
Excellent Edge Service serves as the entry point to the Excellent Bookshop system and handles cross-cutting concerns such as authentication, authorization, and caching, using Spring Cloud Gateway, Resilience4J, and Redis.


Excellent-Bookshop/excellent-edge


Edge Services

This project provides an API Gateway and handles cross-cutting concerns using Spring Cloud Gateway, Spring Security, KeyCloak, and Redis.

  • API Gateway is a common pattern in distributed architectures.
  • Spring Cloud Gateway is a project built on top of Spring WebFlux and Project Reactor to provide API Gateway and a central place to handle cross-cutting concerns like security, resilience, and monitoring.
  • An API Gateway provides an entry point to the system.
  • Authentication and Authorization


1. Spring Cloud Gateway

  • Spring Cloud Gateway provides three main building blocks:
    • Route: This is identified by a unique ID, a collection of predicates for deciding whether to follow the route, and a URI for forwarding the request if the predicates allow.
    • Predicate: This matches anything from the HTTP request, including path, host, headers, query parameters, cookies, and body.
    • Filter: This modifies an HTTP request or response before or after forwarding the request to the downstream service.

2. Fault Tolerance with Spring Cloud Circuit Breaker and Resilience4J

  • Resilience is a critical property in a cloud native system.

3. Authentication:

Security is one of the most critical aspects of web applications.

  • Resource control systems grant users access only when their identity has been proven and they have the required permissions.

  • To accomplish that, three pivotal steps must be followed:

    1. Identification: happens when a user claims an identity (for example, by providing a username or email).
    2. Authentication: verifies the user's claimed identity through factors such as a passport, a driver's license, a password, or a token. When multiple factors are used to verify the identity, it is called multi-factor authentication.
    3. Authorization: always happens after authentication, and checks what the user is allowed to do in a given context.
  • The central place for defining and configuring security policies in Spring Security is a SecurityWebFilterChain bean. That object tells the framework which filters should be enabled.

3.1 KeyCloak

  • KeyCloak is an open-source identity and access management solution developed and managed by Red Hat.
  • Use docker-compose to create a KeyCloak container.

Create a realm

docker exec -it excellent-keycloak bash

cd /opt/keycloak/bin

./kcadm.sh config credentials --server http://localhost:8080 --realm master --user user --password password

./kcadm.sh create realms -s realm=PairingService -s enabled=true

Create roles

./kcadm.sh create roles -r PairingService -s name=employee
./kcadm.sh create roles -r PairingService -s name=customer

  • Since my system's main actors are just employee and customer, two roles are created.

Create users and assign roles

./kcadm.sh create users -r PairingService -s username=chiskien -s firstName=Chis -s lastName=Kien -s enabled=true 

./kcadm.sh create users -r PairingService -s username=taro -s firstName=Virtue -s lastName=Amigo -s enabled=true 

./kcadm.sh add-roles -r PairingService --uusername chiskien --rolename customer

./kcadm.sh set-password -r PairingService --username chiskien --new-password password
./kcadm.sh set-password -r PairingService --username taro --new-password password

3.2 OpenID Connect, JWT, and KeyCloak

Client Dilemma in OAuth2

Register Edge Service as an OAuth2 Client
./kcadm.sh create clients -r PairingService -s clientId=pair-service -s enabled=true -s publicClient=false -s secret=keycloak-secret -s 'redirectUris=["http://localhost:9000", "http://localhost:9000/login/oauth2/code/*"]'   
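
A sketch of how the edge service could use the client registered above through the SecurityWebFilterChain bean described in section 3. This is an added example, not code from this repository. Assumptions: the registration id `keycloak`, the property values listed in the leading comment, the `KEYCLOAK_CLIENT_SECRET` environment variable, and the package name.

```java
// Added example. Assumed application.yml entries (not taken from the repository):
//   spring.security.oauth2.client.registration.keycloak.client-id: pair-service
//   spring.security.oauth2.client.registration.keycloak.client-secret: ${KEYCLOAK_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.keycloak.scope: openid
//   spring.security.oauth2.client.provider.keycloak.issuer-uri: <KeyCloak base URL>/realms/PairingService
package com.example.edge; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

@Configuration(proxyBeanMethods = false)
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(
            ServerHttpSecurity http, ReactiveClientRegistrationRepository clients) {
        return http
            // Every request routed through the gateway needs an authenticated session.
            .authorizeExchange(exchange -> exchange.anyExchange().authenticated())
            // OAuth2 Authorization Code flow. With registration id "keycloak" the
            // callback is /login/oauth2/code/keycloak, which the redirectUris
            // pattern registered for the client has to cover.
            .oauth2Login(Customizer.withDefaults())
            // End the KeyCloak session too, not only the gateway session.
            .logout(logout -> logout.logoutSuccessHandler(oidcLogout(clients)))
            .build();
    }

    private ServerLogoutSuccessHandler oidcLogout(ReactiveClientRegistrationRepository clients) {
        var handler = new OidcClientInitiatedServerLogoutSuccessHandler(clients);
        handler.setPostLogoutRedirectUri("{baseUrl}"); // return to the gateway root
        return handler;
    }
}
```

Reading the client secret from the environment keeps it out of the configuration file and version control.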
