| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2024-04-04 |
web apps, authorization code, authentication, nodejs, javascript, app access, application credentials, login, redirect uri, protected endpoint, video |
appid |
{:codeblock: .codeblock} {:screen: .screen} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:gif: data-image-type='gif'} {:important: .important} {:note: .note} {:pre: .pre} {:tip: .tip} {:preview: .preview} {:deprecated: .deprecated} {:beta: .beta} {:term: .term} {:shortdesc: .shortdesc} {:script: data-hd-video='script'} {:support: data-reuse='support'} {:table: .aria-labeledby="caption"} {:troubleshoot: data-hd-content-type='troubleshoot'} {:help: data-hd-content-type='help'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:java: .ph data-hd-programlang='java'} {:javascript: .ph data-hd-programlang='javascript'} {:swift: .ph data-hd-programlang='swift'} {:curl: .ph data-hd-programlang='curl'} {:video: .video} {:step: data-tutorial-type='step'} {:tutorial: data-hd-content-type='tutorial'} {:ui: .ph data-hd-interface='ui'} {:cli: .ph data-hd-interface='cli'} {:api: .ph data-hd-interface='api'} {:terraform: .ph data-hd-interface='terraform'} {:release-note: data-hd-content-type='release-note'}
{: #web-apps}
When you are developing a web application, you can use the {{site.data.keyword.appid_full}} web flow to securely authenticate users. Users are then able to access your server-side protected content in your web apps. {: shortdesc}
{: #understanding-web-flow}
Web apps often require users to authenticate to access protected content. {{site.data.keyword.appid_short_notm}} uses the OIDC authorization code flow to securely authenticate users. With this flow, when the user is authenticated, the app receives an authorization code. The code is then exchanged for an access, identity, and refresh token. In code, exchange step the tokens are always sent by using a secure backchannel between the app and the OIDC server. This process provides an extra layer of security as the attacker is not able to intercept the tokens. These tokens can be sent directly to the web server hosting application for user authentication.
{: caption="Figure 1. {{site.data.keyword.appid_short_notm}} web app request flow" caption-side="bottom"}
-
A user initiates the authorization flow by sending a request to the
/authorizationendpoint via the {{site.data.keyword.appid_short_notm}} SDK or API. -
If the user is unauthorized, the authentication flow is started with a redirect to {{site.data.keyword.appid_short_notm}}.
-
Depending on the user's
/authorizationrequest parameters or identity provider configuration, it starts the Login Widget in the user's browser. -
The user chooses an identity provider to authenticate with and completes the sign-in process.
-
The identity provider redirects to the client app with the authorization code.
-
The {{site.data.keyword.appid_short_notm}} SDK exchanges the authorization code for access, identity, and optional refresh tokens from the {{site.data.keyword.appid_short_notm}} service.
-
The tokens are saved by the {{site.data.keyword.appid_short_notm}} SDK and a redirect to the client application occurs.
-
The user is granted access to the app.
{: #web-configuring-nodejs}
You can configure {{site.data.keyword.appid_short_notm}} to work with your Node.js web applications. {: shortdesc}
{: #web-configure-node-begin}
You must have the following prerequisites:
- An instance of the {{site.data.keyword.appid_short_notm}} service
- A set of service credentials
- NPM version 4 or higher
- Node version 6 or higher
- Your redirect URI set in the {{site.data.keyword.appid_short_notm}} service dashboard
Check out the following video to learn about protecting Node applications with {{site.data.keyword.appid_short_notm}}. Then, try it out yourself by using a simple Node sample app{: external}.
{: video output="iframe" data-script="none" id="about-appid" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen}
{: #web-nodejs-install}
-
By using the command line, change to the directory that contains your Node.js app.
-
Install the {{site.data.keyword.appid_short_notm}} service.
npm install --save ibmcloud-appid
{: codeblock}
{: #web-nodejs-initialize}
-
Add the following
requiredefinitions to yourserver.jsfile.const express = require('express'); const session = require('express-session') const passport = require('passport'); const WebAppStrategy = require("ibmcloud-appid").WebAppStrategy; const CALLBACK_URL = "/ibm/cloud/appid/callback";
{: codeblock}
-
Set up your express app to use express-session middleware.
const app = express(); app.use(session({ secret: "123456", resave: true, saveUninitialized: true })); app.use(passport.initialize()); app.use(passport.session());
{: codeblock}
You must configure the middleware with the proper session storage for production environments. For more information, see the express.js{: external}. {: note}
-
Obtain your credentials in one of the following ways.
-
By navigating to the Applications tab of the {{site.data.keyword.appid_short_notm}} dashboard. If you don't have an application in the list, you can click Add application to create a one.
