Secure Microservices with OAuth 2.0 and JWT

Learning objectives

  • Basics of OAuth 2.0

  • Introduction to JSON Web Token (JWT)

  • How to secure a microservice with the Tribestream API Gateway (TAG)

Prerequisites

  • Docker installed and running.

  • Curl installed.

Run Docker Containers

Before digging into OAuth2 using TAG you need run the docker containers of the Movies Microservice and TAG.

Run the Movies Microservice container

If you went through the Tribestream Quickstart Guide you can reuse the movie-api docker container. To start the movie-api execute the following command:

docker start movie-api

However, if this is the first time you hear about the movie-api, open the terminal and execute the following command.

docker run -d -p 9090:9090 --name movie-api  tomitribedev/movie-api

You can validate that the microservice is up and running by executing the command below:

curl -i http://localhost:9090/movie-api/api/movies

You should be able to see the movie-api microservice output:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 907
ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8"
Date: Wed, 04 Jul 2018 11:16:42 GMT
Connection: keep-alive

[{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John
Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]%

Run the Tribestream API Gateway (TAG) container

If you went through the Tribestream Quickstart Guide you can reuse the TAG docker container. To start TAG execute the following command:

docker start tag

However, if this is the first time you run TAG, open the terminal and execute the following command.

For linux:

docker run --net="host" -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway

For OSX:

docker run -e LICENSE=accept --name tag -p 8080:8080  tomitribe/tribestream-api-gateway`

TAG is ready when you see the following message in the logs:

INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-bio-8009"]
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18348 ms

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service.

The Tribestream API Gateway will help you to easily configure OAuth2 to protect your microservices using the OAuth2 Profile. TAG will receive your credentials, check them and issue an access token. This token can be used to call different routes to microservices multiple times until it expires.

What is JSON Web Token (JWT)?

JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

TAG emits a JWT access tokens. The token is a Base64 encoded JSON that has a header, a payload with the claims and the signature to guarantee data integrity.

How to secure a microservice with the Tribestream API Gateway (TAG)

To learn how to do it let’s go through the following scenario:

My name is John and as a streaming application owner, I want populate my Movie Streaming Website with a movies catalog, so users can have access to all the movies we can stream. This catalog is exclusive for USA and cannot be shared with other countries.

You as a TAG Administrator need to protected an existing Movie Catalog Microservice, this microservice must be available only for USA and accessible for the Movie Streaming Website.

First step is to open the browser and navigate to http://localhost:8080/tag. Login into the TAG dashboard using username admin , password admin .

Create the Client Account

Create the client account to identify the Streaming Website, following the steps below:

  • Click on the Accounts

  • Click the Plus button (+)

  • Select Account

Fill the Account information with the following data:

After clicking Save you will be redirected to a page with all the streaming-website account information.

Add a Client Secret with the following steps:

  • Click …​

  • Select Add Client Secret on the menu

Use the following data in the Add Client Secret window:

  • New Client Secret: 12345678

  • Re-type: 12345678

  • OAuth Security Profile: OAuth2 Profile

  • Click Save

Create the User Account

You also need to create a user for the Streaming Website owner.

  • Go back to the Accounts

  • Click the Plus button (+)

  • Select Account

Fill the Account information with the following data:

You will be redirected to the Account page with John’s information.

  • Click …​

  • Select Add password

  • Type password abcde123

  • Click Save

Now you have both the client for the website configured and the user account for John also configured.

Create a secure route with the OAuth2 Security Profile

Now let’s create a secured OAuth2 route to the Movies Catalog Microservice and give access only to applications with the USA role. This means that, if an application has a role different than USA, for example BRA which stands for Brazil, it will not be able to access the route.

On the Dashboard page execute the following steps:

  • Click on the Routes

  • Click the Plus button (+)

  • Select MOD_REWRITE ROUTE

Then fill the form with the following data:

  • Name: Movies Catalog USA

  • Add the MOD_REWRITE description

RewriteRule "^/movies-catalog$" "http://localhost:9090/movie-api/api/movies" [P,NE,auth]
  • Security Profiles: OAuth2 Profile

  • Roles: USA

Note
If you are using OSX as the operating system, replace in MOD_REWRITE localhost for host.docker.internal.

After clicking Save you will be on the page of your created route. You now have a route /movies-catalog secured with OAuth2 and only calls from accounts with the role USA will be proxied to the Movies Catalog Microservice.

Calling the Movies Catalog Route

You can test the behavior of the TAG configuration directly from the Route screen.

  • Click …​

  • Click Test

This will open the Test Routes screen, set the Scenario name to Movies Catalog and the Resource URL to /movies-catalog.

Add OAuth2 Authentication with the following steps:

  • Click …​

  • Select Add OAuth 2.0

  • Scroll down to the OAuth2 section

  • The Grant Type password is already filled

  • Fill Username with john

  • Fill Password with abcde123

  • Fill Client Id with streaming-website

  • Fill Client Secret with 12345678

After that click Test. You will get back a http status 403 and the reason is that the client must have the role USA to be authorized to access the route.

So now, scroll to the top and save the test scenario Movies Catalog.

Then go back to streaming-website client account to add the role.

  • Go to the Dashboard

  • Click Accounts

  • Click STREAMING WEBSITE

  • Add USA to Roles

  • Save

Then go to the route Movies Catalog Route:

  • Go to the Dashboard

  • Click Routes

  • Click MOVIES CATALOG USA

  • Click …​

  • Select Test

In the Test Routes window, search for scenario Movies Catalog. You will get saved information back, now click Test.

You will now receive a http status 200 in the response, which means you were able to get a token, use this token to call the /movies-catalog and you were authorized to use the route successfully as you had the necessary role to do it. Therefore the request will be proxied and if you check the PAYLOAD, the microservice returned the catalog of movies for the Streaming Website.

Stop the Docker containers

After executing this tutorial stop all docker images so it does not overload your computer.

docker stop tag
docker stop movie-api