DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Authorization in Cloud-Native Apps in Istio via OpenID

Authorization in Cloud-Native Apps in Istio via OpenID

Use OpenID as an open-source method to authenticate your application using a variety of identity providers.

Niklas Heidloff user avatar by
Niklas Heidloff
CORE ·
Apr. 11, 19 · Tutorial
Like (1)
Save
Tweet
Share
5.40K Views

Join the DZone community and get the full member experience.

Join For Free

my colleague harald ueble and i are working on a repo to help developers, especially java developers, getting started with cloud-native applications. by doing this we have learned a lot ourselves.

the topic that has been the most time-consuming one for me to figure out is authentication and authorization. there are quite a number of samples, snippets, and articles available, but i couldn't find anything that describes the whole process end-to-end in one sample which you can simply install and run. that's why i have created a new sample which allows users to authenticate and to check for authorization.

get the code of cloud-native-starter from github.

openid connect and jwt

before i describe the sample, let me give you some background and explain my requirements.

in order to authenticate and authorize users, i'd like to use the standard openid connect 1.0 and oauth 2.0 which can be used with many existing identity providers. in the context of enterprise applications, you want to leverage existing organization directories. ibm app id , for example, acts as an identity provider or identity provider proxy. for simple tests, you can define test users in a cloud directory. for production usage, app id can be configured to work against third-party providers such as active directory federation services via saml.

identity providers also come with their own login pages which means that you, as a developer, don't have to implement yet another login page with user name and password fields and enterprise users get a consistent way to log in. with app id this login page can easily be customized.

the other nice thing about openid connect for developers is that you don't have to understand the internals of the different identity providers, but can use standardized and easy apis. as responses of successful oauth dances, you get access tokens and user tokens as json web token (jwt).

cloud-native sample application

there are five services in the application. the services, except of the managed one, run in kubernetes clusters with istio . in my case, i utilize minikube locally or the ibm cloud kubernetes service.

  • web-app: simple web application built with vue.js which provides login functionality for users and stores tokens locally
  • web-app hosting: nginx-based hosting of the vue.js resources
  • authentication: node.js microservice which handles the oauth dance and returns tokens to the web application
  • web-api: provides an unprotected endpoint /getmultiple to read articles and a protected endpoint create to create a new article
  • ibm app id: contains a cloud directory with test users and acts as an openid identity provider


check out my previous article, " authenticating web users with openid and jwt " that explains how the tokens are retrieved and how they are stored in the web application.

authorization via istio policies

istio provides end-user authentication via openid and jwt. however, in order to use this functionality, you need valid user tokens first (see my previous article ).

via yaml files, policies can be defined. in the sample, the endpoint /web-api/v1/create is protected, so that only authenticated users can access it.

demonstration

after the create endpoint has been protected, the invocation of /create returns a http status 401 "unauthorized" as expected.


from the web application, users can log in and create a new article which invokes the same endpoint.


this time the invocation works, since the bearer token is put into the http "authorization" header.

to see the whole flow in action, download and play this animated gif .

give it a try

if you want to try this functionality yourself, setup a local minikube environment and follow the instructions in our repo.

the setup shouldn't take longer than 30 minutes. an instance of ibm app id is created automatically if you have an ibm cloud lite account (free, no time restriction, no credit card required).

you can also use other openid identity providers. in this case check out the readme how to configure the web application and authentication service.

thanks to ahmed sayed hassan for helping me to figure out how to configure istio!


authentication app OpenID application Web Service Web application

Published at DZone with permission of Niklas Heidloff, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • How to Develop a Portrait Retouching Function
  • How To Use Terraform to Provision an AWS EC2 Instance
  • PostgreSQL: Bulk Loading Data With Node.js and Sequelize
  • Top Five Tools for AI-based Test Automation

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: