The latest articles on Forem by Pete Letkeman (@pbaletkeman). https://forem.com/pbaletkeman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1234322%2Fee63d7e8-0339-4890-8e4b-ca26dfa04662.png https://forem.com/pbaletkeman en Pete Letkeman Sat, 24 Jan 2026 01:18:09 +0000 https://forem.com/pbaletkeman/ai-powered-resume-generator-architecture-implementation-2748 https://forem.com/pbaletkeman/ai-powered-resume-generator-architecture-implementation-2748 <h1> Building an AI-Powered Resume Generator: Architecture &amp; Implementation </h1> <h2> Overview </h2> <p>I've been working on a full-stack application that leverages LLMs to generate polished, professional resume content. This post is a technical walkthrough of the architecture, integration points, and key implementation details.</p> <p><strong>Tech Stack:</strong></p> <ul> <li> <strong>Backend:</strong> Java 21, Spring Boot 3.x, Gradle</li> <li> <strong>Frontend:</strong> React 19, TypeScript, Vite</li> <li> <strong>LLM Integration:</strong> OpenAI API / Ollama (OpenAI-compatible endpoint)</li> <li> <strong>Data Format:</strong> JSON-driven resume model</li> <li> <strong>Build Tooling:</strong> Gradle (backend), Node (frontend)</li> </ul> <p>Repository: <a href="https://github.com/pbaletkeman/java-resumes" rel="noopener noreferrer">https://github.com/pbaletkeman/java-resumes</a></p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ │ React UI │ │ (TypeScript)│ └──────┬──────┘ │ HTTP/REST ↓ ┌─────────────────────────────────┐ │ Spring Boot REST API │ │ (Java 21, Gradle 8.10) │ │ │ │ ├─ ResumeController │ │ ├─ FilesStorageService │ │ └─ ApiService (LLM gateway) │ └──────────┬──────────────────────┘ │ ┌────┴─────┐ ↓ ↓ ┌────────┐ ┌────────────┐ │ Ollama │ │ OpenAI API │ │(local) │ │ (cloud) │ └────────┘ └────────────┘ </code></pre> </div> <h2> Key Components &amp; Design Decisions </h2> <h3> 1. <strong>REST API Layer (Spring Boot)</strong> </h3> <p>The backend exposes endpoints for:</p> <ul> <li> <strong>File uploads</strong> (multipart/form-data)</li> <li> <strong>Resume optimization</strong> (async background processing)</li> <li> <strong>File retrieval</strong> (results polling)</li> <li> <strong>File management</strong> (list, download, delete)</li> </ul> <p><strong>Key Endpoint Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@PostMapping</span><span class="o">(</span><span class="n">path</span> <span class="o">=</span> <span class="s">"/api/upload"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">ResponseMessage</span><span class="o">&gt;</span> <span class="nf">optimizeResume</span><span class="o">(</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"optimize"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">optimizeJson</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"resume"</span><span class="o">)</span> <span class="nc">MultipartFile</span> <span class="n">resume</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"job"</span><span class="o">)</span> <span class="nc">MultipartFile</span> <span class="n">job</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Validate inputs</span> <span class="k">if</span> <span class="o">(</span><span class="n">resume</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">()</span> <span class="o">||</span> <span class="n">job</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">BAD_REQUEST</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="k">new</span> <span class="nc">ResponseMessage</span><span class="o">(</span><span class="s">"No file/invalid file provided"</span><span class="o">));</span> <span class="o">}</span> <span class="c1">// Spawn background thread for LLM processing (non-blocking)</span> <span class="nc">Thread</span> <span class="n">thread</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Thread</span><span class="o">(</span><span class="k">new</span> <span class="nc">BackgroundResume</span><span class="o">(</span><span class="n">optimize</span><span class="o">,</span> <span class="n">root</span><span class="o">));</span> <span class="n">thread</span><span class="o">.</span><span class="na">start</span><span class="o">();</span> <span class="c1">// Return 202 Accepted immediately</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">ACCEPTED</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="k">new</span> <span class="nc">ResponseMessage</span><span class="o">(</span><span class="s">"generating"</span><span class="o">));</span> <span class="o">}</span> </code></pre> </div> <p><strong>Why this pattern?</strong></p> <ul> <li>LLM API calls are slow (2-30+ seconds)</li> <li>HTTP connections timeout if we wait for LLM</li> <li> <code>202 Accepted</code> signals async processing to the client</li> <li>Frontend polls <code>/api/files</code> until results appear</li> </ul> <h3> 2. <strong>Async Background Processing</strong> </h3> <p>The <code>BackgroundResume</code> class handles long-running operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">BackgroundResume</span> <span class="kd">implements</span> <span class="nc">Runnable</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">Optimize</span> <span class="n">optimize</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">root</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">run</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="c1">// 1. Load LLM configuration</span> <span class="nc">String</span> <span class="n">configStr</span> <span class="o">=</span> <span class="nc">Utility</span><span class="o">.