1
00:00:00,240 --> 00:00:07,470
In the previous lecture, we got an access token by invoking the endpoint openid-connect

2
00:00:07,470 --> 00:00:10,320
slash token against our Keycloak server.

3
00:00:10,560 --> 00:00:16,440
So let me try to get the access token one more time, because my previous access token might have expired.

4
00:00:16,800 --> 00:00:22,650
So as you can see in the body, we have to make sure we are passing the client ID, client secret, scope

5
00:00:22,650 --> 00:00:23,570
and grant type.

6
00:00:24,690 --> 00:00:31,680
So once we have these details populated and invoke this API with the POST method, you should get

7
00:00:31,680 --> 00:00:32,729
an access token.

8
00:00:32,970 --> 00:00:35,070
So I got a new access token here.

9
00:00:35,550 --> 00:00:37,260
I'll take this access token.

10
00:00:37,650 --> 00:00:43,620
And here first, I'll try to invoke this myAccount API without passing any access token.

11
00:00:43,620 --> 00:00:46,830
You can see I'm getting 401 Unauthorized.

12
00:00:47,160 --> 00:00:55,500
So now in order to pass this access token to my resource server API, I need to mention a header with

13
00:00:55,500 --> 00:01:03,510
the name Authorization, and the value will be Bearer, space, followed by that access token that you got

14
00:01:03,510 --> 00:01:05,170
from the Keycloak server.

15
00:01:05,489 --> 00:01:10,050
So with this now, if I try to invoke, you can see right now I have 401.

16
00:01:10,500 --> 00:01:16,740
But for this, I'm getting 403 Forbidden, which means I am authenticated.

17
00:01:16,980 --> 00:01:19,230
But I'm not authorized to invoke this.

18
00:01:19,650 --> 00:01:26,970
This is because we have configured, in order to invoke myAccount API, the client application or the

19
00:01:26,970 --> 00:01:33,720
user should have a role of user. Since I have not created any roles and assigned them to the client that

20
00:01:33,720 --> 00:01:37,650
I have created on the Keycloak, it is throwing a Forbidden error.

21
00:01:38,040 --> 00:01:39,990
But let's try to invoke myLoans.

22
00:01:40,410 --> 00:01:46,020
Because for this, only the user should be authenticated and there are no role restrictions.

23
00:01:46,320 --> 00:01:53,160
So if I try to invoke myLoans, and in the body also, we should make sure we are passing the email.

24
00:01:53,460 --> 00:01:57,210
And that is the email that we have present in the database.

25
00:01:58,110 --> 00:02:04,200
As you can see here, I'm getting a 200 response, which means I passed the access token that

26
00:02:04,200 --> 00:02:06,780
I got from the Keycloak server to my resource server.

27
00:02:06,780 --> 00:02:14,190
So wherein, when I am invoking a secured API, my resource server went and validated the access token

28
00:02:14,190 --> 00:02:16,020
that is provided by me.

29
00:02:16,560 --> 00:02:24,420
And once it decided it is a valid access token and I have enough authorization to invoke that particular

30
00:02:24,420 --> 00:02:27,510
API, it is giving a proper response to me.

31
00:02:27,960 --> 00:02:32,640
So now myLoans is working because no roles mapping is needed for that.

32
00:02:32,880 --> 00:02:41,080
But if I invoke, with the same access token, myAccount, as we saw previously, we are getting a 403

33
00:02:41,100 --> 00:02:41,440
error.

34
00:02:41,460 --> 00:02:43,830
So how to resolve this? For the same,

35
00:02:44,160 --> 00:02:46,800
we can go to the Keycloak admin console.

36
00:02:47,070 --> 00:02:48,140
Here we have a Roles

37
00:02:48,150 --> 00:02:49,200
tab.

38
00:02:49,200 --> 00:02:50,100
Click on that.

39
00:02:50,430 --> 00:02:53,670
And by default, we have some predefined roles created.

40
00:02:53,940 --> 00:02:55,770
So I'm trying to create a new role.

