[010] Secure Microservice with OAuth2 Authorization Server [Microservice in and out - 010]

Captions
Hello everyone, how are you guys doing? I know, I'm really sorry. I promised to give you a video every single week, but ever since last March I couldn't release any video. There were a few reasons behind this: I moved to Sri Lanka for some time, and in Sri Lanka, due to some incidents you may have heard about already, we had a social media ban including YouTube, so I could not upload videos. Now everything is okay and I promise I'm going to give you the videos again; we are going to continue with the course. First, thank you so much to everyone who put in the comments and likes, and also who reached me on Twitter and sometimes even by direct mail. Everyone was asking "we are waiting, we are waiting, we are waiting", and I understand. I am really, really sorry again, but this is not going to happen again. I'm going to continue as usual and as promised, so you can stay.

In the last video I promised the next video would be a JWT token, JWT based, authorization server. But since we are a little behind, and since you guys are really waiting to use this (when I look at the comments, the mails and Twitter I can understand you guys are waiting to do something real), I'm going to push back the JWT authorization server a little bit. Before that I'm going to use the OAuth based authorization server and continue with some production ready, production grade service stack, including the configuration server, service discovery, the API gateway and the Netflix circuit breaker, all those things, and meantime, in the middle, I'm going to cover the JWT based authorization server as well. So bear with me: today I'm not going to do the JWT based authorization server; rather, I'm going to do the resource server and show you guys how you can use this auth token.

Before that I have to tell you something. In the last video there were a few comments that when we verify the token, the token becomes null, sorry, the username becomes null. The problem was I was not implementing the Serializable interface for the user class and the role and the permission. If you check my GitHub commit, I fixed that bug and pushed the new code, so now the current code is working fine.

Now if you look at where we stopped: we have a profile service, we have a config server, and also we have an authorization server. First I'm going to start the authorization service to see that everything is there where we left it. So now the authorization service is starting. I'm going to obtain the token, okay, so let's say access token, okay, I got a new token. I'm going to verify the token to make sure the bug is fixed; last time you could see some of the token, okay, so now you can see the username comes here. So now that's up. If you check the profile service, it won't work, because of the config server, right? We'll see, it will break for sure. Yeah, it's broken. Now I'm going to start the config server. Until it gets done: if you have been following this course from the beginning, you remember we are going on a journey where we put everything into real production grade services, so we are going to implement all the real, good production practices. As a part of that we separated the configuration into a config server, and that is why we need to start the config server before we start our service. So now I think the config server has started, so I should be able to start the profile service. Okay, it's starting, and now we should be able to fetch from the profile service. If you go back here and fetch your profile, it's working; fetch profile by ID is working, ID one and ID two. So now everything is back as we left it.

What we are going to do today: we are going to make this profile service secure. Right now you can see anyone can call the profile service and get the results or create a record, but we are going to restrict it. We are going to stop people calling this profile service if they don't have authorization to do this, if they are not authorized to do this.

Before that, since we are going on a continuous journey, if we depend on the config server we may need to push configuration to the config server from time to time. You guys need to understand that in a real production scenario everything works like this: you have to have a separate config server, you have to have a separate auth server, and so on and so forth. But for ease of use of these tutorials, I'm going to decouple the config server from our services; that means I'm going to take the config back into the service itself. Why am I doing this? Otherwise, when we need to make these configuration changes, we need to push to GitHub every time, and you guys may be a little confused with that process. So I'm going to decouple the config server from the codebase right now, and you guys need to understand that in real production you are not doing it; in real production you have to have it in the exact way we have today. If you cannot understand this you may need to go back and start from video number one; I think this is video number ten, so watch one to ten and then you will have a good understanding about this.

So how can we decouple? What I'm going to do is stop the config server. Then obviously my profile service won't work; if I try to start the profile service now, it won't work. If I go here, to src/main/resources, I can see application.yml; I don't have anything in that. So what I'm going to do: this is in my GitHub, the config configuration we are using for this project. I'm going to copy and put that configuration here. After that I'm going to add the existing configuration, the spring application name, which is profile, and also ddl-auto to none. So I'm going to set ddl-auto to none. Okay, so now I don't need these two.

Alright, so now my service should start again without the config server. It's starting, but still you can see it's trying to fetch from localhost 8191 because of this one. So I'm going to remove this bootstrap.yml file; you guys feel free to use the config server if you want, but for the majority of people and for ease of understanding, I'm going to remove this. Okay, now it's still trying to fetch from 8888; that's the default port for configuration. That's because we have a config dependency in our pom file, so I'm going to remove that as well. You can keep it, that's fine, but I'm going to remove it. So now it's removed, and the profile service should start as usual without any additional fetch. Okay, now you can see there is no configuration fetching, and the configuration itself is within my service. Now my port is 8181, because that is the port my profile service is running on now.

So what I'm going to do here is make this profile service secure. Right now my profile service is running even without the config service, so we don't have a config server and we can close this project; we don't need it anymore. So we close that project. Now we need only the profile service and the authorization service. If we fetch a record from the profile service, it's working. So now what I'm going to do is make this secure. First, to secure it I need to add dependencies to this project. The easiest way is to open the authorization server and copy and paste the dependencies from the authorization server. You need to get these two dependencies: cloud starter oauth2 and starter security. Okay, so now I added my dependencies to my project, and now I'm going to import them. I disabled auto import, so I am going to import manually. These are the two dependencies you need to use: spring-cloud-starter-oauth2 and spring-boot-starter-security.

Now if I restart this service you will notice something. The service starts the usual way, but there is something new in the service: you can see here it says "Using generated security password". Just after we add the security dependencies, what it does is generate a password automatically for this service. So now, just by adding these security dependencies, your service itself, see here, if you try to invoke your service as usual, it won't work. We haven't done anything other than adding dependencies, but adding dependencies is enough to secure your service. Now you can see here you are getting a different error: you see a timestamp, status 401, Unauthorized. So now what I'm going to do is go back to my profile service project, here, and add one single annotation: that annotation is @EnableResourceServer. That's it, I just added one single annotation, @EnableResourceServer, and I'm going to restart this. If you want, you can consume this service even right now using this generated password; I'm not going to demonstrate that, you can find enough articles on how to do this: you take this password and send it as a basic auth password here and it will work. So now remember the format of this error message. I'm going to execute one more time, and now you can see it's changed, the error message has changed; now it says "Full authentication is required to access this resource".

So now it is time to go back, if you don't remember, and understand how OAuth works. OAuth has a resource owner, the person, and the resource is protected by the resource server. So now you have an authorization server, and what we have done is mark our service as a resource server, so now it is its responsibility to protect the services, protect the resources. Now we are trying to access the resource, this profile resource, but it says no, you cannot access this because these are protected. So now we need to make sure we can access it. Okay, it's very simple: what you need to do is go back here and tell the service where it can validate the token. It's very simple, you need to tell where the service can validate the token, so this is how you are going to do it: we need to set security.oauth2.resource.token-info-uri to where my service is running, localhost:9191/oauth/check_token. So this is the URI you need to validate the token, and to do this you need to have a client ID. My client ID is mobile; this is the same client ID we have given in our server. If you don't remember this you need to go back and check this: mobile and pink, the client ID and secret. Okay, so now I'm done. I'm going to run this again. You may remember, even when we configured the authorization server, we had the option to configure the check token endpoint: we can permit all without authorizing to check the token. If you don't remember that you can go back and check that video again. So now we go back and we run this: still it says unauthorized. So now what we're going to do is get the token. We are going to get a token and copy this token. I think I missed copying one line, okay. So you go back here, put the Authorization header; this is a bearer token, and I think I did it right. Okay, so now let's try to access the resource again. Now you get it back, right? So you can see here, if you disable the token it fails, if you enable the token it's working; if you disable the token it fails, if you enable the token it's working. Now if you call the next service call, this one, that also fails now because it doesn't have the Authorization header. So you can add the Authorization header and add the bearer token, oops, sorry; you add the Authorization header and the bearer token, and now it's also working.

So now, as a recap, what we have done here is a simple configuration. We set security.oauth2.resource.token-info-uri; this is the configuration to tell this service, this resource server: this is the authorization server you need to validate the token with; you will get a token from the request, please go ahead and validate this token with this authorization server, and this is the client ID and secret you need to use to validate the token. On the authorization server side we learned we can enable users to check the token without even logging into the authorization server; I hope you remember that we added the permitAll configuration. So that's it, it's very simple: this is how we use the token to authorize access to the resource server. Again, a very small recap: in the OAuth world we have four entities. We have the authorization server, which is already implemented; we have to have a resource server to protect the resources, and that is why we converted this profile service into a resource server; and that resource server is expecting a token from the client to access the resource on behalf of the resource owner. So now this is a very basic point: if you have a token you can go anywhere within the service. In the next video I'm going to show you how you can limit particular methods depending on the user roles, in other words role based permission. And I promise the next video won't take a long time like what happened again. I'm really sorry for what happened; I couldn't upload a video for the last two to three months, I'm really sorry, and that's not going to happen again. I'm going to continue this course, and thank you very much for staying with me even when I'm not uploading videos. Thank you for every comment, every single like you put on the video; I read all those things, though I may not reply, I didn't have time to reply, but I'm going to personally read each and every comment. So if you have time, if you watch this video, please take some time to comment on the video, because it would be really, really nice encouragement to me. And also if you think you have an audience who would find this type of video interesting, please do share, so then a lot of people will get the benefit of having this type of thing. In the next video let's talk about how to control methods based on the user roles. Then stay safe, take care, see you again.
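As an added example, not code from the video or its GitHub repository, this is what the resource-server side described above looks like in Spring Boot with the Spring Security OAuth2 stack: the properties that point token validation at the authorization server's check_token endpoint, and the class carrying @EnableResourceServer. The video stops at the annotation plus the properties (which already protects every request); the adapter below goes one step further and makes the rules explicit, with an unmapped request denied rather than left to defaults. The port 9191, the client id mobile and /oauth/check_token are from the video; the package name, the /profile/** path and the secret placeholder are assumptions.

```java
// application.yml for the profile service (resource-server side). Port 9191, client id
// "mobile" and /oauth/check_token are from the video; the secret is a placeholder that must
// match the client registration on the authorization server.
//
//   server:
//     port: 8181
//   security:
//     oauth2:
//       resource:
//         token-info-uri: http://localhost:9191/oauth/check_token
//       client:
//         client-id: mobile
//         client-secret: <CLIENT_SECRET_FROM_AUTH_SERVER>

package com.example.profile.security;  // package name is an assumption

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer   // the single annotation added in the video: this service is now an OAuth2 resource server
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // each request is authenticated by its bearer token, so no HTTP session is kept
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // /profile/** is an assumed path for the fetch/create endpoints shown in the video;
                // every call must carry a token that /oauth/check_token reports as valid
                .antMatchers("/profile/**").authenticated()
                // anything not explicitly mapped is refused instead of relying on the default rule
                .anyRequest().denyAll();
    }
}
```

With token-info-uri configured, the resource server calls /oauth/check_token on every request, so the authorization server must be reachable from it and that endpoint must accept the call (the permitAll rule the video mentions, or the client id and secret above).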
Info
Channel: Krish Dinesh
Views: 18,623
Keywords: microservices, microservice architecture, Spring boot, java microservices example, microservice example, microservices tutorial, Krish, Krish java, Krish Din, Krishantha Dinesh, Krishantha, building microservices java, microservice java, aws microservices, microservices best practices, creating microservices, springboot, springboot 2.0, spring cloud, microservices course, microservices for beginners, microservices complete
Id: hj-NP09h4uo
Length: 19min 8sec (1148 seconds)
Published: Tue Jun 18 2019