Secure Microservices with OAuth 2.0 and JWT

Learning objectives

  • What are OAuth 2.0 and JWT.

  • Create the Client Account

  • Create a route with OAuth 2.0 authentication.

  • Test the route with OAuth 2.0 to validate the permission.

Prerequisites

  • Docker installed and the daemon is running on your computer.

  • Curl installed on your computer.

Start Demo Microservice

We can reuse the movie-api docker container we created from the Tribestream quickstart guide. To start movie-api execute the following command:

docker start movie-api

If this is the first time you run movie-api, open a terminal and execute the following command:

docker run -d -p 9090:9090 --name movie-api  tomitribedev/movie-api

We can validate that our microservice is up and running by executing the following command:

curl -i http://localhost:9090/movie-api/api/movies

You should be able to see the movie-api microservice output:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 907
ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8"
Date: Wed, 04 Jul 2018 11:16:42 GMT
Connection: keep-alive

[{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]

Run Tribestream API Gateway

We can reuse the TAG docker container we created from the Tribestream quickstart guide. To start TAG execute the following command:

docker start tag

If this is the first time you run TAG, open a terminal and execute the command that matches your operating system:

For linux:

docker run --net="host" -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway

For OSX:

docker run -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway

TAG is ready when the following lines appear in the TAG log:

INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-bio-8009"]
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18348 ms

What is OAuth 2.0

OAuth 2.0 is an open standard for authorization. It lets a client application access server resources on behalf of a specific Resource Owner, and it lets that owner grant a third party limited access to those resources without handing over their credentials.

Tribestream API Gateway can enforce this authorization in front of the microservice. Acting as the OAuth 2.0 Authorization Server, TAG issues an access token to the client application on behalf of the Resource Owner. The client presents that token on each subsequent API call, and the protected endpoints accept or reject the request based on the token rather than on the owner's password.

What is JSON Web Token (JWT)

A JWT is a compact, JSON-based security token format: a header, a set of claims (the payload) and a signature, each base64url-encoded and joined with dots. Because the issuer signs the claims, identity and authorization information can be carried across security domains and verified by the receiving party without a call back to the issuer.

OAuth 2.0 access tokens grant access to specific resources for a limited period of time. They let a user give a third-party application access to their endpoints without sharing all of their data and permissions, and without sharing their credentials at all. When the access token is a JWT, the gateway can check its signature and expiry locally before it forwards the request.

Login into TAG

Open a browser and navigate to: http://localhost:8080/tag

Log in to the TAG dashboard using the default credentials: username admin, password admin. These defaults are fine for a throwaway demo, but change them on any installation that will stay running.

Create the Client account

To create the client account that the client application will use to authenticate and obtain tokens for the deployed microservice, follow these steps: click the Accounts option to navigate to the Accounts page, click the Plus button on the upper right side and select Account. Create a new Account with the username movieapp and the following data, and make sure you enable the Create another check box before clicking the Save button.

From the Accounts page, click on movieapp account to open the account detail page.

Click the button on the upper right side and select Add Client Secret from the menu. In the Add Client Secret modal window, type tomitribe as the client secret, select the OAuth2 Profile as the profile and then click the Save button. A real client secret should be a long random value kept out of source control; tomitribe is used here only so the later test steps are easy to type.

To create the accounts ALICE and BOB, either follow step 4 of the TAG Quickstart or execute the following curl commands. The Authorization header carries admin:admin in Base64, the same default credentials used to log in to the dashboard. Note that --insecure only affects TLS and does nothing here because TAG is reached over plain http; do not carry it over to a TLS-protected gateway, since it disables certificate verification.

curl -v -X POST http://localhost:8080/tag/api/account/ --insecure \
  --header 'accept: application/json' \
  --header 'authorization: Basic YWRtaW46YWRtaW4=' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  -d '{"username": "bob","email": "[email protected]","displayName": "Bob","roles": [{"displayName": "user","name": "user","id": "user"}],"credentials": {"password": {"active": true,"value": "superpassword","createdDate": "2018-04-29T20:22:01Z"}}}'

curl -v -X POST http://localhost:8080/tag/api/account/ --insecure \
  --header 'accept: application/json' \
  --header 'authorization: Basic YWRtaW46YWRtaW4=' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  -d '{"username": "alice","email": "[email protected]","displayName": "Alice","roles": [{"displayName": "administrator","name": "administrator","id": "usadministrator"}],"credentials": {"password": {"active": true,"value": "supersecret","createdDate": "2018-04-29T20:22:01Z"}}}'

Create a route that uses the OAuth2 Security Profile

From the Dashboard page, click the Routes option to navigate to the Routes page. Click the Plus button on the upper right side and select MOD_REWRITE ROUTE.

In the MOD_REWRITE textarea put the rule that matches your operating system. The pattern captures everything after /oauth2-endpoint and appends it to the upstream movie-api URL; P proxies the request to that URL, NE keeps the captured part from being re-escaped, and the auth flag ties the route to the security profile selected below.

For Linux:

RewriteRule "^/oauth2-endpoint(.*)$" "http://localhost:9090/movie-api/api/movies$1" [P,NE,auth]

For OSX:

RewriteRule "^/oauth2-endpoint(.*)$" "http://host.docker.internal:9090/movie-api/api/movies$1" [P,NE,auth]

For Security Profile select OAuth2 Profile, and for roles use administrator, the role assigned to alice above. Only accounts holding that role will be allowed through this route.

Calling the endpoint

We can test the behavior of the TAG configuration directly from the Route screen. Click the button and select Test. This opens the Test Routes screen. In the Test Routes screen set the Resource URL to /oauth2-endpoint.

Add OAuth authentication by clicking the button and selecting the Add OAuth 2.0 option. Scroll down to the OAuth2 section and enter alice as the Username with the password supersecret. For the Client Id enter movieapp with the Client Secret tomitribe. This is the OAuth 2.0 resource owner password credentials grant: the client authenticates with its id and secret, the resource owner with username and password, and TAG returns an access token that the test screen then sends as a Bearer token to the route.

When done, hit the Test button. If everything was set up correctly, you should get a 200 OK in the Response from Tribestream Gateway in the Result section.

Calling the same route as bob returns a 403 instead. bob has a valid account and obtains a valid token, but only users with the administrator role may call this endpoint, and bob only holds the user role. To confirm this, in the OAuth2 section enter bob as the Username with the password superpassword, keeping movieapp as the Client Id and tomitribe as the Client Secret, and hit Test again.
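The following script is an added example, not Tribestream code, that models the two decisions described above (the JWT section and the alice/bob test): the gateway matches the request against the RewriteRule pattern, verifies the Bearer token's signature and expiry, and then compares the token's roles with the role required by the route. Everything about the token format is an assumption made for the demo: tokens are HS256 JWTs carrying a roles claim, signed with a constructed shared key; TAG's real tokens, claim names and key management may differ. The alice and bob tokens are minted locally so the script runs offline.

```python
"""Toy model of an API gateway in front of the /oauth2-endpoint route.

Added example for this tutorial, not Tribestream code. Assumptions (not from
the page): access tokens are HS256 JWTs with a 'roles' claim, signed with the
constructed key below. A real gateway would use a managed key and may use RSA.
"""
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed demo key; never hard-code a signing key in production code.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# The route from the tutorial: rewrite pattern, upstream target and required role.
ROUTE_PATTERN = re.compile(r"^/oauth2-endpoint(.*)$")
ROUTE_TARGET = "http://localhost:9090/movie-api/api/movies{}"
ROUTE_ROLES = {"administrator"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, roles: list, ttl: int = 3600, now: int = None) -> str:
    """Mint header.payload.signature, as a token endpoint would after a successful
    resource owner password grant for this user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int = None) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def tamper_roles(token: str, roles: list) -> str:
    """Rewrite the roles claim without re-signing: what bob might try. The old
    signature no longer covers the new payload, so verification fails."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["roles"] = roles
    return header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


def gateway(path: str, authorization: str, now: int = None) -> tuple:
    """Decide what the gateway does with a request: (status, upstream URL or None)."""
    match = ROUTE_PATTERN.match(path)
    if not match:
        return 404, None
    if not authorization.startswith("Bearer "):
        return 401, None
    try:
        claims = verify_token(authorization[len("Bearer "):], now)
    except ValueError:
        return 401, None  # bad or expired token: not authenticated
    if not ROUTE_ROLES & set(claims.get("roles", [])):
        return 403, None  # authenticated, but lacks the administrator role
    return 200, ROUTE_TARGET.format(match.group(1))


if __name__ == "__main__":
    alice = issue_token("alice", ["administrator"])
    bob = issue_token("bob", ["user"])
    print("alice:", gateway("/oauth2-endpoint/1", "Bearer " + alice))
    print("bob:  ", gateway("/oauth2-endpoint", "Bearer " + bob))
    print("bob, forged roles:", gateway("/oauth2-endpoint", "Bearer " + tamper_roles(bob, ["administrator"])))
```

The point of the last call is the difference between the two failure codes seen in the tutorial: a request with no usable token is refused as unauthenticated (401), while bob's genuine token is accepted as authentication but refused authorization (403) because the role check fails. Forging the roles claim does not turn bob into an administrator; it only breaks the signature and demotes him to 401.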

Stop Tribestream API Gateway and Demo Microservice

Since both TAG and the microservice were started with specific container names, you can stop them from the command line with the following commands.

Stopping TAG

docker stop tag

Stopping the microservice

docker stop movie-api