Forem: Pete Letkeman The latest articles on Forem by Pete Letkeman (@pbaletkeman). https://forem.com/pbaletkeman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1234322%2Fee63d7e8-0339-4890-8e4b-ca26dfa04662.png Forem: Pete Letkeman https://forem.com/pbaletkeman en Using AI to Learn and Prepare for Certification Exams Pete Letkeman Sun, 03 May 2026 02:08:58 +0000 https://forem.com/pbaletkeman/using-ai-to-learn-and-prepare-for-certification-exams-1og https://forem.com/pbaletkeman/using-ai-to-learn-and-prepare-for-certification-exams-1og <p>Certification prep can feel like a maze. There are endless courses, playlists, blogs, and PDFs — and choosing where to start often takes longer than the studying itself. If you’re willing to bring AI/LLMs into your workflow, you can skip a lot of that friction. AI can help you build a study plan, generate exam‑style questions, and even simulate full practice tests.</p> <p>Here’s how I’ve been using AI as a study partner in a way that fits naturally into a developer workflow.</p> <h2> 1. Build a Study Plan with AI </h2> <p>If you’re staring at a blank page wondering how to begin, give the AI a snapshot of your background and constraints. The more specific the input, the more useful the output.</p> <p><strong>Example scenario:</strong><br> You’re a Java developer with five years of experience, familiar with Spring Boot and Hibernate. You want to learn Python 3.12 in eight weeks with only five hours per week.</p> <p><strong>Example prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I'm a Java developer with five years of experience, familiar with Spring Boot and Hibernate. Create a customized study plan to help me learn Python 3.12. I have five hours a week and need to learn it in eight weeks. ALWAYS verify all sites you link to before citing them. Include videos, reading materials, and hands-on practice. Double-check that all recommendations are valid and up to date. </code></pre> </div> <p>This gives the AI enough context to produce a structured, time‑boxed plan with curated resources instead of generic advice.</p> <h2> 2. Generate Exam‑Style Questions </h2> <p>Most certifications publish an exam outline or topic breakdown. That outline is your blueprint — it tells you exactly what the exam will cover.</p> <p>A few examples of publicly available exam guides:</p> <ul> <li><a href="https://learn.github.com/certification/COPILOT" rel="noopener noreferrer">https://learn.github.com/certification/COPILOT</a></li> <li><a href="https://www.databricks.com/learn/training/certification#certifications" rel="noopener noreferrer">https://www.databricks.com/learn/training/certification#certifications</a></li> <li><a href="https://www.broadcom.com/support/education/software/certification/exams/spring-pro-develop-exam" rel="noopener noreferrer">https://www.broadcom.com/support/education/software/certification/exams/spring-pro-develop-exam</a></li> </ul> <p>Once you have the outline, you can ask AI to generate questions that match the categories and weightings.</p> <p><strong>Example prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Using the exam outline from https://learn.github.com/certification/COPILOT, create 100 exam-like multiple-choice questions of varying difficulty. Follow the categories and weights from the exam guide. ENSURE all questions are unique, accurate, and fully validated. </code></pre> </div> <p>Run this multiple times and you’ll quickly build a large, diverse pool of exam‑style questions aligned with the actual blueprint.</p> <h2> 3. Create Practice Tests </h2> <p>With a study plan and a question bank, you can simulate real exam conditions.</p> <p>A few practical tips:</p> <ul> <li>Keep the question format consistent (you can enforce this in your prompt).</li> <li>Randomize both the question order and the answer choices.</li> <li>Don’t memorize answers — focus on understanding the underlying concepts.</li> </ul> <p><strong>Example question format:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Question: What is the answer to life, living, and the universe? A) 42 B) 40 C) unknown D) none </code></pre> </div> <p>Once you have a set of questions, you can:</p> <ul> <li> <strong>Build a lightweight quiz engine</strong> in your language of choice, or</li> <li><strong>Ask AI to scaffold one for you.</strong></li> </ul> <p>I built a simple quiz engine in VS Code that loads questions from a file, shuffles them, and randomizes answer order. It’s repeatable, language‑agnostic, and perfect for drilling through large question sets.</p> <h2> My Work &amp; Experiments </h2> <p>If you want to see this approach in action, here’s the repo where I’ve been experimenting:</p> <p><strong>Main repo:</strong><br> <a href="https://github.com/pbaletkeman/exam-prep" rel="noopener noreferrer">https://github.com/pbaletkeman/exam-prep</a></p> <p>I started with GitHub Copilot learning material (not in this repo), then moved on to:</p> <ul> <li>GitHub Actions: <a href="https://github.com/pbaletkeman/exam-prep/tree/main/actions-source-material" rel="noopener noreferrer">https://github.com/pbaletkeman/exam-prep/tree/main/actions-source-material</a> </li> <li>Terraform: <a href="https://github.com/pbaletkeman/exam-prep/tree/main/terraform/learning" rel="noopener noreferrer">https://github.com/pbaletkeman/exam-prep/tree/main/terraform/learning</a> </li> <li>Databricks: <a href="https://github.com/pbaletkeman/exam-prep/tree/main/databricks/learning" rel="noopener noreferrer">https://github.com/pbaletkeman/exam-prep/tree/main/databricks/learning</a> </li> </ul> <p>For the fun of it I had GitHub Copilot create the same quiz engines for:</p> <ul> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-python" rel="noopener noreferrer">Python</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-java" rel="noopener noreferrer">Java</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-springboot" rel="noopener noreferrer">Java SpringBoot</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-golang" rel="noopener noreferrer">Go</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-dart" rel="noopener noreferrer">Dart</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-nodejs" rel="noopener noreferrer">NodeJS</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-csharp" rel="noopener noreferrer">C#</a></li> <li><a href="https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine/quiz-engine-rust" rel="noopener noreferrer">Rust</a></li> </ul> <p>Each version lives here:<br> <code>https://github.com/pbaletkeman/exam-prep/tree/main/quiz-engine</code></p> <p>It’s a great way to compare language ergonomics while keeping the logic identical.