UAA proxy as a service
Go Shell
Switch branches/tags
Nothing to show
Clone or download
Pull request Compare This branch is 5 commits ahead, 6 commits behind cloudfoundry-community:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
broker
proxy
.gitignore
.travis.yml
CONTRIBUTING.md
LICENSE.md
README.md
install.sh
manifest.yml.sample

README.md

UAA Auth Route Service Build Status

Important Note: This is a more advanced version of cloudfoundry-community/cf-uaa-guard-service. This version provide a role based authentication through users scopes, a session expiration mechanism (based on token expiration) and useful endpoints for developpers.

(Based on https://github.com/benlaplanche/cf-basic-auth-route-service)

Using the new route services functionality available in Cloud Foundry, you can now bind applications to routing services. Traffic sent to your application is routed through the bound routing service before continuing onto your service.

This allows you to perform actions on the HTTP traffic, such as enforcing authentication, rate limiting or logging.

For more details see:

Getting Started

There are two components and thus steps to getting this up and running. The broker and the filtering proxy.

Before getting started you will need:

  • Access to a cloud foundry deployment
  • UAA client credentials

First, run in command line install.sh to install dependencies.

Uncomment and fill in the environment variables required as the sample in manifest.yml.sample and copy the manifest to manifest.yml.

Run cf push to deploy both apps.

Once the broker is deployed, you can register it:

cf create-service-broker \
    uaa-auth-broker \
    $GUARD_BROKER_USERNAME \
    $GUARD_BROKER_PASSWORD \
    https://uaa-guard-broker.my-paas.com \
    --space-scoped

Once you've created the service broker, you must enable-service-access in order to see it in the marketplace.

cf enable-service-access uaa-auth

You should now be able to see the service in the marketplace if you run cf marketplace

Protecting an application with UAA authentication

Now you have setup the supporting components, you can now protect your application with auth!

First create an instance of the service from the marketplace, here we are calling our instance authy

$cf create-service uaa-auth uaa-auth authy

Next, identify the application and its URL which you wish to protect. Here we have an application called hello with a URL of https://hello.my-paas.com

Then you need to bind the service instance you created called authy to the hello.my-paas.com route

⇒  cf bind-route-service my-paas.com authy --hostname hello

Binding may cause requests for route hello.my-paas.com to be altered by service instance authy. Do you want to proceed?> y
Binding route hello.my-paas.com to service instance authy in org org / space space as admin...
OK

You can validate the route for hello is now bound to the authy service instance

⇒  cf routes
Getting routes for org org / space space as admin ...

space          host                domain            port   path   type   apps                service
space          hello               my-paas.com                            hello               authy

All of that looks good, so the last step is to validate we can no longer view the hello application without providing credentials!

⇒  curl -k https://hello.my-paas.com
Unauthorized

and if you visit it you will be redirected to UAA.

Knowing who is logged in

This service will forward a set of headers:

  • Authorization with the bearer token.
  • X-Auth-User with the email of the logged in user.
  • X-Auth-User-Email with the email of the logged in user.
  • X-Auth-User-Name with the name of the logged in user.
  • X-Auth-User-Id with the uuid of the logged in user.
  • X-Auth-User-Scopes with a list of scopes of the logged in user (separate by a ,).

Add a proxy to only make your app accessible by a cloud foundry admin

As an administrator you will maybe need to restrict access to some apps in order to only make them usable by other administrator.

The proxy has a mechanism of roles based on scopes. If a user doesn't have a required scopes he will be rejected by the proxy.

Let's have a look to an manifest example:

---
buildpack: go_buildpack
applications:
  - name: uaa-guard-proxy-users
    path: proxy
    memory: 128M
    env:
      GUARD_COOKIE_SECRET: very-secret
      GUARD_LOGIN_URL: https://login.my-paas.com
      GUARD_CLIENT_KEY: uaa-guard-oauth
      GUARD_CLIENT_SECRET: yoursecret
      GUARD_PROXY_NAME: uaa-users-auth
      GUARD_PROXY_DESCRIPTION: "Just add to a route and it will request cloud foundry authentication before proceeding and let any users registered on cloud foundry login."
      GUARD_SCOPES: "openid"
  - name: uaa-guard-proxy-admin
    path: proxy
    memory: 128M
    env:
      GUARD_COOKIE_SECRET: very-secret
      GUARD_LOGIN_URL: https://login.my-paas.com
      GUARD_CLIENT_KEY: uaa-guard-admin-oauth
      GUARD_CLIENT_SECRET: yoursecret
      GUARD_PROXY_NAME: uaa-admin-auth
      GUARD_PROXY_DESCRIPTION: "Just add to a route and it will request cloud foundry authentication before proceeding and let only admin registered on cloud foundry login."
      GUARD_SCOPES: "openid,cloud_controller.admin"
  - name: uaa-guard-broker
    path: broker
    memory: 64M
    env:
      GUARD_BROKER_NAME: uaa-auth
      GUARD_BROKER_USERNAME: broker
      GUARD_BROKER_PASSWORD: broker
      GUARD_ROUTE_SERVICE_URLS: https://uaa-guard-proxy-users.my-paas.com,https://uaa-guard-proxy-admin.my-paas.com

the app uaa-guard-proxy-admin has a second scope (cloud_controller.admin) it means that user will need to have the cloud_controller.admin scope in order to login to the app.

The broker has a second route service urls, it will add a new plan to the broker based on the name of the proxy.

To update the catalog of the service broker in cloud foundry run:

cf update-service-broker \
    uaa-auth-broker \
    $GUARD_BROKER_USERNAME \
    $GUARD_BROKER_PASSWORD \
    https://uaa-guard-broker.my-paas.com \
    --space-scoped

Useful endpoints

  • /me (e.g.: https://hello.my-paas.com/me): Give information of a logged user in a json format (this useful for frontend developper), example of json:
{
	"scope": [
		"openid"
	],
	"user_id": "c434a43b-a165-4019-b24d-5af8103028d9",
	"user_name": "arthurhlt",
	"exp": 1487136414,
	"email": "arthur.halet@orange.com",
	"token_type": "bearer",
	"access_token": "ajwttoken"
}
  • /logout (e.g.: https://hello.my-paas.com/logout): By calling this endpoint it will logout the connected user.