Demo: Authentication and Authorization
In order to authenticate users, you need an OpenID identity provider.
You can use IBM App ID or you can use an OpenID identity provider of your choice.
Before running the scripts below, make sure you can access the IBM Cloud.
Create new App ID service instance
Run the following command to create these artifacts:
- App ID service instance 'app-id-cloud-native'
- App ID Cloud Foundry alias 'app-id-cloud-native'
- App ID credentials
- App ID test user 'firstname.lastname@example.org, verysecret'
- App ID test admin 'email@example.com, verysecret'
- App ID redirect URL
Reuse an existing App ID service instance
The IBM Cloud lite plan only allows one App ID instance in your organization. If you have an App ID instance, you can use it rather than creating a new one.
Use another OpenID identity provider
Set up the Demo
Invoke the following commands to set up the demo. Skip the commands you've already executed.
$ cd $PROJECT_HOME
$ scripts/check-prerequisites.sh
$ scripts/delete-all.sh
$ scripts/deploy-articles-java-jee.sh
$ scripts/deploy-web-api-java-jee.sh
$ scripts/deploy-authors-nodejs.sh
$ scripts/deploy-authentication-nodejs.sh
$ scripts/deploy-web-app-vuejs-authentication.sh
$ scripts/deploy-istio-ingress-v1.sh
$ scripts/show-urls.sh
Open the web application with the URL that is displayed as output of 'scripts/show-urls.sh'. When you click 'Login', use the credentials of the demo user.
After the login, the Vue.js application stores the id_token in the Vuex state.
Check out the animated gif to see the authentication flow.
Authorization via Istio
Invocations of the endpoint 'create' of the 'web-api' service have been protected via Istio. Only authenticated users can invoke this endpoint by passing in the bearer token in the HTTP header.
When you invoke the endpoint without a bearer token, you get an exception.
When you log in from the web application, the token is stored in Vuex. After this, 'Create Article' can be invoked from the dropdown.
This screenshot shows the page to enter information about a new article:
When the REST API is invoked, the bearer is added:
Watch the animated gif to see the flow in action.
Authorization via MicroProfile
In order to protect functionality on a more fine-grained level, authorization can be handled in the business logic of microservices.
From the web application's dropdown, 'Manage Application' can be invoked, which triggers the endpoint 'manage' of the 'web-api' microservice.
Only the user 'firstname.lastname@example.org' is allowed to invoke this endpoint.
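The following JAX-RS resource is an added illustration of the two authorization layers described above (the Istio-protected 'create' endpoint and the MicroProfile-protected 'manage' endpoint); it is not code from the cloud-native-starter project. It uses the MicroProfile JWT API to read the bearer token that Istio has already validated at the mesh edge, re-checks that a principal is present on 'create' as defense in depth, and on 'manage' additionally compares the token's email claim with the single allowed demo user. The package name, the class name and the presence of an `email` claim in the presented token are assumptions; the verifying issuer and public-key location are placeholders to be replaced with the values of your App ID instance.

```java
package com.example.webapi; // hypothetical package, not the project's own

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * Demonstrates coarse-grained (authenticated at all) and fine-grained
 * (specific user) authorization on the same resource.
 *
 * Istio rejects requests to /create that carry no valid bearer token before
 * they reach this service. The service repeats that check so the rule still
 * holds if the mesh policy is ever missing, and adds a business-logic rule
 * for /manage that Istio alone cannot express.
 */
@RequestScoped
@Path("/v1")
public class AuthorizationDemoResource {

    // The only user allowed to call /manage in the demo. In a real service this
    // would come from configuration or a role mapping, not a constant.
    private static final String MANAGE_ALLOWED_EMAIL = "firstname.lastname@example.org";

    // Populated by the MicroProfile JWT implementation from the
    // "Authorization: Bearer <token>" header after signature and issuer checks.
    @Inject
    private JsonWebToken jwt;

    @POST
    @Path("/create")
    @Produces(MediaType.APPLICATION_JSON)
    public Response create() {
        // Coarse check: any authenticated user may create an article.
        if (!isAuthenticated()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok("{\"status\":\"article created by " + jwt.getName() + "\"}").build();
    }

    @GET
    @Path("/manage")
    @Produces(MediaType.APPLICATION_JSON)
    public Response manage() {
        // Same coarse check first: unauthenticated callers get 401, not 403,
        // so the two failure modes stay distinguishable in logs.
        if (!isAuthenticated()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Fine-grained check: compare the verified email claim with the allowed user.
        // Assumption: the token presented by the web app carries an "email" claim.
        String email = jwt.getClaim("email");
        if (email == null || !MANAGE_ALLOWED_EMAIL.equalsIgnoreCase(email.trim())) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("{\"status\":\"management view for " + email + "\"}").build();
    }

    // A token that failed verification never reaches this code; with no token at
    // all the injected proxy has no principal name, which is what we test here.
    private boolean isAuthenticated() {
        return jwt != null && jwt.getName() != null && !jwt.getName().isEmpty();
    }
}
```

For the injected token to be populated, the JAX-RS application class must be annotated with `@LoginConfig(authMethod = "MP-JWT")` (from `org.eclipse.microprofile.auth`), and `microprofile-config.properties` must point the verifier at the identity provider, for example `mp.jwt.verify.issuer=<your App ID issuer URL>` and `mp.jwt.verify.publickey.location=<your App ID JWKS URL>`; both values are placeholders here. Keeping the coarse check in the service even though Istio enforces it means the 'create' endpoint does not silently become public if the ingress policy is removed during a redeploy.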
to be done