https://getkong.org/plugins/oauth2-authentication
For the demo we again use the books RESTful API as the data interface. Drop the kong database in PostgreSQL from the Kong Gateway - 01 example,
and import the clean, pre-configured backend database kong-20180427.bak (see the installation article How to Install kong-community-edition On Cent OS 7).
[root@contoso ~]# pg_dump --help
Kong started
Configure a book service in Kong
After installing and starting Kong, use the Kong Admin API on port 8001 to add a service named book
[root@contoso ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:25:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"host": "contoso.com",
"created_at": 1525595147,
"connect_timeout": 60000,
"id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1525595147,
"retries": 5,
"write_timeout": 60000
}
The following commands do not need to be run now; they will be useful later
List the routes attached to a named service
curl -i -X GET \
--url http://localhost:8001/services/book/routes
List all routes
curl -i -X GET \
--url http://localhost:8001/routes
Fetch one route by its id
curl -i -X GET \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
Delete one route by its id
curl -i -X DELETE \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
Modify one route by id (hosts). Because every route here belongs to the same book service, setting the methods parameter cannot use different routes to separate permissions per controller method, so methods is left unset.
A PATCH cannot set a parameter back to null; to do that we have to delete the route and create it again.
curl -i -X PATCH \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
Add a route (the paths[] value must match the /v1/books path of the book service)
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:27:51 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525595271,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525595271,
"paths": [
"/v1/books"
],
"service": {
"id": "2d3d56de-02c4-4517-b786-2dc4037bf23d"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "bacfd048-dbcc-453a-bbce-a29e8d3f86b7"
}
Fetch all books through the service address that Kong exposes on port 8000
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:28:40 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 49
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]
curl http://localhost:8001/services/book
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:30:11 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525624193000,
"config": {
"refresh_token_ttl": 1209600,
"scopes": [
"email",
"phone",
"address"
],
"mandatory_scope": true,
"provision_key": "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe",
"hide_credentials": false,
"enable_authorization_code": true,
"enable_implicit_grant": false,
"global_credentials": false,
"accept_http_if_already_terminated": false,
"enable_password_grant": false,
"enable_client_credentials": false,
"anonymous": "",
"token_expiration": 7200,
"auth_header_name": "authorization"
},
"id": "acacd3e0-1c16-4301-8572-51221b46e997",
"enabled": true,
"service_id": "2d3d56de-02c4-4517-b786-2dc4037bf23d",
"name": "oauth2"
}
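The plugin object above is what a reviewer reads before the service goes live. The following is an added example, not Kong's own code: it turns the documented meaning of each oauth2 plugin config field into a small audit and runs it over the configuration returned above (the dict below is constructed from that response). The `max_token_ttl` threshold is an assumption chosen for this review, not a Kong setting.

```python
"""Audit a Kong oauth2 plugin object (as returned by the Admin API).

Added example, not Kong's own code. The checks follow the documented meaning
of each config field; max_token_ttl is an assumed review threshold.
"""

# Constructed from the plugin-creation response in the walkthrough above.
PLUGIN_RESPONSE = {
    "name": "oauth2",
    "enabled": True,
    "config": {
        "refresh_token_ttl": 1209600,
        "scopes": ["email", "phone", "address"],
        "mandatory_scope": True,
        "provision_key": "5o5KnTRlpySbf7ViwYSkWPAZZ4vufSwe",
        "hide_credentials": False,
        "enable_authorization_code": True,
        "enable_implicit_grant": False,
        "global_credentials": False,
        "accept_http_if_already_terminated": False,
        "enable_password_grant": False,
        "enable_client_credentials": False,
        "anonymous": "",
        "token_expiration": 7200,
        "auth_header_name": "authorization",
    },
}

GRANT_FLAGS = ("enable_authorization_code", "enable_implicit_grant",
               "enable_password_grant", "enable_client_credentials")


def audit_oauth2_config(plugin, max_token_ttl=3600):
    """Return (severity, field, message) findings for one plugin object.

    'high' blocks rollout, 'medium' needs a written justification,
    'info' is worth knowing when reading the setup.
    """
    cfg = plugin.get("config", {})
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    if plugin.get("name") != "oauth2":
        add("high", "name", "not an oauth2 plugin object")
        return findings
    if not plugin.get("enabled", True):
        add("info", "enabled", "plugin is disabled; the service is unprotected")

    # Grant types: the authorization-code grant keeps the client secret and the
    # user's password away from the browser; the other grants give that up.
    if cfg.get("enable_implicit_grant"):
        add("high", "enable_implicit_grant",
            "implicit grant returns the access token in the redirect fragment")
    if cfg.get("enable_password_grant"):
        add("medium", "enable_password_grant",
            "password grant lets the client application handle user passwords")
    if not any(cfg.get(flag) for flag in GRANT_FLAGS):
        add("high", "grant_types", "no grant type enabled; nobody can obtain a token")

    # Credential handling.
    if not cfg.get("hide_credentials"):
        add("info", "hide_credentials", "the bearer token is forwarded to the upstream books API")
    if cfg.get("global_credentials"):
        add("medium", "global_credentials",
            "tokens issued for this service are accepted by every service using the plugin")
    if cfg.get("accept_http_if_already_terminated"):
        add("medium", "accept_http_if_already_terminated",
            "plain HTTP is accepted when X-Forwarded-Proto says https; only safe behind a trusted TLS terminator")
    if cfg.get("anonymous"):
        add("medium", "anonymous", "requests without a valid token fall through as the anonymous consumer")

    # Scope and lifetimes.
    if not cfg.get("mandatory_scope"):
        add("medium", "mandatory_scope", "tokens can be issued without any scope")
    ttl = cfg.get("token_expiration", 0)
    if ttl == 0:
        add("high", "token_expiration", "access tokens never expire")
    elif ttl > max_token_ttl:
        add("info", "token_expiration",
            f"access tokens live {ttl}s, above the {max_token_ttl}s review threshold")
    if cfg.get("refresh_token_ttl", 0) == 0:
        add("medium", "refresh_token_ttl", "refresh tokens never expire")
    if "provision_key" in cfg:
        add("info", "provision_key",
            "Admin API responses carry the provision key in clear; treat captured output as a secret")
    return findings


def worst_severity(findings):
    """Collapse a findings list to its most serious severity ('none' if empty)."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for severity, field, message in audit_oauth2_config(PLUGIN_RESPONSE):
        print(f"[{severity}] {field}: {message}")
```

Run against the walkthrough's configuration the audit reports only informational findings: the token is forwarded upstream because `hide_credentials` is false, the 7200 s lifetime is above the assumed threshold, and the Admin API output contains the provision key. Flipping `enable_implicit_grant` on or setting `token_expiration` to 0 raises the result to high.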
Add a consumer with username jack; the {custom_id} parameter can be omitted, it is a custom unique identifier,
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:33:14 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525624395000,
"username": "jack",
"id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}
Create an application named Book App for consumer jack; the redirect_uri parameter defines the callback address to which code and state are sent
HTTP/1.1 201 Created
Date: Sun, 06 May 2018 16:34:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
"created_at": 1525624457000,
"id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
"redirect_uri": [
"http://getkong.org/"
],
"name": "Book App",
"client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
"consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}
Query the consumer's application information by {client_id}
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:35:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"total": 1,
"data": [
{
"created_at": 1525624457000,
"client_id": "LzFEyMMaQyRIHsSsqfonZfofQIHigOF4",
"id": "4858dcb0-9f2b-4d6e-acc5-c76f9ac5ca17",
"redirect_uri": [
"http://getkong.org/"
],
"name": "Book App",
"client_secret": "YhCHW7xISxmTPd41qJFkjDkcsurVADUV",
"consumer_id": "786d2951-2744-4de2-bcf2-448b6b0ac954"
}
]
}
Read one book record through the service address that Kong exposes on port 8000; in fact Kong, while forwarding
HTTP/1.1 401 Unauthorized
Date: Sun, 06 May 2018 16:35:55 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
WWW-Authenticate: Bearer realm="service"
{
"error_description": "The access token is missing",
"error": "invalid_request"
}
Obviously, the command supplied no access token, so it can no longer reach the books API,
the key-value pair {username:password} string [email protected]:123456
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:40:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache
{"redirect_uri":"http:\/\/getkong.org\/?code=QEdYs44He66RewGGE4KVDxp2nm0mgweS&state=xyz"}
The client then sends a second request consisting of the parameters {grant_type},{client_id},{client_secret},{code}
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:41:32 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache
{
"refresh_token": "Wj51vhdah1Ow9VGl6VTIZZKYqvlln8iv",
"token_type": "bearer",
"access_token": "90zG0QVO9m921iS51dLAFGMJnNky7IgK",
"expires_in": 7200
}
We have now exchanged a random code for an access token and a refresh token
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Sun, 06 May 2018 16:43:22 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 44
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]
[root@contoso ~]# curl -i -X GET \
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Sun, 06 May 2018 16:44:18 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 27
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
[
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
}
]
Use a refresh token to obtain a new access token and a new refresh token; the previous refresh token and access token are invalidated immediately
[root@contoso ~]# curl -i -X POST https://localhost:8443/v1/books/oauth2/token \
--header 'Host: contoso.com' \
HTTP/1.1 200 OK
Date: Sun, 06 May 2018 16:45:25 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
cache-control: no-store
pragma: no-cache
{
"refresh_token": "0mKdeGqC4LZRzNNwlhNj5OyaAZXRajZp",
"token_type": "bearer",
"access_token": "XNURzUlIi4gtwkjZPeWkQrv0QMZnUFET",
"expires_in": 7200
}
Use the new access token to delete one book record
[root@contoso ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/2 \
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 32
X-Kong-Proxy-Latency: 3
Via: kong/0.13.1
{"message":"deleted successfully"}
Use the new access token to add one book record
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Sun, 06 May 2018 16:48:47 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
{"message":"inserted successfully"}