</span><span class="na">readFileAsString</span><span class="o">(</span><span class="s">"config.json"</span><span class="o">);</span> <span class="nc">Config</span> <span class="n">config</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Gson</span><span class="o">().</span><span class="na">fromJson</span><span class="o">(</span><span class="n">configStr</span><span class="o">,</span> <span class="nc">Config</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="c1">// 2. Build LLM request</span> <span class="nc">ChatBody</span> <span class="n">chatBody</span> <span class="o">=</span> <span class="nc">ApiService</span><span class="o">.</span><span class="na">createChatBody</span><span class="o">(</span><span class="n">optimize</span><span class="o">);</span> <span class="c1">// 3. Call LLM (OpenAI-compatible API)</span> <span class="nc">LLMResponse</span> <span class="n">response</span> <span class="o">=</span> <span class="nc">ApiService</span><span class="o">.</span><span class="na">produceFiles</span><span class="o">(</span> <span class="n">optimize</span><span class="o">,</span> <span class="n">config</span><span class="o">.</span><span class="na">getEndpoint</span><span class="o">(),</span> <span class="n">config</span><span class="o">.</span><span class="na">getApikey</span><span class="o">(),</span> <span class="n">config</span><span class="o">.</span><span class="na">getModel</span><span class="o">()</span> <span class="o">);</span> <span class="c1">// 4. Save results (Markdown + PDF)</span> <span class="nc">FilesStorageService</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">getContent</span><span class="o">());</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Resume optimization completed"</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Background task failed: {}"</span><span class="o">,</span> <span class="n">e</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Why background threads instead of async/await?</strong></p> <ul> <li>Simple, synchronous model</li> <li>No need for reactive framework overhead</li> <li>Easy to reason about error handling</li> <li>Works well for moderate concurrency</li> </ul> <h3> 3. <strong>LLM Integration (OpenAI-Compatible API)</strong> </h3> <p>The <code>ApiService</code> class abstracts LLM provider differences:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApiService</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">LLMResponse</span> <span class="nf">produceFiles</span><span class="o">(</span> <span class="nc">Optimize</span> <span class="n">optimize</span><span class="o">,</span> <span class="nc">String</span> <span class="n">endpoint</span><span class="o">,</span> <span class="nc">String</span> <span class="n">apiKey</span><span class="o">,</span> <span class="nc">String</span> <span class="n">model</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="c1">// Build OpenAI-compatible request</span> <span class="nc">ChatBody</span> <span class="n">chatBody</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ChatBody</span><span class="o">();</span> <span class="n">chatBody</span><span class="o">.</span><span class="na">setModel</span><span class="o">(</span><span class="n">model</span><span class="o">);</span> <span class="n">chatBody</span><span class="o">.</span><span class="na">setMessages</span><span class="o">(</span><span class="n">createPrompt</span><span class="o">(</span><span class="n">optimize</span><span class="o">));</span> <span class="n">chatBody</span><span class="o">.</span><span class="na">setTemperature</span><span class="o">(</span><span class="n">optimize</span><span class="o">.</span><span class="na">getTemperature</span><span class="o">());</span> <span class="c1">// Send to LLM</span> <span class="nc">HttpClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">HttpClient</span><span class="o">.</span><span class="na">newHttpClient</span><span class="o">();</span> <span class="nc">String</span> <span class="n">jsonRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Gson</span><span class="o">().</span><span class="na">toJson</span><span class="o">(</span><span class="n">chatBody</span><span class="o">);</span> <span class="nc">HttpRequest</span> <span class="n">request</span> <span class="o">=</span> <span class="nc">HttpRequest</span><span class="o">.</span><span class="na">newBuilder</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="no">URI</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">endpoint</span> <span class="o">+</span> <span class="s">"/v1/chat/completions"</span><span class="o">))</span> <span class="o">.