Testing OAuth 2.0 Flows with REST-assured: Code Examples

OAuth 2.0 defines four different flows (grant types), but the end goal of every flow is the same: obtain an access token and use it to access protected resources.

The four flows are:

  • Authorization Code Grant
  • Implicit Flow
  • Client Credentials
  • Password Grant Flow

This tutorial provides code examples that use REST-assured to test two of the OAuth 2.0 flows: the Authorization Code Grant and the Client Credentials flow.


Authorization Code Grant Flow

This is the most common flow: a short-lived code is issued and then used to obtain an access_token. The code is returned to the front-end application (the browser) after the user logs in. The access_token is then obtained on the server side, where the client authenticates with its client secret and presents the code it received.

Three steps:

  • 1 - Get Auth Code
  • 2 - Get Access Token
  • 3 - Use Access Token (to access protected resources)

Get Auth Code

The first step is to obtain a code:

import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.response.Response;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import static io.restassured.RestAssured.given;
import java.util.Base64;

public class RestAssuredOAuth2 {

    public static String clientId = "some_client_id";
    public static String redirectUri = "some_redirect_uri";
    public static String scope = "some_scope";
    public static String username = "some_email";
    public static String password = "some_password";

    // Builds an HTTP Basic credential: base64("str1:str2")
    public static String encode(String str1, String str2) {
        return new String(Base64.getEncoder().encode((str1 + ":" + str2).getBytes()));
    }

    // Step 1: ask the authorization endpoint for an authorization code
    public static Response getCode() {
        String authorization = encode(username, password);
        return given()
                .header("authorization", "Basic " + authorization)
                .contentType(ContentType.URLENC)
                .formParam("response_type", "code")
                .queryParam("client_id", clientId)
                .queryParam("redirect_uri", redirectUri)
                .queryParam("scope", scope)
                .post("/oauth2/authorize")
                .then()
                .statusCode(200)
                .extract()
                .response();
    }

    // The code is read from the JSON body of the authorization response
    public static String parseForOAuth2Code(Response response) {
        return response.jsonPath().getString("code");
    }

    @BeforeAll
    public static void setup() {
        RestAssured.baseURI = "https://some-url.com";
    }

    @Test
    public void iShouldGetCode() {
        Response response = getCode();
        String code = parseForOAuth2Code(response);

        Assertions.assertNotNull(code);
    }
}

Get Access Token

Once we have the authorization code, we can request an access_token (the following methods belong to the same class as above):

    public static String grantType = "authorization_code";

    // Step 2: exchange the authorization code for an access token
    public static Response getToken(String authCode) {
        String authorization = encode(username, password);
        return given()
                .header("authorization", "Basic " + authorization)
                .contentType(ContentType.URLENC)
                .queryParam("code", authCode)
                .queryParam("redirect_uri", redirectUri)
                .queryParam("grant_type", grantType)
                .post("/oauth2/token")
                .then()
                .statusCode(200)
                .extract()
                .response();
    }

    public static String parseForAccessToken(Response loginResponse) {
        return loginResponse.jsonPath().getString("access_token");
    }

    @Test
    public void iShouldGetToken() {
        // Obtain a fresh code here: JUnit gives no ordering guarantee between test methods
        String code = parseForOAuth2Code(getCode());
        Response tokenResponse = getToken(code);
        String accessToken = parseForAccessToken(tokenResponse);
        Assertions.assertNotNull(accessToken);
    }

Use Access Token

Finally, once we have a valid access_token, we can request protected resources:

    // Step 3: REST-assured's oauth2() helper sends the token as a Bearer Authorization header
    public static void getUsers(String accessToken) {
        given().auth()
                .oauth2(accessToken)
                .when()
                .get("/users")
                .then()
                .statusCode(200);
    }

We can also send the access token ourselves as an Authorization header with the Bearer prefix.

For example:

    public static void getUsers(String accessToken) {
        given()
                .header("Authorization", "Bearer " + accessToken)
                .when()
                .get("/users")
                .then()
                .statusCode(200);
    }
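To see what the server side of these three steps must check, here is an added example that is not part of the original post: a small in-memory authorization server and resource server in Python, with a client walking through code issuance, the code-for-token exchange and a Bearer-authenticated request. AuthServer, ResourceServer, basic_header and run_flow are names assumed here, the client registry and user list are constructed sample data, and the token endpoint authenticates the client with client_id:client_secret in the Basic header as RFC 6749 describes (the tutorial's encode() is called with username and password instead). The flow also shows two checks a test suite should cover: a code bound to a redirect_uri the client did not register is never issued, and a code that has already been exchanged is rejected on replay.

```python
# Added example (not from the original post): the three steps of the
# authorization code flow against an in-memory authorization server and
# resource server. AuthServer, ResourceServer, basic_header and run_flow
# are assumptions made here; the checks follow RFC 6749 section 4.1.
import base64
import secrets
from dataclasses import dataclass, field


def basic_header(client_id, client_secret):
    """Same construction as the tutorial's encode(): base64("id:secret")."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def _parse_basic(value):
    """Decode 'Basic <base64>' into (client_id, secret); ('', '') on anything malformed."""
    try:
        scheme, b64 = value.split(" ", 1)
        if scheme.lower() != "basic":
            return "", ""
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
        return client_id, secret
    except ValueError:            # covers binascii.Error and UnicodeDecodeError too
        return "", ""


@dataclass
class AuthServer:
    clients: dict                                # client_id -> (secret, registered redirect_uri)
    codes: dict = field(default_factory=dict)    # code -> (client_id, redirect_uri, scope)
    tokens: dict = field(default_factory=dict)   # access_token -> scope

    def authorize(self, client_id, redirect_uri, scope, response_type="code"):
        """Step 1: after the user has logged in, issue a code bound to client and redirect_uri."""
        registered = self.clients.get(client_id)
        if response_type != "code" or registered is None or redirect_uri != registered[1]:
            return 400, {"error": "invalid_request"}   # never issue a code for an unregistered URI
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope)
        return 200, {"code": code}

    def token(self, headers, form):
        """Step 2: the client authenticates with HTTP Basic and trades the code for a token."""
        client_id, secret = _parse_basic(_header(headers, "authorization"))
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], secret):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        record = self.codes.pop(form.get("code", ""), None)   # pop(): a code is single-use
        if record is None or record[0] != client_id or record[1] != form.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = record[2]
        return 200, {"access_token": token, "token_type": "Bearer", "scope": record[2]}


@dataclass
class ResourceServer:
    auth: AuthServer
    users: list = field(default_factory=lambda: ["alice", "bob"])   # constructed sample data

    def get_users(self, headers):
        """Step 3: accept only a known token sent as 'Authorization: Bearer <token>'."""
        scheme, _, token = _header(headers, "authorization").partition(" ")
        if scheme != "Bearer" or token not in self.auth.tokens:
            return 401, {"error": "invalid_token"}
        return 200, {"users": self.users}


def run_flow(auth, resource, client_id, client_secret, redirect_uri, scope):
    """Client side of the tutorial's three steps; returns the status code of each step reached."""
    code_status, code_body = auth.authorize(client_id, redirect_uri, scope)
    if code_status != 200:
        return {"code": code_status}
    form = {"grant_type": "authorization_code", "code": code_body["code"], "redirect_uri": redirect_uri}
    tok_status, tok_body = auth.token(basic_header(client_id, client_secret), form)
    if tok_status != 200:
        return {"code": code_status, "token": tok_status}
    res_status, _ = resource.get_users({"Authorization": "Bearer " + tok_body["access_token"]})
    replay_status, _ = auth.token(basic_header(client_id, client_secret), form)   # same code again
    return {"code": code_status, "token": tok_status, "users": res_status, "replay": replay_status}


if __name__ == "__main__":
    server = AuthServer(clients={"some_client_id": ("some_client_secret", "https://app.example/cb")})
    print(run_flow(server, ResourceServer(server), "some_client_id", "some_client_secret",
                   "https://app.example/cb", "some_scope"))
```

A happy-path run returns 200 for all three steps and 400 for the replayed code; swapping in a wrong client secret stops the flow at the token endpoint with 401, and an unregistered redirect_uri stops it at step 1 with 400. Those are the negative cases worth adding next to the iShouldGetCode and iShouldGetToken tests above.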


Client Credentials Flow

The client credentials flow has no UI (browser) involved and is commonly used for machine-to-machine authorization.

In REST-assured, this looks as follows:

import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import io.restassured.response.Response;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import static io.restassured.RestAssured.given;
import static io.restassured.RestAssured.requestSpecification;

public class RestAssuredOAuth2 {

    public static Response response;

    // Client credentials come from the environment, not from the source tree
    private String userAdminClientId = System.getenv("M2M_USER_ADMIN_CLIENT_ID");
    private String userAdminClientSecret = System.getenv("M2M_USER_ADMIN_CLIENT_SECRET");

    // JSON body of the token request for the client_credentials grant
    private String oauth2Payload = "{ " +
            "  \"client_id\": \"" + userAdminClientId + "\", " +
            "  \"client_secret\": \"" + userAdminClientSecret + "\", " +
            "  \"audience\": \"https://some-url.com/user\", " +
            "  \"grant_type\": \"client_credentials\", " +
            "  \"scope\": \"user:admin\" }";

    private static String createUserPayload = "{ " +
            "  \"username\": \"api-user\", " +
            "  \"email\": \"api-user@putsbox.com\", " +
            "  \"password\": \"Passw0rd123!\", " +
            "  \"firstName\": \"my-first-name\", " +
            "  \"lastName\": \"my-last-name\", " +
            "  \"roles\": [\"read\"] }";

    // Shared request specification carrying the Bearer token for every call made with it
    public void userAdminConfigSetup() {
        requestSpecification = given().auth().oauth2(getAccessToken(oauth2Payload))
                .header("Accept", ContentType.JSON.getAcceptHeader())
                .contentType(ContentType.JSON);
    }

    public String getAccessToken(String payload) {
        return given()
                .contentType(ContentType.JSON)
                .body(payload)
                .post("/token")
                .then().extract().response()
                .jsonPath().getString("access_token");
    }

    @BeforeAll
    public static void setup() {
        RestAssured.baseURI = "https://some-url.com";
    }

    @Test
    public void createUser() {
        userAdminConfigSetup();
        response = given(requestSpecification)
                .body(createUserPayload)
                .post("/user")
                .then().extract().response();

        Assertions.assertEquals(201, response.statusCode());
    }
}
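As an added example that is not part of the original post, here is the same machine-to-machine exchange played out against an in-memory token endpoint and user API in Python, so the checks behind the 201 in createUser are visible. M2mTokenEndpoint, UserApi, CLIENTS, build_oauth2_payload and create_user are names assumed here and the client registry is constructed sample data; the grant itself is the client_credentials grant of RFC 6749 section 4.4, with credentials in the JSON body as the tutorial sends them. The token endpoint limits a client to its registered scopes and audiences, and the API requires the user:admin scope, which is what distinguishes a 201 from a 401 or 403. The payload is built with json.dumps rather than by string concatenation, so a secret or username containing a quote character cannot break or alter the JSON document.

```python
# Added example (not from the original post): the client credentials flow
# with the JSON token request the tutorial sends, checked by an in-memory
# token endpoint and user API. M2mTokenEndpoint, UserApi, CLIENTS and the
# helper functions are assumptions made here; the grant is RFC 6749 section 4.4.
import json
import secrets

# Constructed client registry: client_id -> secret, allowed scopes, allowed audiences
CLIENTS = {
    "user-admin-client": {
        "secret": "constructed-secret",
        "scopes": {"user:admin", "user:read"},
        "audiences": {"https://some-url.com/user"},
    },
}


class M2mTokenEndpoint:
    def __init__(self, clients):
        self.clients = clients
        self.tokens = {}   # access_token -> {"scope": set, "audience": str}

    def post_token(self, body):
        """POST /token with a JSON body, as in the tutorial's oauth2Payload."""
        try:
            req = json.loads(body)
        except json.JSONDecodeError:
            req = None
        if not isinstance(req, dict):
            return 400, {"error": "invalid_request"}
        client = self.clients.get(str(req.get("client_id", "")))
        if client is None or not secrets.compare_digest(client["secret"], str(req.get("client_secret", ""))):
            return 401, {"error": "invalid_client"}
        if req.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        requested = set(str(req.get("scope", "")).split())
        if not requested or not requested <= client["scopes"]:
            return 400, {"error": "invalid_scope"}   # a client gets at most its registered scopes
        audience = str(req.get("audience", ""))
        if audience not in client["audiences"]:
            return 400, {"error": "invalid_request"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"scope": requested, "audience": audience}
        return 200, {"access_token": token, "token_type": "Bearer", "scope": " ".join(sorted(requested))}


class UserApi:
    AUDIENCE = "https://some-url.com/user"

    def __init__(self, issuer):
        self.issuer = issuer
        self.users = []

    def post_user(self, headers, body):
        """POST /user requires a Bearer token for this audience that carries user:admin."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        grant = self.issuer.tokens.get(token) if scheme == "Bearer" else None
        if grant is None or grant["audience"] != self.AUDIENCE:
            return 401, {"error": "invalid_token"}
        if "user:admin" not in grant["scope"]:
            return 403, {"error": "insufficient_scope"}
        try:
            user = json.loads(body)
            username = user["username"]
        except (json.JSONDecodeError, KeyError, TypeError):
            return 400, {"error": "invalid_body"}
        self.users.append(username)
        return 201, {"username": username, "roles": user.get("roles", [])}


def build_oauth2_payload(client_id, client_secret, audience, scope):
    """The document the tutorial assembles by string concatenation, built safely."""
    return json.dumps({
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
        "grant_type": "client_credentials",
        "scope": scope,
    })


def create_user(token_endpoint, api, client_id, client_secret, scope="user:admin"):
    """Mirrors the tutorial's createUser test: fetch a token, then POST /user with it."""
    status, body = token_endpoint.post_token(
        build_oauth2_payload(client_id, client_secret, UserApi.AUDIENCE, scope))
    if status != 200:
        return status
    headers = {"Authorization": "Bearer " + body["access_token"], "Content-Type": "application/json"}
    payload = json.dumps({"username": "api-user", "email": "api-user@putsbox.com",
                          "password": "Passw0rd123!", "roles": ["read"]})
    status, _ = api.post_user(headers, payload)
    return status


if __name__ == "__main__":
    endpoint = M2mTokenEndpoint(CLIENTS)
    print(create_user(endpoint, UserApi(endpoint), "user-admin-client", "constructed-secret"))
```

With the registered secret and the user:admin scope the call returns 201; a wrong secret returns 401 from the token endpoint, a token obtained with only user:read reaches the API but is refused with 403, and a scope the client never registered is refused with 400 before any token is issued. Each of those is a one-line variant of the createUser test above.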


Conclusion

Here we presented code examples with REST-assured showing how to obtain an access_token using OAuth 2.0 flows. Once we have the access_token, we can request protected resources.

I hope you found the above useful.