假设我们的项目中有几个模块:
鉴权中心:Oauth2服务
订单系统:客户端A
用户管理系统:客户端B
在上面的系统中,每个服务之间的耦合性很低,但是又有着很频繁的调用,这就涉及到UI与其之间的频繁流量交互。如何做到其HA,这里引入k8s的Service方法:
在 Spring Cloud Kubernetes之实战服务注册与发现一文中,就讲解了k8s的Service方式创建服务,然后可以部署多个pod,同时结合 Spring Cloud Kubernetes之实战网关Gateway 来实现LB,类似通过域名来解析其服务,并根据所定义的规则进行LB。同样,本文则是Oauth2的基础上,结合这些来实现微服务的LB。同时此处利用了k8s来作主要处理,如果是其他语言(Python、Go、Rust等)的客户端服务,则自身可以通过逻辑来控制其鉴权以及获取流量的。
注意点:由于各微服务与鉴权中心有交互,故鉴权中心需要提供HA服务,即先在启动类加入@EnableDiscoveryClient ,后续在注入bean时,@LoadBalanced来实现LB鉴权中心。
@EnableOAuth2Sso
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackages = {"com.damon"})
@EnableConfigurationProperties(EnvConfig.class)
@EnableDiscoveryClient #为LB多节点鉴权中心准备
public class AdminApp {
public static void main(String[] args) {
SpringApplication.run(AdminApp.class, args);
}
}在客户端项目模块中,调用鉴权中心时,需要实现LB:
@Configuration
public class BeansConfig {
@Resource
private Environment env;
@LoadBalanced
@Bean
public RestTemplate restTemplate() {
SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
requestFactory.setReadTimeout(env.getProperty("client.http.request.readTimeout", Integer.class, 15000));
requestFactory.setConnectTimeout(env.getProperty("client.http.request.connectTimeout", Integer.class, 3000));
RestTemplate rt = new RestTemplate(requestFactory);
return rt;
}
}另外本身在配置交互的时候,需要加上域名等形式来实现LB,这里利用了k8s的Service来实现。
cas-server-url: http://cas-server-service #这里配置成HA地址
security:
oauth2: #与cas-server对应的配置
client:
client-id: admin-web
client-secret: admin-web-123
user-authorization-uri: ${cas-server-url}/oauth/authorize #是授权码认证方式需要的
access-token-uri: ${cas-server-url}/oauth/token #是密码模式需要用到的获取 token 的接口
resource:
loadBalanced: true
id: admin-web
user-info-uri: ${cas-server-url}/api/user #指定user info的URI
prefer-token-info: false这样,一个客户端关于鉴权的核心就是如此了,同样需要把消费客户端以service形式提供给UI,此时需要借助 [Spring Cloud Kubernetes之实战网关Gateway]() 和nginx代理服务,我们来测试下:curl -X POST -d "username=admin&password=123456&grant_type=password&client_id=admin-web&client_secret=admin-web-123" http://192.168.8.10:5556/cas-server/oauth/token
看到结果:
{"access_token":"5a7892b0-7483-4f60-89fd-44255a429ff6","token_type":"bearer","refresh_token":"23f2e8ea-f091-4ab0-822c-f28bebc4ec08","expires_in":3599,"scope":"all"}通过获取到的access_token来访问对应的客户端:curl -H "Accept: application/json" -H "Authorization:bearer 5a7892b0-7483-4f60-89fd-44255a429ff6" -X GET http://192.168.8.10:5556/admin-web/api/user/getCurrentUser
输出结果:
{"authorities":[{"authority":"admin"}],"details":{"remoteAddress":"10.244.0.196","sessionId":null,"tokenValue":"5a7892b0-7483-4f60-89fd-44255a429ff6","tokenType":"bearer","decodedDetails":null},"authenticated":true,"userAuthentication":{"authorities":[{"authority":"admin"}],"details":{"authorities":[{"authority":"admin"}],"details":{"remoteAddress":"10.244.0.201","sessionId":null,"tokenValue":"5a7892b0-7483-4f60-89fd-44255a429ff6","tokenType":"Bearer","decodedDetails":null},"authenticated":true,"userAuthentication":{"authorities":[{"authority":"admin"}],"details":{"client_secret":"admin-web-123","grant_type":"password","client_id":"admin-web","username":"admin"},"authenticated":true,"principal":{"password":null,"username":"admin","authorities":[{"authority":"admin"}],"accountNonExpired":true,"accountNonLocked":true,"credentialsNonExpired":true,"enabled":true},"credentials":null,"name":"admin"},"oauth2Request":{"clientId":"admin-web","scope":["all"],"requestParameters":{"grant_type":"password","client_id":"admin-web","username":"admin"},"resourceIds":[],"authorities":[],"approved":true,"refresh":false,"redirectUri":null,"responseTypes":[],"extensions":{},"grantType":"password","refreshTokenRequest":null}………最后,这里鉴权的高可用通过k8s的service,进行默认的轮询方式的访问鉴权中心,鉴权中心如果鉴权时不管使用redis还是jwt,来管理token,都是可以的。
