OAuth examples #153
OAuth examples #153
Conversation
| 3scale setup | ||
| ------------ | ||
|
|
||
| To get this working with a 3scale instance |
There was a problem hiding this comment.
Looks like the end of the phrase is missing...
Also, it would be good to mention here that:
- Self-managed deployment type and OAuth authentication method should be selected
- Login URL on the Integration page need to be configured, for the current example I guess it would be http://localhost:3000/auth/login
There was a problem hiding this comment.
Agreed, please complete the sentence Pili
|
Tested and it works 👍 One other point to include to the documentation is that "Request access token locally" should be set in Postman in order to make a successful /oauth/token call. |
mpguerra
force-pushed
the
merge-oauth-examples
branch
from
0d85fdb
to
732b581
Compare
| @@ -86,6 +86,7 @@ location = /_threescale/oauth_store_token { | |||
| internal; | |||
| proxy_set_header X-Real-IP $remote_addr; | |||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
| proxy_set_header Host "$backend_host"; | |||
There was a problem hiding this comment.
Pili, can you tell us what the purpose of adding the header is please?
There was a problem hiding this comment.
I haven't tried without, but I think it wasn't working.
All other calls to the backend do already have this header.
There was a problem hiding this comment.
Authorization against backend fails when this header is missing
| 3scale setup | ||
| ------------ | ||
|
|
||
| To get this working with a 3scale instance |
There was a problem hiding this comment.
Agreed, please complete the sentence Pili
| @@ -0,0 +1,20 @@ | |||
| # URI to fetch gateway configuration from. Expected format is: https?://[password@]hostname | |||
There was a problem hiding this comment.
Is .env-sample the best name or being inside an example .env is fine?
Where is the code that loads this?
There was a problem hiding this comment.
I didn't want to commit my .env since it would be specific to my environment, so I added a sample of what a .env file could look like. Could also be removed since this is documented in the README
| @@ -0,0 +1,3 @@ | |||
| .git | |||
| .dockerignore | |||
| Gemfile.lock | |||
There was a problem hiding this comment.
Sure you don't want this to lock the versions of the gems that your bundle install installs?
|
|
||
| # Set an environment variable to store where the app is installed to inside | ||
| # of the Docker image. | ||
| ENV INSTALL_PATH /auth-server |
There was a problem hiding this comment.
can we follow the (emerging) convention of ours to install in /opt/app?
|
|
||
| # Copy in the application code from your work station at the current directory | ||
| # over to the working directory. | ||
| COPY . . |
There was a problem hiding this comment.
This will copy Gemfile, which is already copied above. Remove above copy?
| @@ -0,0 +1,126 @@ | |||
| { | |||
There was a problem hiding this comment.
Wouldn't this be a better example if it used the config.json downloaded from the config API, for the user account doing the example. That would make it flexible to whatever the user has configured in 3scale Admin Portal, would avoid having to redact secrets (making sample non-functional), and supply service IDs, shared secrets etc.
The only data data needed would the service_id and token that is already needed by apicast, to get the config from the config API.
There was a problem hiding this comment.
this is here as an example config to show the data that is necessary, the example would work with any config.json downloaded from the admin portal as long as they are using oauth authentication mode AND they have filled in the login url/Authorization endpoint in the Integration screen.
| "services": [ | ||
| { | ||
| "id": 2555417736402, | ||
| "account_id": 2445581608319, |
There was a problem hiding this comment.
lots of data here, tied to your test account
There was a problem hiding this comment.
this is just as an example, I could also remove this config from the example
|
Further comment: Can we please separate out the fixes for OAuth into one PR....for including in RC1.... and continue the discussion and polishing of the examples, via a separate PR... The ".... and ....." in the commit title is a givaway, it's adding two things in one commit/PR. thanks. |
| @@ -10,7 +12,7 @@ local function extract_params() | |||
| params.authorization = {} | |||
|
|
|||
| if header_params['Authorization'] then | |||
| params.authorization = ngx.decode_base64(header_params['Authorization']:split(" ")[2]):split(":") | |||
| params.authorization = split(ngx.decode_base64(split(header_params['Authorization']," ")[2]),":") | |||
There was a problem hiding this comment.
Is this a functional change, or just syntax?
We're trying to understand the changes that fix the broken OAuth....
There was a problem hiding this comment.
This is a functional change which fixes the bug.
There used to be a global function function string:split, which didn't make it to APIcast, so strvariable:split is not a valid syntax.
|
@mpguerra Now that you submitted the fixes in a separate PR, you should modify this one to remove them and only add the examples. You should rebase on v2 branch first to get latest changes to readme etc.... |
mayorova
force-pushed
the
merge-oauth-examples
branch
from
b54799b
to
27332b9
Compare
|
Rebased on top of |
mayorova
force-pushed
the
merge-oauth-examples
branch
from
27332b9
to
b21f87b
Compare
| version: '2' | ||
| services: | ||
| gateway: | ||
| image: apicast-test:latest |
There was a problem hiding this comment.
shouldn't this point to quay.io/3scale/apicast:v2 ? people will not have apicst-test unless they built it locally
There was a problem hiding this comment.