</span><span class="na">header</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">,</span> <span class="s">"Bearer "</span> <span class="o">+</span> <span class="n">apiKey</span><span class="o">)</span> <span class="o">.</span><span class="na">header</span><span class="o">(</span><span class="s">"Content-Type"</span><span class="o">,</span> <span class="s">"application/json"</span><span class="o">)</span> <span class="o">.</span><span class="na">POST</span><span class="o">(</span><span class="nc">HttpRequest</span><span class="o">.</span><span class="na">BodyPublishers</span><span class="o">.</span><span class="na">ofString</span><span class="o">(</span><span class="n">jsonRequest</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">HttpResponse</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">send</span><span class="o">(</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpResponse</span><span class="o">.</span><span class="na">BodyHandlers</span><span class="o">.</span><span class="na">ofString</span><span class="o">()</span> <span class="o">);</span> <span class="c1">// Parse response</span> <span class="nc">LLMResponse</span> <span class="n">llmResponse</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Gson</span><span class="o">().</span><span class="na">fromJson</span><span class="o">(</span> <span class="n">response</span><span class="o">.</span><span class="na">body</span><span class="o">(),</span> <span class="nc">LLMResponse</span><span class="o">.</span><span class="na">class</span> <span class="o">);</span> <span class="k">return</span> <span class="n">llmResponse</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Why OpenAI-compatible format?</strong></p> <ul> <li>Works with Ollama (local models)</li> <li>Works with OpenAI (cloud models)</li> <li>Works with Azure OpenAI, Together.ai, etc.</li> <li>Single integration code path</li> <li>Easy to swap providers</li> </ul> <p><strong>Configuration (config.json):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:11434"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apikey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ollama"</span><span class="p">,</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mistral:7b"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Frontend Architecture (React + TypeScript) </h2> <h3> Core Hook: <code>useApi</code> </h3> <p>Centralized API communication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">function</span> <span class="nf">useApi</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">error</span><span class="p">,</span> <span class="nx">setError</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">execute</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">fn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">any</span><span class="o">&gt;</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nf">setError</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">fn</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Unknown error</span><span class="dl">"</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">execute</span><span class="p">,</span> <span class="nx">loading</span><span class="p">,</span> <span class="nx">error</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> File Upload &amp; Polling Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">MainContentTab</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">execute</span><span class="p">,</span> <span class="nx">loading</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useApi</span><span class="p">();</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">generatedFiles</span><span class="p">,</span> <span class="nx">setGeneratedFiles</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">File</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">([]);</span> <span class="kd">const</span> <span class="nx">handleSubmit</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">formData</span><span class="p">:</span> <span class="nx">FormData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">execute</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// 1. Upload resume + job description</span> <span class="k">await</span> <span class="nx">fileService</span><span class="p">.</span><span class="nf">uploadForOptimization</span><span class="p">(</span><span class="nx">formData</span><span class="p">);</span> <span class="c1">// 2. Start polling for results</span> <span class="kd">let</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">attempts</span> <span class="o">&lt;</span> <span class="mi">60</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 5 minutes max</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">5000</span><span class="p">));</span> <span class="c1">// Poll every 5s</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fileService</span><span class="p">.</span><span class="nf">listFiles</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">newFiles</span> <span class="o">=</span> <span class="nx">files</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">f</span> <span class="o">=&gt;</span> <span class="nx">f</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">.pdf</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">f</span><span class="p">.