</p> <h2> Final Thoughts </h2> <p>AI won’t replace real studying - but it <em>will</em> remove the overhead that slows you down. Instead of spending hours hunting for resources or manually building practice material, you can jump straight into structured learning, targeted practice, and realistic exam simulations.<br> If you’re preparing for a certification and want to accelerate your workflow, AI is absolutely worth adding to your toolkit.</p> ai programming career learning AI-Powered Resume Generator: Architecture & Implementation Pete Letkeman Sat, 24 Jan 2026 01:18:09 +0000 https://forem.com/pbaletkeman/ai-powered-resume-generator-architecture-implementation-2748 https://forem.com/pbaletkeman/ai-powered-resume-generator-architecture-implementation-2748 <h1> Building an AI-Powered Resume Generator: Architecture &amp; Implementation </h1> <h2> Overview </h2> <p>I've been working on a full-stack application that leverages LLMs to generate polished, professional resume content. This post is a technical walkthrough of the architecture, integration points, and key implementation details.</p> <p><strong>Tech Stack:</strong></p> <ul> <li> <strong>Backend:</strong> Java 21, Spring Boot 3.x, Gradle</li> <li> <strong>Frontend:</strong> React 19, TypeScript, Vite</li> <li> <strong>LLM Integration:</strong> OpenAI API / Ollama (OpenAI-compatible endpoint)</li> <li> <strong>Data Format:</strong> JSON-driven resume model</li> <li> <strong>Build Tooling:</strong> Gradle (backend), Node (frontend)</li> </ul> <p>Repository: <a href="https://github.com/pbaletkeman/java-resumes" rel="noopener noreferrer">https://github.com/pbaletkeman/java-resumes</a></p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ │ React UI │ │ (TypeScript)│ └──────┬──────┘ │ HTTP/REST ↓ ┌─────────────────────────────────┐ │ Spring Boot REST API │ │ (Java 21, Gradle 8.10) │ │ │ │ ├─ ResumeController │ │ ├─ FilesStorageService │ │ └─ ApiService (LLM gateway) │ └──────────┬──────────────────────┘ │ ┌────┴─────┐ ↓ ↓ ┌────────┐ ┌────────────┐ │ Ollama │ │ OpenAI API │ │(local) │ │ (cloud) │ └────────┘ └────────────┘ </code></pre> </div> <h2> Key Components &amp; Design Decisions </h2> <h3> 1. <strong>REST API Layer (Spring Boot)</strong> </h3> <p>The backend exposes endpoints for:</p> <ul> <li> <strong>File uploads</strong> (multipart/form-data)</li> <li> <strong>Resume optimization</strong> (async background processing)</li> <li> <strong>File retrieval</strong> (results polling)</li> <li> <strong>File management</strong> (list, download, delete)</li> </ul> <p><strong>Key Endpoint Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@PostMapping</span><span class="o">(</span><span class="n">path</span> <span class="o">=</span> <span class="s">"/api/upload"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">ResponseMessage</span><span class="o">&gt;</span> <span class="nf">optimizeResume</span><span class="o">(</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"optimize"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">optimizeJson</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"resume"</span><span class="o">)</span> <span class="nc">MultipartFile</span> <span class="n">resume</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"job"</span><span class="o">)</span> <span class="nc">MultipartFile</span> <span class="n">job</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Validate inputs</span> <span class="k">if</span> <span class="o">(</span><span class="n">resume</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">()</span> <span class="o">||</span> <span class="n">job</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">BAD_REQUEST</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="k">new</span> <span class="nc">ResponseMessage</span><span class="o">(</span><span class="s">"No file/invalid file provided"</span><span class="o">));</span> <span class="o">}</span> <span class="c1">// Spawn background thread for LLM processing (non-blocking)</span> <span class="nc">Thread</span> <span class="n">thread</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Thread</span><span class="o">(</span><span class="k">new</span> <span class="nc">BackgroundResume</span><span class="o">(</span><span class="n">optimize</span><span class="o">,</span> <span class="n">root</span><span class="o">));</span> <span class="n">thread</span><span class="o">.</span><span class="na">start</span><span class="o">();</span> <span class="c1">// Return 202 Accepted immediately</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">ACCEPTED</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="k">new</span> <span class="nc">ResponseMessage</span><span class="o">(</span><span class="s">"generating"</span><span class="o">));</span> <span class="o">}</span> </code></pre> </div> <p><strong>Why this pattern?