Microservice Protection With WSO2 Identity Server
Download as PPTX, PDF2 likes1,113 views
- The document describes how to secure a Spring Boot microservice with OAuth 2.0 using WSO2 Identity Server as the authorization server. - It involves creating a simple microservice with a protected resource, then configuring WSO2 IS as an OAuth server to issue access tokens. This allows the microservice to validate tokens to secure the resource. - It also covers configuring WSO2 IS to issue JWTs instead of normal tokens, and how to obtain and use a JWT to access the protected microservice resource.
Microservice Protection With WSO2 Identity Server
- 1. Securing Microservices WSO2 Identity Server Anupam Gogoi - Associate Technical Lead
- 2. Pre-requisites • JDK 8 • Maven • Eclipse or IntelliJ • WSO2 Identity Server 5.7.0
- 3. Lab Exercise 1 - Create Microservice Part 1 We are going to create a simple Microservice in Spring Boot. The service contains a resource protected by OAuth2. Part 2 Configure WSO2 Identity Server as OAuth2/OpenID authorization server.
- 4. Solution Lab Exercise 1 Part 1 Creating a Spring Boot microservice. Code repository https://github.com/anupamgogoi-wso2/wso2-summit
- 6. Spring Boot Microservice • Visit the site https://start.spring.io/ and create a project with dependencies Web and Security. • Import the project in Eclipse/IntelliJ and add one more dependency by hand in the pom.xml <dependency> <groupId>org.springframework.security.oauth.boot</groupId> <artifactId>spring-security-oauth2-autoconfigure</artifactId> <version>2.0.6.RELEASE</version> </dependency> • Add your logic. • https://github.com/anupamgogoi-wso2/wso2-summit
- 7. Spring Boot - Configure Auth. Server Note that for client id and client secret you need to use valid username password from WSO2 Identity server.Here i have used default admin username/password.According to this configuration resource server will use OAuth2 introspection API to validate the token. security.oauth2.client.client-id=admin security.oauth2.client.client-secret=admin security.oauth2.client.access-token-uri=https://localhost:9443/oauth2/token security.oauth2.client.user-authorization-uri=https://localhost:9443/oauth2/token/authorize security.oauth2.client.scope=openid security.oauth2.resource.filter-order=3 security.oauth2.resource.user-info-uri=https://localhost:9443/oauth2/userinfo security.oauth2.resource.token-info-uri=https://localhost:9443/oauth2/introspect security.oauth2.resource.prefer-token-info=true
- 8. Spring Boot - Run The important thing is to pass client truststore details while executing the jar file.Spring security will use SSL connection to talk with Authorization server to validate the access token.The spring boot runtime should be provided with certificate store to find out the authorization server certificate authority and trust it. java -Djavax.net.ssl.trustStore=/Users/anupamgogoi/softwares/wso2/is/wso2is- 5.7.0/repository/resources/security/client-truststore.jks -Djavax.net.ssl.trustStorePassword=wso2carbon -jar /Users/anupamgogoi/git/wso2-summit/spring-oauth2-microservice/target/spring-oauth2-microservice- 1.0.0.jar
- 9. Solution Lab Exercise 1 Part 2 Configure WSO2 Identity Server as OAuth2 Authorization Server
- 10. High Level Overview • We will use a simple 3 entity example 1) User, 2) Application server, and 3) Authentication server. • The authentication server will provide the JWT to the user. With the JWT, the user can then safely communicate with the application.
- 11. Configure WSO2 Identity Server • Log into the IS (admin/admin) • Navigate to Service Providers menu and click add.
- 12. Add Service Provider - IS Provide Basic Information for the Service Provider. Eg. Service Provider Name: OAUTH2
- 13. Inbound Authentication Configuration Click Inbound Authentication Configuration and expand OAuth/OpenID Connect Configuration.
- 14. OAuth/OpenID Connect Configuration Configure OAuth2. Choose Token Issuer as Default (OAuth2). Note that we can choose JWT also. (Next lab)
- 15. OAuth/OpenID Connect Configuration Once configuration is saved you will be provided with the Client Key and Client Secret.
- 16. Microservice Resource The Spring Boot microservice contains a resource protected by OAuth2. GET http://localhost:8080/app/products To access this resource, an Access Token must be provided in the Authorization header.
- 17. Generating Access Token - Postman • Token URI of the Identity Server, https://localhost:9443/oauth2/token • Use password grant_type and provide necessary details. Note that the client_id & client_secret are generated while adding the Service Provider in the IS. • Make sure to send the following header, Content-Type: application/x-www-form-urlencoded
- 18. Generating Access Token - CURL curl -u <CLINET_ID>:<CLIENT_SECRET> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token Invoke Microservice curl -k http://localhost:8080/app/products -H "Authorization: Bearer <<ACCESS_TOKEN>>
- 19. Lab Exercise 2 Using JWT to access the protected resource of the microservice.
- 20. Solution - Lab Exercise 2 We are going to use the same Spring Boot microservice with the same resource. Only thing we will need to change is in the Identity Server to generate JWT.
- 21. Configure identity.xml - IS ● Open the <IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth>,<AuthorizationContextTokenGeneration> elements) to true as shown in the code block below. ● Add the following property under <OAUTH> section to use the JWT Token Builder instead of the default Token Builder. <IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>
- 22. Configure identity.xml - IS • Configure the “audiences” parameter as mentioned below so that the token includes information about the intended audiences who can use the generated token for authenticating the user. <EnableAudiences>true</EnableAudiences> <Audiences> <Audience>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</Audience> </Audiences> • Configure a meaningful value to the <IDTokenIssuerID> parameter in the identity.xml file <IDTokenIssuerID>my-jwt-token</IDTokenIssuerID> • Start the IS sh wso2server.sh
- 23. Configure Identity Provider - IS Go into Identity-> Identity Providers and click on “Add”.
- 24. Configure Identity Provider - IS Identity Provider Name—This needs to be the same value as the <IDTokenIssuerID> value you configure at the identity.xml file since this value will be the issuer ID of the JWT token. Here the value is given as “apim-idp” to match the above mentioned parameter. Identity Provider Public Certificate—Here you need to upload the public certificate of the WSO2 Identity Server in a pem file format. The Identity Provider Public Certificate is the public certificate belonging to the identity provider. Uploading this is necessary to authenticate the response from the identity provider. This can be any certificate. Since we are using WSO2 Identity Server as the IDP we can generate the certificate using the below mentioned commands.
- 25. Create/Import Certificate • Open your Command Line interface, go to the <IS_HOME>/repository/resources/security/directory. Run the following command. keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon Click Choose File and navigate to this location in order to select and upload this file. • Alias—You need to give the clientID (client key) of the service provider which you will configure in the WSO2 Identity Server here. This will be checked when verifying the JWT token.
- 26. OAuth/OpenID Connect Configuration • Create a new Service Provider e.g JWT • Choose any valid Url in the Callback Url field. • Choose Token Issuer as JWT.
- 27. Get JWT & Invoke Service You need to first get a JWT token from the WSO2 identity server by using the token endpoint with the password grant type. You can use the below mentioned curl command to get a JWT token, curl -u <CLIENT_ID>:<CLIENT_SECRET> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token Use the token in Authorization header in the request to access the protected resource of the microservice, curl -k http://localhost:8080/app/products -H "Authorization: Bearer <<JWT_TOKEN>>"