</span><span class="nx">timestamp</span> <span class="o">&gt;</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">uploadTime</span><span class="dl">'</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">newFiles</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setGeneratedFiles</span><span class="p">(</span><span class="nx">newFiles</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="nx">attempts</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="c1">// UI for upload and display results</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why polling instead of WebSockets?</strong></p> <ul> <li>Simpler client/server contract</li> <li>Works through corporate proxies/firewalls</li> <li>No need for persistent connection</li> <li>Acceptable for batch processing workflows</li> </ul> <h2> Data Model: Optimize DTO </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Optimize</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">promptType</span><span class="o">;</span> <span class="c1">// ["Resume", "CoverLetter", "Skills"]</span> <span class="kd">private</span> <span class="kt">double</span> <span class="n">temperature</span><span class="o">;</span> <span class="c1">// 0.0-1.0 (creativity level)</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">model</span><span class="o">;</span> <span class="c1">// Model identifier from config</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">company</span><span class="o">;</span> <span class="c1">// Target company name</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">jobTitle</span><span class="o">;</span> <span class="c1">// Target job title</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">jobDescription</span><span class="o">;</span> <span class="c1">// Full job posting text</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">resume</span><span class="o">;</span> <span class="c1">// User's current resume</span> <span class="c1">// Getters/setters...</span> <span class="o">}</span> </code></pre> </div> <p>This DTO drives:</p> <ol> <li> <strong>Prompt construction</strong> - What content to generate</li> <li> <strong>LLM parameters</strong> - Temperature, model selection</li> <li> <strong>Output filtering</strong> - Which sections to include</li> </ol> <h2> Key Implementation Challenges &amp; Solutions </h2> <h3> Challenge 1: LLM Response Time </h3> <p><strong>Problem:</strong> API calls can take 10-30+ seconds<br> <strong>Solution:</strong></p> <ul> <li>Return <code>202 Accepted</code> immediately</li> <li>Process async in background thread</li> <li>Frontend polls for completion</li> </ul> <h3> Challenge 2: File Format Conversion </h3> <p><strong>Problem:</strong> LLM outputs plain text; need PDF with formatting<br> <strong>Solution:</strong></p> <ul> <li>Convert Markdown → HTML (CommonMark parser)</li> <li>Convert HTML → PDF (Flying Saucer library)</li> <li>Save both Markdown + PDF for flexibility</li> </ul> <h3> Challenge 3: Local vs Cloud LLM </h3> <p><strong>Problem:</strong> Different APIs for Ollama vs OpenAI<br> <strong>Solution:</strong></p> <ul> <li>Use OpenAI-compatible format (both support it)</li> <li>Config-driven endpoint selection</li> <li>Single integration point</li> </ul> <h3> Challenge 4: Test Isolation </h3> <p><strong>Problem:</strong> Tests failing due to state dependencies (file existence)<br> <strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@BeforeEach</span> <span class="kt">void</span> <span class="nf">setUp</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="nc">Path</span> <span class="n">uploadsPath</span> <span class="o">=</span> <span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"uploads"</span><span class="o">);</span> <span class="nc">Files</span><span class="o">.</span><span class="na">createDirectories</span><span class="o">(</span><span class="n">uploadsPath</span><span class="o">);</span> <span class="c1">// Create dummy files for delete tests, etc.</span> <span class="nc">Files</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">uploadsPath</span><span class="o">.</span><span class="na">resolve</span><span class="o">(</span><span class="s">"resume.pdf"</span><span class="o">),</span> <span class="s">"dummy"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">());</span> <span class="o">}</span> </code></pre> </div> <h2> Deployment Considerations </h2> <h3> Local Development </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Terminal 1: Start Ollama</span> ollama serve ollama pull mistral:7b <span class="c"># Terminal 2: Run backend</span> ./gradlew bootRun <span class="c"># Listens on :8080</span> <span class="c"># Terminal 3: Run frontend</span> <span class="nb">cd </span>frontend <span class="o">&amp;&amp;</span> npm run dev <span class="c"># Listens on :5173</span> </code></pre> </div> <h3> Cloud Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># application.properties </span><span class="py">server.port</span><span class="p">=</span><span