https://getkong.org/plugins/oauth2-authentication
我们演示还是用books 的Restful api数据接口,把Kong Gateway - 01范例中PostgresSQL中的kong数据库删掉,
导入一个已经配置好的干干净净的后台数据库kong-20180427.bak(参看安装篇 How to Install kong-community-edition On Cent OS 7)
[root@contoso ~]# pg_dump --help[root@contoso ~]# psql --help
[root@contoso ~]# dropdb --help
[root@contoso ~]# createdb --help
[root@contoso ~]# kong stop # kong 服务必须先停止运行
[root@contoso ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong # 删除kong数据库
Password: 123456
[root@contoso ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong # 创建kong数据库
Password: 123456
[root@contoso ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak # 恢复kong数据库
Password for user postgres: 123456
[root@contoso ~]# kong start
Kong started
用Kong配置一个book服务
在安装并启动Kong之后,使用Kong的管理API端口8001添加一个名称为book的服务
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:25:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"host": "contoso.com",
"created_at": 1525595147,
"connect_timeout": 60000,
"id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1525595147,
"retries": 5,
"write_timeout": 60000
}
以下几条命令不必执行,以后会用到 查询已分配了服务名称的路由列表 curl -i -X GET \ --url http://localhost:8001/services/book/routes 查询所有路由列表 curl -i -X GET \ --url http://localhost:8001/routes 根据路由id查询1条路由 curl -i -X GET \ --url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede 根据路由id删除1条路由 curl -i -X DELETE \ --url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede 根据id,hosts修改1条路由,根据同一名称的book服务,配置methods参数无 法用不同的路由来区分控制器方法的权限,故不用设置methods参数; 修改路由的方式无法设置参数的null值,我们只能删掉路由,然后创建路由来实现 curl -i -X PATCH \ --url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \ --data 'hosts[]=contoso.com' \ --data 'paths[]=/v1/books'添加一个路由(paths[]的值必须与book服务中的/v1/books一致)
使book服务暴露出来以供用户访问,book服务没必要添加多个路由。
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:27:51 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525595271,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525595271,
"paths": [
"/v1/books"
],
"service": {
"id": "2d3d56de-02c4-4517-b786-2dc4037bf23d"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "bacfd048-dbcc-453a-bbce-a29e8d3f86b7"
}通过Kong在8000端口暴露出来的服务地址获得所有的书籍
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:28:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 49
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]curl http://localhost:8001/services/book
curl http://localhost:8001/services/book/plugins
为book服务启用OAuth 2.0 Authentication插件,并激活授权码模式
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=oauth2" \
--data "config.scopes=email,phone,address" \
--data "config.mandatory_scope=true" \
--data "config.enable_authorization_code=true"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525624193000,
"config": {
"refresh_token_ttl": 1209600,
"scopes": [
"email",
"phone",
"address"
],
"mandatory_scope": true,
"provision_key": "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe",
"hide_credentials": false,
"enable_authorization_code": true,
"enable_implicit_grant": false,
"global_credentials": false,
"accept_http_if_already_terminated": false,
"enable_password_grant": false,
"enable_client_credentials": false,
"anonymous": "",
"token_expiration": 7200,
"auth_header_name": "authorization"
},
"id": "acacd3e0-1c16-4301-8572-51221b46e997",
"enabled": true,
"service_id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
"name": "oauth2"
}添加1个username为jack的消费者,{custom_id}参数可省略,此参数是个自定义唯一标识,
它作用是把消费者jack映射到另外一个数据库上
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:33:14 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525624395000,
"username": "jack",
"id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}为消费者jack创建1个名称为Book App的应用,redirect_uri参数定义发送code和state的回调地址
参数{client_id}和{client_secret}可自定义,省略时由系统随机生成
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/oauth2/ \
--data "name=Book App" \
--data "redirect_uri=http://getkong.org/"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:34:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
"created_at": 1525624457000,
"id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
"redirect_uri": [
"http://getkong.org/"
],
"name": "Book App",
"client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
"consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}根据{client_id}查询消费者的应用程序信息
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/oauth2 \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4"
