# improve-security-with-oauth2 **Repository Path**: mirrors_tomitribe/improve-security-with-oauth2 ## Basic Information - **Project Name**: improve-security-with-oauth2 - **Description**: No description available - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2020-09-26 - **Last Updated**: 2026-02-08 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README :encoding: UTF-8 :linkattrs: :sectlink: :sectanchors: :sectid: :imagesdir: media :leveloffset: 1 = Secure Microservices with OAuth 2.0 and JWT Time: 10 minutes == Learning objectives * Basics of OAuth 2.0 * Introduction to JSON Web Token (JWT) * How to secure a microservice with the Tribestream API Gateway (TAG) == Prerequisites * Docker installed and running. * Curl installed. == Run Docker Containers Before digging into OAuth2 using TAG you need run the docker containers of the Movies Microservice and TAG. === Run the Movies Microservice container If you went through the _Tribestream Quickstart Guide_ you can reuse the _movie-api_ docker container. To start the movie-api execute the following command: ``` docker start movie-api ``` However, if this is the first time you hear about the `movie-api`, open the terminal and execute the following command. ``` docker run -d -p 9090:9090 --name movie-api tomitribedev/movie-api ``` You can validate that the microservice is up and running by executing the command below: ``` curl -i http://localhost:9090/movie-api/api/movies ``` You should be able to see the movie-api microservice output: ``` HTTP/1.1 200 OK X-Powered-By: Express Content-Type: application/json; charset=utf-8 Content-Length: 907 ETag: W/"38b-nH1wH3YovzhC6d7xYfLwUga8Hf8" Date: Wed, 04 Jul 2018 11:16:42 GMT Connection: keep-alive [{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":2,"title":"John Rambo"},{"comments":[],"year":2008,"director":"Sylvester Stallone","genrer":"Action","rating":7,"id":52,"title":"John Rambo"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":1,"title":"The Matrix"},{"comments":[],"year":1999,"director":"Syl","genrer":"Sci-Fi","rating":9,"id":51,"title":"The Matrix"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":3,"title":"Starship Troopers"},{"comments":[],"year":1997,"director":"Paul Verhoeven","genrer":"Sci-Fi","rating":7,"id":53,"title":"Starship Troopers"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":4,"title":"Stargate"},{"comments":[],"year":1994,"director":"Roland Emmerich","genrer":"Sci-Fi","rating":7,"id":54,"title":"Stargate"}]% ``` === Run the Tribestream API Gateway (TAG) container If you went through the _Tribestream Quickstart Guide_ you can reuse the _TAG_ docker container. To start TAG execute the following command: ``` docker start tag ``` However, if this is the first time you run TAG, open the terminal and execute the following command. For linux: ``` docker run --net="host" -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway ``` For OSX: ``` docker run -e LICENSE=accept --name tag -p 8080:8080 tomitribe/tribestream-api-gateway` ``` TAG is ready when you see the following message in the logs: ``` INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8080"] INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-bio-8009"] INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18348 ms ``` == What is OAuth 2.0? OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service. The Tribestream API Gateway will help you to easily configure OAuth2 to protect your microservices using the OAuth2 Profile. TAG will receive your credentials, check them and issue an access token. This token can be used to call different routes to microservices multiple times until it expires. image::OAuth2.png[""] == What is JSON Web Token (JWT)? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. TAG emits a JWT access tokens. The token is a Base64 encoded JSON that has a header, a payload with the claims and the signature to guarantee data integrity. image::JWT.png[""] == How to secure a microservice with the Tribestream API Gateway (TAG) To learn how to do it let's go through the following scenario: _My name is John and as a streaming application owner, I want populate my Movie Streaming Website with a movies catalog, so users can have access to all the movies we can stream. This catalog is exclusive for USA and cannot be shared with other countries._ _You as a TAG Administrator need to protected an existing Movie Catalog Microservice, this microservice must be available only for USA and accessible for the Movie Streaming Website._ image::scenario.png[""] First step is to open the browser and navigate to