Kong Gateway - 03 OAuth2 authentication based on gateway service (OAuth2 Authentication Code Grant authorization code mode)

https://getkong.org/plugins/oauth2-authentication

In this demonstration we still use the RESTful book API from the Kong Gateway - 01 example, and we start by deleting the kong database in PostgreSQL.

Import a pre-configured clean backup of the database, kong-20180427.bak

( See the installation article How to Install kong-community-edition On Cent OS 7 )

[root@contoso ~]# pg_dump --help  
[root@contoso ~]# psql --help  
[root@contoso ~]# dropdb --help  
[root@contoso ~]# createdb --help 
[root@contoso ~]# kong stop # The kong service must be stopped first
[root@contoso ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong # Delete the kong database  
Password: 123456  
[root@contoso ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong # Create kong database  
Password: 123456  
[root@contoso ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak # Restore kong database  
Password for user postgres: 123456
[root@contoso ~]# kong start

Kong started

Configure a book service with Kong
After installing and starting Kong, add a service named book using Kong's management API port 8001
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'

HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:25:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "host": "contoso.com",
    "created_at": 1525595147,
    "connect_timeout": 60000,
    "id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
    "protocol": "http",
    "name": "book",
    "read_timeout": 60000,
    "port": 80,
    "path": "/v1/books",
    "updated_at": 1525595147,
    "retries": 5,
    "write_timeout": 60000
}
The following commands do not need to be executed now; they will be useful later
Query the list of routes assigned to a service, by service name
curl -i -X GET \
--url http://localhost:8001/services/book/routes

Query the list of all routes
curl -i -X GET \
--url http://localhost:8001/routes

Query 1 route based on route id
curl -i -X GET \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede

Delete 1 route based on route id
curl -i -X DELETE \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
 
Modify 1 route by id; the hosts value follows the book service of the same name. The permissions of the controller methods are
distinguished by different routes rather than by HTTP method, so there is no need to set the methods parameter;
modifying a route cannot set a parameter back to null, so the only way to clear one is to delete the route and then create a new route
curl -i -X PATCH \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
Add a route (the value of paths[] must be the same as /v1/books in the book service)
to expose the book service for users to access. There is no need to add multiple routes for the book service.
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:27:51 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525595271,
    "strip_path": true,
    "hosts": [
        "contoso.com"
    ],
    "preserve_host": false,
    "regex_priority": 0,
    "updated_at": 1525595271,
    "paths": [
        "/v1/books"
    ],
    "service": {
        "id": "2d3d56de-02c4-4517-b786-2dc4037bf23d"
    },
    "methods": null,
    "protocols": [
        "http",
        "https"
    ],
    "id": "bacfd048-dbcc-453a-bbce-a29e8d3f86b7"
}
Get all books through Kong's service address exposed on port 8000
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:28:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 49
Via: kong/0.13.1

[
    {
        "id": 1,
        "title": "Fashion That Changed the World",
        "author": "Jennifer Croll"
    },
    {
        "id": 2,
        "title": "Brigitte Bardot - My Life in Fashion",
        "author": "Henry-Jean Servat and Brigitte Bardot"
    },
    {
        "id": 3,
        "title": "The Fashion Image",
        "author": "Thomas Werner"
    }
]
Query the book service and the plugins enabled on it
curl http://localhost:8001/services/book
curl http://localhost:8001/services/book/plugins

Enable OAuth 2.0 Authentication plugin for book service, and activate authorization code mode
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=oauth2" \
--data "config.scopes=email,phone,address" \
--data "config.mandatory_scope=true" \
--data "config.enable_authorization_code=true"

HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525624193000,
    "config": {
        "refresh_token_ttl": 1209600,
        "scopes": [
            "email",
            "phone",
            "address"
        ],
        "mandatory_scope": true,
        "provision_key": "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe",
        "hide_credentials": false,
        "enable_authorization_code": true,
        "enable_implicit_grant": false,
        "global_credentials": false,
        "accept_http_if_already_terminated": false,
        "enable_password_grant": false,
        "enable_client_credentials": false,
        "anonymous": "",
        "token_expiration": 7200,
        "auth_header_name": "authorization"
    },
    "id": "acacd3e0-1c16-4301-8572-51221b46e997",
    "enabled": true,
    "service_id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
    "name": "oauth2"
}
Add a consumer whose username is jack. The {custom_id} parameter can be omitted; it is a custom unique identifier
used to map the consumer jack to a record in another database
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:33:14 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "created_at": 1525624395000,
    "username": "jack",
    "id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}
Create an application named Book App for the consumer jack. The redirect_uri parameter defines the callback address to which code and state are sent. The
parameters {client_id} and {client_secret} can be customized; when omitted, the system generates them randomly
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/oauth2/ \
--data "name=Book App" \
--data "redirect_uri=http://getkong.org/"
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:34:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
    "created_at": 1525624457000,
    "id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
    "redirect_uri": [
        "http://getkong.org/"
    ],
    "name": "Book App",
    "client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
    "consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}
Query consumer's application information based on {client_id}
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8001/oauth2 \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4"
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:35:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1

{
    "total": 1,
    "data": [
        {
            "created_at": 1525624457000,
            "client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
            "id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
            "redirect_uri": [
                "http://getkong.org/"
            ],
            "name": "Book App",
            "client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
            "consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
        }
    ]
}
Reading a book record through the service address Kong exposes on port 8000 actually means Kong
forwards the request to the upstream. Whether reading 1 record or all book records, we no longer have permission to obtain the data
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header 'Host: contoso.com'
HTTP/1.1 401 Unauthorized
Date: Sun, 06 May 2018 16:35:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
WWW-Authenticate: Bearer realm="service"

{
    "error_description": "The access token is missing",
    "error": "invalid_request"
}
Obviously, no access token is provided in the command, so this command can no longer access the book interface.
The {username:password} key-value pair string jack@hotmail.com:123456, with the colon URL-encoded as %3A,
has the Base64 encoded value amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==

List the OAuth2 credentials of consumer jack
curl http://localhost:8001/consumers/jack/oauth2

Your web application backend authenticates the username and password sent by the client.

If authentication succeeds, the web application sends a POST request made up of the parameters {client_id}, {response_type},
{scope}, {provision_key}, {authenticated_userid} and {state} to obtain a code value; the request carries the Authorization header.
Because {provision_key} is what allows the caller to assert {authenticated_userid} on a user's behalf, this request is made
server-side, and the provision key must never be handed to the browser or to the client application.

{state}: the current state of the client; any value can be given, and the authorization server returns it unchanged
{scope}: the scope of permissions the application requests
{authenticated_userid}: the userid of the user logged in on the terminal

[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books/oauth2/authorize \
--header "Authorization: Basic amFja0Bob3RtYWlsLmNvbSUzQTEyMzQ1Ng==" \
--header 'Host: contoso.com' \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "response_type=code" \
--data "scope=email%20address" \
--data "provision_key=5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe" \
--data "authenticated_userid=1206" \
--data "state=xyz"  --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:40:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{"redirect_uri":"http:\/\/getkong.org\/?code=QEdYs44He66RewGGE4KVDxp2nm0mgweS&state=xyz"}
The client then sends a second POST request, made up of the parameters {grant_type}, {client_id}, {client_secret} and {code},
to obtain an access token and a refresh token in exchange for the {code} value.
Once the token has been issued, the {code} value becomes invalid immediately, that is, a {code} value can be used only once

[root@contoso ~]# curl -i -X ​​POST \
--url https://localhost:8443/v1/books/oauth2/token \
--header "Host: contoso.com" \
--data "grant_type=authorization_code" \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "client_secret=YhCHW7xISxmTPd41qJFkjDkcsurVADUV" \
--data "code=QEdYs44He66RewGGE4KVDxp2nm0mgweS" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:41:32 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{
    "refresh_token": "Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv",
    "token_type": "bearer",
    "access_token": "90zG0QVO9m921iS51dLAFGMJnNky7IgK",
    "expires_in": 7200
}
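The backend side of the exchange just shown (authorize with the provision key, check the echoed state, trade the one-time code for tokens), as an added Python example that is not part of the original post or of Kong. FakeKong is a constructed stand-in for Kong's two endpoints so the flow runs offline; the client_id, client_secret and provision_key used with it are this walkthrough's sample values.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://localhost:8443/v1/books/oauth2/authorize"
TOKEN_URL = "https://localhost:8443/v1/books/oauth2/token"

def authorize_form(client_id, provision_key, authenticated_userid, scopes, state):
    """Form the web app backend POSTs after it has verified the user's own login;
    the provision_key is what lets this backend assert authenticated_userid to Kong."""
    return {"client_id": client_id, "response_type": "code", "scope": " ".join(scopes),
            "provision_key": provision_key, "authenticated_userid": authenticated_userid,
            "state": state}

def code_from_authorize_response(body, expected_state):
    """Pull the one-time code out of Kong's {"redirect_uri": ...} reply, accepting it
    only when the echoed state equals the one sent for this login attempt."""
    query = parse_qs(urlsplit(body["redirect_uri"]).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: reply does not belong to this request")
    return query["code"][0]

def token_form(client_id, client_secret, code):
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code}

class FakeKong:
    """Constructed stand-in for the two endpoints (not Kong's code) so the flow runs
    offline: one code per authorize call, invalidated on its first exchange."""
    def __init__(self, provision_key, client_secret):
        self.provision_key, self.client_secret, self.codes, self.issued = provision_key, client_secret, {}, 0

    def post(self, url, form):
        if url == AUTHORIZE_URL:
            if form["provision_key"] != self.provision_key:
                return {"error": "invalid_provision_key"}
            self.issued += 1
            code = "c%d" % self.issued
            self.codes[code] = form["authenticated_userid"]
            return {"redirect_uri": "http://getkong.org/?" + urlencode({"code": code, "state": form["state"]})}
        if (form.get("grant_type") == "authorization_code" and form["client_secret"] == self.client_secret
                and form["code"] in self.codes):
            del self.codes[form["code"]]  # single use: exchanging the same code again fails
            return {"access_token": "at-" + form["code"], "refresh_token": "rt-" + form["code"],
                    "token_type": "bearer", "expires_in": 7200}
        return {"error": "invalid_request"}

def login_and_get_token(post, client_id, client_secret, provision_key, userid, state):
    """Backend side of the grant: authorize, check state, exchange the code for tokens."""
    reply = post(AUTHORIZE_URL, authorize_form(client_id, provision_key, userid, ["email", "address"], state))
    code = code_from_authorize_response(reply, state)
    return post(TOKEN_URL, token_form(client_id, client_secret, code)), code
```

To run it against a real Kong, replace `kong.post` with a function that POSTs the form to the URL over HTTPS and returns the decoded JSON body.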
Now we have exchanged the random code for an access token and a refresh token,
so we can access the book interface
[root@contoso ~]# curl -i -X GET \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer 90zG0QVO9m921iS51dLAFGMJnNky7IgK" \
--header 'Host: contoso.com' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:43:22 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 44
Via: kong/0.13.1

[
    {
        "id": 1,
        "title": "Fashion That Changed the World",
        "author": "Jennifer Croll"
    },
    {
        "id": 2,
        "title": "Brigitte Bardot - My Life in Fashion",
        "author": "Henry-Jean Servat and Brigitte Bardot"
    },
    {
        "id": 3,
        "title": "The Fashion Image",
        "author": "Thomas Werner"
    }
]
[root@contoso ~]# curl -i -X GET \
--url http://localhost:8000/v1/books/2 \
--header "Authorization: Bearer 90zG0QVO9m921iS51dLAFGMJnNky7IgK" \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Sun, 06 May 2018 16:44:18 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

[
    {
        "id": 2,
        "title": "Brigitte Bardot - My Life in Fashion",
        "author": "Henry-Jean Servat and Brigitte Bardot"
    }
]

Use the refresh token to obtain a new access token and a new refresh token; the previous refresh token and access token become invalid immediately

[root@contoso ~]# curl -i -X POST https://localhost:8443/v1/books/oauth2/token \
--header 'Host: contoso.com' \
--data "grant_type=refresh_token" \
--data "client_id=LzFEyMMaQyRIHsSsqfonZfofQIHigOF4" \
--data "client_secret=YhCHW7xISxmTPd41qJFkjDkcsurVADUV" \
--data "refresh_token=Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv" --insecure
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:45:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache

{
    "refresh_token": "0mKdeGqC4LZRzNNwlhNj5OyaAZXRajZp",
    "token_type": "bearer",
    "access_token": "XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET",
    "expires_in": 7200
}

Use the updated access token to delete a book data

[root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/2 \
--header "Authorization: Bearer XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET" \
--header 'Host: contoso.com'  --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 32
X-Kong-Proxy-Latency: 3
Via: kong/0.13.1

{"message":"deleted successfully"}
Use the updated access token to add a new book data
[root@contoso ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--header "Authorization: Bearer XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET" \
--header 'Host: contoso.com' \
--data 'title=TiDB in Action' \
--data 'author=Tomson' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1

{"message":"inserted successfully"}
