This is the 26th day of my participation in Gwen Challenge.

In the earlier article on microservice security architecture design, I analysed the various authentication and authorization modes of Spring Cloud combined with OAuth2. Today the focus is on combining that setup with K8S so that authentication is highly available.

Suppose we have several modules in our project:

```text
Authentication center:  OAuth2 service
Order system:           client A
User management system: client B
```

In this system the services are loosely coupled but call each other frequently, and the UI exchanges traffic with the services just as often. To handle this we introduce the K8S Service approach:

The article Spring Cloud Kubernetes in practice: service registration and discovery explained how to create a K8S Service, deploy several Pods behind it and, together with Spring Cloud Kubernetes in practice: Gateway, load-balance across them, resolving each service by its domain name and distributing traffic according to the defined rules. This article builds on the same pieces, but with OAuth2, to load-balance the microservices' authentication. K8S does the main work; a client service written in another language (Python, Go, Rust, etc.) can implement the same authentication and traffic-routing logic in its own code.

Note: because every microservice talks to the authentication center, the authentication center must be an HA service. On the client side that means adding @EnableDiscoveryClient to the startup class and marking the RestTemplate bean @LoadBalanced when it is injected, so that calls to the authentication center are load balanced.

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

@EnableOAuth2Sso
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackages = {"com.damon"})
@EnableDiscoveryClient   // discovers the authentication-center nodes so they can be load balanced
// @EnableConfigurationProperties(EnvConfig.class)
public class AdminApp {
    public static void main(String[] args) {
        SpringApplication.run(AdminApp.class, args);
    }
}
```

In the client project module, the call to the authentication center needs to be load balanced:

```java
import javax.annotation.Resource;

import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class BeansConfig {

    @Resource
    private Environment env;

    // @LoadBalanced makes the discovery client resolve the host part of the URL
    // (the K8S Service name) to one of the authentication-center Pods
    @LoadBalanced
    @Bean
    public RestTemplate restTemplate() {
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        // timeouts are read from configuration, with defaults of 15 s (read) and 3 s (connect)
        requestFactory.setReadTimeout(env.getProperty("client.http.request.readTimeout", Integer.class, 15000));
        requestFactory.setConnectTimeout(env.getProperty("client.http.request.connectTimeout", Integer.class, 3000));
        RestTemplate rt = new RestTemplate(requestFactory);
        return rt;
    }
}
```

In addition, the interaction configuration must refer to the authentication center by a domain name (or similar logical name) that the K8S Service resolves, so that the Service does the load balancing:

```yaml
security:
  oauth2:
    client:
      # cas-server-url: http://cas-server-service
      client-id: admin-web
      client-secret: admin-web-123
      user-authorization-uri: ${cas-server-url}/oauth/authorize   # authorization endpoint, required for the authorization-code flow
      access-token-uri: ${cas-server-url}/oauth/token              # token endpoint
    resource:
      loadBalanced: true
      id: admin-web
      # user-info-uri: ${cas-server-url}/oauth/token
      user-info-uri: ${cas-server-url}/api/user
      # prefer-token-info: false
```
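To make visible what `loadBalanced: true` together with `user-info-uri` does for the client, here is the same call written out by hand: a component that asks the authentication center for the principal behind a bearer token through the @LoadBalanced RestTemplate, so the logical host `cas-server-service` in `${cas-server-url}` is resolved to a Pod by the Kubernetes discovery client. This is an added example, not code from the original post; the class name `UserInfoClient` and the treatment of 401/403 as "not authenticated" are my assumptions.

```java
// Added example (not from the original post): resolving a bearer token to its
// principal via the authentication center's /api/user endpoint.
import java.util.Collections;
import java.util.Map;
import java.util.Optional;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;

@Component
public class UserInfoClient {

    private final RestTemplate restTemplate;   // the @LoadBalanced bean from BeansConfig
    private final String casServerUrl;         // e.g. http://cas-server-service (the K8S Service name)

    public UserInfoClient(RestTemplate restTemplate,
                          @Value("${cas-server-url}") String casServerUrl) {
        this.restTemplate = restTemplate;
        this.casServerUrl = casServerUrl;
    }

    /**
     * Returns the principal the authentication center associates with the token,
     * or empty when the token is missing, expired, revoked or out of scope.
     */
    public Optional<Map<String, Object>> currentUser(String accessToken) {
        if (accessToken == null || accessToken.trim().isEmpty()) {
            return Optional.empty();   // never call the auth center with an empty Authorization header
        }

        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        headers.set(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken);

        try {
            // The host part of this URL is a Service name, not an IP; the load balancer
            // picks one of the authentication-center Pods for each call.
            ResponseEntity<Map<String, Object>> response = restTemplate.exchange(
                    casServerUrl + "/api/user",
                    HttpMethod.GET,
                    new HttpEntity<>(headers),
                    new ParameterizedTypeReference<Map<String, Object>>() {});
            return Optional.ofNullable(response.getBody());
        } catch (HttpClientErrorException e) {
            HttpStatus status = e.getStatusCode();
            if (status == HttpStatus.UNAUTHORIZED || status == HttpStatus.FORBIDDEN) {
                return Optional.empty();   // rejected token: treat the caller as unauthenticated
            }
            throw e;   // any other 4xx is a client bug and should surface
        }
    }
}
```

Because every replica of the authentication center is reachable through the same Service name, which Pod answers is irrelevant to the caller, which is exactly why the token state on the server side must be shared across replicas.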

That covers the client side of authentication. The client also has to expose its UI as a Service to its consumers, which is where Spring Cloud Kubernetes Gateway and the nginx proxy come in. Let's test by requesting a token with the password grant:

```shell
curl -X POST \
  -d "username=admin&password=123456&grant_type=password&client_id=admin-web&client_secret=admin-web-123" \
  http://192.168.8.10:5556/cas-server/oauth/token
```

See the results:

```json
{
  "access_token": "5a7892b0-7483-4f60-89fd-44255a429ff6",
  "token_type": "bearer",
  "refresh_token": "23f2e8ea-f091-4ab0-822c-f28bebc4ec08",
  "expires_in": 3599,
  "scope": "all"
}
```

Then call the client service with the token:

```shell
curl -H "Accept: application/json" \
  -H "Authorization: bearer 5a7892b0-7483-4f60-89fd-44255a429ff6" \
  -X GET http://192.168.8.10:5556/admin-web/api/user/getCurrentUser
```

Output result (note that the serialized authentication echoes the original request parameters, client_secret included, so this endpoint should not be exposed beyond the client that needs it):

```json
{
  "authorities": [{"authority": "admin"}],
  "details": {
    "remoteAddress": "10.244.0.196",
    "sessionId": null,
    "tokenValue": "5a7892b0-7483-4f60-89fd-44255a429ff6",
    "tokenType": "bearer",
    "decodedDetails": null
  },
  "authenticated": true,
  "userAuthentication": {
    "authorities": [{"authority": "admin"}],
    "details": {
      "authorities": [{"authority": "admin"}],
      "details": {
        "remoteAddress": "10.244.0.201",
        "sessionId": null,
        "tokenValue": "5a7892b0-7483-4f60-89fd-44255a429ff6",
        "tokenType": "Bearer",
        "decodedDetails": null
      },
      "authenticated": true,
      "userAuthentication": {
        "authorities": [{"authority": "admin"}],
        "details": {
          "client_secret": "admin-web-123",
          "grant_type": "password",
          "client_id": "admin-web",
          "username": "admin"
        },
        "authenticated": true,
        "principal": {
          "password": null,
          "username": "admin",
          "authorities": [{"authority": "admin"}],
          "accountNonExpired": true,
          "accountNonLocked": true,
          "credentialsNonExpired": true,
          "enabled": true
        },
        "credentials": null,
        "name": "admin"
      },
      "oauth2Request": {
        "clientId": "admin-web",
        "scope": ["all"],
        "requestParameters": {
          "grant_type": "password",
          "client_id": "admin-web",
          "username": "admin"
        },
        "resourceIds": [],
        "authorities": [],
        "approved": true,
        "refresh": false,
        "redirectUri": null,
        "responseTypes": [],
        "extensions": {},
        "grantType": "password",
        "refreshTokenRequest": null
      }
      ...
```

Finally, high-availability authentication comes down to reaching the authentication center through the K8S Service, which distributes calls across its Pods in the default round-robin fashion. For that to work, a token issued by one Pod must be accepted by every other Pod, so the authentication center should keep its tokens in Redis or use JWT rather than holding them in the memory of a single instance.
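The server-side half of that requirement, as an added example that is not code from the original post: an authorization-server configuration whose TokenStore is backed by Redis, so whichever cas-server Pod the Service picks will recognise a token issued by any other Pod. The client registration mirrors the values used in the curl test above (client_id `admin-web`, scope `all`, a one-hour access token). The class name, the property `cas.client.admin-web.secret`, the Redis key prefix and the availability of `RedisConnectionFactory`, `AuthenticationManager` and `PasswordEncoder` beans in the context are assumptions.

```java
// Added example (not from the original post): sharing OAuth2 token state
// across authentication-center replicas with a Redis-backed TokenStore.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final RedisConnectionFactory redisConnectionFactory; // assumed: spring-boot-starter-data-redis on the classpath
    private final AuthenticationManager authenticationManager;   // required for the password grant
    private final PasswordEncoder passwordEncoder;
    private final String adminWebSecret;                         // injected from configuration, never hard-coded

    public AuthorizationServerConfig(RedisConnectionFactory redisConnectionFactory,
                                     AuthenticationManager authenticationManager,
                                     PasswordEncoder passwordEncoder,
                                     @Value("${cas.client.admin-web.secret}") String adminWebSecret) {
        this.redisConnectionFactory = redisConnectionFactory;
        this.authenticationManager = authenticationManager;
        this.passwordEncoder = passwordEncoder;
        this.adminWebSecret = adminWebSecret;
    }

    /** Shared store: every replica reads and writes the same Redis keys, so any Pod can validate any token. */
    @Bean
    public TokenStore tokenStore() {
        RedisTokenStore store = new RedisTokenStore(redisConnectionFactory);
        store.setPrefix("cas:");   // assumed prefix; namespaces the keys if the Redis instance is shared
        return store;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("admin-web")                          // client_id used in the curl test
                .secret(passwordEncoder.encode(adminWebSecret))   // stored encoded, compared by the encoder
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("all")
                .accessTokenValiditySeconds(3600)                 // matches "expires_in": 3599 in the response
                .refreshTokenValiditySeconds(24 * 3600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .authenticationManager(authenticationManager)
                 .reuseRefreshTokens(false);   // issue a fresh refresh token on every refresh
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()");   // /oauth/check_token only for authenticated clients
    }
}
```

With this store, the round-robin choice the K8S Service makes for each `/oauth/token` or `/api/user` call no longer matters, because the Pods no longer keep tokens in their own memory. The JWT alternative the text mentions needs no shared store at all, but then every replica must be configured with the same signing key so that any Pod can verify a token signed by another.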