This project demonstrates how to authenticate the API user as well as to enable OAuth 2.0 authorization for all OAuth protected APIs in the Storefront application. The Spring Authorization Server is used as an OAuth provider; the Storefront application delegates authentication and authorization to this component, which verifies credentials using the Auth Microservice.
- When a client wishes to acquire an OAuth token to call a protected API, it calls the OAuth Provider (Authorization microservice) token endpoint with the `username`/`password` of the user and requests a token with scope `blue`.
- Authorization microservice will call the Customer microservice to get the credentials and perform the validation.
- If the credentials are valid, `HTTP 200` is returned, along with a JWT (signed using an HS256 shared secret) in the JSON response under `access_token`, which contains the auth ID of the user passed in the `user_name` claim.
- The client uses the JWT in the `Authorization` header as a bearer token to call other Resource Servers that have OAuth protected APIs (such as the Orders microservice).
- The service implementing the REST API verifies that the JWT is valid and signed using the shared secret, then extracts the `user_name` claim from the JWT to identify the caller.
- The JWT is encoded with scope `blue` and the expiry time in `exp`; once the token is generated, there is no additional interaction between the Resource Server and the OAuth server.
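The issue-and-verify flow above, as an added illustration that is not code from the Storefront project: the authorization-server side mints the HS256 JWT returned under `access_token`, and the resource-server side validates it offline (pinned algorithm, constant-time signature check, `exp`, scope `blue`) and extracts `user_name`. The shared secret and user names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed placeholder; in the real deployment this is the secret shared
# between the Authorization microservice and each Resource Server.
SHARED_SECRET = b"example-shared-secret-change-me"
REQUIRED_SCOPE = "blue"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_name: str, scope: str = REQUIRED_SCOPE,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """Authorization-server side: mint the JWT placed under access_token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"user_name": user_name, "scope": [scope], "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: Optional[int] = None) -> str:
    """Resource-server side: validate the bearer token with no call back to the
    OAuth server and return the caller's user_name. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header must never choose how verification is done.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    scope = claims.get("scope", [])
    scope = scope.split() if isinstance(scope, str) else scope
    if REQUIRED_SCOPE not in scope:
        raise ValueError("missing required scope")
    if not isinstance(claims.get("user_name"), str):
        raise ValueError("missing user_name claim")
    return claims["user_name"]
```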
(Figures: Get authorization token; Post authorization token)
- Leverages the Spring Boot framework to build a microservices application.
- Uses Spring Security OAuth.
- Returns a signed JWT Bearer token to the caller for identity propagation and authorization.
- MicroProfile-based Authorization Server application that handles user authentication and authorization.
- Uses OpenID Connect and acts as a provider to validate login credentials.
- Returns an mpJwt Bearer token to the caller for identity propagation and authorization.
For the Quarkus-based implementation of Storefront, Keycloak is used as an alternative to this service.
For more details, refer to this link.