</strong></p> <ul> <li>LLM API calls are slow (2-30+ seconds)</li> <li>HTTP connections timeout if we wait for LLM</li> <li> <code>202 Accepted</code> signals async processing to the client</li> <li>Frontend polls <code>/api/files</code> until results appear</li> </ul> <h3> 2. <strong>Async Background Processing</strong> </h3> <p>The <code>BackgroundResume</code> class handles long-running operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">BackgroundResume</span> <span class="kd">implements</span> <span class="nc">Runnable</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">Optimize</span> <span class="n">optimize</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">root</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">run</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="c1">// 1. Load LLM configuration</span> <span class="nc">String</span> <span class="n">configStr</span> <span class="o">=</span> <span class="nc">Utility</span><span class="o">.</span><span class="na">readFileAsString</span><span class="o">(</span><span class="s">"config.json"</span><span class="o">);</span> <span class="nc">Config</span> <span class="n">config</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Gson</span><span class="o">().</span><span class="na">fromJson</span><span class="o">(</span><span class="n">configStr</span><span class="o">,</span> <span class="nc">Config</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="c1">// 2. Build LLM request</span> <span class="nc">ChatBody</span> <span class="n">chatBody</span> <span class="o">=</span> <span class="nc">ApiService</span><span class="o">.</span><span class="na">createChatBody</span><span class="o">(</span><span class="n">optimize</span><span class="o">);</span> <span class="c1">// 3. Call LLM (OpenAI-compatible API)</span> <span class="nc">LLMResponse</span> <span class="n">response</span> <span class="o">=</span> <span class="nc">ApiService</span><span class="o">.</span><span class="na">produceFiles</span><span class="o">(</span> <span class="n">optimize</span><span class="o">,</span> <span class="n">config</span><span class="o">.</span><span class="na">getEndpoint</span><span class="o">(),</span> <span class="n">config</span><span class="o">.</span><span class="na">getApikey</span><span class="o">(),</span> <span class="n">config</span><span class="o">.</span><span class="na">getModel</span><span class="o">()</span> <span class="o">);</span> <span class="c1">// 4. Save results (Markdown + PDF)</span> <span class="nc">FilesStorageService</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">getContent</span><span class="o">());</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Resume optimization completed"</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Background task failed: {}"</span><span class="o">,</span> <span class="n">e</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Why background threads instead of async/await?</strong></p> <ul> <li>Simple, synchronous model</li> <li>No need for reactive framework overhead</li> <li>Easy to reason about error handling</li> <li>Works well for moderate concurrency</li> </ul> <h3> 3. <strong>LLM Integration (OpenAI-Compatible API)</strong> </h3> <p>The <code>ApiService</code> class abstracts LLM provider differences:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApiService</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">LLMResponse</span> <span class="nf">produceFiles</span><span class="o">(</span> <span class="nc">Optimize</span> <span class="n">optimize</span><span class="o">,</span> <span class="nc">String</span> <span class="n">endpoint</span><span class="o">,</span> <span class="nc">String</span> <span class="n">apiKey</span><span class="o">,</span> <span class="nc">String</span> <span class="n">model</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="c1">// Build OpenAI-compatible request</span> <span class="nc">ChatBody</span> <span class="n">chatBody</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ChatBody</span><span class="o">();</span> <span class="n">chatBody</span><span class="o">.</span><span class="na">setModel</span><span class="o">(</span><span class="n">model</span><span class="o">);</span> <span class="n">chatBody</span><span class="o">.</span><span class="na">setMessages</span><span class="o">(</span><span class="n">createPrompt</span><span class="o">(</span><span class="n">optimize</span><span class="o">));</span> <span class="n">chatBody</span><span class="o">.</span><span class="na">setTemperature</span><span class="o">(</span><span class="n">optimize</span><span class="o">.</span><span class="na">getTemperature</span><span class="o">());</span> <span class="c1">// Send to LLM</span> <span class="nc">HttpClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">HttpClient</span><span class="o">.</span><span class="na">newHttpClient</span><span class="o">();</span> <span class="nc">String</span> <span class="n">jsonRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Gson</span><span class="o">().</span><span class="na">toJson</span><span class="o">(</span><span class="n">chatBody</span><span class="o">);</span> <span class="nc">HttpRequest</span> <span class="n">request</span> <span class="o">=</span> <span class="nc">HttpRequest</span><span class="o">.</span><span class="na">newBuilder</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="no">URI</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">endpoint</span> <span class="o">+</span> <span class="s">"/v1/chat/completions"</span><span class="o">))</span> <span class="o">.</span><span class="na">header</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">,</span> <span class="s">"Bearer "</span> <span class="o">+</span> <span class="n">apiKey</span><span class="o">)</span> <span class="o">.</span><span class="na">header</span><span class="o">(</span><span class="s">"Content-Type"</span><span class="o">,</span> <span class="s">"application/json"</span><span class="o">)</span> <span class="o">.</span><span class="na">POST</span><span class="o">(</span><span class="nc">HttpRequest</span><span class="o">.</span><span class="na">BodyPublishers</span><span class="o">.</span><span class="na">ofString</span><span class="o">(</span><span class="n">jsonRequest</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">HttpResponse</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">send</span><span class="o">(</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpResponse</span><span class="o">.