class="s">8080</span> <span class="py">upload.path</span><span class="p">=</span><span class="s">/data/uploads</span> <span class="c"># Spring will detect OpenAI config from environment </span></code></pre> </div> <h2> Testing Strategy </h2> <p><strong>80%+ Coverage Target:</strong></p> <ol> <li> <strong>Controller Tests</strong> - HTTP layer with MockMvc</li> <li> <strong>Service Tests</strong> - Business logic, mocked LLM</li> <li> <strong>Integration Tests</strong> - Full request flow</li> <li> <strong>Model Tests</strong> - DTO serialization/validation </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./gradlew <span class="nb">test</span> <span class="c"># Run all tests</span> ./gradlew <span class="nb">test</span> <span class="nt">--tests</span> ClassName <span class="c"># Run specific test</span> ./gradlew checkstyleMain <span class="c"># Code quality (100% compliance)</span> </code></pre> </div> <h2> Performance &amp; Scalability Notes </h2> <ol> <li> <strong>Horizontal Scaling:</strong> Add more backend instances behind load balancer</li> <li> <strong>Rate Limiting:</strong> Implement per-user quotas for LLM API costs</li> <li> <strong>Caching:</strong> Cache LLM responses for identical inputs</li> <li> <strong>Async Queue:</strong> For high volume, use message queue (RabbitMQ, Kafka)</li> <li> <strong>File Storage:</strong> Consider cloud storage (S3, Azure Blob) vs local filesystem</li> </ol> <h2> ⚠️ Important Considerations </h2> <h3> LLM Hallucination Risk </h3> <p><strong>Critical:</strong> LLMs can generate plausible-sounding but inaccurate content. This includes:</p> <ul> <li>Fabricated job experiences</li> <li>Incorrect technical skills</li> <li>Made-up company names or achievements</li> <li>Dates and timelines that don't align with reality</li> </ul> <p><strong>Mitigation:</strong></p> <ul> <li> <strong>Always proofread generated content</strong> before using it</li> <li>Cross-check facts against source documents</li> <li>Verify all claims in the resume</li> <li>Consider this tool as a <strong>content enhancement tool</strong>, not a replacement for human review</li> <li>Use it to refine and polish verified information, not to generate unverified content</li> </ul> <h3> Processing Time </h3> <p><strong>Important:</strong> File generation is NOT instant:</p> <ul> <li> <strong>Local models (Ollama):</strong> 30 seconds to 5+ minutes depending on model size (7B models are faster, 13B+ models take longer)</li> <li> <strong>Cloud models (OpenAI):</strong> 5-30 seconds typically, but can vary with load</li> <li> <strong>Large job descriptions:</strong> Processing time increases with input size</li> <li> <strong>Network latency:</strong> Slower connections add to total time</li> </ul> <p><strong>Frontend Polling:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Default: polls every 5 seconds for up to 5 minutes (60 attempts)</span> <span class="c1">// For longer processing, increase attempts or polling interval</span> <span class="kd">let</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">attempts</span> <span class="o">&lt;</span> <span class="mi">60</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Adjust this for longer waits</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">5000</span><span class="p">));</span> <span class="c1">// 5 seconds</span> <span class="c1">// ... check for files</span> <span class="nx">attempts</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>User Experience:</strong></p> <ul> <li>Display a progress indicator during processing</li> <li>Show estimated wait time based on model selection</li> <li>Allow users to check back later via job ID</li> <li>Consider implementing email notifications when complete</li> </ul> <h2> Code Quality Standards </h2> <ul> <li> <strong>Checkstyle:</strong> 100% compliance (120 char line limit)</li> <li> <strong>Test Coverage:</strong> 80%+ target</li> <li> <strong>Java Version:</strong> Java 21 LTS with modern features</li> <li> <strong>Spring Boot:</strong> Version 3.5.1 with latest practices</li> </ul> <h2> What's Next? </h2> <p>Potential improvements:</p> <ul> <li>[ ] WebSocket support for real-time updates</li> <li>[ ] Template system for different resume formats</li> <li>[ ] Batch processing for multiple candidates</li> <li>[ ] Integration with LinkedIn/job boards</li> <li>[ ] A/B testing for LLM prompt optimization</li> <li>[ ] Cost analytics for OpenAI usage</li> </ul> <h2> Lessons Learned </h2> <ol> <li> <strong>Async by Default</strong> - HTTP endpoints should never block on slow operations</li> <li> <strong>Embrace Standards</strong> - OpenAI-compatible API is a superpower</li> <li> <strong>Simple Patterns &gt; Complex Frameworks</strong> - Background threads work great for this use case</li> <li> <strong>Test Independence</strong> - Always set up required state in @BeforeEach</li> <li> <strong>Config Over Code</strong> - Keep LLM provider flexible via configuration</li> </ol> <h2> Get Started </h2> <p><strong>Repository:</strong> <a href="https://github.com/pbaletkeman/java-resumes" rel="noopener noreferrer">https://github.com/pbaletkeman/java-resumes</a></p> <p><strong>Quick Start:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/pbaletkeman/java-resumes <span class="nb">cd </span>java-resumes ./gradlew clean build ./gradlew bootRun <span class="c"># Visit http://localhost:8080/spotlight/index.html</span> </code></pre> </div> <h2> Credits </h2> <p>Special thanks to <strong>Shaw Talebi</strong> for his excellent <a href="https://www.youtube.com/watch?v=R5WXaxmb6m4" rel="noopener noreferrer">tutorial on building resume optimization tools</a>, which served as the inspiration and starter foundation for this project.