-
By making a POST request to the
/management/v4/<tenantId>/applicationsendpoint{: external}.Request format:
curl -X POST \ https://us-south.appid.cloud.ibm.com/management/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/applications/ \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <IAMToken>' \ -d '{"name": "ApplicationName"}'
{: codeblock}
Example response:
{ "clientId": "111c22c3-38ea-4de8-b5d4-338744d83b0f", "tenantId": "39a37f57-a227-4bfe-a044-93b6e6060b61", "secret": "ZmE5ZDQ5ODctMmA1ZS00OGRiLWExZDMtZTA1MjkyZTc4MDB4", "name": "ApplicationName", "oAuthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61" }{: screen}
-
-
Optional: Decide how to format your redirect URI. The redirect can be formatted in two different ways.
- Manually in a new
WebAppStrategy({redirectUri: "...."}) - As an environment variable named
redirectUri
If neither are provided, the {{site.data.keyword.appid_short_notm}} SDK tries to retrieve the
application_uriof the app that is running on {{site.data.keyword.cloud_notm}} and append a default suffix/ibm/cloud/appid/callback. - Manually in a new
-
By using the information obtained in the previous steps, initialize the SDK.
passport.use(new WebAppStrategy({ tenantId: "<tenantID>", clientId: "<clientID>", secret: "<secret>", oauthServerUrl: "<oauthServerURL>", redirectUri: "<appURL>" + CALLBACK_URL }));
{: codeblock}
-
Configure passport with serialization and deserialization. This configuration step is required for authenticated session persistence across HTTP requests. For more information, see the passport docs{: external}.
passport.serializeUser(function(user, cb) { cb(null, user); }); passport.deserializeUser(function(obj, cb) { cb(null, obj); });
{: codeblock}
-
Add the following code to your
server.jsfile to issue the service redirects.app.get(CALLBACK_URL, passport.authenticate(WebAppStrategy.STRATEGY_NAME));
{: codeblock}
-
Register your protected endpoint by adding the following code snippet into your
app.jsfile.app.get(‘/protected_resource’, passport.authenticate(WebAppStrategy.STRATEGY_NAME), function(req, res) {res.json(req.user); });
{: codeblock}
For more information, see the {{site.data.keyword.appid_short_notm}} Node.js GitHub repository{: external}.
{: #web-configuring-liberty}
You can configure {{site.data.keyword.appid_short_notm}} to work with your Liberty for Java web applications. {: shortdesc}
{: #web-configure-liberty-before}
You must have the following prerequisites:
- An instance of the {{site.data.keyword.appid_short_notm}} service
- A set of service credentials
- Apache Maven 3.5 or higher
- Java 1.8
- A Liberty for Java web application
Check out the following video to learn about protecting Liberty for Java applications with {{site.data.keyword.appid_short_notm}}. Then, try it out yourself by using a simple Liberty for Java sample app{: external}.
{: video output="iframe" data-script="none" id="youtubeplayer" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen}
{: #web-liberty-install}
-
Add an OpenID Connect feature to your
server.xml.<featureManager> <feature>ssl-1.0</feature> <feature>appSecurity-2.0</feature> <feature>openidConnectClient-1.0</feature> </featureManager>
{: codeblock}
-
Obtain your credentials in one of two ways.
-
By navigating to the Applications tab of the {{site.data.keyword.appid_short_notm}} dashboard. If you don't already have one, you can click Add application to create a new one.
-
By making a POST request to the
/management/v4/<tenantID>/applicationsendpoint{: external}.Request format:
curl -X POST \ https://us-south.appid.cloud.ibm.com/management/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/applications/ \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <IAMToken>' \ -d '{"name": "ApplicationName"}'
{: codeblock}
Example response:
{ "clientId": "111c22c3-38ea-4de8-b5d4-338744d83b0f", "tenantId": "39a37f57-a227-4bfe-a044-93b6e6060b61", "secret": "ZmE5ZDQ5ODctMmA1ZS00OGRiLWExZDMtZTA1MjkyZTc4MDB4", "name": "ApplicationName", "oAuthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61" }{: screen}
-
-
Create an Open ID Connect Client feature and define the following placeholders. Use the service credentials to fill the placeholders.