</span><span class="na">BodyHandlers</span><span class="o">.</span><span class="na">ofString</span><span class="o">()</span> <span class="o">);</span> <span class="c1">// Parse response</span> <span class="nc">LLMResponse</span> <span class="n">llmResponse</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Gson</span><span class="o">().</span><span class="na">fromJson</span><span class="o">(</span> <span class="n">response</span><span class="o">.</span><span class="na">body</span><span class="o">(),</span> <span class="nc">LLMResponse</span><span class="o">.</span><span class="na">class</span> <span class="o">);</span> <span class="k">return</span> <span class="n">llmResponse</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Why OpenAI-compatible format?</strong></p> <ul> <li>Works with Ollama (local models)</li> <li>Works with OpenAI (cloud models)</li> <li>Works with Azure OpenAI, Together.ai, etc.</li> <li>Single integration code path</li> <li>Easy to swap providers</li> </ul> <p><strong>Configuration (config.json):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:11434"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apikey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ollama"</span><span class="p">,</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mistral:7b"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Frontend Architecture (React + TypeScript) </h2> <h3> Core Hook: <code>useApi</code> </h3> <p>Centralized API communication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">function</span> <span class="nf">useApi</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">error</span><span class="p">,</span> <span class="nx">setError</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">execute</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">fn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">any</span><span class="o">&gt;</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nf">setError</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">fn</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Unknown error</span><span class="dl">"</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">execute</span><span class="p">,</span> <span class="nx">loading</span><span class="p">,</span> <span class="nx">error</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> File Upload &amp; Polling Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">MainContentTab</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">execute</span><span class="p">,</span> <span class="nx">loading</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useApi</span><span class="p">();</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">generatedFiles</span><span class="p">,</span> <span class="nx">setGeneratedFiles</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">File</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">([]);</span> <span class="kd">const</span> <span class="nx">handleSubmit</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">formData</span><span class="p">:</span> <span class="nx">FormData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">execute</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// 1. Upload resume + job description</span> <span class="k">await</span> <span class="nx">fileService</span><span class="p">.</span><span class="nf">uploadForOptimization</span><span class="p">(</span><span class="nx">formData</span><span class="p">);</span> <span class="c1">// 2. Start polling for results</span> <span class="kd">let</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">attempts</span> <span class="o">&lt;</span> <span class="mi">60</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 5 minutes max</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">5000</span><span class="p">));</span> <span class="c1">// Poll every 5s</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fileService</span><span class="p">.</span><span class="nf">listFiles</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">newFiles</span> <span class="o">=</span> <span class="nx">files</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">f</span> <span class="o">=&gt;</span> <span class="nx">f</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">.pdf</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">f</span><span class="p">.</span><span class="nx">timestamp</span> <span class="o">&gt;</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">uploadTime</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">newFiles</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setGeneratedFiles</span><span class="p">(</span><span class="nx">newFiles</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="nx">attempts</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="c1">// UI for upload and display results</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why polling instead of WebSockets?</strong></p> <ul> <li>Simpler client/server contract</li> <li>Works through corporate proxies/firewalls</li> <li>No need for persistent connection</li> <li>Acceptable for batch processing workflows</li> </ul> <h2> Data Model: Optimize DTO </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Optimize</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">promptType</span><span class="o">;</span> <span class="c1">// ["Resume", "CoverLetter", "Skills"]</span> <span class="kd">private</span> <span class="kt">double</span> <span class="n">temperature</span><span class="o">;</span> <span class="c1">// 0.0-1.0 (creativity level)</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">model</span><span class="o">;</span> <span class="c1">// Model identifier from config</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">company</span><span class="o">;</span> <span class="c1">// Target company name</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">jobTitle</span><span class="o">;</span> <span class="c1">// Target job title</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">jobDescription</span><span class="o">;</span> <span class="c1">// Full job posting text</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">resume</span><span class="o">;</span> <span class="c1">// User's current resume</span> <span class="c1">// Getters/setters...