Yes, makes sense. I guess it was like that before because there were some fixes for the apicast needed for this to work properly. Not relevant now, as the fixes are already in master.
There was a problem hiding this comment.
think about whether you want to point to a (potentially, constantly changing) "latest", or a known numbered version that you know worked when you wrote the example...
There was a problem hiding this comment.
As this example is using a default APIcast functionality, it should work for the later versions, unless some breaking changes are introduced.
In case of breaking changes I think we need to go through the examples to verify they still work.so, I guess quay.io/3scale/apicast:v2 should work...
| require 'sinatra' | ||
|
|
||
| set :bind, '0.0.0.0' | ||
| nginx_redirect_uri = "http://localhost:8080/callback?" #nginx callback |
There was a problem hiding this comment.
I guess this example will only work when the Public Base URL is "localhost". Or it should be probably mentioned somewhere in README that this url needs to be adjusted to coincide with the API public base URL
There was a problem hiding this comment.
We should probably just add this to the README for now.
|
I'm going to add some of these comments to my list of things to improve for a second iteration of this example, e.g for the nginx callback, this would ideally be a parameter that is provided to the auth server on startup. However, I'm getting concerned that the comments on this PR are deviating from what was the intended purpose of this example which was something that "just works" for anyone that wants to try it out to see how to set up an example, run it, go through the token request process and see how it would work, the PR as it is does the trick when using docker-compose. Otherwise it becomes an example that doesn't really run unless you have the correct variables plugged in which in a way defeats the purpose of having something anyone can run :) |
|
@mpguerra if this is supposed to "just work"™️ it has to change the image in docker compose file to released apicast. Otherwise you'd have to build it locally first. |
| @@ -1,27 +0,0 @@ | |||
| # URI to fetch gateway configuration from. Expected format is: https?://[password@]hostname | |||
| THREESCALE_PORTAL_ENDPOINT=http://127.0.0.1.xip.io:8090/config/ | |||
There was a problem hiding this comment.
I guess this was not intentional?
… Authorization server for testing remove sample env as it's already documented in README Update README Keep Gemfile.lock to lock gem versions Remove example config.json Docker fixes: remove Gemfile.lock from .dockerignore, copy application into /opt/app, remove redundant COPY from Dockerfile and move bundle install after Gemfile is copied
Change image to point to quay.io/3scale/apicast:v2
mpguerra
force-pushed
the
merge-oauth-examples
branch
from
8379c61
to
2827990
Compare
mpguerra
force-pushed
the
merge-oauth-examples
branch
from
2827990
to
551fb7f
Compare
|
Tested with the provided client, and it works. |
|
|
||
| <!-- HTML5 shim, for IE6-8 support of HTML5 elements --> | ||
| <!--[if lt IE 9]> | ||
| <script src="/js/html5shiv.js"></script> |
There was a problem hiding this comment.
This is not in the repo so it should not be in the code either.
|
|
||
| <!-- HTML5 shim, for IE6-8 support of HTML5 elements --> | ||
| <!--[if lt IE 9]> | ||
| <script src="/js/html5shiv.js"></script> |
There was a problem hiding this comment.
This has no value for the example and should not be here.
|
|
||
| get("/") do | ||
| if params[:action] == "get_token" | ||
| get_token(params[:code]) |
There was a problem hiding this comment.
This can't work. This is not defined anywhere.
* cleanup docker-compose * fix ports * fix uuid generation * cleanup dockerignore files * use bundler
|
I did major cleanup to the docker setup and ruby dependencies. Would be good to get some 👍 and we can merge it. Also if someone feels like providing steps in a form of a bash script we can run it as part of the test suite. |
| - "3001:3001" | ||
| volumes: | ||
| - ./client:/opt/app/client | ||
| - "3001:3000" |
There was a problem hiding this comment.
why? should still be 3001:3001, no?
There was a problem hiding this comment.
No. Both dockers expose port 3000. It just maps 3000 in docker to 3001 on local machine.
There was a problem hiding this comment.
OK, I see. I was confused by this line I guess it's not needed?
There was a problem hiding this comment.
Yep. Not needed. Will remove it.
| set :bind, '0.0.0.0' | ||
| enable :sessions | ||
| set :session_secret, '*&(^B234' | ||
| set :port, 3001 |
There was a problem hiding this comment.
This should be removed. Also the bind is not necessary.
Replaces #145 and closes #150