Learning objectives
What are OAuth 2.0 and JWT.
Create the Client Account
Create a route with OAuth 2.0 authentication.
Test the route with OAuth 2.0 to validate the permission.
Prerequisites
Docker installed and the daemon is running on your computer.
Curl installed on your computer.
We can reuse the movie-api docker container we created in the Tribestream quickstart guide. To start movie-api, execute the following command:
docker start movie-api
If this is the first time you run movie-api, open a terminal and execute the following command:
docker run -d -p 9090:9090 --name movie-api tomitribedev/movie-api
We can validate that our microservice is up and running by executing the following command:
curl -i http://localhost:9090/movie-api/api/movies
You should be able to see the movie-api microservice output:
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 907
ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8"
Date: Wed, 04 Jul 2018 11:16:42 GMT
Connection: keep-alive
[{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]
We can reuse the TAG docker container we created in the Tribestream quickstart guide. To start TAG, execute the following command:
docker start tag
If this is the first time you run TAG, open a terminal and execute the following command according to your operating system:
For linux:
docker run --net="host" -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway
For OSX:
docker run -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway
TAG is fully started when you see the following messages in the TAG log:
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-bio-8009"]
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18348 ms
OAuth is an open standard for authorization that enables client applications to access server resources on behalf of a specific Resource Owner, and that lets the owner grant limited third-party access to those resources without sharing their credentials.
Tribestream API Gateway can be used to apply this authorization. The server issues tokens to client applications on behalf of a Resource Owner; the client then presents the token to authenticate its subsequent API calls to the endpoint, so protected endpoints accept or reject protected resource requests based on the access token.
A JWT is a JSON-based security token encoding that enables identity and security information to be shared across security domains.
OAuth access tokens grant access to specific resources for a specific period of time. This lets users give third-party applications access to their endpoints without sharing all of their data and access permissions.
Open a browser and navigate to: http://localhost:8080/tag
Log in to the TAG dashboard using the following credentials: username: admin, password: admin
To create the client account we are going to use to authenticate and authorize the deployed microservices, follow the next steps:
Click on the Accounts option to navigate to the Accounts page, click the Plus button on the upper right side and select Account. Create a new Account with the following data and make sure you enable the Create another check box before clicking the Save button.
From the Accounts page, click on the movieapp account to open the account detail page.
Click the … button on the upper right side and select Add Client Secret from the menu. In the Add Client Secret modal window, type tomitribe as the client secret, select the profile OAuth2 Profile and then click the Save button.
To create the accounts ALICE and BOB, please see step 4 of the TAG Quickstart, or just execute the following curl commands:
curl -v -X POST http://localhost:8080/tag/api/account/ --insecure --header 'accept: application/json' --header 'authorization: Basic YWRtaW46YWRtaW4=' --header 'cache-control: no-cache' --header 'content-type: application/json' -d '{"username": "bob","email": "[email protected]","displayName": "Bob","roles": [{"displayName": "user","name": "user","id": "user"}],"credentials": {"password": {"active": true,"value": "superpassword","createdDate": "2018-04-29T20:22:01Z"}}}'
curl -v -X POST http://localhost:8080/tag/api/account/ --insecure --header 'accept: application/json' --header 'authorization: Basic YWRtaW46YWRtaW4=' --header 'cache-control: no-cache' --header 'content-type: application/json' -d '{"username": "alice","email": "[email protected]","displayName": "Alice","roles": [{"displayName": "administrator","name": "administrator","id": "usadministrator"}],"credentials": {"password": {"active": true,"value": "supersecret","createdDate": "2018-04-29T20:22:01Z"}}}'
From the Dashboard page, click on the Routes option to navigate to the Routes page. Click the Plus button on the upper right side and select MOD_REWRITE ROUTE.
For the MOD_REWRITE textarea put:
For Linux:
RewriteRule "^/oauth2-endpoint(.*)$" "http://localhost:9090/movie-api/api/movies$1" [P,NE,auth]
For OSX:
RewriteRule "^/oauth2-endpoint(.*)$" "http://host.docker.internal:9090/movie-api/api/movies$1" [P,NE,auth]
For Security Profile select OAuth2 Profile, and for roles use Administrator.
We can test the behavior of the TAG configuration directly from the Route screen. Click the … button and select Test. This will open the Test Routes screen. In the Test Routes screen set the Resource URL to /oauth2-endpoint.
Add OAuth authentication by clicking the … button and selecting the Add OAuth 2.0 option. Scroll down to the OAuth2 section and enter alice as the Username with the password supersecret. For the Client Id enter movieapp with Client Secret tomitribe.
When done, hit the Test button. If everything was set up correctly, you should get a 200 OK in the Response from Tribestream Gateway in the Result section.
If you call the endpoint as the user Bob, it should return a 403. That is because bob does not have permission to call the endpoint: only a user with the Administrator role is able to call it. To verify this, in the OAuth2 section enter bob as the Username with the password superpassword. For the Client Id enter movieapp with Client Secret tomitribe.