https://getkong.org/plugins/oauth2-authentication
This walkthrough reuses the RESTful book API from the example in Kong Gateway - 01 as the upstream. Before starting, we drop the kong database in PostgreSQL and import an already configured, clean copy of it, kong-20180427.bak (see the installation article How to Install kong-community-edition On CentOS 7).
[root@contoso ~]# pg_dump --help
[root@contoso ~]# psql --help
[root@contoso ~]# dropdb --help
[root@contoso ~]# createdb --help
[root@contoso ~]# kong stop   # The Kong service must be stopped first
[root@contoso ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong # Delete the kong database
Password: 123456
[root@contoso ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong # Create kong database
Password: 123456
[root@contoso ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak # Restore kong database
Password for user postgres: 123456
[root@contoso ~]# kong start
Kong started
Configure a book service with Kong
After installing and starting Kong, add a service named book through Kong's Admin API on port 8001. The Admin API is unauthenticated, so outside a lab it must only be reachable from localhost or an administrative network:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:25:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "host": "contoso.com",
  "created_at": 1525595147,
  "connect_timeout": 60000,
  "id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
  "protocol": "http",
  "name": "book",
  "read_timeout": 60000,
  "port": 80,
  "path": "/v1/books",
  "updated_at": 1525595147,
  "retries": 5,
  "write_timeout": 60000
}
The following commands do not need to be executed now; they are listed for reference and will be useful later.

Query the routes attached to a service:
curl -i -X GET \
--url http://localhost:8001/services/book/routes

Query all routes:
curl -i -X GET \
--url http://localhost:8001/routes

Query one route by its id:
curl -i -X GET \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede

Delete one route by its id:
curl -i -X DELETE \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede

Modify the hosts and paths of one route by its id. We do not set the methods parameter: every method (GET, POST, DELETE) is sent through the same route to the book service, which decides itself what each method is allowed to do, so there is no need to split methods across routes. Note that a PATCH cannot clear a parameter (form data has no way to send a null value); to remove a value, delete the route and create it again:
curl -i -X PATCH \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'

Now add a route that exposes the book service to users. One route is enough. The route path is the same as the service path /v1/books: with strip_path=true (the default, visible in the response below) Kong strips the matched prefix and rebuilds the upstream URL from the service path, so a request to /v1/books/2 reaches the upstream as /v1/books/2.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:27:51 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "created_at": 1525595271,
  "strip_path": true,
  "hosts": [ "contoso.com" ],
  "preserve_host": false,
  "regex_priority": 0,
  "updated_at": 1525595271,
  "paths": [ "/v1/books" ],
  "service": { "id": "2d3d56de-02c4-4517-b786-2dc4037bf23d" },
  "methods": null,
  "protocols": [ "http", "https" ],
  "id": "bacfd048-dbcc-453a-bbce-a29e8d3f86b7"
}

Get all books through Kong's proxy address on port 8000:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:28:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 49
Via: kong/0.13.1

[
  { "id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll" },
  { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" },
  { "id": 3, "title": "The Fashion Image", "author": "Thomas Werner" }
]

To inspect the service and the plugins attached to it at any time:
[root@contoso ~]# curl http://localhost:8001/services/book
[root@contoso ~]# curl http://localhost:8001/services/book/plugins
Enable the OAuth 2.0 Authentication plugin on the book service and turn on the authorization code grant. Only this grant is enabled; the implicit, password and client credentials grants stay disabled, as the response shows:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=oauth2" \
--data "config.scopes=email,phone,address" \
--data "config.mandatory_scope=true" \
--data "config.enable_authorization_code=true"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "created_at": 1525624193000,
  "config": {
    "refresh_token_ttl": 1209600,
    "scopes": [ "email", "phone", "address" ],
    "mandatory_scope": true,
    "provision_key": "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe",
    "hide_credentials": false,
    "enable_authorization_code": true,
    "enable_implicit_grant": false,
    "global_credentials": false,
    "accept_http_if_already_terminated": false,
    "enable_password_grant": false,
    "enable_client_credentials": false,
    "anonymous": "",
    "token_expiration": 7200,
    "auth_header_name": "authorization"
  },
  "id": "acacd3e0-1c16-4301-8572-51221b46e997",
  "enabled": true,
  "service_id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
  "name": "oauth2"
}

The response contains the generated provision_key. Treat it as a secret of the web application that authenticates your users: whoever holds it can ask Kong for an authorization code for any authenticated_userid, so it must never be handed to browsers or third-party clients.

Add a consumer whose username is jack. The custom_id parameter can be omitted; it is a unique identifier of your own choosing, used to map the consumer jack to a user record in another database:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:33:14 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "created_at": 1525624395000,
  "username": "jack",
  "id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}

Create an application named Book App for the consumer jack. The redirect_uri parameter is the callback address to which the authorization code and state are returned; in this demo it is plain http, in production it should be https because the code travels in that URL. The client_id and client_secret may be supplied explicitly; when omitted, Kong generates random values:
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/oauth2/ \
--data "name=Book App" \
--data "redirect_uri=http://getkong.org/"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:34:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
  "created_at": 1525624457000,
  "id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
  "redirect_uri": [ "http://getkong.org/" ],
  "name": "Book App",
  "client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
  "consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}

Look up the application by its client_id:
[root@contoso ~]# curl -i -X GET \
--url 'http://localhost:8001/oauth2?client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4'
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:35:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
  "total": 1,
  "data": [
    {
      "created_at": 1525624457000,
      "client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
      "id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
      "redirect_uri": [ "http://getkong.org/" ],
      "name": "Book App",
      "client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
      "consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
    }
  ]
}

Reading a book record through Kong's proxy on port 8000 now goes through the oauth2 plugin before the request is forwarded. Whether we ask for one record or for all of them, we are refused without a token:
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header 'Host: contoso.com'
HTTP/1.1 401 Unauthorized
Date: Sun, 06 May 2018 16:35:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
WWW-Authenticate: Bearer realm="service"

{
  "error_description": "The access token is missing",
  "error": "invalid_request"
}

As expected: no access token was supplied, so the book interface can no longer be reached.

For the following steps we use the end-user credentials jack@hotmail.com:123456 (username:password). The Base64 value used in the Authorization: Basic header below is amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==. Strictly speaking that value encodes jack@hotmail.com%3A123456 (the colon was URL-encoded before Base64 encoding); the correct Base64 of jack@hotmail.com:123456 is amFja0Bob3RtYWlsLmNvbToxMjM0NTY=. The mistake has no effect here because Kong does not inspect this header on the authorize endpoint.
To list jack's OAuth 2.0 applications at any time:
[root@contoso ~]# curl http://localhost:8001/consumers/jack/oauth2
In the authorization code grant the user logs in to your web application, and it is the web application, not Kong, that verifies the username and password the client sent. Once that check succeeds, the web application makes a POST to Kong's authorize endpoint with the parameters {client_id}, {response_type}, {scope}, {provision_key}, {authenticated_userid} and {state}, and Kong answers with the redirect_uri carrying a one-time code. The request below also carries an Authorization: Basic header with the user's credentials; Kong does not check it, it only stands for the credentials the web application has already verified. What Kong does check is the provision_key, which is why only the web application may hold it.
{state}: an opaque value chosen by the client. Kong returns it unchanged, and the client must verify that it equals the value it sent; without that check an attacker can make the client redeem a code of the attacker's choosing (login CSRF). A real client uses an unguessable random value rather than the fixed xyz used here.
{scope}: the permissions requested, space separated. With mandatory_scope=true it must be present and must be drawn from the configured scopes (email, phone, address).
{authenticated_userid}: the identifier of the logged-in user in your own application.
Kong serves the authorize and token endpoints over HTTPS only (port 8443 here); --insecure is needed because Kong ships with a self-signed certificate.
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/authorize \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==" \
--header 'Host: contoso.com' \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "response_type=code" \
--data "scope=email%20address" \
--data "provision_key=5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe" \
--data "authenticated_userid=1206" \
--data "state=xyz" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:40:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{"redirect_uri":"http:\/\/getkong.org\/?code=QEdYs44He66RewGGE4KVDxp2nm0mgweS&state=xyz"}

In a real deployment the web application now redirects the browser to this redirect_uri. The client reads code and state from it, checks that state equals the value it sent, and makes a second POST with the parameters {grant_type}, {client_id}, {client_secret} and {code} to exchange the code for an access token and a refresh token. The code is invalidated as soon as it is redeemed, i.e. a {code} value can be used only once:
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/token \
--header "Host: contoso.com" \
--data "grant_type=authorization_code" \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "client_secret=YhCHW7xISxmTPd41qJFkjDkcsurVADUV" \
--data "code=QEdYs44He66RewGGE4KVDxp2nm0mgweS" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:41:32 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{
  "refresh_token": "Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv",
  "token_type": "bearer",
  "access_token": "90zG0QVO9m921iS51dLAFGMJnNky7IgK",
  "expires_in": 7200
}

We have now exchanged the one-time code for an access token and a refresh token, so the book interface can be accessed again. The access token is a bearer token: anyone who obtains it can use it, so it belongs on HTTPS. Note that the second request below sends it over plain HTTP on port 8000, which is acceptable only in a lab:
[root@contoso ~]# curl -i -X GET \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer 90zG0QVO9m921iS51dLAFGMJnNky7IgK" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:43:22 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 44
Via: kong/0.13.1

[
  { "id": 1, "title": "Fashion That Changed the World", "author": "Jennifer Croll" },
  { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" },
  { "id": 3, "title": "The Fashion Image", "author": "Thomas Werner" }
]

[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Bearer 90zG0QVO9m921iS51dLAFGMJnNky7IgK" \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Sun, 06 May 2018 16:44:18 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[
  { "id": 2, "title": "Brigitte Bardot - My Life in Fashion", "author": "Henry-Jean Servat and Brigitte Bardot" }
]
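Before going further it is worth reading the plugin configuration and the app registration that the Admin API returned above with a reviewer's eye. The script below is an added example, not Kong code and not part of the original article. The two JSON objects are copied from the Admin API responses on this page; the policy table and the recommended values are this reviewer's hardening baseline, not Kong defaults. It flags hide_credentials=false (Kong forwards the Authorization header to the upstream, so the PHP application receives every bearer token), the plain-http redirect_uri of Book App, and any grant or flag that would weaken the authorization code setup, and it builds the form body for a PATCH /plugins/{id} that fixes the plugin-side findings.

```python
#!/usr/bin/env python3
"""Reviewer's check of the oauth2 plugin config and app registration shown above (added example).

Not Kong code. PLUGIN_RESPONSE and APP_RESPONSE are copied from the Admin API replies on
this page; BOOLEAN_POLICY and the recommended values are this reviewer's baseline.
"""
import json
from urllib.parse import urlsplit, urlunsplit

PLUGIN_RESPONSE = json.loads("""{"config": {"refresh_token_ttl": 1209600,
  "scopes": ["email", "phone", "address"], "mandatory_scope": true,
  "provision_key": "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe", "hide_credentials": false,
  "enable_authorization_code": true, "enable_implicit_grant": false,
  "global_credentials": false, "accept_http_if_already_terminated": false,
  "enable_password_grant": false, "enable_client_credentials": false,
  "anonymous": "", "token_expiration": 7200, "auth_header_name": "authorization"},
  "id": "acacd3e0-1c16-4301-8572-51221b46e997", "name": "oauth2"}""")

APP_RESPONSE = json.loads("""{"client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
  "name": "Book App", "redirect_uri": ["http://getkong.org/"],
  "consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"}""")

# (config field, value that is a finding, recommended value, why it matters)
BOOLEAN_POLICY = [
    ("hide_credentials", False, True,
     "Kong forwards the Authorization header upstream, so the PHP app receives every bearer token"),
    ("accept_http_if_already_terminated", True, False,
     "trusts X-Forwarded-Proto to allow plain-HTTP authorize/token calls; only safe if that header cannot be spoofed"),
    ("enable_implicit_grant", True, False,
     "implicit grant puts the access token in the URL fragment (browser history, referrers)"),
    ("enable_password_grant", True, False,
     "clients would collect user passwords themselves"),
    ("global_credentials", True, False,
     "tokens issued here would be accepted by every other oauth2-protected service"),
    ("mandatory_scope", False, True,
     "without a required scope every token is all-powerful"),
]

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_oauth2(plugin, apps):
    """Return a list of findings, each a dict with field / current / recommended / why."""
    config = plugin["config"]
    findings = []
    for field, bad, good, why in BOOLEAN_POLICY:
        if config.get(field) == bad:
            findings.append({"field": "config." + field, "current": bad, "recommended": good, "why": why})
    for app in apps:
        for uri in app.get("redirect_uri", []):
            parts = urlsplit(uri)
            # RFC 6749 3.1.2.1: the redirection endpoint should use TLS; loopback is the usual exception
            if parts.scheme != "https" and parts.hostname not in LOOPBACK:
                findings.append({"field": "redirect_uri", "current": uri,
                                 "recommended": urlunsplit(("https", parts.netloc, parts.path,
                                                            parts.query, parts.fragment)),
                                 "why": f"authorization code for {app['name']} travels in a cleartext URL"})
    return findings


def patch_body(findings):
    """Form fields for PATCH /plugins/{id}; only config.* findings apply (redirect_uri lives on the app)."""
    return {f["field"]: json.dumps(f["recommended"]) for f in findings if f["field"].startswith("config.")}


if __name__ == "__main__":
    found = audit_oauth2(PLUGIN_RESPONSE, [APP_RESPONSE])
    for f in found:
        print(f"{f['field']}: {f['current']} -> {f['recommended']}  ({f['why']})")
    print("PATCH /plugins/" + PLUGIN_RESPONSE["id"], patch_body(found))
```

Against the values captured on this page the audit reports two findings: config.hide_credentials should become true (sent as the form field config.hide_credentials=true to PATCH /plugins/acacd3e0-1c16-4301-8572-51221b46e997), and Book App's redirect_uri should move to https. Everything else in the plugin response already matches the baseline.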
Use the refresh token to obtain a new access token and a new refresh token. The previous access token and refresh token become invalid immediately:
[root@contoso ~]# curl -i -X POST https://localhost:8443/v1/books/oauth2/token \
--header 'Host: contoso.com' \
--data "grant_type=refresh_token" \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "client_secret=YhCHW7xISxmTPd41qJFkjDkcsurVADUV" \
--data "refresh_token=Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:45:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{
  "refresh_token": "0mKdeGqC4LZRzNNwlhNj5OyaAZXRajZp",
  "token_type": "bearer",
  "access_token": "XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET",
  "expires_in": 7200
}
Use the new access token to delete a book record:
[root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/2 \
--header "Authorization: Bearer XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 32
X-Kong-Proxy-Latency: 3
Via: kong/0.13.1

{"message":"deleted successfully"}

Use the new access token to add a new book record:
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET" \
--header 'Host: contoso.com' \
--data 'title=TiDB in Action' \
--data 'author=Tomson' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

{"message":"inserted successfully"}
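The curl calls above walk through the flow by hand, which hides the one step a client must never skip: checking the returned state before redeeming the code. The script below is an added example, not code from the Kong project or from the original article. It implements the client side of the same sequence (authorize, token, a bearer call to /v1/books, refresh) against the values captured on this page: the proxy at https://localhost:8443 with Host contoso.com, the Book App client_id and client_secret, the plugin's provision_key and the registered redirect_uri http://getkong.org/. It also computes the Authorization: Basic header correctly, which shows the %3A slip in the value used earlier. Only run_flow() touches the network; the other functions are pure, and SAMPLE_AUTHORIZE_RESPONSE is Kong's authorize reply copied from above so the parsing can be tried offline.

```python
#!/usr/bin/env python3
"""Client side of the authorization-code flow demonstrated above (added example).

Not code from the Kong project or the original article. Assumes the values captured on
this page (proxy, Host, client_id/client_secret, provision_key, redirect_uri). Only
run_flow() touches the network; the other functions are pure and usable offline.
"""
import base64
import json
import secrets
import ssl
import urllib.parse
import urllib.request

PROXY = "https://localhost:8443"    # /oauth2/authorize and /oauth2/token are HTTPS-only
HOST = "contoso.com"                 # the route above matches on this Host header
CLIENT_ID = "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4"
CLIENT_SECRET = "YhCHW7xISxmTPd41qJFkjDkcsurVADUV"
PROVISION_KEY = "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe"  # trusted web app only, never a browser
REDIRECT_URI = "http://getkong.org/"

# Kong's reply to the authorize call, copied from the page above (JSON escapes kept).
SAMPLE_AUTHORIZE_RESPONSE = (
    '{"redirect_uri":"http:\\/\\/getkong.org\\/?code=QEdYs44He66RewGGE4KVDxp2nm0mgweS&state=xyz"}'
)


def basic_auth_header(username, password):
    """RFC 7617 Basic header: Base64 of the raw 'user:password' bytes, colon not URL-encoded."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def new_state():
    """Unguessable per-request state; the client remembers it and compares it on return."""
    return secrets.token_urlsafe(16)


def authorize_body(authenticated_userid, scope, state):
    """Fields the web application posts to /oauth2/authorize once it has verified the user itself."""
    return {"client_id": CLIENT_ID, "response_type": "code", "scope": scope,
            "provision_key": PROVISION_KEY, "authenticated_userid": authenticated_userid,
            "state": state}


def parse_authorize_response(body, expected_state, expected_redirect):
    """Extract the one-time code from Kong's {"redirect_uri": ...} reply.

    Rejects the reply when the redirect target is not the registered one or the state
    differs from what we sent: redeeming a foreign code is how login CSRF works.
    """
    parts = urllib.parse.urlsplit(json.loads(body)["redirect_uri"])
    base = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if base != expected_redirect:
        raise ValueError(f"unexpected redirect target {base!r}")
    params = urllib.parse.parse_qs(parts.query)
    if params.get("state") != [expected_state]:
        raise ValueError("state mismatch, discarding code")
    if "code" not in params:
        raise ValueError(f"no code in redirect: {params}")
    return params["code"][0]


def token_body(code):
    """Second leg: redeem the single-use code for an access token and a refresh token."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code}


def refresh_body(refresh_token):
    """Rotation: Kong issues a new pair and invalidates the old access and refresh token."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "refresh_token": refresh_token}


def _request(method, path, data=None, headers=None):
    """One call to the proxy; verification is disabled like curl --insecure (self-signed cert)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    payload = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(PROXY + path, data=payload, method=method)
    req.add_header("Host", HOST)
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def run_flow(authenticated_userid="1206", scope="email address"):
    """authorize -> token -> GET /v1/books -> refresh: the same sequence as the curl calls above."""
    state = new_state()
    reply = _request("POST", "/v1/books/oauth2/authorize", authorize_body(authenticated_userid, scope, state))
    code = parse_authorize_response(reply, state, REDIRECT_URI)
    tokens = json.loads(_request("POST", "/v1/books/oauth2/token", token_body(code)))
    books = json.loads(_request("GET", "/v1/books", headers={"Authorization": "Bearer " + tokens["access_token"]}))
    rotated = json.loads(_request("POST", "/v1/books/oauth2/token", refresh_body(tokens["refresh_token"])))
    return {"books": books, "old_access_token": tokens["access_token"], "new_access_token": rotated["access_token"]}


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Run it on the host where Kong is listening and it prints the book list plus the access token before and after rotation; the old token stops working as soon as the refresh succeeds, as the manual steps above showed. The redirect target check matters as much as the state check: a client that accepts any host in redirect_uri will happily hand its code to whoever controls that host.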