41
00:02:56,280 --> 00:02:58,080
And the role name is user.

42
00:02:58,470 --> 00:02:59,490
I'm clicking Save.

43
00:02:59,730 --> 00:03:04,830
Similarly, I will also create one more role, which is admin.

44
00:03:05,490 --> 00:03:11,490
So once I have created these two roles, you can verify that the role names are appearing here.

45
00:03:11,940 --> 00:03:14,790
So I have to map these roles to my client

46
00:03:15,090 --> 00:03:15,700
that I

47
00:03:15,720 --> 00:03:17,640
have created so far. For the same,

48
00:03:17,880 --> 00:03:24,000
I just have to go to Clients, and here the client is Easy Bank API.

49
00:03:24,450 --> 00:03:29,100
Once you click on the client Easy Bank API, there is a Roles tab here.

50
00:03:29,490 --> 00:03:36,170
You just have to click on the Service Account Roles, because this is not an individual user.

51
00:03:36,180 --> 00:03:42,600
This is a service account which we are trying to use inside client credentials

52
00:03:42,600 --> 00:03:42,990
grant.

53
00:03:43,620 --> 00:03:46,500
So I'll click on this Service Account Roles.

54
00:03:46,950 --> 00:03:54,510
So here we have two available roles, adding both of them to the client ID Easy Bank API.

55
00:03:54,750 --> 00:04:01,860
So now my client Easy Bank API has role access of admin and user.

56
00:04:02,220 --> 00:04:09,150
So if I try to get a fresh access token and invoke myAccount API, it should work without any issues.

57
00:04:09,600 --> 00:04:15,990
So let me try to get the access token again by invoking the same API, slash token.

58
00:04:17,339 --> 00:04:20,640
So this time I got a different access token, and taking that,

59
00:04:21,240 --> 00:04:30,390
I'll go to the myAccount API invocation tab here, and there I need to replace the access token

60
00:04:30,840 --> 00:04:32,130
with the latest one.

61
00:04:32,580 --> 00:04:39,600
Once I replace it with the latest access token, if I try to invoke, I should get a proper response with

62
00:04:39,600 --> 00:04:40,950
the 200 status.

63
00:04:41,130 --> 00:04:43,500
So you can see I got a successful response.

64
00:04:43,710 --> 00:04:50,580
So this way, we can create a client credentials client, define roles and assign them to it.

65
00:04:50,790 --> 00:04:57,180
And this is the scenario where one microservice or one service is trying to invoke another service.

66
00:04:57,510 --> 00:05:04,350
So due to that reason, we have used the client credentials grant type, where there is no individual

67
00:05:04,350 --> 00:05:05,460
user involved.

68
00:05:05,730 --> 00:05:12,660
We can also check what is present inside this access token by going to the JWT portal.

69
00:05:13,050 --> 00:05:15,930
So I'm just pasting the access token that we received.

70
00:05:16,260 --> 00:05:23,430
So you can see these are all the details. Below that, my Keycloak server responded; my roles are present

71
00:05:23,430 --> 00:05:29,040
inside realm_access, and inside that, all of my roles are present under a roles key.

72
00:05:29,460 --> 00:05:34,140
If you can recall, we wrote a Keycloak role converter here, where

73
00:05:34,410 --> 00:05:39,960
we are looking for the key realm_access, which is matching to this one.

74
00:05:39,990 --> 00:05:42,870
Once I got a value for realm_access,

75
00:05:43,050 --> 00:05:47,430
I will look again for the key roles, which is what we are doing here.

76
00:05:47,820 --> 00:05:56,370
Once we got the value of the roles key, I'm making sure the role is being changed to ROLE, underscore,

77
00:05:56,370 --> 00:06:01,680
role name, and taking all those roles and putting them inside GrantedAuthority.

78
00:06:01,800 --> 00:06:06,810
And I'm passing all those authorities to my Spring Security framework.

