Introduction
Authenticate the API user as well as to enable OAuth 2.0 authorization for all OAuth protected APIs. The Spring Authorization Server is used as an OAuth provider; trading channel applications can delegates authentication and authorization to this component, which verifies credentials using the Auth Microservice.
Architecture
Interaction with Identity Provider (Auth Microservice)
Interaction with Resource Server API
- When a client wishes to acquire an OAuth token to call a protected API, it
calls the OAuth Provider (Authorization microservice) token endpoint with the
username/passwordof the user and requests a token with scopeblue. - Authorization microservice will call the Customer microservice to get the credentials and perform the validation.
- If the
username/passwordare valid,HTTP 200is returned, along with a JWT (signed using a HS256 shared secret) in the JSON response underaccess_tokenwhich contains the auth ID of the user passed in theuser_nameclaim. - The client uses the JWT in the
Authorizationheader as a bearer token to call other Resource Servers that have OAuth protected API (such as the Orders microservice). - The service implementing the REST API verifies that the JWT is valid and
signed using the shared secret, then extracts the
user_nameclaim from the JWT to identify the caller. - The JWT is encoded with scope
blueand the the expiry time inexp; once the token is generated, there is no additional interaction between the Resource Server and the OAuth server.
APIs
| APIs | Function |
|---|---|
/oauth/authorize | Get authorization token |
/oauth/token | post authorization token |
Frameworks
Project Features
- Leverage Spring Boot framework to build a Microservices application.
- Uses Spring Security OAuth.
- Return a signed JWT Bearer token back to caller for identity propagation and authorization
- Uses Docker to package application binary and its dependencies.
TBD
TBD