This component authenticates the API user and enables OAuth 2.0 authorization for all OAuth-protected APIs. The Spring Authorization Server is used as the OAuth provider; trading channel applications can delegate authentication and authorization to this component, which verifies credentials using the Auth Microservice.
Interaction with Identity Provider (Auth Microservice)
Interaction with Resource Server API
- When a client wishes to acquire an OAuth token to call a protected API, it calls the OAuth provider (Authorization microservice) token endpoint with the username/password of the user and requests a token with scope `blue`.
- The Authorization microservice calls the Customer microservice to get the credentials and perform the validation.
- If validation succeeds, HTTP 200 is returned, along with a JWT (signed using an HS256 shared secret) in the JSON response under `access_token`; the JWT contains the auth ID of the authenticated user.
- The client uses the JWT in the `Authorization` header as a bearer token to call other Resource Servers that have OAuth-protected APIs (such as the Orders microservice).
- The service implementing the REST API verifies that the JWT is valid and signed using the shared secret, then extracts the `user_name` claim from the JWT to identify the caller.
- The JWT is encoded with scope `blue` and the expiry time in `exp`; once the token is generated, there is no additional interaction between the Resource Server and the OAuth server. The Resource Server must therefore enforce `exp` and the scope itself, since nothing else re-checks or revokes the token. Note also that HS256 is symmetric: any Resource Server holding the shared secret can mint tokens as well as verify them, so the secret should be distributed only to services that need it and handled like any other credential.
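The flow above, issuer side and Resource Server side, as an added example in Python using only the standard library; this is not code from the original page or from the project. The claim names `user_name`, `scope` and `exp`, the scope value `blue` and the HS256 shared secret come from the text; the function names, the secret value, the token lifetime and the sample user are assumptions constructed for the example. The point it makes that the prose does not is which checks the Resource Server has to do itself once the token is in hand: pin the algorithm, compare the signature in constant time, then reject expired tokens and tokens without the required scope.

```python
"""Added example: minimal HS256 JWT issuance (Authorization microservice side)
and verification (Resource Server side) for the flow described above.
Not the project's code; helper names, secret and sample user are made up."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for the example; in the deployment both the Authorization
# microservice and every Resource Server read this from configuration.
SHARED_SECRET = b"example-shared-secret-not-for-production"
REQUIRED_SCOPE = "blue"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_name: str, scope: str = REQUIRED_SCOPE, ttl: int = 3600,
                now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> str:
    """Issuer side: mint the JWT after the Customer microservice validated the
    username/password. Claims follow the text: user_name, scope, exp."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"user_name": user_name, "scope": [scope], "exp": now + ttl}).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def unsigned_token(user_name: str, now: int) -> str:
    """What a caller without the secret can still produce: an alg=none token.
    Included only to show that the verifier must pin the algorithm."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"user_name": user_name, "scope": [REQUIRED_SCOPE], "exp": now + 3600}).encode())
    return header + "." + payload + "."


class TokenError(Exception):
    pass


def verify_token(token: str, now: Optional[int] = None) -> str:
    """Resource Server side: every check a protected API must make before
    acting as the caller. Returns the user_name claim on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never let the token choose (alg=none, RS256/HS256 confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    # The OAuth server is never consulted again, so exp is enforced here.
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenError("token expired")
    if REQUIRED_SCOPE not in payload.get("scope", []):
        raise TokenError("missing scope")
    user = payload.get("user_name")
    if not isinstance(user, str) or not user:
        raise TokenError("no user_name claim")
    return user


def call_orders_api(authorization_header: str, now: Optional[int] = None) -> dict:
    """Resource Server entry point: parse the bearer header, verify, act as the user."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("expected Bearer token")
    user = verify_token(token, now=now)
    return {"status": 200, "orders_for": user}


def reject_reason(authorization_header: str, now: Optional[int] = None) -> Optional[str]:
    """Why a request would be refused, or None if it would be accepted."""
    try:
        call_orders_api(authorization_header, now=now)
    except TokenError as err:
        return str(err)
    return None
```

A fixed `now` is threaded through so the expiry logic can be exercised deterministically; a real Resource Server would use the clock. Note that `verify_token` checks the signature before reading any claim, so an attacker-controlled payload is never acted on before it is authenticated.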
(Diagram: Get authorization token)
(Diagram: Post authorization token)