[008] How to Secure Micro services - oAuth2 Server part 01 - [Micro services in and out 008]

Captions
Hello everyone, new day, new video, new chapter. I hope you guys tried the previous videos, and thank you for the feedback and also the questions and some ideas; I'll try to incorporate those in future videos. Today we are going to see how we can secure our microservice, because last time, if you remember, we created a microservice to get the profiles, but anyone can call that service and get profile information. That should not happen, right? Those are sensitive data, those have to be secured, and only authorized people should be able to access that data. So how can we secure a microservice? There are multiple ways to do that, but I don't want to go round and round; you can find that information on the internet easily, basic authentication and so many things. But the most widely used authentication technique for microservices is OAuth2 and JWT (JOT), and I'll get to those later. The most commonly used thing is OAuth, so I'm going to teach you what OAuth is and how to use OAuth to secure a microservice. But I have to declare this: this will not be an in-depth OAuth2 video, so if you are trying to learn OAuth2 from this video, no, this is not the video for that. I'm going to teach you the basics of OAuth and what it does, plus how you can implement your own OAuth server, so maybe this gives a little insight to you, but if you have never heard of OAuth2 then you may need to read some things or watch some other videos to understand what OAuth2 is. I'm going to give you the very basic principles. So before we begin, let's see what OAuth2 is. OAuth2 is a protocol we use to do token-based authorization. What does token-based mean? The whole intention of OAuth2 is not to disclose your username and password to applications and other websites, so it's a way of delegating access without sharing credentials. It can grant a client to perform certain actions on behalf of the user.

The best example: let's say I have some camera installed in my home, or I have a smart bulb, and I need to send that information to Google Drive or iCloud, but I don't want to give my username and password to my light bulb or the camera, because if you have 100 devices then my username and password will be in 100 places. In that case, if I want to change my username and password it will be ridiculous, and also if I want to sell some device or throw some device out, then I have to revoke my username and password; it's a very cumbersome process. So what we can do is we can tell Google Drive, hey, this smart camera is owned by me, or this bulb is owned by me, so let it access Google Drive on behalf of me. So what's the difference between giving a username and password and giving this OAuth2 token-based authorization? The difference is, whenever you want to revoke, for example, you can set an expiry time; you can say I am granting this for one week, one month or something like that. So there are multiple advantages to doing that. And also, if you go to a certain website you can see "Log in with Facebook", "Log in with Google", "Log in with LinkedIn", "Log in with GitHub", right? What this does is they use your GitHub credential or Facebook credential to access their system. So that brings us to a second point: authentication versus authorization. This is a topic most people confuse; even some senior people get confused about what is authentication and what is authorization. Authentication is who you are; authorization is what you can do. That is the simplest way I can think of to remember it: authentication is who you are, authorization is what you can do. For example, you will see authorized dealers, right? Apple has authorized dealers, Samsung has authorized dealers. Authorized dealers means they are authorized to do it, that means they're permitted to do it. That is the easiest way to understand it.

Anyway, back to the topic. Technically OAuth is not intended to be used as authentication. It is not there to authenticate the user; the user has to be already authenticated in order to get the token. But most of the time, almost all providers implement these together, so a lot of people confuse it: is OAuth2 an authentication framework? No, OAuth2 is an authorization framework. If you need authentication you can use something like OpenID, but OAuth2 is not there for that; however, we can implement both. And also we can have a third-party OAuth provider such as Google or Facebook or LinkedIn or GitHub in order to do this authorization process. So now we know a little basic about what OAuth2 is. There are a few actors in OAuth2. First we have a resource owner, and also we have an authorization server, and also we have a client, and also we have a resource server. Let me explain this in a very simple way. The resource owner is most probably you, the user; the user owns the resource. The authorization server is the entity which grants, which handles this authorization process: what to do and what can be done, and what the roles are, and all those things. The client is probably the app. For example, let's say you are trying to access krishantha.com, and krishantha.com needs a login, so krishantha.com is the client. Now I'm going to use your Google ID or Facebook ID to authenticate you, so what I'm going to do is "Log in with Facebook" or "Log in with Google"; then the authorization server is the Google server. The resource owner is you. So now, through the authorization server, you are giving access to the client to access the resource server. The resource server is the place where we keep the resources. So now the resource server is going to verify the token you give through the authorization server. This is how this works.

So there are certain keywords, certain names. One is the access token. The access token is nothing but a random string which does not make sense when you just read it; if you read the OAuth token it doesn't make any sense, it is not a reversible string or something, it doesn't make any sense. The refresh token: the access token will be given to you for a certain period of time, let's say for one hour, so when that one hour has expired then the client can use the refresh token to get a fresh access token. It can keep refreshing. Otherwise, every now and then you would have to give your username and password to the particular site to authenticate you, but you don't have to do that since you have a refresh token and a client ID and secret. The client ID and secret is the way it identifies the app. When you register an app, let's say I have an OAuth server and you want to authenticate your users, or authorize your users, through me; then you have to register with me: hey, I need to use you. Then I'm going to give a client ID and secret to you, so when the request comes with that client ID then I know, OK, this user belongs to this app. Scope is the allowed permission; it can be read or write, it can be anything, it is just what you define. JWT (JOT) is a widely used mechanism to pass information between services. For example, let's say I have an authorization server, and you are authorizing through me; now I need to give my users permission, what the user can do, and the email address or any other information belonging to the user. I can give those through this JWT. JWT includes support for encryption, so it's very secure. Generally this is how it works: you have a client, and as we discussed the client could be a website. The client interacts with the resource owner; let's say you come to krishantha.com, and krishantha.com asks, hey, can I access your account? So the resource owner talks to the authorization server and grants this client.

Now the authorization server issues a token to the client, but keep in mind, the authorization server does not disclose your credentials to krishantha.com. Now what krishantha.com can do is pass this token to the resource server: hey, I got a token, he's trying to access you. The resource server is going to validate this token with the authorization server, to ask whether this is a valid token, whether it is expired or not, and so on and so forth. Then when the resource server knows this is a valid token, the resource server releases the resources. This is how this flow works. Let me explain again in a simple way. Let's say the client, krishantha.com, is a website, and let's say krishantha.com has a separate API cloud. You are granted access to this API cloud, but krishantha.com needs to know who you are and what you can do within this API cloud. So krishantha.com, which is the client, the app, will ask you, hey, can you give me authorization? Can you grant me access to this API cloud on behalf of you? Because you are granted access to this API cloud but I am not granted, I can access it on behalf of you. So how are you going to do it? Then the resource owner talks to the authorization server: hey, this is my username and password, please grant this client access to this API cloud. So now, based on the configuration given with the roles and everything, the authorization server will send the token to the client, and the client passes this token to the resource server, and the resource server validates this token with the authorization server. So this is a very generic flow. If you take the specific flows, there are multiple grant types, for example authorization code, client credentials, implicit, password, device code. But if you take the particular specific flow, the authorization code flow, this is the widely used grant flow with microservices, and then the password credential flow; I will explain what the difference is.

Alright, so let's take the particular specific flow. This is where you can see authentication and authorization separately. Let's take this client, krishantha.com, sending a request to the authorization server; let's say you are going to log in with Google. Then krishantha.com sends a request to the authorization server: hey, I want to access these particular resources. Then the authorization server asks the resource owner, which is you, the user: hey, krishantha.com wants to access your account, will you give the access? So now it prompts the small dialog box to enter username and password; that is where you authenticate. So now you authenticate with the resource server, and you say OK, I'm allowed to give the access to krishantha.com. That's why when you go with "Log in with Facebook" or "Log in with Google" you will see the small text saying krishantha.com wants to access these; these are the permissions it is going to get: read your account, delete your account, delete your files, and so on and so forth. So now the resource owner says OK. Now when I am authenticated, it sends the code to the client. Now the client passes that code back to the authorization server and asks for a token, because this is just a code and I need to have a token. So now the authorization server gives the token back to the client, and now the client can pass this token to the resource server, and now the resource server can validate this token with the authorization server. When the token passes validation then the resource owner is going to release the resources. This is the authorization code flow. Now you can see the most important thing here: the client, in this case krishantha.com, won't see your username or password, because what krishantha.com does is redirect you to the authorization server.

So whenever you say "Log in with Google" it redirects you to Google, and then the Google login page comes and your username and password are only seen by Google; the client won't see them. That's the most important thing, that's why this is the most secure way: you don't have to disclose your username and password to each and every website. You can keep your username and password with Google or whatever provider you decide, and they will only see the access token. So it's very secure because no one sees your username and password other than that particular server. But then there is another flow called password, and it's also used widely. In the password flow the difference is the client takes your username and password and sends that username and password to the authorization server. In that case the user won't see the authorization server login dialog box, but will see your app, in that case the krishantha.com page, to enter your username and password; then krishantha.com takes it and sends it to the authorization server. That's the difference between the OAuth code flow and the password flow. So now we know how OAuth works. Let's see how we can implement a very simple OAuth server. Today I'm going to implement a very simple OAuth server, but in the next video I am going to implement a real production-quality OAuth server using a database. OK, so let's implement a simple OAuth server. For this I'm going to use again another Spring project, a Spring Boot project; it's very easy to implement a Spring OAuth server, a Spring Security OAuth server, using Spring Boot. So I'm going to give my artifact name, and as dependencies I need the web dependency, and I need Cloud Security, and I need Cloud OAuth2, so I need three dependencies. OK, so let's go to our pom file and see what it built. We have the starter web, and OAuth2, and security, and we're using the latest version, which is 2.1.2.

This is good. So the only thing I need to do now is go here and add @EnableAuthorizationServer, so that's it, it's simple. Now we have an authorization server, but where are the users? We don't know any of these. So what I'm going to do is do this in two steps: first I am going to implement the authorization server using the property file, then I'm going to move into the code, so then you will see the difference, and also I'm going to explain to you the difference they introduced in the latest Spring Security. So change this to YAML. First I need to set the port; let's say I'm going to set the port to 8282. Then I need to set the username and password: spring.security.user.name, let's say krish, and password krish123. I'm not using this password anywhere, so you don't have to try this. I'm going to use two roles, ADMIN and USER. So now this is OK, I have a user. For this I'm going to first hard-code the user. Then I need to set the OAuth2 properties; for that I need to set the client ID, let's say mobile, and also I need to set the client secret, pin. I'm going to set the token validity in seconds; let's say my token is valid for one hour. Also I need to set the authorized grant types, and also I need to set the scope; I'm going to give read, write. This can be anything; you can write anything in your scope. So now I'm ready, I have a basic setup. This is how OAuth2 works: remember I explained to you, when you register an app on the OAuth2 server it gives you a client ID and a secret; in this case I'm going to hard-code it, and in the next video I'm going to show you how you can move these things to the database. OK, so we are ready with the basic setup. Now I'm going to run this application. In this case we didn't give any context path, so it would be the basic standard context path.

So let's go to our REST client and I'm going to create a new request, a GET request, let's say "OAuth token request". My URL would be localhost:8282; I didn't give any context path, so it would be directly /oauth/token. This is my URL. Now if you try to access this it will say 404, no, it should be 401; it says unauthorized because you are not authorized to access this. So I'm going to use basic auth here. What do you need to put here? Whatever you added in this context, your client ID and the secret, so mobile and pin. OK, so now I have been granted access, but now it says method not allowed, because this is supposed to be a POST method. So now it's a POST request. I'm going to go step by step. Here now I need to add the information I need, as form URL encoded. My grant_type: I'm going to set grant_type as password, and username is krish, password krish123. So let's try again. Now you will see you get a response: you have an access_token, you have a token_type; the token type is bearer, we can talk about that later. The refresh token is this one, and the main one, the access token, expires in; the access token is going to expire in 3599 seconds, that means the full one hour. After it expires we can use the refresh token to get a new access token. You can see here I have a read write scope. How did we get the read and write scope? Because this client is granted to have read and write scope. But we can set the scope here; we can ask, hey, give me the read scope. So now you will see only the read scope, an access token for the read scope. Let's give the write scope; see, the access token is different now, so now you get a new access token for the write scope, but you will see now it has 3599 seconds. Now if you remove the scope again you will see you get an access token with expires_in of 3533 seconds. Why? Because we sent the same credentials and asked for the same scope, so this authorization server caches this token for one hour, because it is the same user. If you execute again it will get less again; you see 3512. The reason is they cache this token for one hour because this token is still valid. So how can we validate this token now? What we can do is create a new request, let's say "check token request". Here the URL would be the same URL but with the check_token endpoint, /oauth/check_token, and we can pass a token here, token=, we can pass a token here. But the moment you try to pass the token, let's say we pass some dummy token, it returns you unauthorized. So you have two options for that: either you can authorize this one with the same username and password, I mean the client credentials, so mobile and pin; in that case it will pass this unauthorized part, but now it's forbidden, meaning you are not allowed to access this resource. The reason behind this is, when it comes to the latest Spring Security, we need to tell here to whom we are going to give the check token URL access. So check token access, I'm going to say permitAll; permitAll means you can access this resource even without sending a client ID and a secret. So let's try this. OK, so if we check now, now it will say invalid token; it's obvious, we sent some dummy token. So let's copy this token, it's the real token, and paste it here. Now you will get all this information.

Here you have it: it says active, the token expires at this time, and the username is krish. These are the authorities I have, I have the role ADMIN and the role USER, and also this is my client ID and these are the scopes. I didn't grant any permissions, so this is the information I have; they retrieve this information from here. So now we know how it works. Since I said permitAll, even with no authorization this should work, OK, yeah, because I said permitAll. Now, this is a little bit ugly because this is not something production ready. Anyway, if it is to be production ready we have to move all those details into the database, but yeah, this is not a very production quality application because anyone can see this property file and anyone can extract this information. So let's see how we can move this information into the configurations. I am going to create a new package, just to be really quick; I'm going to create a package called conf, and in it I'm going to create a class called AuthServerConfiguration. I need to annotate this with the @Configuration annotation. So now here I'm going to extend this from WebSecurityConfigurerAdapter and implement AuthorizationServerConfigurer. You can do it in a different way: this interface, AuthorizationServerConfigurer, has an implementation also, called AuthorizationServerConfigurerAdapter, but Java doesn't support extending from two classes, so we can't extend this from two classes. For that, what you can do is create two different configuration classes in your project, one extending from WebSecurityConfigurerAdapter, another one extending from AuthorizationServerConfigurerAdapter. So why do we need to extend from WebSecurityConfigurerAdapter here? Because when it comes to the latest version of Spring Security, we don't have access to the AuthenticationManager by default. The AuthenticationManager comes with WebSecurityConfigurerAdapter, so we need to get that AuthenticationManager; I'll show you that. So now, since we implement the interface, it's asking us to implement the methods, these three methods, so I'm going to implement them. OK, so what I'm going to do is first make these names shorter so that it will be easy to understand. Now I'm going to create my clients here. For this video I am going to create this client in memory. How am I going to do that? clients.inMemory().withClient; the client is, sorry, not mobile; to make sure this is working not from the property file, let's give a different client, web. The secret is webpass, scopes read, write, and authorized grant types: I'm going to give just these two. I'm OK with this; I'm not going to set the validity period, so it will take the default validity period. So the server configuration is done. Now I need to go and create the users. I'm going to create a new class called UserConfiguration; again I need to annotate it with the @Configuration annotation, and here I'm going to extend this from GlobalAuthenticationConfigurerAdapter. Then I'm going to override its method called init. Here I'm going to create my users: auth.inMemoryAuthentication().withUser krish, password krishpass. So now I'm ready with that; I created one user. If you want I can add another user, so what I can do is .and(), and again I'm going to copy and paste this up to here and just change it a little bit. I'm going to use a second name, Saranga, and the password is sarangapass, and he's not a manager, he's a user, and he can't delete records. So now we have two users. So we configured users and now we configured the OAuth server as well. If you're not sure we can delete all that information from this; I'm not going to delete it, but I'm going to, instead... yeah, let's do this.

So now I'm going to restart this service because we did a lot of changes; let's restart the service. OK, so it started. Now let's see if we can create a token from here. Now it's not mobile, it's web, and the password we gave for web is webpass. Now it says no response, it's a 401; 401 means unauthorized, that means this cannot authorize me. OK, so if you go to the console and see, IllegalArgumentException: There is no PasswordEncoder mapped for the id "null". OK, so I think I know the reason. The reason behind this could be, when it comes to the latest Spring Security versions, with Spring Boot version 2, they removed... so I think the reason behind this is the password encoder, because there's a default password encoder with the latest version, but when you put the plain password in your code, in memory authentication, when you use the plain password, then when it tries to verify the password it cannot verify, because this is not an encoded password. So we need to set the password encoder here, probably in both cases, because for the client ID and secret, sorry, the secret, and the passwords, in both cases we need to use the password encoder. What we can do is say PasswordEncoder pass = PasswordEncoderFactories.createDelegatingPasswordEncoder(); this is the default password encoder. But the problem here is we cannot access this because this is a plain password; we have not encoded this password, so Spring Boot is trying to decode the password but it can't decode it because this is not an encoded password. So what we can do here is passwordEncoder.encode() this one. I think now it should work, but let's fix it here as well at the same time, so I don't have to come back. OK, so I think I'm good now, we'll see. Let's try to get the token. It says unsupported grant type; that means we sent the grant type as password, and this worked before, but now it's not working. This is the reason I told you: I saw in the documentation they are saying we don't have access to the AuthenticationManager directly; up to this latest version what we could do is simply autowire the AuthenticationManager, but not anymore. So what we need to do, and that's why I extended WebSecurityConfigurerAdapter, is create a bean here, AuthenticationManager. So authenticationManager, let's say, @Bean, and return super.authenticationManagerBean(), and we need to throw an exception. OK, so now this should be public. Now it's good, now we can @Autowired the AuthenticationManager. So now here in the endpoints we need to say who is my authentication manager: authenticationManager is my authenticationManager. Now, the problem here: they do support password credentials, this error is a little bit misleading; it does support the password grant type, but the problem is there is no one to validate this password, that's the problem, there is no manager to validate these credentials. It's a little bit misleading but it's fine. OK, good. So now it's invalid grant because the username and password are wrong; what I gave is krishpass. Yeah, so now I have a token. So let's take this token and see, is this token supposed to validate? I think it is not, and I don't even need to copy and paste here; yeah, it is not valid, because of the same problem, it's not permitted. So what we can do here in the security section is say security.checkTokenAccess, and you can give, like last time, permitAll; in that case you don't even need an access token, you don't even need the client credentials and secret to access this. But it's an invalid token, obviously, because we restarted the service in memory. So you go here and copy the token and paste the token here, and it gives all that information again. As you can see, delete, and read, so now this is for krish. Now I have read, delete, sorry, write, delete, and read. Let's see if I try with the Saranga username and sarangapass. It cannot grant because I think again I made a mistake here: I didn't encode his password. Yes, I didn't encode his password, so I need to encode it. I didn't encode it here either, so let's fix that and run again. Remember, last time I got read, write and delete access. Let's get the token for Saranga; again bad credentials, so let's go and see: sarapass, no, it's sarangapass. So now I get the token. Again, draw your attention here: can read, can delete and can write. Now when I check this token it will tell you, you can't delete anymore, because you are not granted to delete. So now you see how this works. You can deploy this in production if you have one client and a few set of users, because no one can read this information since this is within your code, but this is not the right way to do it. The right place to put these tokens and everything is the database, MySQL or whatever database you're choosing. So the next video will be: I'm going to teach you how you can write a production-ready enterprise authorization server, authentication and authorization server, using Spring Security. OK, so until then, subscribe to this channel if you're not subscribed yet, and also share this video on your social media so more people will reach this video and more people will learn. OK, so all this effort is to teach people, and teach people who want to learn, so share this video. Then I'll see you again in the next video. Stay safe, take care.
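The in-memory authorization server the video builds (one class extending WebSecurityConfigurerAdapter and implementing AuthorizationServerConfigurer, a DelegatingPasswordEncoder for both client secret and user passwords, an exported AuthenticationManager bean for the password grant, and a nested user configuration), written out as an added example; this is not the video's own code. The package name, the secrets and the authority names are constructed placeholders, and unlike the video the /oauth/check_token endpoint is left restricted to authenticated clients rather than permitAll(), so a resource server must present its client credentials to introspect a token.

```java
// Hypothetical package; requires spring-boot-starter-web and
// spring-cloud-starter-oauth2 (Spring Security OAuth2), as in the video.
package com.example.authserver.conf;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfiguration extends WebSecurityConfigurerAdapter
        implements AuthorizationServerConfigurer {

    // Spring Security 5 default encoder. It stores "{bcrypt}<hash>" and
    // refuses plain strings, which is the "no PasswordEncoder mapped for
    // the id null" failure seen in the video when secrets are not encoded.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Registered client: the client_id / secret the app presents with HTTP
    // basic auth when it calls POST /oauth/token.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("web")
                .secret(ENCODER.encode("web-secret-CONSTRUCTED"))   // placeholder secret
                .scopes("read", "write")
                .authorizedGrantTypes("password", "refresh_token")
                .accessTokenValiditySeconds(3600)                    // one hour, as in the video
                .refreshTokenValiditySeconds(24 * 3600);
    }

    // Who may call the introspection endpoints. isAuthenticated() means the
    // resource server must send its own client credentials to check a token;
    // the video used permitAll() here for the demo.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()")
                .tokenKeyAccess("denyAll()");
    }

    // The password grant verifies the resource owner's credentials through an
    // AuthenticationManager; without one the server reports "unsupported grant type".
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManagerBean());
    }

    // Newer Spring Security no longer exposes the AuthenticationManager as a
    // bean by default, so export it from the WebSecurityConfigurerAdapter.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // In-memory users. Authorities are what /oauth/check_token later reports,
    // so the second user never receives can_delete.
    @Configuration
    public static class UserConfiguration extends GlobalAuthenticationConfigurerAdapter {
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("krish")
                    .password(ENCODER.encode("krish-pass-CONSTRUCTED"))     // placeholder
                    .authorities("can_read", "can_write", "can_delete")
                    .and()
                    .withUser("saranga")
                    .password(ENCODER.encode("saranga-pass-CONSTRUCTED"))   // placeholder
                    .authorities("can_read", "can_write");
        }
    }
}
```

With this in place the token request is POST /oauth/token with basic auth web:<secret> and form fields grant_type=password, username, password and optional scope, and a resource server introspects with GET /oauth/check_token?token=... using the same basic auth.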
Info
Channel: CodeLabs
Views: 50,437
Rating: 4.8991594 out of 5
Keywords: microservices, microservice architecture, Spring boot, java microservices example, microservice example, microservices tutorial, Krish, Krish java, Krish Din, Krishantha Dinesh, Krishantha, building microservices java, microservice java, aws microservices, microservices best practices, creating microservices, springboot, springboot 2.0, spring cloud, microservices course, microservices for beginners, microservices complete
Id: NhY8q5B0s-s
Length: 37min 31sec (2251 seconds)
Published: Thu Feb 07 2019