link:http://localhost:8080/tag[,window="_blank"]. Login into the TAG dashboard using *username* admin , *password* admin . image::login.gif[""] === Create the Client Account Create the client account to identify the Streaming Website, following the steps below: * Click on the _Accounts_ * Click the _Plus button_ (+) * Select _Account_ Fill the Account information with the following data: * *Username*: _streaming-website_ * *Email*: _streaming-website@email.com_ * *Full Name*: _Streaming Website_ image::create-client-account.png[""] After clicking _Save_ you will be redirected to a page with all the _streaming-website_ account information. Add a Client Secret with the following steps: + * Click _..._ * Select _Add Client Secret_ on the menu Use the following data in the _Add Client Secret_ window: + * *New Client Secret*: _12345678_ * *Re-type*: _12345678_ * *OAuth Security Profile*: _OAuth2 Profile_ * Click _Save_ image::add-client-secret.png[""] === Create the User Account You also need to create a user for the Streaming Website owner. * Go back to the _Accounts_ * Click the _Plus button_ (+) * Select _Account_ Fill the Account information with the following data: * *Username*: _john_ * *Email*: _john@email.com_ * *Full Name*: _John_ image::create-user.png[""] You will be redirected to the Account page with John's information. * Click _..._ * Select _Add password_ * Type password _abcde123_ * Click _Save_ Now you have both the client for the website configured and the user account for John also configured. === Create a secure route with the OAuth2 Security Profile Now let’s create a secured OAuth2 route to the Movies Catalog Microservice and give access only to applications with the _USA_ role. This means that, if an application has a role different than USA, for example BRA which stands for Brazil, it will not be able to access the route. On the Dashboard page execute the following steps: * Click on the _Routes_ * Click the _Plus button_ (+) * Select _MOD_REWRITE ROUTE_ Then fill the form with the following data: * *Name*: _Movies Catalog USA_ * Add the *MOD_REWRITE* description ``` RewriteRule "^/movies-catalog$" "http://localhost:9090/movie-api/api/movies" [P,NE,auth] ``` * *Security Profiles*: _OAuth2 Profile_ * *Roles*: _USA_ NOTE: If you are using OSX as the operating system, replace in *MOD_REWRITE* _localhost_ for _host.docker.internal_. image::create-route.png[""] After clicking _Save_ you will be on the page of your created route. You now have a route _/movies-catalog_ secured with OAuth2 and only calls from accounts with the role _USA_ will be proxied to the Movies Catalog Microservice. === Calling the Movies Catalog Route You can test the behavior of the TAG configuration directly from the Route screen. * Click _..._ * Click _Test_ This will open the _Test Routes_ screen, set the *Scenario name* to _Movies Catalog_ and the *Resource URL* to _/movies-catalog_. image::test-window.png[""] Add OAuth2 Authentication with the following steps: * Click _..._ * Select _Add OAuth 2.0_ * Scroll down to the OAuth2 section * The *Grant Type* _password_ is already filled * Fill *Username* with _john_ * Fill *Password* with _abcde123_ * Fill *Client Id* with _streaming-website_ * Fill *Client Secret* with _12345678_ image::test-window-with-oauth2.png[""] After that click _Test_. You will get back a http status *403* and the reason is that the client must have the role _USA_ to be authorized to access the route. image::test-window-with-oauth2-403.png[""] So now, scroll to the top and save the test scenario _Movies Catalog_. image::save-test.png[""] Then go back to streaming-website client account to add the role. * Go to the _Dashboard_ * Click _Accounts_ * Click _STREAMING WEBSITE_ * Add _USA_ to *Roles* * Save Then go to the route _Movies Catalog Route_: * Go to the _Dashboard_ * Click _Routes_ * Click _MOVIES CATALOG USA_ * Click _..._ * Select _Test_ In the Test Routes window, search for scenario _Movies Catalog_. You will get saved information back, now click _Test_. You will now receive a http status *200* in the response, which means you were able to get a token, use this token to call the _/movies-catalog_ and you were authorized to use the route successfully as you had the necessary role to do it. Therefore the request will be proxied and if you check the _PAYLOAD_, the microservice returned the catalog of movies for the Streaming Website. image::test-window-with-oauth2-200.png[""] == Stop the Docker containers After executing this tutorial stop all docker images so it does not overload your computer. ``` docker stop tag docker stop movie-api ```