oAuth = Authorization between services
only giving other service with limited credential.
once user permit different service to access google OAuth gives a token with limited access authorites written. token is JWT
Terminology
Resource Server has burden of security.
flow 1
1. log to photo printing service and say "my picture is in google drive can you access there and fetch my picture and print it?
2. client send request to authrization server
3. authorization server ask resource owner if it is okay to access specific client (print) ? ( list of what client what to do)
4. resource owner says okay
5. authrization sever gives authorization token
6. client use this authorization token to get access token from authorization sever
7. clien use access token to access resource server
8. resource server verify access token with authorization server
9. provides resource to client
flow 2 Implicit Flow (less secure)
1. resource owner make request to client (print app)
2. client ask authorization sever
3. authroization server ask resource owner
4. resource owner says okay
5. authrization server sends access token directly
6. client use access token to access resource server and do its jobs
Usecase , flow3
authorization between microservices
client credential flow = when the client is well trusted
1. provide certain key (that proves i am microservice 1) to Auth Server. microservice 1 only need to access certain info not all.
2. auth server gives access token ( have limited authorities that microservice1 need )
3. micro1 use access token to micro2 and micro2 gives what micro1 want.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
you can go google it about facebook or github and make your own app for login
spring:
security:
oauth2:
client:
registration:
facebook:
client-id: YOUR CLIENT ID GOES HERE
client-secret: YOUR CLIENT SECRET GOES HERE
'WEB > Security' 카테고리의 다른 글
Transport Layer Security, TLS 1.2 and 1.3 (0) | 2022.02.06 |
---|---|
OAuth 2.0 and OpenID Connect (OAtuh 2.0 in depth) (0) | 2021.12.19 |
[java brains] JWT+ Spring Security (0) | 2021.04.18 |
[java brains] JWT (0) | 2021.04.15 |
[java brains] JPA authentication (0) | 2021.04.14 |