<openidConnectClient clientId='{{site.data.keyword.appid_short_notm}} client_ID' clientSecret='{{site.data.keyword.appid_short_notm}} Secret' authorizationEndpointUrl='oauthServerUrl/authorization' tokenEndpointUrl='oauthServerUrl/token' jwkEndpointUrl='oauthServerUrl/publickeys' issuerIdentifier='Changed according to the region' tokenEndpointAuthMethod="basic" signatureAlgorithm="RS256" authFilterid="myAuthFilter" trustAliasName="ibm.com" />
{: codeblock}
Component Description clientID\nsecret\noauth-server-urlComplete step two to obtain your service credentials. authorizationEndpointURLAdd /authorizationto the end of youroauthServerURL.tokenEndpointUrl>Add /tokento the end of youroauthServerURL.jwkEndpointUrlAdd /publickeysto the end of youroauthServerURL.issuerIdentifierThe issuer identifier takes the following form: <region>>.cloud.ibm.com. Learn more about the available regions.tokenEndpointAuthMethodSpecified as "basic". signatureAlgorithmSpecified as "RS256". authFilteridThe list of resources to protect. trustAliasNameThe name of your certificate within your truststore. {: caption="Table 1. OIDC element variables for Liberty for Java apps" caption-side="top"}
{: #web-liberty-initialize}
-
In your
server.xmlfile, define an authorization filter to specify protected resources. If a filter is not defined{: external}, the service protects all resources.<authFilter id="myAuthFilter"> <requestUrl id="myRequestUrl" urlPattern="/protected_resource" matchType="contains"/> </authFilter>
{: codeblock}
-
Define your special subject type as
ALL_AUTHENTICATED_USERS.<application type="war" id="ProtectedServlet" context-root="/appidSample" location="${server.config.dir}/apps/libertySample-1.0.0.war"> <application-bnd> <security-role name="myrole"> <special-subject type="ALL_AUTHENTICATED_USERS"/> </security-role> </application-bnd> </application>
{: codeblock}
-
Download the
libertySample-1.0.0.warfile from GitHub{: external} and place it in your server's apps folder. For example, if your server is nameddefaultServer, the war file would go heretarget/liberty/wlp/usr/servers/defaultServer/apps/. -
Configure SSL by adding the following to your
server.xmlfile. You also need to create a truststore.<keyStore id="defaultKeyStore" password="myPassword"/> <keyStore id="appidtruststore" password="Liberty" location="${server.config.dir}/mytruststore.jks"/> <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="appidtruststore"/>
{: codeblock}
By default SSL configuration requires the truststore be configured for OpenID Connect. Learn more about configuring an OpenID Connect Client in Liberty{: external}. {: tip}
{: #web-configuring-spring-boot}
You can configure {{site.data.keyword.appid_short_notm}} to work with your Spring Boot applications. {: shortdesc}
{: #web-configure-spring-boot-before}
You must have the following prerequisites:
- An instance of the {{site.data.keyword.appid_short_notm}} service
- A set of service credentials
- A Java + Maven project
- Apache Maven 3.5 or higher
- Java 1.8
- Spring Boot 2.0 and Security OAuth 2.0 or higher
{: #web-spring-boot-initialize}
-
Add the following code between the
<project> </project>tags in your Mavenpom.xmlfile.<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.0.2.RELEASE</version> <relativePath/> </parent>
{: codeblock}
-
Add the following dependencies to your Maven
pom.xmlfile.<dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.security.oauth.boot</groupId> <artifactId>spring-security-oauth2-autoconfigure</artifactId> <version>2.0.0.RELEASE</version> </dependency> </dependencies>
{: codeblock}
-
In the same file, include the Maven plug-in.
<plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin>
{: codeblock}
{: #web-oauth-initialize}
-
Add the following annotations to your Java file.
@SpringBootApplication @EnableOAuth2Sso
{: codeblock}
-
Extend the class with
WebSecurityConfigurerAdapter. -
Override any security configuration and register your protected endpoint.
@Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/protected_Resource").authenticated() .and().logout().logoutSuccessUrl("/").permitAll(); }
{: codeblock}
{: #web-spring-boot-credentials}
-
Obtain your credentials in one of the following ways.
-
By navigating to the Applications tab of the {{site.data.keyword.appid_short_notm}} dashboard. If you don't already have one, you can click Add application to create a new one.
-
By making a POST request to the
/management/v4/<tenantID>/applicationsendpoint.Request format:
curl -X POST \ https://us-south.appid.cloud.ibm.com/management/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/applications/ \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <IAMToken>' \ -d '{"name": "ApplicationName"}'
{: codeblock}
Example response:
{ "clientId": "111c22c3-38ea-4de8-b5d4-338744d83b0f", "tenantId": "39a37f57-a227-4bfe-a044-93b6e6060b61", "secret": "ZmE5ZDQ5ODctMmA1ZS00OGRiLWExZDMtZTA1MjkyZTc4MDB4", "name": "ApplicationName", "oAuthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61" }{: screen}
-
-
Add an
application.ymlconfiguration file to the/springbootsample/src/main/resources/directory. You can complete your configuration with the information from your service credentials.security: oauth2: client: clientId: <clientID> clientSecret: <clientSecret> accessTokenUri: <oauthServerURL>/token userAuthorizationUri: <oauthServerURL>/authorization resource: userInfoUri: <oauthServerURL>/userinfo
{: codeblock}
{: #web-other-languages}
With an OIDC-compliant client SDK, you can use {{site.data.keyword.appid_short_notm}} with other languages. Check out the list of certified libraries{: external} for more information.
{: #web-next}
With {{site.data.keyword.appid_short_notm}} installed in your application, you're almost ready to start authenticating users! Try doing one of the following activities next:
- Configure your identity providers
- Customize and configure the Login Widget
- Learn more about the Node.js SDK{: external}