Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Miguel-Rodriguez15/msvc/llms.txt

Use this file to discover all available pages before exploring further.

Once you have an access_token from msvc-auth, include it as a Bearer token in the Authorization header of every protected request. msvc-usuarios enforces scope-based authorization using Spring Security’s oauth2ResourceServer JWT support; msvc-cursos requires a valid Bearer token for the course detail endpoint (GET /{id}) that fetches enrolled users.

Attaching the Token

Pass the token in the standard Authorization: Bearer <access_token> header:
# List users — requires scope: read
curl http://localhost:8001/ \
  -H 'Authorization: Bearer <access_token>'

# Create a user — requires scope: write
curl -X POST http://localhost:8001/ \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{"nombre": "Ana García", "email": "ana@example.com", "password": "secret"}'

# Get course detail with enrolled users — Bearer required
curl http://localhost:8002/1 \
  -H 'Authorization: Bearer <access_token>'
The password field is BCrypt-hashed by msvc-usuarios before being stored. Send the plaintext value in the request body; the service handles encoding automatically.

Scope Requirements

msvc-usuarios maps scopes to HTTP methods in its SecurityFilterChain. The table below shows the exact authority required for each endpoint:
EndpointMethodRequired Scope
/ (usuarios)GETSCOPE_read or SCOPE_write
/{id} (usuarios)GETSCOPE_read or SCOPE_write
/ (usuarios)POSTSCOPE_write
/{id} (usuarios)PUTSCOPE_write
/{id} (usuarios)DELETESCOPE_write
/usuarios-por-cursoGETAny authenticated token
GET /{id} (cursos)GETBearer token required (header enforced in controller)
All other /cursos routesNo Authorization header required
The SecurityConfig in msvc-usuarios expresses these rules as:
.requestMatchers(HttpMethod.GET, "/", "/{id}").hasAnyAuthority("SCOPE_read", "SCOPE_write")
.requestMatchers(HttpMethod.POST, "/").hasAnyAuthority("SCOPE_write")
.requestMatchers(HttpMethod.PUT, "/{id}").hasAnyAuthority("SCOPE_write")
.requestMatchers(HttpMethod.DELETE, "/{id}").hasAnyAuthority("SCOPE_write")
.anyRequest().authenticated()
A token issued with scope=read can still access all GET endpoints because hasAnyAuthority("SCOPE_read", "SCOPE_write") accepts either authority. If you only need read access, omit write from the authorization request scopes.

Via the Gateway

All requests can also be sent through msvc-gateway on port 8090. The gateway routes /api/usuarios/** to msvc-usuarios and /api/cursos/** to msvc-cursos, forwarding headers — including Authorization — transparently:
# List users through the gateway on port 8090
curl http://localhost:8090/api/usuarios/ \
  -H 'Authorization: Bearer <access_token>'

# Get course detail (with enrolled users) through the gateway
curl http://localhost:8090/api/cursos/1 \
  -H 'Authorization: Bearer <access_token>'
When running in Kubernetes with the NGINX Ingress enabled, the same calls are reachable via the cluster hostname:
curl http://microservicios.local/usuarios/ \
  -H 'Authorization: Bearer <access_token>'

curl http://microservicios.local/cursos/1 \
  -H 'Authorization: Bearer <access_token>'

Token Decoding

The access_token is a standard three-part JWT (header.payload.signature). You can inspect the claims without a library by base64-decoding the payload segment:
# Decode the payload (not verification — for debugging only)
echo '<token_payload_base64>' | base64 -d | python3 -m json.tool
A typical JWT payload from msvc-auth contains:
{
  "sub": "ana@example.com",
  "aud": "usuarios-client",
  "iss": "http://msvc-auth:9000",
  "iat": 1718000000,
  "exp": 1718000300,
  "scope": "openid read write"
}
ClaimMeaning
subThe authenticated user’s email address
audThe intended audience (client ID)
issThe issuer URI of msvc-auth
iatIssued-at timestamp (Unix seconds)
expExpiry timestamp — token is invalid after this
scopeSpace-separated list of granted scopes
The RSA keys rotate on every restart of msvc-auth. If msvc-usuarios or msvc-cursos start returning 401 Unauthorized after a restart, it means the cached JWK Set is stale. Restart those services so they re-fetch the new public key from GET /oauth2/jwks on msvc-auth.

OIDC UserInfo

When the token was issued with the openid scope, you can retrieve the authenticated user’s identity claims from the OIDC UserInfo endpoint without decoding the JWT manually:
curl http://<auth-server>:9000/userinfo \
  -H 'Authorization: Bearer <access_token>'
The response returns a JSON object with standard OIDC claims such as sub, email, and any profile attributes populated by the authorization server.

Build docs developers (and LLMs) love