🚀 Oauth2 between microservices with authorization server

JVillator0 · JVillator0 · commit 49589a2179d2 · 2021-07-19T17:14:48.000-06:00
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,13 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+/vendor/
+composer.lock
diff --git a/README.md b/README.md
@@ -0,0 +1,67 @@
+# OAuth2 between Laravel projects
+
+A package that allows secure communication between two or more projects, focused mainly for use in microservices architectures, adding the Oauth2 authorization standard in addition to security at the network level by IP addresses and whitelists, which may already be owned.
+
+## Features
+
+- Simple implementation
+- It does not increase the latency of requests between microservices.
+- High level of security
+
+## Prerequisites
+
+1. Having an authorization server, it is recommended to use [Laravel Passport](https://laravel.com/docs/8.x/passport#client-credentials-grant-tokens) for this, specifically in the [Client Credentials Grant Tokens](https://laravel.com/docs/8.x/passport#client-credentials-grant-tokens) section
+
+2. Store the file `oauth-public.key` at folder `storage/app/` in the microservices to communicate, this file is provided by the authorization server
+
+## Installation
+
+1. Import the library
+    ```
+    composer require diimolabs/laravel-oauth2-client
+    ```
+
+2. Add the following environment variables:
+    ```
+    OAUTH_HOST=
+    OAUTH_CLIENT_ID=
+    OAUTH_CLIENT_SECRET=
+    ```
+    And fill with the data provided by the authorization server when creating the client corresponding to the project
+
+3. Implement the `middleware` that validates the authorization of the input requests, in the file `app/Http/kernel.php`
+    ```php
+    protected $routeMiddleware = [
+        // Other middleware...
+        'jwt' => \Diimolabs\Oauth2Client\Middleware\EnsureJwtIsValidMiddleware::class
+    ];
+    ```
+
+## Use
+
+Example of requesting a resource to a microservice
+
+```php
+use Diimolabs\Oauth2Client\OAuthHttpClient;
+
+Route::prefix('v1')->group(function(){
+    Route::get('message', function(){
+        return OAuthHttpClient::oauthRequest()
+            ->get('http://msa-2.test/api/v1/hello-world')
+            ->body();
+    });
+});
+
+```
+
+Example of a request from a microservice client
+
+```php
+Route::prefix('v1')->middleware('jwt')->group(function ()
+{
+    Route::get('/hello-world', function ()
+    {
+        return 'Hello world from microservice 2';
+    });
+});
+```
diff --git a/composer.json b/composer.json
@@ -0,0 +1,35 @@
+{
+    "name": "diimolabs/laravel-oauth2-client",
+    "type": "library",
+    "description": "Package to handle communication with authorization between microservices",
+    "keywords": [
+        "laravel",
+        "microservices",
+        "authorization",
+        "oauth"
+    ],
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Javier Villatoro",
+            "email": "javier99.villatoro@gmail.com"
+        }
+    ],
+    "require": {
+        "php": ">=7.4",
+        "firebase/php-jwt": "^5.4",
+        "guzzlehttp/guzzle": "^7.3"
+    },
+    "autoload": {
+        "psr-4": {
+            "Diimolabs\\Oauth2Client\\": "src/"
+        }
+    },
+    "extra": {
+        "laravel": {
+            "providers": [
+                "Diimolabs\\Oauth2Client\\OAuthServiceProvider"
+            ]
+        }
+    }
+}
diff --git a/src/Middleware/EnsureJwtIsValidMiddleware.php b/src/Middleware/EnsureJwtIsValidMiddleware.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace Diimolabs\Oauth2Client\Middleware;
+
+use Closure;
+use Firebase\JWT\JWT;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+
+class EnsureJwtIsValidMiddleware
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param string $scopes
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next, $scopes = "")
+    {
+        try {
+            if (! $request->bearerToken()){
+                return response()->json([
+                    'message' => 'You are not authorized'
+                ], 401);
+            }
+
+            $authorizationHeader = $request->header('Authorization');
+            $jwt = explode(' ', $authorizationHeader)[1];
+
+            $publicKey = file_get_contents(storage_path('app/oauth-public.key'));
