Authentication Service (PART IV)

Christopher Woodward Christopher Woodward
Authentication Service

"The film vault" by Sean_Marshall is licensed under CC BY-NC 2.0

Introduction

In the previous article ( Authentication Service Part III), we completed the discussion of the AuthenticationService implementation and we now have a working AuthenticationService. In this fourth and final article, we will start by updating the API Gateway's routing configuration to include the AuthenticationService. Next we will update our Docker-Compose yml file to include the AuthenticationService, and finish by exercising the service's Swagger web UI.

Requirements

Before you get started, you will need the following:
  • Java
  • Maven
  • Docker
  • Docker-Compose
Refer to the Development Toolbox article if you do not have these installed locally.

UPDATES TO THE API GATEWAY

Once we have the AuthenticationService running we will want to connect it to the API gateway. To accomplish this we will edit the API Gateway's application.yml file to include the routing configuration: 


  routes:
       
    - id: authentication
      uri: lb://AZN-SERVICE 
      predicates:
        - Path= /api/authentication/**
      filters:
        - RewritePath=/api/authentication/(?
  
   .*), /$\{segment}
         
        - name: Hystrix
          args:
            name: HystrixAuthenticationFallback
            fallbackUri: forward:/fallback/authentication
The configuration changes include:

  • id- we set the id to authentication.
  • uri- we use the URI to lb://AZN-SERVICE. This instructs the API gateway to route the calls to an AuthorizationService registered with the DiscoveryService. This allows us to include multiple instances of the AuthenticationService if necessary.
  • predicates- we declare a single path /api/authentication/**. This will serve as the external API root path for all AuthenticationService methods.
  • filters- we will declare a RewritePath filter that will map the API Gateway's AuthenticationService methods prefixed with /api/authentication to the root path / of the target service.

Docker-Compose

We continue the practice of enhancing the previous Docker-Compose file to include the AuthenticationService configuration. 

loading...

Here we configure the service to map to port 7777. We also configuration a number of environment variables that will override the default configuration parameters. This allows us to customize the service's configuration for this deployment.

Authentication Service in Action

We can copy the Docker-Compose file above to your local machine, and run it from the command prompt: 

 docker-compose -f ./dc-08-authentication.yml up -d

Once all the services have started, Point a web browser to http://localhost:7777/swagger-ui.html.

Exercising the service with Swagger web ui client

If we click on the authentication-controller option in our Swagger web client, we can view the listing of our services methods.



In this article, we will only exercise the unsecured methods and those requiring User roles. We will save the administrative features for when we build our AdministrationService.

Register User

We will start by registering a user. To do this, click the /register option. It will expand to display the following form:





Here we supply the new user's first name, middle name,last name, email address, password & confirmation password and click Execute.



The response body JSON contains "success": true indicating that the registration succeeded.

Authenticate User

No that we have created a new user, we can call the /authenticate method with the credentials we supplied for registration.



After clicking the Execute button, check the Responses section.



The response body JSON contains "success": true indicating that the authentication succeeded and "token": with a value of : 

 "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ1c2VyQHRoaW5rbWljcm9zZXJ2aWNlcy5jb20iLCJhY2NvdW50SUQiOiJlMTU0NWZiZi02ZGRkLTQ0ZjItOTBlOC1hYzE1YTJ lMTFmZDYiLCJyZWZyZXNoX3Rva2VuIjoiNWYyYzlhN2EtY2IzZC00MTJjLWFiNzktYjhkYWU3MzQ5MmMxIiwicm9sZXMiOlsidXNlciJdLCJpc3MiOiJUaGlua01pY3Jvc2VydmljZXMuY29tIiwiZXhwIjoxNTg0NzQ3MzgyLCJpYXQiOjE1ODQ3NDczMjIsInJlZnJlc2hfdG9rZW5fZXhwIjoxNTg0NzQ4MjIyNTI5fQ.c5RJwJtAtBcopoXmiJ0_j8-5VbWr3yDava3xNjUJPRgAs5hOZpz-_UfUL6gIRpR-W4Bvzi4I0Tbgovf6b39qCg"
which is the JWT we will supply to our methods requiring authentication. Note: Since our tokens are short lived, you will likely need to re-authenticate to generate a new token for each of the secured methods. You can decode your JWT tokens with the jwt.io debugger. Simply copy the JWT into the Encoded text area, and tick the secret base64 encoded checkbox in the Verify Signature section.



Here we can inspect the decoded header and payload of the JWT.

Change User Password

Now that we have authenticated with our registered credentials, we will change our credentials password. To do this, click on the /changePassword option.



We supply the current password, the new password, and the confirmation password values in the request body JSON. We have another field we need to supply as well:



The Authorization section contains a field for the Authorization Token. This field allows us to set HTTP Authorization header. The value of this field must begin with bearer a space, and a valid JWT generated by the ./authenticate method. When these fields have been set, click the Execute button.



Request Password Recovery Code

The /changePassword method requires that we know our current password. If we have forgotten our password, we can use the /recoverPassword method to send a recovery code via email.



If the email supplied corresponds to an existing account, the user will receive an email containing a recovery code similar to this: 

	
		2e752dcf-5cf8-46b3-a786-2a9a09b43d9e
We will use this recovery code in the next method to change our password.

Change Password with Recovery Code

We will use the previously received recovery code, along with the account email address, the new password, and the confirmation password.



Metrics and Monitoring

The Authentication Service generates the following service-level metrics:
  • registration.new.total
  • authentication.successful..total
  • authentication.failure.total
  • password.changed.total
  • password.recovered.total
This will allow us to monitor for new user registrations,authentication successes and failures, password changes ,and recoveries in the service.

To visualize this data we will import the AuthenticationDashboard.json file from the ThinkMicroservices Github Dashboards repository. The dashboard should appear as:

Grafana Authentication Dashboard

Resources



Coming Up

We have covered alot of ground in the last four articles but we now have an Authentication Service. This is by far the most complex service we will be building so things will be much simpler going forward. Now that we have our AuthenticationService, we can begin building services that have secured features. In the next article, we will build the Account Profile Service.