# CloudFoundry User Account and Authentication (UAA) Server

## Quick Start

If this works you are in business:

    $ git clone git://github.com/vmware-ac/uaa.git
    $ cd uaa
    $ mvn install

Each module has a `mvn jetty:run` target, or you could import them as
projects into STS (use 2.8.0 or better if you can). To work together
the apps run on different ports (8080=/uaa, 7080=/app, 9080=/api).

### Demo of command line usage

First run the uaa server as described above:

    $ cd uaa
    $ mvn jetty:run

Then start another terminal and from the project base directory, run:

    $ ./login.sh "localhost:8080/cloudfoundry-identity-uaa"

And hit return twice to accept the default username and password.

This authenticates and obtains an access token from the server using the OAuth2 implicit
grant, similar to the approach intended for a client like VMC. The token is
stored in the file `.access_token`.
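
The token handling described above, sketched as an added example; this is not the project's `login.sh` or `get.sh`. It assumes the redirect carries the fragment parameters defined in RFC 6749 section 4.2.2 and that the client sent a `state` value; the sample `Location` value and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's login.sh): handle an OAuth2 implicit-grant
# redirect as defined in RFC 6749 section 4.2.2 and store the token safely.

# Constructed sample of the Location header value returned after login.
SAMPLE_LOCATION='http://localhost/cb#access_token=constructed-token-123&token_type=bearer&expires_in=3600&state=xyz42'

# fragment_param LOCATION NAME: print NAME's value from the URI fragment.
fragment_param() (
  case "$1" in *'#'*) fragment=${1#*#} ;; *) exit 1 ;; esac
  IFS='&'; set -f                      # split on '&', no glob expansion
  for pair in $fragment; do
    [ "${pair%%=*}" = "$2" ] && { printf '%s\n' "${pair#*=}"; exit 0; }
  done
  exit 1
)

# save_token LOCATION EXPECTED_STATE [FILE]
# Exit codes: 1 malformed response, 2 state mismatch, 3 unexpected token type.
save_token() (
  file=${3:-.access_token}
  state=$(fragment_param "$1" state) || exit 1
  [ "$state" = "$2" ] || exit 2        # response is not for the request we sent
  type=$(fragment_param "$1" token_type) || exit 1
  case "$type" in [Bb][Ee][Aa][Rr][Ee][Rr]) ;; *) exit 3 ;; esac
  token=$(fragment_param "$1" access_token) || exit 1
  [ -n "$token" ] || exit 1
  umask 077                            # new file is readable by its owner only
  rm -f "$file"                        # drop any old copy with looser permissions
  printf '%s' "$token" > "$file"
)

# bearer_header [FILE]: the header a client sends to a resource server (RFC 6750).
bearer_header() {
  printf 'Authorization: Bearer %s\n' "$(cat "${1:-.access_token}")"
}

# Demo on the constructed sample, using a throwaway directory.
demo_dir=$(mktemp -d)
save_token "$SAMPLE_LOCATION" xyz42 "$demo_dir/.access_token" &&
  bearer_header "$demo_dir/.access_token"
rm -rf "$demo_dir"
```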

Now run the `api` server:

    $ cd api
    $ mvn jetty:run

And then (from the base directory) execute:

    $ ./get.sh http://localhost:9080/cloudfoundry-identity-api/apps

which should return a JSON array of (pretend) running applications.

## Inventory

There are actually several projects here:

1. `uaa` is the actual UAA server

2. `api` is an OAuth2 resource service which returns a mock list of deployed apps

3. `app` is a user application that uses both of the above

In CloudFoundry terms:

* `uaa` provides an authentication service plus authorized delegation for
  back-end services and apps (by issuing OAuth2 access tokens).

* `api` is `api.cloudfoundry.com` - it's a service which provides resources
  which other applications may wish to access on behalf of the resource
  owner (the end user).

* `app` is `code.cloudfoundry.com` or `studio.cloudfoundry.com` - a
  webapp that needs single sign on and access to the `api` service on
  behalf of users.

The authentication service is `uaa`. It's a plain Spring MVC webapp.
Deploy as normal in Tomcat or your container of choice, or execute
`mvn jetty:run` to run it directly from the `uaa` directory in the source tree.
When running with Maven it listens on port 8080.

It supports the APIs defined in the UAA-APIs document. To summarise:

1. The OAuth2 /authorize and /token endpoints

2. A /login_info endpoint to allow querying for required login prompts

3. A /check_token endpoint, to allow resource servers to obtain information about
   an access token submitted by an OAuth2 client.

4. SCIM user provisioning endpoints (todo)

5. OpenID Connect endpoints to support authentication (todo). Authentication is currently
   performed by submitting credentials directly to the /authorize endpoint (as described in the UAA-API doc).

## The API Application

An example resource server. It hosts a service which returns
a list of mock applications under `/apps`.

Run it using `mvn jetty:run` from the `api` directory. This will start
the application on port 9080.

## The App Application

This is a user interface app (primarily aimed at browsers) that uses
OpenID for authentication (i.e. SSO) and OAuth2 for access grants. It
authenticates with the Auth service, and then accesses resources in
the API service.

### Use Cases

1. See all apps

        GET /app/apps

    The browser is redirected through a series of authentication and access
    grant steps (which could be slimmed down to implicit steps not
    requiring the user at some point), and then the photos are shown.

2. See the currently logged in user details, a bag of attributes
    grabbed from the OpenID provider

        GET /app