 1 and tutorial 2.
As in tutorial 2, we first need the REST service we created with Spring Boot up and running again.
As I had already created my container, and because I restarted my PC, I started the container again, but it gave me an error:
An invalid response was received from the upstream server
It's not your fault. When I checked the Docker networks using
docker network inspect kong-net
I found that the container IP of my little microservice API had changed. So I DELETED my previous services and re-created them again.
Yes, all working again.
Enabling the plugin on a Service
So we enable the OAuth2 plugin on the temperature service with a POST to the service's plugins endpoint:
curl -X POST http://localhost:8001/services/temperature/plugins --data "name=oauth2" --data "config.scopes=read" --data "config.scopes=write" --data "config.mandatory_scope=true" --data "config.enable_password_grant=true" --data "config.accept_http_if_already_terminated=true" --data "config.token_expiration=180" --data "config.global_credentials=true"
Here is the response:
{
"created_at": 1589489802,
"config": {
"refresh_token_ttl": 1209600,
"enable_client_credentials": false,
"mandatory_scope": true,
"provision_key": "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0",
"accept_http_if_already_terminated": true,
"hide_credentials": false,
"enable_implicit_grant": false,
"global_credentials": true,
"enable_authorization_code": false,
"enable_password_grant": true,
"scopes": [
"read",
"write"
],
"anonymous": null,
"token_expiration": 180,
"auth_header_name": "authorization"
},
"id": "3686ec11-76df-463d-8ee2-4de93d5e9bfb",
"service": {
"id": "bf1049ee-62d8-486a-aa88-73d56a0b5963"
},
"enabled": true,
"protocols": [
"grpc",
"grpcs",
"http",
"https"
],
"name": "oauth2",
"consumer": null,
"route": null,
"tags": null
}
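The plugin object Kong returns above is worth reading as a reviewer, not only as confirmation. As an added example (not from the tutorial or from Kong), the Python script below embeds that response, flags the settings that weaken the setup (the meaning of each setting follows the Kong oauth2 plugin documentation), shows a copy with the conservative values, and masks the secret-bearing fields so the response can be pasted into a ticket or log.

```python
"""Review the oauth2 plugin object Kong returned when the plugin was enabled.

Added example, not part of the tutorial or of Kong. PLUGIN_RESPONSE is the
Admin API response shown above; review_oauth2_plugin() flags settings worth a
second look, harden() shows the corrected values, and redact() masks secrets.
"""
import copy
import json

# The plugin object returned by POST /services/temperature/plugins (from the tutorial).
PLUGIN_RESPONSE = {
    "created_at": 1589489802,
    "config": {
        "refresh_token_ttl": 1209600, "enable_client_credentials": False,
        "mandatory_scope": True, "provision_key": "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0",
        "accept_http_if_already_terminated": True, "hide_credentials": False,
        "enable_implicit_grant": False, "global_credentials": True,
        "enable_authorization_code": False, "enable_password_grant": True,
        "scopes": ["read", "write"], "anonymous": None, "token_expiration": 180,
        "auth_header_name": "authorization",
    },
    "id": "3686ec11-76df-463d-8ee2-4de93d5e9bfb",
    "service": {"id": "bf1049ee-62d8-486a-aa88-73d56a0b5963"},
    "enabled": True, "protocols": ["grpc", "grpcs", "http", "https"],
    "name": "oauth2", "consumer": None, "route": None, "tags": None,
}

# Fields in Admin API / token responses that must never reach logs or tickets.
SECRET_KEYS = {"provision_key", "client_secret", "access_token", "refresh_token"}


def review_oauth2_plugin(plugin: dict) -> list[tuple[str, str]]:
    """Return (setting, why it matters) pairs for the settings that weaken the setup."""
    if plugin.get("name") != "oauth2":
        raise ValueError("not an oauth2 plugin object")
    cfg = plugin["config"]
    findings = []
    if not cfg.get("mandatory_scope"):
        findings.append(("mandatory_scope", "false: tokens can be issued without any scope"))
    if cfg.get("accept_http_if_already_terminated"):
        findings.append(("accept_http_if_already_terminated",
                         "true: plain-HTTP requests carrying X-Forwarded-Proto: https are treated "
                         "as TLS-terminated, so Kong must only be reachable through a trusted proxy"))
    if not cfg.get("hide_credentials"):
        findings.append(("hide_credentials",
                         "false: the bearer token is forwarded to the upstream service"))
    if cfg.get("global_credentials"):
        findings.append(("global_credentials",
                         "true: credentials issued under other oauth2 plugin instances with the "
                         "same setting are accepted by this service"))
    if cfg.get("enable_implicit_grant"):
        findings.append(("enable_implicit_grant",
                         "true: the implicit grant returns access tokens in the redirect URL fragment"))
    if cfg.get("token_expiration") == 0:
        findings.append(("token_expiration", "0: access tokens never expire"))
    return findings


def harden(plugin: dict) -> dict:
    """Copy of the plugin object with the settings flagged above set to the conservative value."""
    fixed = copy.deepcopy(plugin)
    fixed["config"].update(hide_credentials=True, global_credentials=False,
                           accept_http_if_already_terminated=False)
    return fixed


def redact(obj):
    """Mask secret-bearing fields so an Admin API response can go into a ticket or log."""
    if isinstance(obj, dict):
        return {k: "***" if k in SECRET_KEYS and isinstance(v, str) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


if __name__ == "__main__":
    for setting, why in review_oauth2_plugin(PLUGIN_RESPONSE):
        print(f"{setting}: {why}")
    print(json.dumps(redact(harden(PLUGIN_RESPONSE))["config"], indent=2))
```

Applying the hardened values to a running Kong is a PATCH on the plugin's Admin API endpoint (/plugins/<id>) with the same config.* form fields used in the POST above; whether hide_credentials should be true depends on whether the upstream Spring Boot service needs to see the token itself.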
Create a Consumer
You need to associate a credential with an existing Consumer object. To create a Consumer, execute the following request:
curl -X POST http://localhost:8001/consumers/ --data "username=suraj.kong@gmail.com" --data "custom_id=100001"
And the response is
{
"custom_id": "100001",
"created_at": 1589489940,
"id": "e01f604b-5811-4de1-b8b5-3d194a43f7a5",
"tags": null,
"username": "suraj.kong@gmail.com"
}
Create an Application
Then you can provision a new OAuth2 credential for that consumer with the following POST:
curl -X POST http://localhost:8001/consumers/suraj.kong@gmail.com/oauth2 --data "name=My First Kong" --data "client_id=CLIENT_ID_100001" --data "client_secret=CLIENT_SECRET_100001" --data "redirect_uris=http://localhost:8806/tp"
And the response is
{
"redirect_uris": [
"http://localhost:8806/tp"
],
"created_at": 1589490072,
"consumer": {
"id": "e01f604b-5811-4de1-b8b5-3d194a43f7a5"
},
"id": "ed4e33c1-6050-4b96-b314-21d5aefdc5b3",
"tags": null,
"name": "My First Kong",
"client_secret": "CLIENT_SECRET_100001",
"client_id": "CLIENT_ID_100001"
}
Once the OAuth2 plugin is active on the temperature service, the API can no longer be accessed without authorization, so let's try calling the API again:
Provision Access Tokens
We have added a consumer and created an application for that consumer (test.kong@gmail.com) on the OAuth2 plugin of the temperature-v1 service. Now we need to obtain an access token and a refresh token through the OAuth 2.0 flow, so that we can access the API the plugin now protects.
POST https://localhost:8443/temperature-v1/oauth2/token
(this must be https; if you are using Postman, set SSL certificate verification to OFF)
POST request body, with Content-Type: application/json in the headers:
{
"client_id": "CLIENT_ID_100001",
"client_secret": "CLIENT_SECRET_100001",
"grant_type": "password",
"provision_key": "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0",
"authenticated_userid": "suraj.kong@gmail.com",
"scope": "read"
}
Response:
{
"refresh_token": "9RgcGQ7eAD5twHI1txi7R6q8NAwSDwA7",
"token_type": "bearer",
"access_token": "jU43tRYP2YoQLTTkKviiA0XS0PV23CXn",
"expires_in": 180
}
Now that we have a token (access_token), we send it in the request header as Authorization: bearer <access_token>.
{
"error_description": "The access token is invalid or has expired",
"error": "invalid_token"
}
We enabled the OAuth2 plugin on the temperature service with a token expiration of 180 seconds. So after 180 seconds the token expires, the gateway returns the invalid_token error shown above, and the token must be refreshed with:
{
"grant_type": "refresh_token",
"client_id": "CLIENT_ID_100001",
"client_secret": "CLIENT_SECRET_100001",
"refresh_token": "9RgcGQ7eAD5twHI1txi7R6q8NAwSDwA7"
}
GET: localhost:8000/temperature-v1/convert-to-fahrenheit/2000
3632.0
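The password grant, the 180-second expiry and the refresh_token grant above are one token lifecycle, and a client that gets it wrong is exactly what produces the invalid_token response. As an added example (not from the tutorial or from Kong), the Python client below posts the same JSON bodies to the token endpoint, tracks expires_in, and refreshes before reusing a stale token. The HTTP transport is injected: urllib_transport talks to a real Kong, while fake_kong_transport replays the tutorial's token response so the flow runs offline. The refreshed token pair, the fake transport's error body and FakeClock are constructed for the demo.

```python
"""Password-grant and refresh-token flow against Kong's oauth2 plugin.

Added example, not part of the original tutorial or of Kong. KongOAuth2Client
sends the bodies the tutorial posts to /temperature-v1/oauth2/token, tracks
expires_in and refreshes before a stale token is reused (the invalid_token
case shown above). fake_kong_transport, REFRESHED_TOKEN and FakeClock are
constructed stand-ins so the flow can be exercised offline.
"""
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://localhost:8443/temperature-v1/oauth2/token"
PROVISION_KEY = "kfpsOjcTiWRhxF12OiyeURccWFDWYcd0"   # from the plugin response above
EARLY_REFRESH_SECONDS = 5   # refresh a little before expires_in to avoid racing Kong's clock


class KongOAuth2Client:
    def __init__(self, transport, client_id, client_secret, provision_key, user_id, scope,
                 clock=time.monotonic):
        # provision_key lets this client vouch for an already-authenticated user, so it
        # belongs in a server-side component, never in a browser or mobile app.
        self.transport, self.clock = transport, clock
        self.client_id, self.client_secret = client_id, client_secret
        self.provision_key, self.user_id, self.scope = provision_key, user_id, scope
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0
        self.grants = []   # grant types successfully used, for inspection

    def _token_request(self, body):
        status, payload = self.transport(TOKEN_URL, body)
        if status != 200 or "access_token" not in payload:
            raise RuntimeError(f"{payload.get('error')}: {payload.get('error_description')}")
        self.grants.append(body["grant_type"])
        self.access_token = payload["access_token"]
        self.refresh_token = payload.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + payload["expires_in"] - EARLY_REFRESH_SECONDS
        return payload

    def password_grant(self):
        return self._token_request({
            "client_id": self.client_id, "client_secret": self.client_secret,
            "grant_type": "password", "provision_key": self.provision_key,
            "authenticated_userid": self.user_id, "scope": self.scope})

    def refresh(self):
        return self._token_request({
            "grant_type": "refresh_token", "client_id": self.client_id,
            "client_secret": self.client_secret, "refresh_token": self.refresh_token})

    def bearer_header(self):
        """Header for the protected call, obtaining or refreshing the token as needed."""
        if self.access_token is None:
            self.password_grant()
        elif self.clock() >= self.expires_at:
            self.refresh()
        return {"Authorization": "bearer " + self.access_token}


def urllib_transport(url, body):
    """Real transport. Kong's default certificate is self-signed: rather than disabling
    verification as the Postman step does, pass context=ssl.create_default_context(
    cafile=<dev cert>) to urlopen so that the dev certificate is trusted explicitly."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


# Offline stand-ins (constructed): the tutorial's token response, a refreshed pair, a clock.
TUTORIAL_TOKEN = {"refresh_token": "9RgcGQ7eAD5twHI1txi7R6q8NAwSDwA7", "token_type": "bearer",
                  "access_token": "jU43tRYP2YoQLTTkKviiA0XS0PV23CXn", "expires_in": 180}
REFRESHED_TOKEN = {"refresh_token": "CONSTRUCTED_REFRESH_TOKEN_2", "token_type": "bearer",
                   "access_token": "CONSTRUCTED_ACCESS_TOKEN_2", "expires_in": 180}


def fake_kong_transport(url, body):
    """Constructed stand-in for the token endpoint; the fake issues a fresh pair on refresh."""
    if body["grant_type"] == "password" and body.get("provision_key") == PROVISION_KEY:
        return 200, dict(TUTORIAL_TOKEN)
    if body["grant_type"] == "refresh_token" and body["refresh_token"] == TUTORIAL_TOKEN["refresh_token"]:
        return 200, dict(REFRESHED_TOKEN)
    return 400, {"error": "invalid_request", "error_description": "invalid grant or credentials"}


class FakeClock:
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now


def run_demo():
    clock = FakeClock()
    client = KongOAuth2Client(fake_kong_transport, "CLIENT_ID_100001", "CLIENT_SECRET_100001",
                              PROVISION_KEY, "suraj.kong@gmail.com", "read", clock=clock)
    first = client.bearer_header()["Authorization"]    # password grant
    clock.now += 60
    second = client.bearer_header()["Authorization"]   # still valid, no request made
    clock.now += 150                                    # now past the 180 s token_expiration
    third = client.bearer_header()["Authorization"]    # refresh_token grant
    return {"first": first, "second": second, "third": third, "grants": client.grants}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

To use it against the tutorial's Kong, construct the client with urllib_transport and a real clock and call bearer_header() before each GET to localhost:8000/temperature-v1/...; the client refreshes a few seconds before the 180-second expiry instead of waiting for the invalid_token response and retrying.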
Please find all the source code on GitHub here
For more details on Kong's OAuth2 plugin, please visit