</p> <p>Have you built LLM integrations in Java? What patterns did you use? Drop a comment!</p> <p><strong>Discussion Topics:</strong></p> <ul> <li>Async patterns for LLM integrations</li> <li>Local vs cloud LLM trade-offs</li> <li>Resume optimization strategies</li> <li>Full-stack Java + React workflows</li> </ul> java ollama springboot llm Pete Letkeman Fri, 16 Feb 2024 22:09:18 +0000 https://forem.com/pbaletkeman/secure-python-litestar-site-with-openidoidc-using-okta-hosted-login-38nf https://forem.com/pbaletkeman/secure-python-litestar-site-with-openidoidc-using-okta-hosted-login-38nf <p>Here is a tutorial on how to setup <a href="https://www.okta.com">OKTA</a> as a OpenID/OIDC security provider for a site programmed in Python 3.11.x using <a href="https://www.litestar.dev">Litestar</a>.<br> This is done with 'Authorization Code flow'</p> <h4> About the Authorization Code grant </h4> <p>The Authorization Code flow is the recommended method for controlling access to web applications capable of securely storing secrets, see <a href="https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/">https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/</a></p> <h2> OKTA Setup </h2> <h3> Step 1 </h3> <div class="table-wrapper-paragraph"><table> <tr> <td> After you have created your OKTA account open `Applications` =&gt; `Applications` as seen on the right. </td> <td> <a href="https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t2oqsbt35lsghlo293ya.png"> <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft2oqsbt35lsghlo293ya.png" width="308" height="630"></a> </td> </tr> </table></div> <h3> Step 2 </h3> <p>Click <code>Create App Integration</code><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvzikq1c8p66ntdl8xp7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvzikq1c8p66ntdl8xp7.png" alt="Image description" width="800" height="236"></a></p> <h3> Step 3 </h3> <p>Choose <code>OIDC</code> - Open Connect with a description of<br> 'Token-based OAuth 2.0 authentication for Single Sign-On (SSO) through API endpoints. Recommended if you intend to build a custom app integration with the Okta Sign-In Widget.'<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7ire96qy769y2tc4o8z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx7ire96qy769y2tc4o8z.png" alt="Image description" width="800" height="703"></a></p> <p>And then choose <code>Web Application</code> with a description of <br> 'Server-side applications where authentication and tokens are handled on the server (for example, Go, Java, ASP.Net, Node.js, PHP)'</p> <p>And Click <code>Next</code></p> <h3> Step 4 </h3> <p>Checked the following (<em>may not matter</em>):</p> <ul> <li>Client Credentials</li> <li>Refresh Token</li> <li>Implicit (hybrid)</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6czzrrbq7lk411l3643i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6czzrrbq7lk411l3643i.png" alt="Image description" width="800" height="467"></a></p> <h3> Step 5 </h3> <p>Ensure that both <code>Sign-in redirect URIs</code> and <code>Sign-out redirect URIs (Optional) have the correct values</code>. By default Litestar brings up the web site on port 8000.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl1eaa565ocxxtwytxmu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl1eaa565ocxxtwytxmu.png" alt="Image description" width="800" height="261"></a></p> <h3> Step 6 </h3> <p>In <code>Assignments</code> select <code>Allow everyone in your organization to access</code>.<br> In <code>Enable immediate access (Recommended)</code> select <code>Enable immediate access with *Federation Broker Model*</code><br> Click <code>Save</code><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4pqduqiox4v6sb5hp8g6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4pqduqiox4v6sb5hp8g6.png" alt="Image description" width="800" height="369"></a></p> <h3> Step 7 </h3> <p>Create a text file named '<strong>.env</strong>' and from the <code>General</code> tab, copy both <code>Client ID</code> and <code>Client Secret</code> to the file to have something like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CLIENT_ID=your_client_id CLIENT_SECRET=your_client_secret OKTA_DOMAIN=dev-123456789.okta.com REDIRECT_URL=http://localhost:8000/authorization-code/callback OKTA_PROMPT=consent </code></pre> </div> <p>And provide the you value for <code>OKTA_DOMAIN</code>.