Spring Cloud Gateway: Resource Server With Keycloak RBAC

In this article, we will explore how to integrate a resource server with an API gateway that is itself integrated with Keycloak, and how to enforce role-based access control (RBAC) on the resources it exposes.

Introduction

In my previous article, “Spring Cloud Gateway Keycloak OAuth2 OIDC Integration,” I showed how to integrate Keycloak with Spring Cloud Gateway. In this article, we extend that setup with a resource server, so that a client (e.g. a browser) can access a resource only when the authenticated user holds the role that the resource server requires. This is a continuation of the aforementioned article, so I recommend reading it first.

Dive Into OAuth Grant Types and OpenID Connect Flows

In my last article, you could read about the differences between OAuth, SAML, and OpenID Connect. Today I want to continue the topic. We will dive deeper into the processes of authentication (offered by OpenID Connect) and authorization (offered by OAuth). However, we will start with a few words about the naming conventions used in both.

GrantTypes vs Flows — Semantic Difference

In general, both terms are correct and can be used interchangeably. Both describe the same thing: a process of obtaining an Access Token. Just keep in mind that the term “Grant Type” is more strongly associated with OAuth, while the term “Flow” is more strongly associated with OpenID Connect. As a side note, the term “Flow” rarely occurs in the OAuth specification.

How to Implement OAuth2 Security in Microservices

Purpose

I wanted a solution in which OAuth2 (an authorization server plus OAuth2 clients) is applied consistently to secure communication with all of the microservices, that is, a full OAuth2 setup for a microservices architecture. A user cannot access any API without a token. The token is issued by the authorization server once the user presents the client's basic-authentication credentials together with their own login details.

All external requests enter through a single entry point, the API gateway, although services can also communicate with one another directly. The API gateway performs dynamic routing using the Netflix OSS Zuul component. Every request is checked for authorization when it arrives at a service: the service asks the authorization server to verify whether the presented token is valid. All configuration is kept in a central configuration server backed by a GitHub repository (any Git repository can be used).

OAuth2 Tips: Token Validation

Bearer Token Types

There are two kinds of OAuth2 bearer tokens:

  • An opaque token is a string that carries no meaning for the client or the resource server (e.g., 2YotnFZFEjr1zCsicMWpAA). A token of this kind cannot be validated by the Resource Server without direct communication with the Authorization Server (typically via token introspection).
  • A JWT (JSON Web Token) is a JSON object carrying statements (claims) about the user and the token itself. It consists of three dot-separated parts: header, payload, and signature, each base64url-encoded for transfer. JWTs are not part of the core OAuth2 specification, but OpenID Connect requires the ID Token to be a JWT. Because a JWT is signed, a resource server can validate it locally, which makes it the most popular way to exchange information about the current authentication between microservices.
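To make the distinction between the two token kinds concrete, the following added example (not code from the original article) shows what a resource server can and cannot do with each. The opaque token is only recognised as "not decodable locally", which is the signal that introspection against the authorization server is needed. The JWT is decoded into its three segments and then validated locally: the algorithm is pinned rather than read from the header, the HMAC signature is checked in constant time, and the exp, nbf and aud claims are enforced. The shared secret, claim values and function names are all constructed for this example; a real deployment would use the authorization server's published key (usually an asymmetric key via JWKS) and a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared by the authorization server and the
# resource server (HS256). Illustration only: never hard-code a real secret.
SHARED_SECRET = b"example-hs256-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the '=' padding the decoder expects."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def issue_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature the way an authorization server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def is_opaque(token: str) -> bool:
    """True when the token cannot be decoded as a JWT and therefore needs
    introspection (RFC 7662) at the authorization server instead."""
    parts = token.split(".")
    if len(parts) != 3:
        return True
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return True
    return not (isinstance(header, dict) and "alg" in header)


def inspect_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT trusting them (no signature check).
    Useful for logging and debugging, never for authorization decisions."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def validate_hs256_jwt(token: str, secret: bytes, audience: str,
                       now: Optional[float] = None) -> dict:
    """Local validation as performed by a resource server.

    Returns the verified claims or raises ValueError. Order of checks:
    structure, pinned algorithm, signature, exp/nbf, aud.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm. Trusting 'alg' from the token enables alg=none and
    # key-confusion attacks against the verifier.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    # Only now are the claims trustworthy enough to read.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("audience mismatch")
    return claims


if __name__ == "__main__":
    issued_at = int(time.time())
    token = issue_hs256_jwt(
        {"sub": "alice", "aud": "orders-api", "iat": issued_at,
         "exp": issued_at + 300, "roles": ["orders:read"]},
        SHARED_SECRET,
    )
    print("opaque?", is_opaque("2YotnFZFEjr1zCsicMWpAA"), is_opaque(token))
    print("untrusted view:", inspect_jwt(token)["payload"])
    print("verified claims:", validate_hs256_jwt(token, SHARED_SECRET, "orders-api"))
```

The roles claim that comes back from validate_hs256_jwt is what a resource server would feed into its RBAC decision; the point of the ordering above is that no claim, roles included, is read before the signature has been verified.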

Token Validation Methods

OAuth2 tokens can be validated using the following methods: