
I am in the process of spinning up a microservices system with a central Authorization Server that grants tokens with different scopes for accessing individual microservices.

Here is the picture explaining the various service calls. The numbers marked are requests made in the chronological order.


1) In a nutshell, I want the Auth Server to return an access token with a user identifier (id) and scope when the controller makes a login call, just like the following example taken from the Spring tutorial (but this is missing the id). How can I have the id returned with the token? I prefer not to make another REST call as proposed in the tutorial.

$ curl acme:acmesecret@localhost:9999/uaa/oauth/token  \
-d grant_type=authorization_code -d client_id=acme     \
-d redirect_uri=http://example.com -d code=jYWioI
{"access_token":"2219199c-966e-4466-8b7e-12bb9038c9bb","token_type":"bearer","refresh_token":"d193caf4-5643-4988-9a4a-1c03c9d657aa","expires_in":43199,"scope":"openid"}

2) How does the Photo Service, which receives the access token in the "Authorization: Bearer" header, check with the Auth Server to see that the token is valid and has the scope required to access the photo? (For example, if the Auth Server responds back with the list of scopes this token is eligible for, the Post service can check among the list of scopes whether it can provide access.)

3) On a side note, I see that -d code=jYWioI is passed in the above request, but I'm not sure why it is passed and what its purpose is.

brain storm

1 Answer


Here are the answers to your questions.

  1. How can I have the id returned with the token?

You need a TokenEnhancer to do this job. Here is the relevant Stack Overflow question for an example - can I include user information while issuing an access token?

  2. How does the PhotoService check with the AuthServer for validity and required scopes?

It doesn't. That is the whole beauty of this architecture. The scopes and the validity are part of the token itself. The Photo Service receives the token and decodes the information from it. Unless otherwise, you may very well be using JWT tokens. If you go to the website, you will see an example of the token and its decoded value side by side. Here is the screenshot for quick reference.

  3. Why is -d code=jYWioI passed?

I am not sure. The -d parameter of curl (man page here) is used to send data to the server. I am quite sure there is a mistake with that parameter: it is additional to this request and hence the server just ignores it. You should be fine if you removed it.

divinedragon
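The self-contained-token model the answer describes, as an added illustration that is not code from the question, the answer, or Spring: the Authorization Server embeds the user id and scope in a signed JWT (the job a TokenEnhancer does in Spring), and the Photo Service verifies the signature, expiry and scope locally without calling back. The HS256 shared secret, claim names (`user_id`, `scope`, `exp`) and the `photos.read` scope are assumptions for this example; a real deployment would more likely sign with a private key and verify with the public one.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret for this example only (assumption, not from the page).
SECRET = b"constructed-example-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, scopes: list, ttl: int = 3600, now: int = None) -> str:
    """Authorization Server side: the user id and scope ride inside the token,
    so the resource service needs no second REST call to learn them."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"user_id": user_id, "scope": " ".join(scopes), "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def check_token(token: str, required_scope: str, now: int = None):
    """Photo Service side: verify the signature and expiry locally, then check
    the scope. Returns the user id on success, None otherwise. Decoding alone is
    not enough: the signature is what proves the Auth Server issued these claims."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # forged or tampered token
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if header.get("alg") != "HS256":
        return None  # refuse any algorithm other than the one we expect
    if claims.get("exp", 0) <= now:
        return None  # expired
    if required_scope not in claims.get("scope", "").split():
        return None  # valid token, but not eligible for this scope
    return claims.get("user_id")
```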