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:35:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"total": 1,
"data": [
{
"created_at": 1525624457000,
"client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
"id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
"redirect_uri": [
"http://getkong.org/"
],
"name": "Book App",
"client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
"consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}
]
}通过Kong在8000端口暴露出来的服务地址读一条书籍记录,实际上是通过Kong在转
发我的请求,不管是读1条记录还读所有书籍记录,我们都无权获得数据
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header 'Host: contoso.com'
HTTP/1.1 401 Unauthorized
Date: Sun, 06 May 2018 16:35:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
WWW-Authenticate: Bearer realm="service"
{
"error_description": "The access token is missing",
"error": "invalid_request"
}
很显然,命令中没有提供访问令牌,此命令已经无法访问书籍接口了,键-值对{username:password}字符串 [email protected]:123456
它的Base64编码值等于amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==
curl http://localhost:8001/consumers/jack/oauth2
你的Web应用终端将验证由客户端发送的username和password,
如果验证成功此客户端将发送由参数{client_id},{response_type},
{scope},{provision_key},{authenticated_userid},{state}
构成的POST请求获得一个code值,必须带上header头参数Authorization
{state}客户端的当前状态,可以指定任意值,认证服务器会原封不动地返回这个值
{scope}表示申请的权限范围
{authenticated_userid}已授予权限的终端登录用户userid
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/authorize \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==" \
--header 'Host: contoso.com' \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "response_type=code" \
--data "scope=email%20address" \
--data "provision_key=5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe" \
--data "authenticated_userid=1206" \
--data "state=xyz" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:40:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache
{"redirect_uri":"http:\/\/getkong.org\/?code=QEdYs44He66RewGGE4KVDxp2nm0mgweS&state=xyz"}客户继续发送第2个由参数{grant_type},{client_id},{client_secret},{code}
构成的POST请求去申请一个访问令牌和刷新令牌
{code}值获得令牌后立即失效,即{code}值只能用一次
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/token \
--header "Host: contoso.com" \
--data "grant_type=authorization_code" \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "client_secret=YhCHW7xISxmTPd41qJFkjDkcsurVADUV" \
--data "code=QEdYs44He66RewGGE4KVDxp2nm0mgweS" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:41:32 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache
{
"refresh_token": "Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv",
"token_type": "bearer",
"access_token": "90zG0QVO9m921iS51dLAFGMJnNky7IgK",
"expires_in": 7200
}现在我们已经用一个随机的code交换获得了一个访问令牌和一个刷新令牌
这样就有可以访问书籍这个接口了
[root@contoso ~]# curl -i -X GET \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer 90zG0QVO9m921iS51dLAFGMJnNky7IgK" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:43:22 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 44
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
][root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Bearer 90zG0QVO9m921iS51dLAFGMJnNky7IgK" \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Sun, 06 May 2018 16:44:18 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
[
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
}
]
使用一个刷新令牌去获得一个新的访问令牌和一个更新的刷新令牌,前面的刷新令牌与访问令牌就立即作废了
[root@contoso ~]# curl -i -X POST https://localhost:8443/v1/books/oauth2/token \
--header 'Host: contoso.com' \--data "grant_type=refresh_token" \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "client_secret=YhCHW7xISxmTPd41qJFkjDkcsurVADUV" \
--data "refresh_token=Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:45:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache
{
"refresh_token": "0mKdeGqC4LZRzNNwlhNj5OyaAZXRajZp",
"token_type": "bearer",
"access_token": "XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET",
"expires_in": 7200
}
用更新的访问令牌去删除一条书籍数据
[root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/2 \--header "Authorization: Bearer XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 32
X-Kong-Proxy-Latency: 3
Via: kong/0.13.1
{"message":"deleted successfully"}用更新的访问令牌去新增一条书籍数据
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET" \
--header 'Host: contoso.com' \
--data 'title=TiDB in Action' \
--data 'author=Tomson' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
{"message":"inserted successfully"}