Basics of OAuth 2.0
Introduction to JSON Web Token (JWT)
How to secure a microservice with the Tribestream API Gateway (TAG)
Before digging into OAuth2 using TAG you need run the docker containers of the Movies Microservice and TAG.
If you went through the Tribestream Quickstart Guide you can reuse the movie-api docker container. To start the movie-api execute the following command:
docker start movie-apiHowever, if this is the first time you hear about the movie-api, open the terminal and execute the following command.
docker run -d -p 9090:9090 --name movie-api tomitribedev/movie-apiYou can validate that the microservice is up and running by executing the command below:
curl -i http://localhost:9090/movie-api/api/moviesYou should be able to see the movie-api microservice output:
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 907
ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8"
Date: Wed, 04 Jul 2018 11:16:42 GMT
Connection: keep-alive
[{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John
Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]%If you went through the Tribestream Quickstart Guide you can reuse the TAG docker container. To start TAG execute the following command:
docker start tagHowever, if this is the first time you run TAG, open the terminal and execute the following command.
For linux:
docker run --net="host" -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gatewayFor OSX:
docker run -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway`TAG is ready when you see the following message in the logs:
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8080"]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-bio-8009"]
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18348 msOAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service.
The Tribestream API Gateway will help you to easily configure OAuth2 to protect your microservices using the OAuth2 Profile. TAG will receive your credentials, check them and issue an access token. This token can be used to call different routes to microservices multiple times until it expires.
JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
TAG emits a JWT access tokens. The token is a Base64 encoded JSON that has a header, a payload with the claims and the signature to guarantee data integrity.
To learn how to do it let’s go through the following scenario:
My name is John and as a streaming application owner, I want populate my Movie Streaming Website with a movies catalog, so users can have access to all the movies we can stream. This catalog is exclusive for USA and cannot be shared with other countries.
You as a TAG Administrator need to protected an existing Movie Catalog Microservice, this microservice must be available only for USA and accessible for the Movie Streaming Website.
First step is to open the browser and navigate to http://localhost:8080/tag. Login into the TAG dashboard using username admin , password admin .
Create the client account to identify the Streaming Website, following the steps below:
Click on the Accounts
Click the Plus button (+)
Select Account
Fill the Account information with the following data:
Username: streaming-website
Email: [email protected]
Full Name: Streaming Website
After clicking Save you will be redirected to a page with all the streaming-website account information.
Add a Client Secret with the following steps:
Click …
Select Add Client Secret on the menu
Use the following data in the Add Client Secret window:
New Client Secret: 12345678
Re-type: 12345678
OAuth Security Profile: OAuth2 Profile
Click Save
You also need to create a user for the Streaming Website owner.
Go back to the Accounts
Click the Plus button (+)
Select Account
Fill the Account information with the following data:
Username: john
Email: [email protected]
Full Name: John
You will be redirected to the Account page with John’s information.
Click …
Select Add password
Type password abcde123
Click Save
Now you have both the client for the website configured and the user account for John also configured.
Now let’s create a secured OAuth2 route to the Movies Catalog Microservice and give access only to applications with the USA role. This means that, if an application has a role different than USA, for example BRA which stands for Brazil, it will not be able to access the route.
On the Dashboard page execute the following steps:
Click on the Routes
Click the Plus button (+)
Select MOD_REWRITE ROUTE
Then fill the form with the following data:
Name: Movies Catalog USA
Add the MOD_REWRITE description
RewriteRule "^/movies-catalog$" "http://localhost:9090/movie-api/api/movies" [P,NE,auth]Security Profiles: OAuth2 Profile
Roles: USA
|
Note
|
If you are using OSX as the operating system, replace in MOD_REWRITE localhost for host.docker.internal. |
After clicking Save you will be on the page of your created route. You now have a route /movies-catalog secured with OAuth2 and only calls from accounts with the role USA will be proxied to the Movies Catalog Microservice.
You can test the behavior of the TAG configuration directly from the Route screen.
Click …
Click Test
This will open the Test Routes screen, set the Scenario name to Movies Catalog and the Resource URL to /movies-catalog.
Add OAuth2 Authentication with the following steps:
Click …
Select Add OAuth 2.0
Scroll down to the OAuth2 section
The Grant Type password is already filled
Fill Username with john
Fill Password with abcde123
Fill Client Id with streaming-website
Fill Client Secret with 12345678
After that click Test. You will get back a http status 403 and the reason is that the client must have the role USA to be authorized to access the route.
So now, scroll to the top and save the test scenario Movies Catalog.
Then go back to streaming-website client account to add the role.
Go to the Dashboard
Click Accounts
Click STREAMING WEBSITE
Add USA to Roles
Save
Then go to the route Movies Catalog Route:
Go to the Dashboard
Click Routes
Click MOVIES CATALOG USA
Click …
Select Test
In the Test Routes window, search for scenario Movies Catalog. You will get saved information back, now click Test.
You will now receive a http status 200 in the response, which means you were able to get a token, use this token to call the /movies-catalog and you were authorized to use the route successfully as you had the necessary role to do it. Therefore the request will be proxied and if you check the PAYLOAD, the microservice returned the catalog of movies for the Streaming Website.