</span> <span class="o">}</span> </code></pre> </div> <p>This DTO drives:</p> <ol> <li> <strong>Prompt construction</strong> - What content to generate</li> <li> <strong>LLM parameters</strong> - Temperature, model selection</li> <li> <strong>Output filtering</strong> - Which sections to include</li> </ol> <h2> Key Implementation Challenges &amp; Solutions </h2> <h3> Challenge 1: LLM Response Time </h3> <p><strong>Problem:</strong> API calls can take 10-30+ seconds<br> <strong>Solution:</strong></p> <ul> <li>Return <code>202 Accepted</code> immediately</li> <li>Process async in background thread</li> <li>Frontend polls for completion</li> </ul> <h3> Challenge 2: File Format Conversion </h3> <p><strong>Problem:</strong> LLM outputs plain text; need PDF with formatting<br> <strong>Solution:</strong></p> <ul> <li>Convert Markdown → HTML (CommonMark parser)</li> <li>Convert HTML → PDF (Flying Saucer library)</li> <li>Save both Markdown + PDF for flexibility</li> </ul> <h3> Challenge 3: Local vs Cloud LLM </h3> <p><strong>Problem:</strong> Different APIs for Ollama vs OpenAI<br> <strong>Solution:</strong></p> <ul> <li>Use OpenAI-compatible format (both support it)</li> <li>Config-driven endpoint selection</li> <li>Single integration point</li> </ul> <h3> Challenge 4: Test Isolation </h3> <p><strong>Problem:</strong> Tests failing due to state dependencies (file existence)<br> <strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@BeforeEach</span> <span class="kt">void</span> <span class="nf">setUp</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="nc">Path</span> <span class="n">uploadsPath</span> <span class="o">=</span> <span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"uploads"</span><span class="o">);</span> <span class="nc">Files</span><span class="o">.</span><span class="na">createDirectories</span><span class="o">(</span><span class="n">uploadsPath</span><span class="o">);</span> <span class="c1">// Create dummy files for delete tests, etc.</span> <span class="nc">Files</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">uploadsPath</span><span class="o">.</span><span class="na">resolve</span><span class="o">(</span><span class="s">"resume.pdf"</span><span class="o">),</span> <span class="s">"dummy"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">());</span> <span class="o">}</span> </code></pre> </div> <h2> Deployment Considerations </h2> <h3> Local Development </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Terminal 1: Start Ollama</span> ollama serve ollama pull mistral:7b <span class="c"># Terminal 2: Run backend</span> ./gradlew bootRun <span class="c"># Listens on :8080</span> <span class="c"># Terminal 3: Run frontend</span> <span class="nb">cd </span>frontend <span class="o">&amp;&amp;</span> npm run dev <span class="c"># Listens on :5173</span> </code></pre> </div> <h3> Cloud Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># application.properties </span><span class="py">server.port</span><span class="p">=</span><span class="s">8080</span> <span class="py">upload.path</span><span class="p">=</span><span class="s">/data/uploads</span> <span class="c"># Spring will detect OpenAI config from environment </span></code></pre> </div> <h2> Testing Strategy </h2> <p><strong>80%+ Coverage Target:</strong></p> <ol> <li> <strong>Controller Tests</strong> - HTTP layer with MockMvc</li> <li> <strong>Service Tests</strong> - Business logic, mocked LLM</li> <li> <strong>Integration Tests</strong> - Full request flow</li> <li> <strong>Model Tests</strong> - DTO serialization/validation </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./gradlew <span class="nb">test</span> <span class="c"># Run all tests</span> ./gradlew <span class="nb">test</span> <span class="nt">--tests</span> ClassName <span class="c"># Run specific test</span> ./gradlew checkstyleMain <span class="c"># Code quality (100% compliance)</span> </code></pre> </div> <h2> Performance &amp; Scalability Notes </h2> <ol> <li> <strong>Horizontal Scaling:</strong> Add more backend instances behind load balancer</li> <li> <strong>Rate Limiting:</strong> Implement per-user quotas for LLM API costs</li> <li> <strong>Caching:</strong> Cache LLM responses for identical inputs</li> <li> <strong>Async Queue:</strong> For high volume, use message queue (RabbitMQ, Kafka)</li> <li> <strong>File Storage:</strong> Consider cloud storage (S3, Azure Blob) vs local filesystem</li> </ol> <h2> ⚠️ Important Considerations </h2> <h3> LLM Hallucination Risk </h3> <p><strong>Critical:</strong> LLMs can generate plausible-sounding but inaccurate content. This includes:</p> <ul> <li>Fabricated job experiences</li> <li>Incorrect technical skills</li> <li>Made-up company names or achievements</li> <li>Dates and timelines that don't align with reality</li> </ul> <p><strong>Mitigation:</strong></p> <ul> <li> <strong>Always proofread generated content</strong> before using it</li> <li>Cross-check facts against source documents</li> <li>Verify all claims in the resume</li> <li>Consider this tool as a <strong>content enhancement tool</strong>, not a replacement for human review</li> <li>Use it to refine and polish verified information, not to generate unverified content</li> </ul> <h3> Processing Time </h3> <p><strong>Important:</strong> File generation is NOT instant:</p> <ul> <li> <strong>Local models (Ollama):</strong> 30 seconds to 5+ minutes depending on model size (7B models are faster, 13B+ models take longer)</li> <li> <strong>Cloud models (OpenAI):</strong> 5-30 seconds typically, but can