
Demo: Authentication and Authorization

In order to authenticate users, you need an OpenID identity provider.

You can use IBM App ID or you can use an OpenID identity provider of your choice.

Before running the scripts below, make sure you can access the IBM Cloud.

Create new App ID service instance

Run the following command to create these artifacts:

  • App ID service instance 'app-id-cloud-native'
  • App ID Cloud Foundry alias 'app-id-cloud-native'
  • App ID credentials
  • App ID test user 'user@demo.email, verysecret'
  • App ID test admin 'admin@demo.email, verysecret'
  • App ID redirect URL
$ ibm-scripts/create-app-id.sh

Reuse an existing App ID service instance

The IBM Cloud lite plan only allows one App ID instance in your organization. If you have an App ID instance, you can use it rather than creating a new one.

In this case paste the App ID credentials in authentication-nodejs/.env. Check out authentication-nodejs/.env.template for an example.

Use another OpenID identity provider

You can use any OpenID identity provider. In this case paste the endpoint URLs in authentication-nodejs/.env. Check out authentication-nodejs/.env.template for an example.

Set up the Demo

Invoke the following commands to set up the demo. Skip the commands you've already executed.

$ cd $PROJECT_HOME
$ scripts/check-prerequisites.sh
$ scripts/delete-all.sh
$ scripts/deploy-articles-java-jee.sh
$ scripts/deploy-web-api-java-jee.sh
$ scripts/deploy-authors-nodejs.sh
$ scripts/deploy-authentication-nodejs.sh
$ scripts/deploy-web-app-vuejs-authentication.sh
$ scripts/deploy-istio-ingress-v1.sh
$ scripts/show-urls.sh

Open the web application with the URL that is displayed as output of 'scripts/show-urls.sh'. When you click 'Login', use the credentials of the demo user.

After the login, the Vue.js application stores the id_token in the Vuex state.

Check out the animated gif to see the authentication flow.

Authorization via Istio

Invocations of the endpoint 'create' of the 'web-api' service have been protected via Istio. Only authenticated users can invoke this endpoint, by passing the bearer token in the HTTP Authorization header.

When you invoke the endpoint without bearer token, you get an exception.

When you log in from the web application, the token is stored in Vuex. After this 'Create Article' can be invoked from the dropdown.

This screenshot shows the page to enter information about a new article:

When the REST API is invoked, the bearer is added:

Watch the animated gif to see the flow in action.

Authorization via MicroProfile

In order to protect functionality on a more fine-grained level, authorization can be handled in the business logic of microservices.

From the web application's dropdown 'Manage Application' can be invoked which triggers the endpoint 'manage' of the 'web-api' microservice.

Only the user 'admin@demo.email' is allowed to invoke this endpoint.

to be done
