Question

I'm trying to implement an OAuth2 server to protect the endpoints developed in PHP. I have some confusion about what the flow would be to protect my endpoints. I understand that my resource server should be my Apache server that hosts all my endpoints, and my authorization server validates the credentials and provides an access token to access my endpoints. How do my endpoints know that the incoming token is valid? Should each endpoint go to the authentication server and validate that the token they receive is valid? What would be the flow for this context?

Solution

TL;DR: There are tokens (e.g. JWT) that allow your service to authenticate the request just by the contents of the token.

Self-encoded tokens provide a way to avoid storing tokens in a database by encoding all of the necessary information in the token string itself. (Emphasis mine, taken from OAuth.com)

Take for example a JWT (JSON Web Token; see jwt.io for more information about JSON Web Tokens). A JWT basically contains all the information your service needs to verify that the request is legit. A JWT is composed of three Base64-encoded parts, separated by dots: a header, the payload and the signature.

The Header

The header holds information about the token itself. Usually what type of token it is and the algorithm used to sign the token.

{
  "alg": "HS256",
  "typ": "JWT"
}

The Payload

The Payload contains the information you need to know to authorize the request. The JSON is composed of so-called claims, which are fields in the JSON. To avoid collisions, claims may be registered with the IANA, but they don't have to be. Recommended claims are "iss (issuer), exp (expiration time), sub (subject), aud (audience) [...]" (see again jwt.io)

Furthermore you could introduce private claims for finer grained access control, e.g.

"privileges": "UPDATE|INSERT"

(just made something up here, depends on your requirements).

The Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

This is the crucial part. The Header and the Payload can be generated by basically anyone. However, to verify that the token has been issued by your authentication server, you'll have to check the signature against your secret. You may either use an asymmetric or a symmetric algorithm for signature. Validating the signature depends on that very choice. You would either do (pseudocode!)

// $encodedHeader, $encodedPayload and $encodedSignature are the three dot-separated parts of the JWT
// Symmetric (e.g. HS256): recompute the HMAC over "header.payload" with the shared secret
$signingInput = $encodedHeader . '.' . $encodedPayload;
$rawSignature = base64_decode(strtr($encodedSignature, '-_', '+/')); // undo Base64url
$expected = hash_hmac('sha256', $signingInput, $secret, true);
$isValid = hash_equals($expected, $rawSignature); // constant-time comparison

// Asymmetric (e.g. RS256): verify the signature with the issuer's public key
$isValid = openssl_verify($signingInput, $rawSignature, $publicKey, OPENSSL_ALGO_SHA256) === 1;

The advantage of the latter method (asymmetric) is that you can enable a third party to validate your tokens without providing them the possibility to create them and hence impersonate a user.
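As an added example (not code from the original answer), here is a self-contained PHP sketch of the whole flow the answer describes: the authorization server issuing an HS256 JWT with the header and claims discussed above, and the resource server verifying it without any callback to the issuer. It uses only PHP built-ins. The function names `issue_hs256` and `verify_hs256`, the secret, the issuer and audience strings, and the `privileges` claim are made up for illustration.

```php
<?php
// Added example, not part of the original answer. All names and values are made up.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true) ?: '';
}

// Authorization server side: encode header and payload, sign "header.payload" with the shared secret.
function issue_hs256(array $claims, string $secret): string {
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = hash_hmac('sha256', "$header.$payload", $secret, true);
    return "$header.$payload." . base64url_encode($sig);
}

// Resource server side: check the signature, then the claims that bind the token to this service.
// Returns the claims on success, throws with a reason the endpoint can log otherwise.
function verify_hs256(string $jwt, string $secret, string $expectedIss, string $expectedAud, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;

    // Pin the algorithm: the verifier decides how to verify, never the token
    // (this is what rules out "alg":"none" and HS256/RS256 confusion).
    $header = json_decode(base64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected alg');
    }

    // Recompute the MAC over the encoded parts exactly as received and compare in
    // constant time, so a timing difference cannot leak a partially correct signature.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64url_decode($s))) {
        throw new RuntimeException('bad signature');
    }

    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) {
        throw new RuntimeException('malformed payload');
    }
    // A valid signature only proves who issued the token; iss/aud/exp prove it is
    // meant for this service and still within its validity window.
    if (($claims['iss'] ?? null) !== $expectedIss) {
        throw new RuntimeException('wrong issuer');
    }
    if (($claims['aud'] ?? null) !== $expectedAud) {
        throw new RuntimeException('wrong audience');
    }
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        throw new RuntimeException('token expired');
    }
    return $claims;
}

// Demo with made-up values.
$secret = 'change-me-to-a-long-random-secret';   // shared by authorization server and resource server
$now = time();
$jwt = issue_hs256([
    'iss' => 'https://auth.example.test',
    'aud' => 'orders-api',
    'sub' => 'user-42',
    'exp' => $now + 300,
    'privileges' => 'UPDATE|INSERT',   // private claim, as suggested in the answer
], $secret);

$claims = verify_hs256($jwt, $secret, 'https://auth.example.test', 'orders-api', $now);
echo "accepted subject {$claims['sub']} with privileges {$claims['privileges']}\n";

// Anyone can write a header and payload; without the secret the signature no longer matches.
[$h, $p, $s] = explode('.', $jwt);
$forgedPayload = base64url_encode(json_encode(['sub' => 'admin', 'exp' => $now + 300]));
try {
    verify_hs256("$h.$forgedPayload.$s", $secret, 'https://auth.example.test', 'orders-api', $now);
} catch (RuntimeException $e) {
    echo "rejected forged token: {$e->getMessage()}\n";
}
```

The asymmetric variant keeps everything except the signature step: the issuer signs with `openssl_sign` using its private key, and the resource server replaces the `hash_hmac`/`hash_equals` pair with `openssl_verify` against the issuer's public key, which is what lets a third party verify tokens it cannot mint.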

Licensed under: CC-BY-SA with attribution