Steeltoe Application Security Client-side Authentication and Authorization

This application shows how to use the Steeltoe security libraries for authentication and authorization with OpenID Connect against Single Sign-On for Tanzu and using client certificates provided by Cloud Foundry or Steeltoe (when running locally).

General pre-requisites

  1. Installed .NET 10 SDK
  2. Optional: Tanzu Platform for Cloud Foundry (optionally with Windows support) with Single Sign-On for Tanzu and Cloud Foundry CLI

Running locally

  1. Start a UAA Server docker container
  2. Run dotnet run in both the AuthWeb and AuthApi projects
  3. Please note that some of the links in the menu won't work until you also start the AuthApi application

Running on Tanzu Platform for Cloud Foundry

  1. Install Single Sign-On for Tanzu
  2. Deploy UAA with the Steeltoe Samples configuration
  3. Create a service plan
  4. Configure federated authentication on the service plan
    1. Add the UAA server from step 2 to the service as an OIDC Provider
      • Name the identity provider steeltoe-uaa (or update SSO_IDENTITY_PROVIDERS in manifest.yml accordingly)
      • Credentials for connecting to the UAA server can be found or customized before deployment in uaa.yml
    2. Save changes, but keep this page open
  5. Create a service instance:
    • cf create-service p-identity your-plan sampleSSOService --wait
  6. Push AuthApi to Cloud Foundry
    1. cf target -o your-org -s your-space
    2. cd samples/Security/src/AuthApi
    3. cf push
    • When deploying to Windows, binaries must be built locally before push. Use the following commands instead:
    dotnet publish -r win-x64 --self-contained
    cf push -f manifest-windows.yml -p bin/Release/net10.0/win-x64/publish
  7. Return to the service plan setup page and add an External Group Mapping with these values:
    • OIDC Groups Claim Name = scope
    • External Group Name = openid
    • Permissions = sampleapi.read (If this option isn't available, ensure AuthApi has been deployed)
  8. Push AuthWeb to Cloud Foundry
    1. cf target -o your-org -s your-space
    2. cd samples/Security/src/AuthWeb
    3. cf push
    • When deploying to Windows, binaries must be built locally before push. Use the following commands instead:
    dotnet publish -r win-x64 --self-contained
    cf push -f manifest-windows.yml -p bin/Release/net10.0/win-x64/publish

Note

The provided manifests will create apps named auth-client-web-sample and auth-server-sample and attempt to bind both to the SSO service sampleSSOService.

RedirectUri and Scope access

The RedirectUri and Scope access settings should be automatically configured via the settings in manifest.yml.

If you want to access the SSO dashboard, run the following command and open the URL listed in the dashboard url property:

cf service sampleSSOService

name:            sampleSSOService
guid:            ea8b8ac0-ce85-4726-8b39-d1b2eb55b45b
type:            managed
broker:          identity-service-broker
offering:        p-identity
plan:            steeltoe
tags:
offering tags:
description:     Provides identity capabilities via UAA as a Service
documentation:   https://docs.pivotal.io/p-identity/index.html
dashboard url:   https://p-identity.sys.cf-app.com/developer/identity-zones/15aaabfa-0697-4ad7-96a8-ed81c0a286a7/instances/ea8b8ac0-ce85-4726-8b39-d1b2eb55b45b/
...

What to expect

At this point the app is up and running. You can access it at https://localhost:7072 or https://auth-client-web-sample.`YOUR-CLOUDFOUNDRY-APP-DOMAIN`/.

Note

To see the logs on Cloud Foundry as the app runs, execute this command: cf logs auth-client-web-sample

From the website's menu, click on the Log in menu item and you should be redirected to the UAA server's login page. Enter testuser and password, and you should be authenticated and redirected back to the auth client home page.

The menu of the application includes links for testing the permissions of the user in the current application and for interacting with another service that has been secured with JWT and client certificates.

  • The JWT menu item uses the current user's token to communicate with the backend service.
  • The "SameSpace" and "SameOrg" menu items interact with the backend service using an identity certificate that belongs to the application.
    • Locally, certificates for both the client and server are created by Steeltoe.
    • On Cloud Foundry, certificates are provisioned by the platform, with OrgId and SpaceId populated based on where the applications are deployed.
  • While logged in, view information about the testuser account by clicking on "Hello testuser!" next to the "Log out" link.
  • If needed, sign out of the UAA server using the dropdown menu in the top right corner at http://localhost:8080 (locally) or use the command cf app steeltoe-uaa to get the address of the server deployed to Cloud Foundry.
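The "SameSpace" and "SameOrg" items above rely on the OrgId and SpaceId carried in the application's identity certificate. The following is an added example, not code from the Steeltoe sample or the Steeltoe library: it shows how such a policy can be decided from a client certificate's subject. It assumes the subject layout used by Cloud Foundry instance identity certificates (OU entries of the form organization:<guid>, space:<guid> and app:<guid>, with the instance GUID in CN); the GUIDs in the sample subjects are constructed.

```python
"""Same-org / same-space authorization from a client certificate subject.

Added example; not part of the Steeltoe sample. The OU layout below
(organization:<guid>, space:<guid>, app:<guid>, CN=<instance-guid>) is an
assumption about Cloud Foundry instance identity certificates.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 style distinguished name into (type, value) pairs.

    Backslash-escaped commas inside a value are kept; full RFC 4514
    unescaping is not needed because GUIDs and the fixed prefixes never
    contain special characters.
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


@dataclass(frozen=True)
class InstanceIdentity:
    org_id: str
    space_id: str
    app_id: str
    instance_id: str


def identity_from_subject(subject: str) -> Optional[InstanceIdentity]:
    """Extract org/space/app/instance GUIDs; None if any is missing or repeated."""
    ous: Dict[str, str] = {}
    cn: Optional[str] = None
    for typ, val in parse_dn(subject):
        if typ == "OU" and ":" in val:
            key, value = val.split(":", 1)
            if key in ous:
                # Two OUs claiming the same kind of identifier: refuse to guess.
                return None
            ous[key] = value
        elif typ == "CN":
            cn = val
    try:
        return InstanceIdentity(ous["organization"], ous["space"], ous["app"], cn or "")
    except KeyError:
        return None


def authorize(policy: str, server: InstanceIdentity, client_subject: str) -> bool:
    """Decide a SameOrg or SameSpace policy for a caller's certificate subject.

    Anything that cannot be parsed into a complete identity is denied.
    """
    client = identity_from_subject(client_subject)
    if client is None:
        return False
    if policy == "SameOrg":
        return client.org_id == server.org_id
    if policy == "SameSpace":
        return client.space_id == server.space_id
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample identities (GUIDs are placeholders, not real instances).
SERVER = InstanceIdentity(
    org_id="11111111-1111-1111-1111-111111111111",
    space_id="22222222-2222-2222-2222-222222222222",
    app_id="33333333-3333-3333-3333-333333333333",
    instance_id="44444444-4444-4444-4444-444444444444",
)
SAME_SPACE_CLIENT = (
    "CN=55555555-5555-5555-5555-555555555555, OU=app:66666666-6666-6666-6666-666666666666, "
    "OU=space:22222222-2222-2222-2222-222222222222, OU=organization:11111111-1111-1111-1111-111111111111"
)
OTHER_SPACE_CLIENT = (
    "CN=77777777-7777-7777-7777-777777777777, OU=app:88888888-8888-8888-8888-888888888888, "
    "OU=space:99999999-9999-9999-9999-999999999999, OU=organization:11111111-1111-1111-1111-111111111111"
)
NO_SPACE_CLIENT = "CN=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa, OU=organization:11111111-1111-1111-1111-111111111111"

if __name__ == "__main__":
    for name, subj in [("same space", SAME_SPACE_CLIENT), ("other space", OTHER_SPACE_CLIENT), ("no space", NO_SPACE_CLIENT)]:
        print(name, "SameOrg:", authorize("SameOrg", SERVER, subj), "SameSpace:", authorize("SameSpace", SERVER, subj))
```

The decision deliberately fails closed: a subject lacking any of the expected OUs, or carrying two of the same kind, is treated as an unknown caller rather than matched on whatever fields are present. In a real deployment this check runs only after the TLS layer has validated the certificate chain against the platform's CA; the subject alone proves nothing without that.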

See the Official Steeltoe Security Documentation for more detailed information.