OAuth2 with JWT and LDAP Account Source


Learning objectives

  • Authenticate users with the Tribestream API Gateway

  • Use an external LDAP as identity store


Build the project

You will need to checkout the source locally and then build the project. Here are the steps

git clone https://github.com/tomitribe/oauth2-jwt-ldap-account-source.git
cd oauth2-jwt-custom-claims

Creating an LDAP

The first thing is to make sure we have an LDAP to authenticate against. The API Gateway will be configured to connect to this LDAP.

docker run --restart=always -p 389:389 --env LDAP_ORGANISATION="superbiz.com" --env LDAP_DOMAIN="superbiz.com" --env LDAP_ADMIN_PASSWORD="secret" \
--volume `pwd`/src/main/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom \
--detach --name ldap osixia/openldap:1.1.9 --copy-service

Starting the Tribestream API Gateway

In order to work, this application requires an STS (Secure Token Service) capable of generating signed JWT tokens. This is what the Tribestream API Gateway is about. It’s also capable of doing routing and while enforcing permissions. If you want to know more, check out the website at https://tribestream.io

The best and simplest way to start the API Gateway is to use Docker as follow

docker run --rm -it --name tag -e LICENSE=accept -e CASSANDRA_EMBEDDED=true -p 8080:8080 tomitribe/tribestream-api-gateway:latest

Once the Tribestream API Gateway is up and running, you can connect to the console with the following URL http://localhost:8080/tag/

Populating and configuring the Tribestream API Gateway

To ease configuration, this project comes with necessary configuration and scripts to load the configuration of the API Gateway. You can also navigate through the UI and do it your self.

But as a faster solution, run the following commands

cd src/main/scripts
you need to make sure you first started the API Gateway with the previous step.

Starting the movie chat application

Next step consists in starting the demo application. From the project root directory, run the following command.

mvn clean install -DskipTests tomee:run

It should start on port 8181 so it does not clash with the Gateway So what you need is to open a browser and navigate to http://localhost:8181/moviefun/

There are 4 accounts created with the import scripts (See step 2).

  • alex/password with create, update and delete role

  • john/password with create role

  • nick/password with delete role

  • mark/password with update role

As soon as you get in the application using one of these accounts, checkout the HTTP requests from the application to the remote server. If you are using the Chrome browser, you can open up the developer tools.

Authenticating using LDAP credentials

Now that everything is up and running, you can now use one of the accounts from the system or use any account from LDAP. Best way to see it is to try it!

Use alex/password credentials to login using system accounts defined in the Tribestream API Gateway. Use ana/password to use an LDAP account.