79
00:06:07,080 --> 00:06:14,730
So this way I wrote a custom converter, which will make sure to do that conversion so that my roles

80
00:06:15,000 --> 00:06:19,230
are being passed to my Spring Security framework the way it is expecting.

81
00:06:19,710 --> 00:06:26,910
But if you don't want to do that, instead of hasAnyRole you can use hasAnyAuthority or hasAuthority,

82
00:06:27,300 --> 00:06:34,590
because for authority, we learnt no prefix of ROLE will be added by the Spring Security framework

83
00:06:34,740 --> 00:06:37,560
against the roles that we have configured.

84
00:06:38,010 --> 00:06:41,670
But with this simple role converter, we should be good,

85
00:06:41,970 --> 00:06:48,060
even if you are trying to use the role-based access mechanism. And you can see these are the scopes supported

86
00:06:48,060 --> 00:06:56,700
by my Keycloak right now, so openid will give you access token and ID token, and email will give you email

87
00:06:56,700 --> 00:07:01,860
details, the email details of the user or the client,

88
00:07:01,860 --> 00:07:06,570
if there are any present inside the Keycloak server, and address

89
00:07:06,570 --> 00:07:08,340
will give you address details, and profile

90
00:07:08,340 --> 00:07:09,720
will give you profile details.

91
00:07:10,140 --> 00:07:16,470
We can also see, when we are trying to get an access token by invoking the API slash token,

92
00:07:16,650 --> 00:07:23,610
we are also getting a dedicated separate ID token, so we can go and check what is present inside this

93
00:07:23,610 --> 00:07:27,690
ID token by pasting that here in the JWT website.

94
00:07:28,050 --> 00:07:34,560
And this ID token contains, basically, the details about the individual user or client application

95
00:07:34,560 --> 00:07:37,410
who is trying to perform identification and authorization.

96
00:07:37,560 --> 00:07:42,410
So the ID is Easy Bank API here, and there is no address.

97
00:07:42,450 --> 00:07:43,650
That's why it is empty.

98
00:07:44,070 --> 00:07:49,920
And we also have other details, like at what time the token is issued, what is the expiration time.

99
00:07:50,170 --> 00:07:56,760
So any details that you want to know specific to the user or identity of the client application,

100
00:07:56,970 --> 00:07:59,130
you can always leverage that ID token.

101
00:07:59,370 --> 00:08:01,410
So this way, the OpenID framework

102
00:08:01,620 --> 00:08:05,400
also issues an ID token on top of the access token.

103
00:08:05,880 --> 00:08:13,320
With this, we have a clear understanding on how to create a client on Keycloak server,

104
00:08:13,440 --> 00:08:17,460
so that we can use that inside the client credentials grant type.

105
00:08:17,760 --> 00:08:24,570
Once that is created, we saw how to get an access token by invoking an API against the Keycloak

106
00:08:24,600 --> 00:08:26,070
server. Post that,

107
00:08:26,190 --> 00:08:32,150
we also configured a resource server and established a link between resource server and Keycloak

108
00:08:32,150 --> 00:08:39,090
server by mentioning a property inside application.properties. Once that is done, we also saw how to

109
00:08:39,090 --> 00:08:45,150
take an access token from the Keycloak server and pass that access token to the resource server to get

110
00:08:45,150 --> 00:08:48,210
the proper authenticated response from it.

111
00:08:48,480 --> 00:08:54,780
So this way we covered the first two scenarios, like getting the response from the resource server using

112
00:08:54,780 --> 00:08:56,580
Postman API invocation.

113
00:08:56,760 --> 00:09:04,200
And the same approach can be used for any API-to-API interaction or service-to-service interaction. In

114
00:09:04,200 --> 00:09:04,980
the next lecture,

115
00:09:05,220 --> 00:09:13,050
let's try to understand how to implement the OAuth2 framework in the scenarios where we have a web application

116
00:09:13,500 --> 00:09:16,320
to interact with the resource server. Thank

117
00:09:16,360 --> 00:09:18,220
you, and I'll see you in the next lecture. Bye.