dev-resources.site
Open Authorization v2.0 (OAuth2): microservices security

Published at 9/16/2024
Categories: java, spring, microservices, oauth2
Author: rustambekov

Introduction

One of the most important things to consider when exposing an API made up of microservices is security. Spring has some interesting features and frameworks that make configuring the security of our microservices easier. In this article I will show you how to use Spring Cloud and OAuth2 to provide token-based security for the services behind an API gateway.

Theory

The OAuth2 standard is currently used by all the major websites that allow access to their resources through a public API. It is an open authorization standard that lets users share private resources stored on one site with another site without handing over their credentials. The basic terms associated with OAuth 2:

  • Resource Owner - controls access to the resources (typically the end user)
  • Resource Server - the server that stores the owner's resources, which can be served out when a valid access token is presented
  • Authorization Server - manages the issuing of keys, tokens and other temporary access codes for resources. It must also ensure that access is granted only to the right party
  • Access Token - the key that allows access to a resource
  • Authorization Grant - the credential that represents the owner's permission to access the resource. There are several grant types: authorization code, implicit, resource owner password credentials and client credentials

You can read more about this standard in the OAuth 2 specification and in the DigitalOcean introduction to OAuth 2. The protocol sequence consists of three main steps. First, the authorization request is sent to the resource owner. After the resource owner's response we send an authorization grant request to the authorization server and receive an access token. Finally, we send this access token to the resource server and, if it is valid, the API grants access to the resource.

Solution

The figure below shows the system architecture. We have an API gateway (Zuul) that routes our requests to the authorization server and to two instances of the account microservice. The authorization server is an infrastructure service that provides the OAuth 2 security mechanisms. We also have a discovery service (Eureka), where all our microservices are registered.
[Figure: system architecture]

Gateway

For this sample we do not put any security on the API gateway itself. It only has to forward requests from clients to the authorization server and to the account microservices. In the Zuul gateway configuration shown below we leave the sensitiveHeaders property empty so that the Authorization HTTP header is forwarded. By default Zuul strips this header (together with Cookie and Set-Cookie) when forwarding a request to the target API, which would break our services behind the gateway, because they rely on the Authorization header (basic authentication on the token endpoint, bearer tokens on the resources) to authenticate the caller. With the empty list every route forwards the bearer token to its backend, which is what we want here, since each service validates the token itself.

zuul:
  routes:
    uaa:
      path: /uaa/**
      sensitiveHeaders:
      serviceId: auth-server
    account:
      path: /account/**
      sensitiveHeaders:
      serviceId: account-service

The main class in the gateway's source code is very simple. It only needs to enable ZuulProxy and DiscoveryClient so that the routes are resolved against the services registered in Eureka.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;

// Gateway: routes client requests to the services registered in Eureka; it has no security of its own
@SpringBootApplication
@EnableZuulProxy
@EnableDiscoveryClient
public class GatewayServer {

   public static void main(String[] args) {
      SpringApplication.run(GatewayServer.class, args);
   }

}

Authorization Server

The authorization server is as simple as possible. It is based on the standard Spring Security configuration. The client authorization details are stored in memory. In production you would of course use a JDBC-backed client store and a persistent TokenStore instead. You can read more about Spring's authorization mechanisms in the Spring Security Reference and in the Spring Boot Security documentation.
Here is a sample configuration from application.yml. It sets the basic authentication credentials for the user and the basic security credentials for the token endpoint (/oauth/token in Spring Security OAuth2): client-id and client-secret. The values below are sample credentials for the demo and must not be reused in a real deployment.

security:
  user:
    name: root
    password: password
  oauth2:
    client:
      client-id: acme
      client-secret: secret

Here is the authorization server with the @EnableAuthorizationServer annotation and a REST endpoint that exposes the authenticated user's details for the account service. The Eureka discovery client is also enabled. Note that the server is additionally annotated with @EnableResourceServer: the /user endpoint must itself be protected by the issued access tokens, because the account service calls it with the token it received in order to validate that token and obtain the principal.

import java.security.Principal;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableAuthorizationServer   // exposes /oauth/authorize and /oauth/token
@EnableDiscoveryClient
@EnableResourceServer        // protects /user with the access tokens this server issues
@RestController
public class AuthServer {

   public static void main(String[] args) {
      SpringApplication.run(AuthServer.class, args);
   }

   // Called by the resource servers (userInfoUri) to validate a token and fetch its principal
   @RequestMapping("/user")
   public Principal user(Principal user) {
       return user;
   }

}

Application – the account microservice

Our microservice has only one @GET endpoint, which always returns the same account. The main class enables the resource server and Eureka discovery. The service configuration is trivial. The sample source code is available on GitHub.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

// Resource server: every request must carry an access token, validated via userInfoUri
@SpringBootApplication
@EnableDiscoveryClient
@EnableResourceServer
public class AccountService {

   public static void main(String[] args) {
      SpringApplication.run(AccountService.class, args);
   }

}

Here are the security settings for the account service. The resource server validates every incoming access token by calling the authorization server's /user endpoint (userInfoUri) with that token; if the call succeeds, the returned principal becomes the authenticated user of the request, otherwise the request is rejected with 401.

security:
  user:
    name: root
    password: password
  oauth2:
    resource:
      loadBalanced: true
      userInfoUri: http://localhost:9999/user
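To make the request path concrete, here is an added Python simulation (not the project's Spring code, and not from the original article) of what happens to a request carrying a bearer token: the gateway applies Zuul's sensitiveHeaders rule, the account service extracts the bearer token and calls the authorization server's /user endpoint (the userInfoUri) to validate it, and /user only answers for a token it issued. The token table, the user name and the account values are constructed for the example.

```python
"""Simulation of the request path gateway -> account-service -> auth-server /user.
Added example, not Spring code: it models the behaviour of the configuration
above. The token table, user and account values are constructed."""

# Request headers Zuul drops by default unless sensitiveHeaders is overridden
ZUUL_DEFAULT_SENSITIVE = {"cookie", "set-cookie", "authorization"}

# Constructed in-memory token store of the authorization server
TOKENS = {
    "sample-token-1": {"user": "root", "active": True},
    "sample-token-2": {"user": "root", "active": False},  # expired or revoked
}


def gateway_forward(headers, sensitive_headers=None):
    """Headers the Zuul route passes on to the target service.
    None models an unset sensitiveHeaders (Zuul default); set() models the
    blank 'sensitiveHeaders:' line in the gateway YAML."""
    if sensitive_headers is None:
        blocked = ZUUL_DEFAULT_SENSITIVE
    else:
        blocked = {h.lower() for h in sensitive_headers}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    for k, v in headers.items():
        if k.lower() == "authorization":
            scheme, _, token = v.partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def auth_server_user(headers):
    """The /user endpoint. Because AuthServer carries @EnableResourceServer,
    it demands a valid bearer token and returns the principal for it."""
    token = extract_bearer(headers)
    entry = TOKENS.get(token) if token else None
    if entry is None or not entry["active"]:
        return 401, {"error": "invalid_token"}
    return 200, {"name": entry["user"]}


def account_service(headers, user_info=auth_server_user):
    """Resource-server side: validate the incoming token through userInfoUri
    before serving the (always identical) account."""
    token = extract_bearer(headers)
    if token is None:
        return 401, {"error": "unauthorized"}
    status, principal = user_info({"Authorization": f"Bearer {token}"})
    if status != 200:
        return 401, principal
    return 200, {"id": 1, "number": "1234567890", "owner": principal["name"]}


def call_through_gateway(headers, sensitive_headers=None):
    """A client request to /account/** as it arrives at the account service."""
    return account_service(gateway_forward(headers, sensitive_headers))


if __name__ == "__main__":
    req = {"Authorization": "Bearer sample-token-1", "Accept": "application/json"}
    print("default sensitiveHeaders:", call_through_gateway(req))        # 401: header stripped
    print("sensitiveHeaders empty:  ", call_through_gateway(req, set()))  # 200: account returned
```

The first call fails although the client sent a valid token: the gateway never forwarded the Authorization header, so the account service saw an anonymous request. That is exactly the symptom the blank sensitiveHeaders line in the Zuul configuration prevents.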

Testing

To check the result you need a browser and a REST client. We start by sending the authorization request to the resource owner: in the browser we can send a request to the OAuth2 authorization endpoint through the Zuul gateway.

http://localhost:8765/uaa/oauth/authorize?response_type=token&client_id=acme&redirect_uri=http://example.com&scope=openid&state=48532

After sending this request we should see the page below. Select Approve and click Authorize to request the access token from the authorization server. If the client identity is confirmed and the grant is valid, the access token is returned to the application in the HTTP response: with response_type=token (the implicit grant) it arrives in the fragment of the redirect to redirect_uri, together with the state value we sent. Two caveats for anything beyond a local test: the implicit grant exposes the token in the browser URL, and the current OAuth 2.0 Security Best Current Practice recommends the authorization code grant with PKCE instead; and redirect_uri must be a registered HTTPS URL of your own client, not an arbitrary address like example.com, otherwise the token is handed to whoever controls that host.
[Figure: authorization approval page]

The last step is to call the account endpoint using the access token. We put it in the Authorization header as a bearer token. The logging level of the applications' security packages is set to TRACE, so if something goes wrong you can easily find out what happened.
[Figure: REST client call to the account endpoint with the bearer token]
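The implicit-grant round trip above, from building the authorize request to extracting the token from the redirect and placing it in the Authorization header, as an added Python example that is not part of the original article. The gateway address, client_id, scope and redirect_uri are the page's test values; the redirect URL and the token value are constructed. It also does what the manual test skips: it generates an unguessable state and refuses a response whose state does not match, which is the client's protection against a token being injected through an attacker-initiated flow.

```python
"""Client side of the implicit grant used in the test above.
Added example, not part of the original article. Token values and the
redirect URL are constructed; the endpoint path and parameters are the page's."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def authorize_url(gateway, client_id, redirect_uri, scope, state):
    """Build the /uaa/oauth/authorize request that goes through the Zuul gateway."""
    params = {
        "response_type": "token",   # implicit grant: token comes back in the URL fragment
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{gateway}/uaa/oauth/authorize?{urlencode(params)}"


def new_state():
    """Unguessable per-request state; the fixed 48532 on the page is only fine for a manual test."""
    return secrets.token_urlsafe(16)


def token_from_redirect(redirect_url, expected_state):
    """Parse the redirect the browser receives after 'Authorize'. With response_type=token
    the parameters live in the fragment, not the query. Check state before trusting anything."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    if "error" in frag:
        raise ValueError(f"authorization refused: {frag['error'][0]}")
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this response does not belong to our request")
    if frag.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    token = frag.get("access_token", [None])[0]
    if not token:
        raise ValueError("no access_token in the redirect fragment")
    return token


def bearer_header(token):
    """Header for the final call to /account/** through the gateway."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    state = new_state()
    print(authorize_url("http://localhost:8765", "acme", "http://example.com", "openid", state))
    # Constructed redirect, as the browser would receive it after approval:
    redirect = ("http://example.com/#access_token=sample-token-1&token_type=bearer"
                f"&expires_in=43199&state={state}&scope=openid")
    token = token_from_redirect(redirect, state)
    print(bearer_header(token))   # use with: GET http://localhost:8765/account/
```

Because the token is carried in the fragment, it never reaches the server hosting redirect_uri in the request line, but it is visible to any script on that page and in browser history, which is why the page's choice of redirect_uri only works for a throwaway local test.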

Conclusion

Honestly, I am not very familiar with security problems in applications. What matters most to me is the simplicity of the security solution I decided to use. Spring Security gives us almost all the mechanisms we need. In addition, it has components that can easily be extended for further requirements. You should treat this article as a brief introduction to more advanced solutions built with the Spring Cloud and Spring Security projects.