vary with load</li> <li> <strong>Large job descriptions:</strong> Processing time increases with input size</li> <li> <strong>Network latency:</strong> Slower connections add to total time</li> </ul> <p><strong>Frontend Polling:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Default: polls every 5 seconds for up to 5 minutes (60 attempts)</span> <span class="c1">// For longer processing, increase attempts or polling interval</span> <span class="kd">let</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">attempts</span> <span class="o">&lt;</span> <span class="mi">60</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Adjust this for longer waits</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">5000</span><span class="p">));</span> <span class="c1">// 5 seconds</span> <span class="c1">// ... check for files</span> <span class="nx">attempts</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>User Experience:</strong></p> <ul> <li>Display a progress indicator during processing</li> <li>Show estimated wait time based on model selection</li> <li>Allow users to check back later via job ID</li> <li>Consider implementing email notifications when complete</li> </ul> <h2> Code Quality Standards </h2> <ul> <li> <strong>Checkstyle:</strong> 100% compliance (120 char line limit)</li> <li> <strong>Test Coverage:</strong> 80%+ target</li> <li> <strong>Java Version:</strong> Java 21 LTS with modern features</li> <li> <strong>Spring Boot:</strong> Version 3.5.1 with latest practices</li> </ul> <h2> What's Next? </h2> <p>Potential improvements:</p> <ul> <li>[ ] WebSocket support for real-time updates</li> <li>[ ] Template system for different resume formats</li> <li>[ ] Batch processing for multiple candidates</li> <li>[ ] Integration with LinkedIn/job boards</li> <li>[ ] A/B testing for LLM prompt optimization</li> <li>[ ] Cost analytics for OpenAI usage</li> </ul> <h2> Lessons Learned </h2> <ol> <li> <strong>Async by Default</strong> - HTTP endpoints should never block on slow operations</li> <li> <strong>Embrace Standards</strong> - OpenAI-compatible API is a superpower</li> <li> <strong>Simple Patterns &gt; Complex Frameworks</strong> - Background threads work great for this use case</li> <li> <strong>Test Independence</strong> - Always set up required state in @BeforeEach</li> <li> <strong>Config Over Code</strong> - Keep LLM provider flexible via configuration</li> </ol> <h2> Get Started </h2> <p><strong>Repository:</strong> <a href="https://github.com/pbaletkeman/java-resumes" rel="noopener noreferrer">https://github.com/pbaletkeman/java-resumes</a></p> <p><strong>Quick Start:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/pbaletkeman/java-resumes <span class="nb">cd </span>java-resumes ./gradlew clean build ./gradlew bootRun <span class="c"># Visit http://localhost:8080/spotlight/index.html</span> </code></pre> </div> <h2> Credits </h2> <p>Special thanks to <strong>Shaw Talebi</strong> for his excellent <a href="https://www.youtube.com/watch?v=R5WXaxmb6m4" rel="noopener noreferrer">tutorial on building resume optimization tools</a>, which served as the inspiration and starter foundation for this project.</p> <p>Have you built LLM integrations in Java? What patterns did you use? Drop a comment!</p> <p><strong>Discussion Topics:</strong></p> <ul> <li>Async patterns for LLM integrations</li> <li>Local vs cloud LLM trade-offs</li> <li>Resume optimization strategies</li> <li>Full-stack Java + React workflows</li> </ul> java ollama springboot llm Secure Python Litestar Site With OpenID/OIDC Using Okta Hosted Login Pete Letkeman Fri, 16 Feb 2024 22:09:18 +0000 https://forem.com/pbaletkeman/secure-python-litestar-site-with-openidoidc-using-okta-hosted-login-38nf https://forem.com/pbaletkeman/secure-python-litestar-site-with-openidoidc-using-okta-hosted-login-38nf <p>Here is a tutorial on how to setup <a href="https://www.okta.com">OKTA</a> as a OpenID/OIDC security provider for a site programmed in Python 3.11.x using <a href="https://www.litestar.dev">Litestar</a>.<br> This is done with 'Authorization Code flow'</p> <h4> About the Authorization Code grant </h4> <p>The Authorization Code flow is the recommended method for controlling access to web applications capable of securely storing secrets, see <a href="https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/">https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/</a></p> <h2> OKTA Setup </h2> <h3> Step 1 </h3> <div class="table-wrapper-paragraph"><table> <tr> <td> After you have created your OKTA account open `Applications` =&gt; `Applications` as seen on the right. </td> <td> <a href="https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t2oqsbt35lsghlo293ya.png"> <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft2oqsbt35lsghlo293ya.png" width="308" height="630"></a> </td> </tr> </table></div> <h3> Step 2 </h3> <p>Click <code>Create App Integration</code><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvzikq1c8p66ntdl8xp7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvzikq1c8p66ntdl8xp7.png" alt="Image description" width="800" height="236"></a></p> <h3> Step 3 </h3> <p>Choose <code>OIDC</code> - Open Connect with a description of<br> 'Token-based OAuth 2.0 authentication for Single Sign-On (SSO) through API endpoints. Recommended if you intend to build a custom app integration with the Okta Sign-In Widget.'<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7ire96qy769y2tc4o8z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7ire96qy769y2tc4o8z.png" alt="Image description" width="800" height="703"></a></p> <p>And then choose <code>Web Application</code> with a description of <br> 'Server-side applications where authentication and tokens are handled on the server (for example, Go, Java, ASP.Net, Node.js, PHP)'</p> <p>And Click <code>Next</code></p> <h3> Step 4 </h3> <p>Checked the following (<em>may not matter</em>):</p> <ul> <li>Client Credentials</li> <li>Refresh Token</li> <li>Implicit (hybrid)</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6czzrrbq7lk411l3643i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6czzrrbq7lk411l3643i.png" alt="Image description" width="800" height="467"></a></p> <h3> Step 5 </h3> <p>Ensure that both <code>Sign-in redirect URIs</code> and <code>Sign-out redirect URIs (Optional) have the correct values</code>. By default Litestar brings up the web site on port 8000.