Demystifying Approuter and XSUAA in Cloud Foundry
This blogs provides a basic introduction Approuter , XSUAA and and how a request to application is getting served in CF environment.
Approuter
A application router also know as approuter is a nodejs application which serves as a single point of entry for all the other applications running in cloud foundry environment in SCP(now know as BTP i.e. Business Technology Platform).
Why do we need Application Router?
A application running in cloud foundry environment can consist of several different microservices. Thus a central point of access is required which will not only authenticate but also forward(route) the incoming request to the respective microservices.
Hmm,too many technical terms used in the definition. Let us address them one by one.
Cloud Foundry:
Cloud Foundry is an open source platform (PAAS*) for developing ,deploying, running and scaling applications on the cloud.
MicroServices:
Microservices is an architectural style wherein an application is structured as a collection of independent services.
Note:
Since the services/apis are directly accessible , they can be triggered directly without going via approuter, hence it is recommended to validate the JWT tokens and scope at the service/api layer.
Capability and Features of Approuter:
- Authentication and Authorisation Checks :
It basically checks for JWT token which is generated only when the user has already been authenticated .If the JWT token is present , approuter will validate the token and forward the request to the target services directly , if the JWT token is absent the request will be forwarded to XSUAA servers to carry out the authentication and authorisation flow .
- Reverse proxy :
It forwards the request to the relevant micro-services with the help of destination configuration. The rules determining which http request should be forwarded to which destination are called “routes”.
- Serve static contents :
It also serves the static contents like webpages with the help of “routes” configuration
XSUAA:
UAA :It is also known as CF UAA where UAA for “User Authentication and Authorization”. It is an open source identity management and authorisation service provided by cloud foundry.Its primary role is to serve as an oAuth2 provider , thus issuing access token to the client applications and validating these token for resource servers.
Note: UAA is a Java webservice , hence it can be run in any java compliant webserver
Refer :
https://docs.cloudfoundry.org/uaa/ for more information
XSUAA : It is an implementation of CF UAA from SAP where XSUAA stands for “Extended Services for UAA”. It acts as an “Authorisation Server” and authorisations of the applications are maintained with the help of technical roles (which then can be aggregate into business groups and role collection) assigned to the users . It will be used together with IDP to authenticate and authorise the user and provide access to the backend APIs.
A trust relationship is maintained between the identity provider (IDP) and the service provider (XSUAA) . Thus when the application receives an initial unauthenticated request , approuter redirects the request to the IDP for authentication. And once the authentication is successful, IDP responds back with a SAML assertion (also know as SAML Bearer assertion token) confirming the users identity . This SAML assertions are then used by the authorisation server (XSUAA) to determine the authorisations (roles and scopes) of the user. This complete flow is complex with a series of redirects which can be pictorially represented as :
Approuter XSUAA Flow Diagram
This article just provided an introduction to Approuter and XSUAA . In the subsequent blog posts you will learn in detail about how an approuter and xsuaa server work in tandem in BTP CF environment.