+
+            JWT::decode($jwt, $publicKey, ['RS256']);
+        } catch (\Throwable $th) {
+            Log::error("[JWT Valid Error]: " . $th->getMessage() . '. On line:' . $th->getLine());
+
+            return response('Internal server error', 500);
+        }
+
+        return $next($request);
+    }
+}
diff --git a/src/OAuthHttpClient.php b/src/OAuthHttpClient.php
@@ -0,0 +1,77 @@
+<?php
+
+namespace Diimolabs\Oauth2Client;
+
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Storage;
+
+class OAuthHttpClient
+{
+    private static $path;
+
+    private static $host;
+
+    private static $clientId;
+
+    private static $clientSecret;
+
+    private static function getCredentialsInfo() {
+        return collect(json_decode(
+            file_get_contents(self::$path)
+        ));
+    }
+
+    private static function requestToken() {
+        $response = Http::acceptJson()
+            ->post(self::$host . '/oauth/token', [
+                'grant_type' => 'client_credentials',
+                'client_id' => self::$clientId,
+                'client_secret' => self::$clientSecret,
+            ]);
+
+        if($response->failed()){
+            abort(403);
+        }
+
+        Storage::put('oauth-credentials.json.key', $response->body());
+    }
+
+    private static function validateToken() {
+        // check if exist file with token
+        if(!file_exists(self::$path)){
+            self::requestToken();
+        }
+
+        $data = self::getCredentialsInfo();
+
+        $expiredDate = now()->parse(date("Y-m-d H:i:s", $data['expires_in']));
+
+        if(now()->lt($expiredDate)){
+            self::requestToken();
+        }
+    }
+
+    private static function getAuthorizationToken() {
+        self::validateToken();
+
+        return self::getCredentialsInfo()['access_token'];
+    }
+
+    private static function getOauthAuthorization(){
+        return [
+            'Authorization' => 'Bearer ' . self::getAuthorizationToken()
+        ];
+    }
+
+    public static function oauthRequest() {
+        self::$path = storage_path('app/oauth-credentials.json.key');
+        self::$host = config('oauth-client.host');
+        self::$clientId = config('oauth-client.client_id');
+        self::$clientSecret = config('oauth-client.client_secret');
+
+        info(self::$path);
+        return Http::withHeaders(
+            self::getOauthAuthorization()
+        );
+    }
+}
diff --git a/src/OAuthServiceProvider.php b/src/OAuthServiceProvider.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Diimolabs\Oauth2Client;
+
+use Diimolabs\Oauth2Client\OAuthHttpClient;
+use Illuminate\Support\ServiceProvider;
+
+class OAuthServiceProvider extends ServiceProvider
+{
+    public function boot()
+    {
+        $this->publishes([
+            __DIR__ . '/config/oauth-client.php' => config_path('oauth-client.php')
+        ], 'oauth-client');
+    }
+
+    public function register()
+    {
+        $this->app->singleton(OAuthHttpClient::class, function(){
+            return new OAuthHttpClient();
+        });
+    }
+}
diff --git a/src/config/oauth-client.php b/src/config/oauth-client.php
@@ -0,0 +1,36 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | OAuth2 Credentials information
+    |--------------------------------------------------------------------------
+    |
+    | Information required to request tokens from the authorization server
+    |
+    */
+
+    'host' => env('OAUTH_HOST', ''),
+
+    'client_id' => env('OAUTH_CLIENT_ID', ''),
+
+    'client_secret' => env('OAUTH_CLIENT_SECRET', ''),
+
+    /*
+    |--------------------------------------------------------------------------
+    | External services
+    |--------------------------------------------------------------------------
+    |
+    | A key => value pair array that consists on the different external services
+    | that the resource server or application wants to communicate in which can
+    | be called . E.g:
+    | [ 'service1' => 'https://api.service1.com/v1' ]
+    | So, you can use it within your preferred http client package like this:
+    | $this->http->post(config('oauth-client.services.service1') . '/blog')
+    |
+    */
+    'external_services' => [
+        // "example" => "https://myservice.com/api"
+    ],
+];