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl1eaa565ocxxtwytxmu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl1eaa565ocxxtwytxmu.png" alt="Image description" width="800" height="261"></a></p> <h3> Step 6 </h3> <p>In <code>Assignments</code> select <code>Allow everyone in your organization to access</code>.<br> In <code>Enable immediate access (Recommended)</code> select <code>Enable immediate access with *Federation Broker Model*</code><br> Click <code>Save</code><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4pqduqiox4v6sb5hp8g6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4pqduqiox4v6sb5hp8g6.png" alt="Image description" width="800" height="369"></a></p> <h3> Step 7 </h3> <p>Create a text file named '<strong>.env</strong>' and from the <code>General</code> tab, copy both <code>Client ID</code> and <code>Client Secret</code> to the file to have something like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CLIENT_ID=your_client_id CLIENT_SECRET=your_client_secret OKTA_DOMAIN=dev-123456789.okta.com REDIRECT_URL=http://localhost:8000/authorization-code/callback OKTA_PROMPT=consent </code></pre> </div> <p>And provide the you value for <code>OKTA_DOMAIN</code>.<br><br> You do not to supply a value for <code>OKTA_PROMPT</code> or even include it if you choose not to. For more details about regarding this parameter see <a href="https://developer.okta.com/docs/reference/api/oidc/#parameter-details">https://developer.okta.com/docs/reference/api/oidc/#parameter-details</a>.<br> Using OKTA_PROMPT is very helpful when testing multiple user accounts.</p> <h2> Python Code </h2> <p>Github.com repository found here <a href="https://github.com/pbaletkeman/litestarOpenID">https://github.com/pbaletkeman/litestarOpenID</a></p> <p>Copy the .env file from the previous step to the root directory of your Python project.</p> <p>For the most part the code is well documented, however here are some notes:</p> <ul> <li>It uses Mako templates, <a href="https://www.makotemplates.org/">https://www.makotemplates.org/</a> </li> <li>/profile is not secured, and is used to show you JWT Bearer Token which is needed to access /read-items and other secure routes, this is set in the callback method</li> <li>More user properties are found in the <code>user_response</code> object located in the callback method</li> </ul> <h2> Additionality PKCE </h2> <p>You can use Authorization Code Grant with Proof Key for Code Exchange (PKCE) which you can read about here:<br> <a href="https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/#about-the-authorization-code-grant-with-pkce">https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/#about-the-authorization-code-grant-with-pkce</a>.</p> <p>To enforce PKCE you will have to select 'Require PKCE as additional verification' as seen in the image below.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4o3728k2cl5hdxh69mu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4o3728k2cl5hdxh69mu.png" alt="Image description" width="753" height="403"></a><br> You can still use PKCE without requiring it.</p> <p>Here is the Python code for this,<br> <a href="https://github.com/pbaletkeman/okta-litestar-oidc-pkce">https://github.com/pbaletkeman/okta-litestar-oidc-pkce</a><br> Which is a lot like the none PKCE code.<br> Note that the following have been added/changed:</p> <p>lines: 181, 182, 192, 193<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'code_challenge': code_challenge, 'code_challenge_method': 'S256', </code></pre> </div> <p>line: 231<br> <code>query_params = {'grant_type': 'authorization_code', 'code': code,</code></p> <p>line: 185, 197 <br> And the <code>response_mode</code> has been changed from 'query' to 'form_post' which tells OKTA to send the data as a form post instead of using the query string. Query string is still valid and can be used if you choose to.</p> tutorial python security programming Secure Litestar APIs with OKTA Pete Letkeman Sat, 10 Feb 2024 20:08:09 +0000 https://forem.com/pbaletkeman/secure-litestar-apis-with-okta-570l https://forem.com/pbaletkeman/secure-litestar-apis-with-okta-570l <p>I borrowed a lot from <a href="https://developer.okta.com/blog/2020/12/17/build-and-secure-an-api-in-python-with-fastapi">https://developer.okta.com/blog/2020/12/17/build-and-secure-an-api-in-python-with-fastapi</a> thanks to <a href="https://developer.okta.com/blog/authors/karl-hughes/">Karl Hughes</a> for this article.</p> <p>Litestar framework for Python 3.x creating APIs.<br> For more information about Litestar visit <a href="https://litestar.dev/">https://litestar.dev/</a></p> <h2> OKTA Setup </h2> <h3> Step 1 </h3> <p>After creating a developer account with okta click 'Applications' then 'Create App Integration' as shown in the image<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5n3pswjhkulldplf9f5t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5n3pswjhkulldplf9f5t.png" alt="Image description" width="790" height="334"></a></p> <h3> Step 2 </h3> <p>Choose 'API Services' with a description of<br> 'Interact with Okta APIs using the scoped OAuth 2.0 access tokens for machine-to-machine authentication.'<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvchz84nydn97hs2qcqbt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvchz84nydn97hs2qcqbt.png" alt="Image description" width="800" height="463"></a></p> <h3> Step 3 </h3> <p>Give the integration a name<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu47f1u2gbkf5g3w55e5i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu47f1u2gbkf5g3w55e5i.png" alt="Image description" width="800" height="233"></a>Result Screen<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjdcun93vr6utbvggl65.