This post shares the project experience of Yu Zhihai from the JustAuth community (adding an HTTP API login method to JustAuth Plus).

Project review

What is JustAuth Plus (JAP) and what does it do?

JustAuth Plus is a derivative of JustAuth. JustAuth is a tool library for third-party login authorization that integrates many well-known third-party platforms at home and abroad. JustAuth Plus, developed on the basis of JustAuth, is an open source login authentication middleware. Based on a modular design, JustAuth Plus provides a standard technical solution for all WEB applications that require login authentication. JAP lets developers adapt most WEB systems (proprietary systems, federated protocols) as easily as JustAuth. If you want to learn more about JustAuth Plus, you can visit its website: justauth.plus.

Currently, JustAuth Plus supports multiple login authentication methods, such as OAuth 2.0, OIDC, account password, etc., but it does not support login authentication through an HTTP API interface. The requirement of this project is to write an HTTP API module for JustAuth Plus.

Demand analysis

In the “login authentication via an HTTP API interface” flow, there are three principals:

  1. Business System (Developer System)
  2. Third Party Systems (Identity service providers)
  3. The user

When a user logs in to the business system, the user provides authentication information to the business system. The business system then uses the third-party system's HTTP API to send an authentication request and have the user information verified. The schematic is as follows:

For developers of business systems, the business system may need to integrate multiple third-party systems, and the HTTP API protocol specifications exposed by each system may vary. Integrating third-party systems into a business system therefore becomes a tricky business.

In this project, what I need to do is add the HTTP API module to JAP. After a simple configuration of this module, developers can easily integrate the login authentication function of a third-party system into their business system.

Difficulties of the module

Without this module, the third-party system exposes its HTTP API interface to the outside, and the developer must comply with the HTTP authentication protocol when sending the authentication request to the third-party system. This module needs to hide the details of the HTTP authentication protocol from developers, which is the difficulty in developing it.

After consulting many materials and documents (see the references at the end of the article) and studying HTTP authentication in depth, I summed up three HTTP authentication schemes:

1. BASIC authentication

Basic authentication (RFC 7617) is the simplest HTTP authentication scheme. The client sends username:password base64-encoded in the Authorization header. Base64 is encoding, not encryption, so the password is effectively sent in plaintext and can be read by anyone who observes the connection unless TLS is used.

2. DIGEST authentication

Digest authentication was designed to make up for the weakness of BASIC authentication. The server issues a random nonce string, and both parties agree on which fields (username, realm, password, nonce, HTTP method and URI, plus a client nonce and request counter when qop=auth is used) are hashed, so the password itself never crosses the wire. The security is still insufficient: the hash is MD5, the protected response still travels in the clear, and if the server does not enforce nonce freshness and the request counter, an attacker who intercepts an authentication message can replay it and obtain the restricted resource.

3. BEARER authentication

BEARER authentication can also be called Bearer Token authentication (RFC 6750), and we often use JWT as the form of the Bearer Token. The token is the core of Bearer authentication: servers verify the token's validity to authenticate and authorize. Because the token alone proves possession (anyone who holds it can use it), it must only be transmitted over TLS and should be short-lived.

The HTTP API authentication interface exposed by a third-party identity service provider usually uses one of the above three authentication schemes.
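To make the three schemes concrete, here is an added example (written for this article in Python; it is not JAP's code and does not use JAP's API) that builds the Authorization header for Basic, Digest and Bearer, and includes a toy Digest server side that tracks the nonce and request counter so that a captured Digest header cannot be replayed, which is the weakness described above. The Digest computation follows RFC 2617/7616 with qop=auth and MD5. The user names, passwords, realm and token are constructed for the demo; the header details the module has to hide from developers are exactly these.

```python
"""Added example, not JAP code: the three HTTP auth schemes on the wire,
plus a Digest verifier that rejects replayed Authorization headers.
All users, realms, nonces and tokens here are constructed for the demo."""
import base64
import hashlib
import hmac
import re
import secrets

# Matches k="quoted value" or k=unquoted inside a Digest header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def basic_header(user: str, password: str) -> str:
    """RFC 7617: base64("user:password"). Encoding is not encryption, so
    without TLS this is a plaintext password on the wire."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token: str) -> str:
    """RFC 6750: the token alone proves possession; anyone who captures it
    can replay it until it expires, so it must only travel over TLS."""
    return f"Bearer {token}"


def parse_digest_params(header: str) -> dict:
    """Split 'Digest k="v", k2=v2' (a WWW-Authenticate challenge or an
    Authorization header) into a dict. Raises on any other scheme."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest header: {scheme}")
    return {k: (q or u) for k, q, u in _PARAM_RE.findall(params)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, realm, nonce, nc, cnonce, qop="auth"):
    """RFC 2617/7616 MD5 computation with qop=auth:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The password never leaves the client."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, method, uri, challenge: dict, nc=1, cnonce=None):
    """Build the client's Authorization header from a parsed WWW-Authenticate challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    resp = digest_response(user, password, method, uri,
                           challenge["realm"], challenge["nonce"], nc_hex, cnonce)
    return (f'Digest username="{user}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", uri="{uri}", qop=auth, '
            f'nc={nc_hex}, cnonce="{cnonce}", response="{resp}"')


class DigestVerifier:
    """Toy third-party server side. Remembers each issued nonce and the highest
    nonce-count (nc) seen for it, so a captured header replayed verbatim fails."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.passwords = passwords   # constructed demo store; real servers keep HA1, not passwords
        self._nc_seen = {}           # nonce -> highest nc accepted

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._nc_seen[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, authorization: str) -> bool:
        try:
            p = parse_digest_params(authorization)
            user, nonce, nc_hex = p["username"], p["nonce"], p["nc"]
            uri, cnonce, response = p["uri"], p["cnonce"], p["response"]
            nc = int(nc_hex, 16)
        except (ValueError, KeyError):
            return False
        if p.get("realm") != self.realm or nonce not in self._nc_seen:
            return False                       # unknown or expired nonce
        if nc <= self._nc_seen[nonce]:
            return False                       # replay: nc did not advance
        password = self.passwords.get(user)
        if password is None:
            return False
        expected = digest_response(user, password, method, uri, self.realm, nonce, nc_hex, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self._nc_seen[nonce] = nc
        return True


def replay_demo() -> tuple:
    """First use of a Digest header succeeds; the identical header replayed fails."""
    server = DigestVerifier("jap-demo", {"alice": "s3cret"})      # constructed
    ch = parse_digest_params(server.challenge())
    hdr = digest_header("alice", "s3cret", "GET", "/api/v1/source1", ch)
    return server.verify("GET", hdr), server.verify("GET", hdr)


if __name__ == "__main__":
    print(basic_header("alice", "s3cret"))
    print(bearer_header("eyJhbGciOi.constructed.token"))
    print(replay_demo())
```

The replay check is the part most real deployments get wrong: without the per-nonce nc bookkeeping, `verify` would accept the same header forever, which is precisely the interception weakness noted for Digest above.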

Module coding

Once the HTTP authentication protocols are understood, the project code itself is not that complicated.

The schematic diagram of this module is as follows:

Functions and features:

  • Multiple HTTP authentication schemes are supported: BASIC, DIGEST, and BEARER
  • Developers can add custom request headers
  • Developers can add custom request parameters
  • Developers can customize the authentication information resolution policy

Code design:

  • Subject package: classes representing the HTTP authentication request and response headers
  • Util package: the utility class that this module needs to use
  • HttpApiConfig: This class is a configuration class that needs to be configured by the developer
  • HttpApiStrategy: The core class of this module that makes proxy requests to third-party identity service providers

The developer needs to provide an HttpApiConfig when using the HttpApi module; the module combines that configuration with the user's authentication request and initiates the authentication request to the third-party system. Note that in this design the business system handles the user's raw credentials and forwards them, so both legs (user to business system, business system to third party) must use TLS, and the business system should neither log nor persist the credentials it proxies.


DEMO presentation

Because the code has not yet been merged into the official JustAuth Plus repository, the new HttpApi module cannot be directly referenced. The final version may differ from the current version, but this is for demonstration only.

Description of operating environment:

  • System: MacOS BigSur 11.4
  • Compiler: IntelliJ IDEA 2021.1.3
  • JDK: 11.0.11 (Note: the JAP project itself is based on JDK 1.8)
  • Maven: 3.6.3

The following code demonstrates how developers can integrate the JAP-HTTP-API module into their business systems.

1. Import JAP Maven dependencies

<dependency>
    <groupId>com.fujieid</groupId>
    <artifactId>jap</artifactId>
    <version>1.0.3</version>
    <type>pom</type>
</dependency>

2. Write a test Controller

@GetMapping("/basic")
public ResponseEntity authBasic(HttpServletRequest request, HttpServletResponse response) {
    HttpApiStrategy httpApiStrategy = new HttpApiStrategy(new JapHttpApiUserService(), new JapConfig());
    // Configure the HttpApi module
    HttpApiConfig httpApiConfig = new HttpApiConfig()
            // Specify the third party's HTTP authentication scheme
            .setAuthSchema(HttpApiConfig.AuthSchemaEnum.BASIC)
            // Specify the HTTP method used for the request to the third party
            .setHttpMethod(HttpApiConfig.HttpMethodEnum.GET)
            // Specify where the user's incoming authentication information is carried (here: the request body)
            .setAuthInfoField(HttpApiConfig.AuthInfoFieldEnum.BODY)
            // Specify the third party's login URL (a local stub service plays the third-party system here;
            // the scheme is added so the URL is absolute)
            .setLoginUrl("http://localhost:8088/api/v1/source1");

    // Hand the authentication information to the HTTP-API module, which proxies the authentication request
    JapResponse authenticate = httpApiStrategy.authenticate(httpApiConfig, request, response);
    // Read the authentication result. ResponseEntity here is the demo's own (code, message, data)
    // wrapper, not Spring's ResponseEntity.
    if (authenticate.isSuccess()) {
        return new ResponseEntity(200, "login success", authenticate.getData());
    } else {
        return new ResponseEntity(403, "login failure", authenticate.getData());
    }
}

3. Simulate users to send login requests for testing

Project summary

First, the most important thing is to identify the requirements. When I first received the project, my understanding of the requirements was somewhat off: I initially thought it was to implement a full authentication framework in RESTful style, but the actual requirements of the project were completely different. Starting to code without a thorough understanding of the requirements wastes a lot of effort, time and energy. I think this is a mistake many people make when they first come into contact with project development, haha.

Secondly, this project is mainly about implementing HTTP authentication protocols, so I needed to consult many authoritative materials, including but not limited to various articles, RFC documents and encyclopedias. During this period I encountered many new terms and concepts, which then had to be translated into a coding implementation once the requirements were understood.

In terms of coding, designing a framework requires considering the ease of use of the framework, the robustness of the code, the standardization of the code, and so on. Doing these well greatly improves one's coding ability. I also needed to plan during the coding process which part of the code had the highest priority; for example, I made such a plan before coding began.

About the JAP

What is JAP?

JAP is an open source login authentication middleware based on a modular design. It provides a standard technical solution for all WEB applications that require login authentication. Developers can adapt the vast majority of WEB systems (proprietary systems, federated protocols) based on JAP.

What are the features of JAP?

What are the advantages of JAP?

  • Ease of use: JAP's API inherits the simplicity of JustAuth and works right out of the box. JAP highly abstracts various login scenarios and provides multiple sets of simple APIs, greatly reducing the learning and usage cost for developers
  • Comprehensive: JAP fully adapts the third-party platforms supported by JustAuth to achieve third-party login. At the same time, JAP also supports all applications and systems based on the standard OAuth 2.0, OIDC or SAML protocols. In addition, JAP provides project SDKs in different languages for various development scenarios
  • Modular: JAP is designed and developed in a modular way, providing a dedicated modular solution for each login scenario, such as account password, OAuth, OIDC, etc.
  • Standardization: JAP is completely decoupled from business logic, abstracting login-authentication-related logic into a set of standard technical solutions and providing a set of standard policies or interfaces for each business scenario, such as user login, password authentication, and creating and binding accounts to third-party systems, so related business logic can be developed and adapted flexibly and conveniently
  • Generality: JAP can be used not only for third-party login, OAuth authorization, OIDC authentication and other scenarios, but also for the common account and password login scenarios of developers' existing business systems. Basically all login-related business scenarios are covered. For WEB applications, JAP provides solutions for a variety of login scenarios (regardless of development language)

What scenarios does JAP apply to?

JAP applies to all scenarios that require login authentication. Such as:

  • Requirements: For a new project, you need to develop a login and authentication system, and in the long term you need a standard, flexible, and fully functional login authentication feature.
  • Flexible requirements: The existing login module is self-developed, but in a new round of technology planning you want to refactor the login authentication module with a more flexible architecture to adapt to new requirements, such as integrating MFA login, OAuth login, SAML login, etc.
  • Saving trouble: You have too many projects (or many development languages, such as Java, Python, Node, etc.), and each project requires a login authentication module. You want to eliminate this repetitive labor so that R&D staff can invest more time and energy in business development, improving R&D productivity and efficiency.

For more information on JAP, see the JAP Product Technical White Paper

Links

  • Gitee:gitee.com/fujieid/jap
  • Github:github.com/fujieid/jap
  • CodeChina:codechina.csdn.net/fujieid/jap
  • Developer documentation: Justauth.plus

References

  • RFC 7617 - The 'Basic' HTTP Authentication Scheme
  • RFC 7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication
  • RFC 7519 - JSON Web Token (JWT)
  • RFC 2069 - An Extension to HTTP: Digest Access Authentication (obsoleted by RFC 2617 and later by RFC 7616)
  • HTTP authentication - HTTP | MDN (mozilla.org)
  • Other authentication methods - GitHub Docs
  • Digest access authentication - Wikipedia, the Free Encyclopedia (wikipedia.org)