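This demo again uses the books RESTful API as the data interface. Drop the kong database in PostgreSQL that was used in the Kong Gateway - 01 example,
then import a clean, pre-configured backend database, kong-20180427.bak
(see the installation guide, How to Install kong-community-edition On Cent OS 7).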
[[email protected] ~]# pg_dump --help
[[email protected] ~]# psql --help
[[email protected] ~]# dropdb --help
[[email protected] ~]# createdb --help
[[email protected] ~]# kong stop # the kong service must be stopped first
[[email protected] ~]# dropdb -h 127.0.0.1 -p 5432 -U postgres kong # drop the kong database
Password: 123456
[[email protected] ~]# createdb -h 127.0.0.1 -p 5432 -U postgres kong # create the kong database
Password: 123456
[[email protected] ~]# psql -h 127.0.0.1 -p 5432 -U postgres -d kong < /opt/kong-20180427.bak # restore the kong database
Password for user postgres: 123456
[[email protected] ~]# kong start
Kong started
Configure a book service with Kong
After installing and starting Kong, use Kong's Admin API on port 8001 to add a service named book
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/ \
--data 'name=book' \
--data 'url=http://contoso.com/v1/books'
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 13:58:02 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"host": "contoso.com",
"created_at": 1525672682,
"connect_timeout": 60000,
"id": "a5b8bd64-2a69-42d3-aa9f-031a912cc89e",
"protocol": "http",
"name": "book",
"read_timeout": 60000,
"port": 80,
"path": "/v1/books",
"updated_at": 1525672682,
"retries": 5,
"write_timeout": 60000
}
The following commands may be useful later, so they are listed here.
List the routes assigned to a named service
curl -i -X GET \
--url http://localhost:8001/services/book/routes
List all routes
curl -i -X GET \
--url http://localhost:8001/routes
Get one route by route id
curl -i -X GET \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
Delete one route by route id
curl -i -X DELETE \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede
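Update one route by id and hosts. For one and the same book service, setting the methods parameter
cannot be used to separate controller-method permissions across different routes, so methods is left unset.
A PATCH on a route cannot set a parameter back to null; the only way is to delete the route and create it again.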
curl -i -X PATCH \
--url http://localhost:8001/routes/4e0ddea7-ec70-41b9-bdd1-9b7c893b8ede \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
Add a route (the paths[] value must match /v1/books in the book service)
to expose the book service to users. The book service does not need more than one route.
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/book/routes \
--data 'hosts[]=contoso.com' \
--data 'paths[]=/v1/books'
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 13:58:44 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525672724,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525672724,
"paths": [
"/v1/books"
],
"service": {
"id": "a5b8bd64-2a69-42d3-aa9f-031a912cc89e"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "63eaa9de-1ae9-4b60-baab-171246406b48" // {route_id} = id
}
Fetch all books through the service address that Kong exposes on port 8000
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Mon, 07 May 2018 13:59:14 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 47
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]
curl http://localhost:8001/services/book
curl http://localhost:8001/services/book/plugins
Enable the JWT plugin for the book service
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/services/book/plugins \
--data "name=jwt"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 14:03:06 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525701786000,
"config": {
"cookie_names": { },
"secret_is_base64": false,
"key_claim_name": "iss",
"anonymous": "",
"run_on_preflight": true,
"uri_param_names": [
"jwt"
]
},
"id": "9370ed94-8a16-454e-b7f3-c517a457c246",
"enabled": true,
"service_id": "a5b8bd64-2a69-42d3-aa9f-031a912cc89e",
"name": "jwt"
}
Enable the JWT plugin for route {route_id}
http://localhost:8001/routes/{route_id}/plugins
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/routes/63eaa9de-1ae9-4b60-baab-171246406b48/plugins \
--data "name=jwt"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 14:21:03 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525702863000,
"config": {
"cookie_names": { },
"secret_is_base64": false,
"key_claim_name": "iss",
"anonymous": "",
"run_on_preflight": true,
"uri_param_names": [
"jwt"
]
},
"id": "c2a74d2e-524d-4c65-b4c0-90b551f64049", // jwt plugin id
"enabled": true,
"route_id": "63eaa9de-1ae9-4b60-baab-171246406b48",
"name": "jwt"
}
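Add a consumer with username jack. The {custom_id} parameter can be omitted; it is a custom unique identifier
whose purpose is to map the consumer jack to a record in another database.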
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/consumers/ \
--data "username=jack"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 14:40:42 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525704042000,
"username": "jack",
"id": "10a72138-ee94-4556-8bf3-25657d48e535" // consumer_id = id
}
Create a JWT credential
http://localhost:8001/consumers/{consumer_id or username}/jwt
[[email protected] ~]# curl -i -X POST \
--url http://localhost:8001/consumers/jack/jwt \
--header "Content-Type: application/x-www-form-urlencoded"
HTTP/1.1 201 Created
Date: Mon, 07 May 2018 14:48:57 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525704537000,
"id": "75a35c9f-477f-4c5c-83fa-958c74714891",
"algorithm": "HS256",
"key": "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg",
"secret": "yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb",
"consumer_id": "10a72138-ee94-4556-8bf3-25657d48e535"
}
List the JWT credentials of consumer jack
http://localhost:8001/consumers/{consumer_id or username}/jwt
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8001/consumers/jack/jwt
HTTP/1.1 200 OK
Date: Mon, 07 May 2018 15:02:03 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"total": 1,
"data": [
{
"created_at": 1525704537000,
"id": "75a35c9f-477f-4c5c-83fa-958c74714891",
"algorithm": "HS256",
"key": "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg",
"secret": "yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb",
"consumer_id": "10a72138-ee94-4556-8bf3-25657d48e535"
}
]
}
Online JWT encoder and decoder: https://jwt.io/
HEADER:ALGORITHM & TOKEN TYPE
{
"alg": "HS256",
"typ": "JWT"
}
PAYLOAD:DATA
{
"iss": "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg", // the key value
"exp": 1442430054, // 2015/9/17 3:0:54
"nbf": 1442426454, // 2015/9/17 2:0:54
"iat": 1442426454 // 2015/9/17 2:0:54
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
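yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb // the secret value
) secret base64 encoded // config.secret_is_base64=false is the default, so leave this box unchecked
We now have a JWT access token from the text box on the left side of the https://jwt.io/ page,
so the books endpoint can now be accessed.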
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8000/v1/books \
--header 'Host: contoso.com' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 244
Connection: keep-alive
Date: Tue, 08 May 2018 02:41:05 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 77
X-Kong-Proxy-Latency: 45
Via: kong/0.13.1
[
{
"id": 1,
"title": "Fashion That Changed the World",
"author": "Jennifer Croll"
},
{
"id": 2,
"title": "Brigitte Bardot - My Life in Fashion",
"author": "Henry-Jean Servat and Brigitte Bardot"
},
{
"id": 3,
"title": "The Fashion Image",
"author": "Thomas Werner"
}
]
[[email protected] ~]# curl -i -X GET \
--url https://localhost:8443/v1/books/3 \
--header 'Host: contoso.com' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 63
Connection: keep-alive
Date: Tue, 08 May 2018 03:03:49 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 53
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
[{"id":3,"title":"The Fashion Image","author":"Thomas Werner"}]
[[email protected] ~]# curl -i -X DELETE \
--url https://localhost:8443/v1/books/3 \
--header 'Host: contoso.com' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 34
Connection: keep-alive
Date: Tue, 08 May 2018 03:07:15 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 44
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
{"message":"deleted successfully"}
[[email protected] ~]# curl -i -X POST \
--url https://localhost:8443/v1/books \
--data 'title=TiDB in Action' \
--data 'author=Tomson' \
--header 'Host: contoso.com' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI' --insecure
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 35
Connection: keep-alive
Date: Tue, 08 May 2018 03:09:36 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 41
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
{"message":"inserted successfully"}
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8000/v1/books?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI \
--header 'Host: contoso.com'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 234
Connection: keep-alive
Date: Tue, 08 May 2018 03:17:54 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 29
X-Kong-Proxy-Latency: 0
Via: kong/0.13.1
[{"id":1,"title":"Fashion That Changed the World","author":"Jennifer Croll"},{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"},{"id":4,"title":"TiDB in Action","author":"Tomson"}]
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8001/routes
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 03:46:00 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"next": null,
"data": [
{
"created_at": 1525672724,
"strip_path": true,
"hosts": [
"contoso.com"
],
"preserve_host": false,
"regex_priority": 0,
"updated_at": 1525672724,
"paths": [
"/v1/books"
],
"service": {
"id": "a5b8bd64-2a69-42d3-aa9f-031a912cc89e"
},
"methods": null,
"protocols": [
"http",
"https"
],
"id": "63eaa9de-1ae9-4b60-baab-171246406b48"
}
]
}
Get one plugin by jwt plugin id
[[email protected] ~]# curl -i -X GET \
--url http://localhost:8001/plugins/c2a74d2e-524d-4c65-b4c0-90b551f64049
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 04:17:46 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525702863000,
"config": {
"cookie_names": { },
"secret_is_base64": false,
"key_claim_name": "iss",
"anonymous": "",
"run_on_preflight": true,
"uri_param_names": [
"jwt"
]
},
"id": "c2a74d2e-524d-4c65-b4c0-90b551f64049",
"name": "jwt",
"enabled": true,
"route_id": "63eaa9de-1ae9-4b60-baab-171246406b48"
}
http://localhost:8001/plugins/{jwt plugin id}
[[email protected] ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/c2a74d2e-524d-4c65-b4c0-90b551f64049 \
--data "config.cookie_names=book-jwt-cookie"
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 04:24:18 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525702863000,
"config": {
"key_claim_name": "iss",
"cookie_names": [
"book-jwt-cookie"
],
"secret_is_base64": false,
"anonymous": "",
"run_on_preflight": true,
"uri_param_names": [
"jwt"
]
},
"id": "c2a74d2e-524d-4c65-b4c0-90b551f64049",
"enabled": true,
"route_id": "63eaa9de-1ae9-4b60-baab-171246406b48",
"name": "jwt"
}
[[email protected] ~]# curl -i -X GET \
--header 'Host: contoso.com' \
--cookie book-jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI \
--url http://localhost:8000/v1/books/2
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Tue, 08 May 2018 04:52:10 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 25
X-Kong-Proxy-Latency: 39
Via: kong/0.13.1
[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]
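iss: the issuer(s) of the JWT (on verification, checks whether the token came from that issuer)
sub: the subject (owner) of the JWT (on verification, checks whether it is the owner)
aud: the audience(s) of the JWT (on verification, checks whether I am one of them)
exp: the expiration time of the JWT; it must be later than the JWT's issue time
nbf: the time from which the JWT takes effect
iat: the time the JWT was issued; the claims_to_verify setting does not accept iat
jti: a unique identifier for the JWT, mainly used to make the token one-time-use and so avoid replay attacks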
{"config.claims_to_verify":"\"iat\" is not allowed. Allowed values are: \"exp\", \"nbf\""}
Enable verification of the JWT expiration time and the JWT not-before time
[[email protected] ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/c2a74d2e-524d-4c65-b4c0-90b551f64049 \
--data "config.claims_to_verify=exp,nbf"
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 06:54:27 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525702863000,
"config": {
"claims_to_verify": [
"exp",
"nbf"
],
"secret_is_base64": false,
"key_claim_name": "iss",
"cookie_names": [
"book-jwt-cookie"
],
"anonymous": "",
"run_on_preflight": true,
"uri_param_names": [
"jwt"
]
},
"id": "c2a74d2e-524d-4c65-b4c0-90b551f64049",
"enabled": true,
"route_id": "63eaa9de-1ae9-4b60-baab-171246406b48",
"name": "jwt"
}
[[email protected] ~]# curl -i -X GET \
--header 'Host: contoso.com' \
--cookie book-jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTQ0MjQzMDA1NCwibmJmIjoxNDQyNDI2NDU0LCJpYXQiOjE0NDI0MjY0NTR9.Ct0NQWaIBXZs7s0SOK86l7RcxqznOdTREkcfcORoxiI \
--url http://localhost:8000/v1/books/2
HTTP/1.1 401 Unauthorized
Date: Tue, 08 May 2018 07:26:47 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
{"exp":"token expired"}
[[email protected] ~]# curl -i -X PATCH \
--url http://localhost:8001/plugins/c2a74d2e-524d-4c65-b4c0-90b551f64049 \
--data "config.claims_to_verify=exp,nbf" \
--data "config.cookie_names=jwt-cookie" \
--data "config.secret_is_base64=true"
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 09:57:23 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525702863000,
"config": {
"secret_is_base64": true,
"cookie_names": [
"jwt-cookie"
],
"claims_to_verify": [
"exp",
"nbf"
],
"key_claim_name": "iss",
"anonymous": "",
"run_on_preflight": true,
"uri_param_names": [
"jwt"
]
},
"id": "c2a74d2e-524d-4c65-b4c0-90b551f64049",
"enabled": true,
"route_id": "63eaa9de-1ae9-4b60-baab-171246406b48",
"name": "jwt"
}
Online JWT encoder and decoder: https://jwt.io/
Unix timestamp converter: http://tool.chinaz.com/Tools/unixtime.aspx
HEADER:ALGORITHM & TOKEN TYPE
{
"alg": "HS256",
"typ": "JWT"
}
PAYLOAD:DATA
{
"iss": "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg", // the key value
"exp": 1525793425, // 2018/5/8 23:30:25
"nbf": 1525775425, // 2018/5/8 18:30:25
"iat": 1525775425 // 2018/5/8 18:30:25
}
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb // the secret value
) secret base64 encoded // config.secret_is_base64=true (the default is false), so this box must be checked
[[email protected] ~]# timedatectl status
Note: at this moment the operating system shows Local time: Tue 2018-05-08 18:15:12 CST
[[email protected] ~]# curl -i -X GET \
--header 'Host: contoso.com' \
--cookie jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTUyNTc5MzQyNSwibmJmIjoxNTI1Nzc1NDI1LCJpYXQiOjE1MjU3NzU0MjV9.0Cv8rJkXTMNKAvPTOBV1w0UYVhRx3XRb6xJofxloRuA \
--url http://localhost:8000/v1/books/2
HTTP/1.1 401 Unauthorized
Date: Tue, 08 May 2018 10:15:20 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: kong/0.13.1
{"nbf":"token not valid yet"}
The response above means the JWT is well-formed; it simply will not take effect for another 15 minutes 05 seconds.
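The jwt.io signing recipe and the gateway-side checks walked through above (credential selected by iss, HS256 signature, claims_to_verify, secret_is_base64), as an added Python example that is not code from the original post or from Kong. verify is a simplified model: the base64 handling in mac and every result string other than "token expired" and "token not valid yet" are assumptions. The now values are UTC epoch seconds, so the server's time zone plays no part in the exp/nbf comparison, and the first two results show why the 2015 token was accepted until exp was listed in claims_to_verify.

```python
import base64, hashlib, hmac, json

# Credential key and secret as listed on the page for consumer jack.
KEY, SECRET = "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg", "yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mac(signing_input, secret, secret_is_base64):
    # Assumption: secret_is_base64=true means the stored secret is base64-decoded
    # before use, as jwt.io's "secret base64 encoded" checkbox does.
    key = base64.b64decode(secret) if secret_is_base64 else secret.encode()
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims, secret, secret_is_base64=False):
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(mac(signing_input, secret, secret_is_base64))

def verify(token, credentials, now, claims_to_verify=(), secret_is_base64=False):
    """Simplified model of the gateway-side checks; returns a result string."""
    try:
        head, body, sig = token.split(".")
        header, claims = (json.loads(b64url_decode(s)) for s in (head, body))
        signature = b64url_decode(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return "bad token"
    if header.get("alg") != "HS256":  # refuse alg=none or any other algorithm
        return "invalid algorithm"
    iss = claims.get("iss")  # key_claim_name=iss selects the credential
    secret = credentials.get(iss) if isinstance(iss, str) else None
    if secret is None:
        return "unknown issuer"
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(mac(head + "." + body, secret, secret_is_base64), signature):
        return "invalid signature"
    for name in claims_to_verify:  # a listed claim must be present and numeric
        if not isinstance(claims.get(name), (int, float)):
            return name + " claim missing"
    if "exp" in claims_to_verify and now >= claims["exp"]:
        return "token expired"
    if "nbf" in claims_to_verify and now < claims["nbf"]:
        return "token not valid yet"
    return "ok"

def demo():
    creds, checks = {KEY: SECRET}, ("exp", "nbf")
    old = sign({"iss": KEY, "exp": 1442430054, "nbf": 1442426454, "iat": 1442426454}, SECRET)
    new = sign({"iss": KEY, "exp": 1525793425, "nbf": 1525775425, "iat": 1525775425}, SECRET, True)
    return [verify(old, creds, 1525774520),                 # nothing verified
            verify(old, creds, 1525774520, checks),
            verify(new, creds, 1525774520, checks, True),   # 10:15:20 UTC, 905 s early
            verify(new, creds, 1525775479, checks, True),   # 10:31:19 UTC
            verify(new, creds, 1525775479, checks, False)]  # base64 flag mismatch
```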
[[email protected] ~]# timedatectl status
Local time: Tue 2018-05-08 18:23:58 CST // go by local time; it is the actual current time
Universal time: Tue 2018-05-08 10:23:58 UTC // differs from the actual time by 8 hours
RTC time: Tue 2018-05-08 10:23:58
Time zone: Asia/Shanghai (CST, +0800)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
[[email protected] ~]# curl -i -X GET \
--header 'Host: contoso.com' \
--cookie jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYSnFRMXpSQVhUWk52dlNHZ1Nsb1FyejczOFBqT0hFZyIsImV4cCI6MTUyNTc5MzQyNSwibmJmIjoxNTI1Nzc1NDI1LCJpYXQiOjE1MjU3NzU0MjV9.0Cv8rJkXTMNKAvPTOBV1w0UYVhRx3XRb6xJofxloRuA \
--url http://localhost:8000/v1/books/2
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 106
Connection: keep-alive
Date: Tue, 08 May 2018 10:31:19 GMT // actual time, Local time: Tue 2018-05-08 18:31:19 CST
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.13
X-Powered-By: PHP/7.1.13
X-Kong-Upstream-Latency: 23
X-Kong-Proxy-Latency: 31
Via: kong/0.13.1
[{"id":2,"title":"Brigitte Bardot - My Life in Fashion","author":"Henry-Jean Servat and Brigitte Bardot"}]
[[email protected] ~]# curl -i -X GET http://localhost:8001/jwts
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 13:36:36 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"total": 1,
"data": [
{
"created_at": 1525704537000,
"id": "75a35c9f-477f-4c5c-83fa-958c74714891",
"algorithm": "HS256",
"key": "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg",
"secret": "yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb",
"consumer_id": "10a72138-ee94-4556-8bf3-25657d48e535"
}
]
}
[[email protected] ~]# curl -i -X GET http://localhost:8001/jwts
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 13:40:16 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"total": 1,
"data": [
{
"created_at": 1525704537000,
"id": "75a35c9f-477f-4c5c-83fa-958c74714891",
"algorithm": "HS256",
"key": "XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg",
"secret": "yMvLqFmwg9xAWrmfHZ1UF7xMU50AfPFb",
"consumer_id": "10a72138-ee94-4556-8bf3-25657d48e535"
}
]
}
http://localhost:8001/jwts/{key or id}/consumer
[[email protected] ~]# curl -i -X GET http://localhost:8001/jwts/XJqQ1zRAXTZNvvSGgSloQrz738PjOHEg/consumer
HTTP/1.1 200 OK
Date: Tue, 08 May 2018 13:43:03 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/0.13.1
{
"created_at": 1525704042000,
"username": "jack",
"id": "10a72138-ee94-4556-8bf3-25657d48e535"
}