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjdcun93vr6utbvggl65.png" alt="Image description" width="765" height="632"></a></p> <h3> Step 4 </h3> <p>In the directory for the Python project create a file named .env with the following:<br> </p> <p><code>OKTA_CLIENT_ID=Value From The Previous Step<br> OKTA_CLIENT_SECRET=Value From The Previous Step<br> OKTA_ISSUER="{oktaDomain}/oauth2/default"<br> OKTA_TOKEN="{oktaDomain}/oauth2/default/v1/token"<br> OKTA_INTROSPECTION="{oktaDomain}/oauth2/default/v1/introspect"<br> OKTA_AUDIENCE="api://default"<br> OKTA_SCOPE="items"</code><br> </p> <h3> Step 5 </h3> <p>Now go to 'Security' -&gt; 'API' shown below:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fts27wqi0ndy1r9nytsau.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fts27wqi0ndy1r9nytsau.png" alt="Image description" width="800" height="529"></a><br> Note that values for Audience and Issuer URI are in .env file.</p> <h3> Step 6 </h3> <p>Click on the edit icon you should see something like this:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh66p8dilmrnj0f12y94u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh66p8dilmrnj0f12y94u.png" alt="Image description" width="800" height="567"></a></p> <h3> Step 7 </h3> <p>Try the 'Metadata URI' in a new tab in you web browser to see something like:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zzqizbwsayqfcwdjd50.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zzqizbwsayqfcwdjd50.png" alt="Image description" width="746" height="349"></a></p> <h3> Step 8 </h3> <p>Click 'Scopes' -&gt; 'Add Scope'<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flr2kmr2njvxrx1sc3rgz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flr2kmr2njvxrx1sc3rgz.png" alt="Image description" width="800" height="227"></a></p> <h3> Step 9 </h3> <p>Add a scope such as what is shown below:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofusyayh5tdaunblyt42.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofusyayh5tdaunblyt42.png" alt="Image description" width="728" height="742"></a></p> <h3> Step 10 </h3> <p>Complete the .env file with the correct information including replacing <code>{oktaDomain}</code> with your okta domain and having the correct value for <code>OKTA_SCOPE="items"</code>, if you changed yours that is and note that OKTA_SCOPE is important for remote validation.</p> <h2> Python Code </h2> <p>You can find the final code for this here <a href="https://github.com/pbaletkeman/litestarOKTA">https://github.com/pbaletkeman/litestarOKTA</a>.</p> <p>Large segments of this code came from <a href="https://docs.litestar.dev/latest/usage/security/jwt.html">https://docs.litestar.dev/latest/usage/security/jwt.html</a>.<br> To learn more about Litestar security go here <a href="https://docs.litestar.dev/latest/usage/security/index.html">https://docs.litestar.dev/latest/usage/security/index.html</a></p> <p>Download the files to your local system and copy them to your Python project directory.</p> <h3> Step 11 </h3> <p>Install the required Python libraries using<br> </p> <p><code>pip install -r requirements.txt</code><br> </p> <p>Note, that this includes all of litestar[full] which may be more than you need.</p> <h3> Step 12 </h3> <p>Libraries of note:</p> <ul> <li> <code>base64</code> is used to encode your <code>client id</code> and <code>client secret</code> </li> <li> <code>httpx</code> is used to connect to the OKTA server and return the JWT token</li> <li> <code>okta_jwt.jwt</code> is used to validate the JWT token locally, which is quicker, but less secure than JWT token validation on the OKTA server</li> <li> <code>starlette.config</code> is used to import the .env file into your application, you may want to use <code>python-dotenv</code> instead</li> </ul> <h3> Step 13 </h3> <p>In this sample project we only ever will have one user/account which means that we can do this<br> <br> <code>API_USER_DB: dict[str, OAuthSchema] = {}</code><br> <br> but if you have more than one account you should rethink how your database of users is stored.</p> <h3> Step 14 </h3> <p>This project includes a method for local JWT token validation, but it is not used, the remote JWT token validate is used instead.<br> Remote validation is more secure, takes longer and increases system resource usage as this makes a call to the <a href="https://developer.okta.com/docs/reference/api/oidc/#introspect">Introspection</a> endpoint.<br> The local validation method is <code>def validate(token: str) -&gt; bool:</code> and the remote validation method is <code>def validate_remote(token: str) -&gt; bool:</code></p> <h2> Notes </h2> <h4> Note 1 </h4> <p>When running this project you should have the following endpoints:</p> <ul> <li>/login <ul> <li>uses Authorization header to login</li> </ul> </li> <li>/form-login <ul> <li>uses data from HTML Form to login</li> </ul> </li> <li>/json-login <ul> <li>uses data from JSON body to login</li> </ul> </li> </ul> <p>as shown below:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgujinm6u6o9mx95a8vju.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgujinm6u6o9mx95a8vju.png" alt="Image description" width="496" height="297"></a><br> Each endpoint has it's purpose and it's up to you to choose the appropriate one.</p> <h4> Note 2 </h4> <p>In <code>json_login_handler</code> and <code>form_login_handler</code> there is some funky magic happening here:<br> </p> <p><code>auth_header = 'Basic ' + str(base64.b64encode((data.client_id + ':' + data.client_secret).encode('ascii')))[2:-1]</code><br> </p> <p>To get the token we must send a authorization header of 'basic' a base 64 encoded version of the username:password. However Python prepends the letter "b" and then surrounds the value with a single quote which is why we are using [2:-1]</p> tutorial python api security