<br><br> You do not to supply a value for <code>OKTA_PROMPT</code> or even include it if you choose not to. For more details about regarding this parameter see <a href="https://developer.okta.com/docs/reference/api/oidc/#parameter-details">https://developer.okta.com/docs/reference/api/oidc/#parameter-details</a>.<br> Using OKTA_PROMPT is very helpful when testing multiple user accounts.</p> <h2> Python Code </h2> <p>Github.com repository found here <a href="https://github.com/pbaletkeman/litestarOpenID">https://github.com/pbaletkeman/litestarOpenID</a></p> <p>Copy the .env file from the previous step to the root directory of your Python project.</p> <p>For the most part the code is well documented, however here are some notes:</p> <ul> <li>It uses Mako templates, <a href="https://www.makotemplates.org/">https://www.makotemplates.org/</a> </li> <li>/profile is not secured, and is used to show you JWT Bearer Token which is needed to access /read-items and other secure routes, this is set in the callback method</li> <li>More user properties are found in the <code>user_response</code> object located in the callback method</li> </ul> <h2> Additionality PKCE </h2> <p>You can use Authorization Code Grant with Proof Key for Code Exchange (PKCE) which you can read about here:<br> <a href="https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/#about-the-authorization-code-grant-with-pkce">https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/#about-the-authorization-code-grant-with-pkce</a>.</p> <p>To enforce PKCE you will have to select 'Require PKCE as additional verification' as seen in the image below.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4o3728k2cl5hdxh69mu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4o3728k2cl5hdxh69mu.png" alt="Image description" width="753" height="403"></a><br> You can still use PKCE without requiring it.</p> <p>Here is the Python code for this,<br> <a href="https://github.com/pbaletkeman/okta-litestar-oidc-pkce">https://github.com/pbaletkeman/okta-litestar-oidc-pkce</a><br> Which is a lot like the none PKCE code.<br> Note that the following have been added/changed:</p> <p>lines: 181, 182, 192, 193<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'code_challenge': code_challenge, 'code_challenge_method': 'S256', </code></pre> </div> <p>line: 231<br> <code>query_params = {'grant_type': 'authorization_code', 'code': code,</code></p> <p>line: 185, 197 <br> And the <code>response_mode</code> has been changed from 'query' to 'form_post' which tells OKTA to send the data as a form post instead of using the query string. Query string is still valid and can be used if you choose to.</p> tutorial python security programming Pete Letkeman Sat, 10 Feb 2024 20:08:09 +0000 https://forem.com/pbaletkeman/secure-litestar-apis-with-okta-570l https://forem.com/pbaletkeman/secure-litestar-apis-with-okta-570l <p>I borrowed a lot from <a href="https://developer.okta.com/blog/2020/12/17/build-and-secure-an-api-in-python-with-fastapi">https://developer.okta.com/blog/2020/12/17/build-and-secure-an-api-in-python-with-fastapi</a> thanks to <a href="https://developer.okta.com/blog/authors/karl-hughes/">Karl Hughes</a> for this article.</p> <p>Litestar framework for Python 3.x creating APIs.<br> For more information about Litestar visit <a href="https://litestar.dev/">https://litestar.dev/</a></p> <h2> OKTA Setup </h2> <h3> Step 1 </h3> <p>After creating a developer account with okta click 'Applications' then 'Create App Integration' as shown in the image<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5n3pswjhkulldplf9f5t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5n3pswjhkulldplf9f5t.png" alt="Image description" width="790" height="334"></a></p> <h3> Step 2 </h3> <p>Choose 'API Services' with a description of<br> 'Interact with Okta APIs using the scoped OAuth 2.0 access tokens for machine-to-machine authentication.'<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvchz84nydn97hs2qcqbt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvchz84nydn97hs2qcqbt.png" alt="Image description" width="800" height="463"></a></p> <h3> Step 3 </h3> <p>Give the integration a name<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu47f1u2gbkf5g3w55e5i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu47f1u2gbkf5g3w55e5i.png" alt="Image description" width="800" height="233"></a>Result Screen<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjdcun93vr6utbvggl65.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjdcun93vr6utbvggl65.png" alt="Image description" width="765" height="632"></a></p> <h3> Step 4 </h3> <p>In the directory for the Python project create a file named .env with the following:<br> </p> <p><code>OKTA_CLIENT_ID=Value From The Previous Step<br> OKTA_CLIENT_SECRET=Value From The Previous Step<br> OKTA_ISSUER="{oktaDomain}/oauth2/default"<br> OKTA_TOKEN="{oktaDomain}/oauth2/default/v1/token"<br> OKTA_INTROSPECTION="{oktaDomain}/oauth2/default/v1/introspect"<br> OKTA_AUDIENCE="api://default"<br> OKTA_SCOPE="items"</code><br> </p> <h3> Step 5 </h3> <p>Now go to 'Security' -&gt; 'API' shown below:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fts27wqi0ndy1r9nytsau.