With the authorization server in place, we can enhance the edge server and the product-composite service so they become OAuth 2.0 resource servers; that is, they require a valid access token to allow access. We will configure the edge server to accept any access token it can validate using the signature provided by the authorization server. The product-composite service will also require the access token to contain some OAuth 2.0 scopes:
- The product:read scope will be required for accessing the read-only APIs.
- The product:write scope will be required for accessing the create and delete APIs.
We also need to enhance our test script, test-em-all.bash, so that it acquires access tokens before it runs the tests.