Need help about Kong and OAuth with self-managed user-database
I need to use Kong and OAuth to build a web app and some other APIs.
Now I have:
- A server for Kong.
- A server storages User Information such as id, username, password. Named it as User-Database.
I need to:
- The web app and some others are going to use APIs with OAuth2.0;
- APIs are provided by Kong only.
According to the document on Kong, I designed out a Resource Owner Password Credential one., and it is like this:
(These APIs are just for getting accessToken, no authentication method)
- User-End post Username&Password to Kong
- Kong routes it to User-Database.
- User-Database verifies the username and password, and post a request to Kong. The request will include username, password, provision_key, autherticated_userid. (*)
- Kong will response a access_token to User-Database, and will also remeber the autherticated_userid, access_token and scope. Kong will remeber them before the access-token expired.
- After User-Database received the response from Kong, it will response too for step 1 & 2, and finally the User-End will get the access-token for future use.
(Got the access-token)
- User-End is going to send request to APIs which need authentication.
There is something I couldn't understand at the step 3.
According to the document on Kong:
$ curl https://your.api.com/oauth2/token \
--header "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" \
--data "client_id=XXX" \
--data "client_secret=XXX" \
--data "scope=XXX" \
--data "provision_key=XXX" \
--data "authenticated_userid=XXX" \
--data "username=XXX" \
--data "password=XXX"
The provision_key is the key the plugin has generated when it has been added to the API, while authenticated_userid is the ID of the end user whose username and password belong to.
Should I storage all the users' information to my self-managed user-database and Kong both?
Or is there something I missed or I could optimizate ?
The documentation of Kong is rather misleading in terms of the Resource Owner Password Grant.
This flow still needs you to implement an Authorization Server, of which the task is:
- To authenticate the user, in this case using the provided username and password
- To authorize the user, i.e. decide whether an access token should be issued, and decide on the scope
Please note that both of these things are entirely up to you.
Your Authorization Server in the end implements its own /authorize endpoint which should work like this:
Your client app posts:
client_id=<your client id>&
client_secret=<your client secret>&
username=<...>&
password=<...>&
grant_type=password&
(optional: scope=space delimited scopes)
Your authorization server keeps the provision_key or retrieves it via Kong Admin API (depending on how your architecture looks like and whether you can use the Admin API from your Auth Server).
Then you can assemble the actual call to Kong's /oauth2/token end point using both the data from the Authorization Server (i.e. the authenticated user ID and the authenticated scope), the provision_key and the client credentials from your client application:
POST https://kong:8443/yourapi/oauth2/token
grant_type=password&
client_id=(...)&
client_secret=(...)&
authenticated_userid=(...)&
authenticated_scope=(...)&
provision_key=(...)
Please also note that it's crucial for the web app to be confidential in case you store the client ID and secret inside it, i.e. use the client secret only server side. For non-trusted applications (mobile, SPAs), it's possible to let the Authorization Server retrieve the client secret for use with Kong, via client ID to secret lookup (also using the Kong Admin API).
- How do I get currency exchange rates via an API such as Google Finance?
- How to retrieve pack list with Shippingbo API?
- Exception in main java.lang.ClassCastException:class java.lang.String can't be cast to class
- Verbix: 403 error in Java API but not browser or Postman
- Can't find the reason my app returns Uncaught TypeError: Cannot read properties of undefined
- ASP.NET Core - AggregateException: some services are not able to be constructed
- Understanding Allow and Deny statements in AWS permission policies
- Passing multiple certificates through Curl request using Guzzle
- Understanding the difference between these two python requests POST calls (data vs. json args)
- How to protect Open xpage REST API using Azure OAuth or Azure API Gateway
- JWT payload does not contain the required claims
- Expo React Native post method not including MEDIA on Django rest framework right path
- Use postman to get a token from a request and send it to another
- Assign Json to a string without serilization in c#
- express Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
- Extracting data from Wikipedia API
- Update a monthly payment subscription to a single payment after a failed payment? Or allowing the customer to do so or not
- What is a __cf_bm cookie?
- Steam API Returns blank json
- Facing errors in fetching data from rest API to my front-end
- How can I find telegram user by id
- Calling REST API from controller codeigniter
- How to store complex json data in model class in flutter
- asp.net core mvc 6 No webpage was found for the web address: https://localhost:7168/Event/DeletePost
- Getx , Flutter how to update state of a variable in a listview builder everytime list loads its taking initial index value only?
- Join query shows error in spring boot but the same query gives the result in postgresql
- HTTP POST Request doesn't resolve a response with Next JS 13
- Postman How to check Not Equal to Condition in Postman?
- how to handle error mechanisms in testing API calls using Karate test framework
- When doing API request, returned error message is different from what server is sending