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fts27wqi0ndy1r9nytsau.png" alt="Image description" width="800" height="529"></a><br> Note that values for Audience and Issuer URI are in .env file.</p> <h3> Step 6 </h3> <p>Click on the edit icon you should see something like this:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh66p8dilmrnj0f12y94u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh66p8dilmrnj0f12y94u.png" alt="Image description" width="800" height="567"></a></p> <h3> Step 7 </h3> <p>Try the 'Metadata URI' in a new tab in you web browser to see something like:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zzqizbwsayqfcwdjd50.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zzqizbwsayqfcwdjd50.png" alt="Image description" width="746" height="349"></a></p> <h3> Step 8 </h3> <p>Click 'Scopes' -&gt; 'Add Scope'<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flr2kmr2njvxrx1sc3rgz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flr2kmr2njvxrx1sc3rgz.png" alt="Image description" width="800" height="227"></a></p> <h3> Step 9 </h3> <p>Add a scope such as what is shown below:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofusyayh5tdaunblyt42.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofusyayh5tdaunblyt42.png" alt="Image description" width="728" height="742"></a></p> <h3> Step 10 </h3> <p>Complete the .env file with the correct information including replacing <code>{oktaDomain}</code> with your okta domain and having the correct value for <code>OKTA_SCOPE="items"</code>, if you changed yours that is and note that OKTA_SCOPE is important for remote validation.</p> <h2> Python Code </h2> <p>You can find the final code for this here <a href="https://github.com/pbaletkeman/litestarOKTA">https://github.com/pbaletkeman/litestarOKTA</a>.</p> <p>Large segments of this code came from <a href="https://docs.litestar.dev/latest/usage/security/jwt.html">https://docs.litestar.dev/latest/usage/security/jwt.html</a>.<br> To learn more about Litestar security go here <a href="https://docs.litestar.dev/latest/usage/security/index.html">https://docs.litestar.dev/latest/usage/security/index.html</a></p> <p>Download the files to your local system and copy them to your Python project directory.</p> <h3> Step 11 </h3> <p>Install the required Python libraries using<br> </p> <p><code>pip install -r requirements.txt</code><br> </p> <p>Note, that this includes all of litestar[full] which may be more than you need.</p> <h3> Step 12 </h3> <p>Libraries of note:</p> <ul> <li> <code>base64</code> is used to encode your <code>client id</code> and <code>client secret</code> </li> <li> <code>httpx</code> is used to connect to the OKTA server and return the JWT token</li> <li> <code>okta_jwt.jwt</code> is used to validate the JWT token locally, which is quicker, but less secure than JWT token validation on the OKTA server</li> <li> <code>starlette.config</code> is used to import the .env file into your application, you may want to use <code>python-dotenv</code> instead</li> </ul> <h3> Step 13 </h3> <p>In this sample project we only ever will have one user/account which means that we can do this<br> <br> <code>API_USER_DB: dict[str, OAuthSchema] = {}</code><br> <br> but if you have more than one account you should rethink how your database of users is stored.</p> <h3> Step 14 </h3> <p>This project includes a method for local JWT token validation, but it is not used, the remote JWT token validate is used instead.<br> Remote validation is more secure, takes longer and increases system resource usage as this makes a call to the <a href="https://developer.okta.com/docs/reference/api/oidc/#introspect">Introspection</a> endpoint.<br> The local validation method is <code>def validate(token: str) -&gt; bool:</code> and the remote validation method is <code>def validate_remote(token: str) -&gt; bool:</code></p> <h2> Notes </h2> <h4> Note 1 </h4> <p>When running this project you should have the following endpoints:</p> <ul> <li>/login <ul> <li>uses Authorization header to login</li> </ul> </li> <li>/form-login <ul> <li>uses data from HTML Form to login</li> </ul> </li> <li>/json-login <ul> <li>uses data from JSON body to login</li> </ul> </li> </ul> <p>as shown below:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgujinm6u6o9mx95a8vju.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgujinm6u6o9mx95a8vju.png" alt="Image description" width="496" height="297"></a><br> Each endpoint has it's purpose and it's up to you to choose the appropriate one.</p> <h4> Note 2 </h4> <p>In <code>json_login_handler</code> and <code>form_login_handler</code> there is some funky magic happening here:<br> </p> <p><code>auth_header = 'Basic ' + str(base64.b64encode((data.client_id + ':' + data.client_secret).encode('ascii')))[2:-1]</code><br> </p> <p>To get the token we must send a authorization header of 'basic' a base 64 encoded version of the username:password. However Python prepends the letter "b" and then surrounds the value with a single quote which is why we are using [2:-1]</p> tutorial python api security