This topic Develop Python App with Authentication and Authorization in Cloud Foundry will guide you through creating a Python application, setting up authentication checks and authorization checks in Cloud Foundry (for ease of reading “CF).

Since this is a large topic, in order to give you a better reading experience, I would like to divide it into 3 parts:

Part 1: Create and Deploy a Python Application

Part 2: Authentication Checks in Python Application

Part 3: Authorization Checks in Python Application

This blog post is Part 2.

The simplest way to add authentication is to leverage Application Router (approuter). We’ll create a separate Node.js micro-service with the package @Sisn/approuter, to act as an entry point for the Python application. As shown in the structure below, all the requests that come to the Application Router will trigger the process of authentication (and authorization). By default, the IdP is the pre-provided identity provider. You can also add your customized IdP as an identity provider as well. 

What is Application Router

• 1 Application Router for 1 business app


• The single entry point to the outside


• Serve as a reverse proxy to rewrite URL

Main functions of Application Router:

• Handles authentication for all apps of the application


• Authorization check


• Serves static resources


• Performs route mapping (URL mapping)


• Talk to XSUAA: In case of multi-tenancy, it derives the tenant information from the URL and provides it to the XSUAA, to redirect the authentication request to the tenant-specific IdP.

Step 1: Create an XSUAA instance

Create an xs-security.json file for your application with the following content:

{

   "xsappname":"myapp",

   "tenant-mode":"dedicated",

   "oauth2-configuration":{

      "redirect-uris":[

         "https://*.<custom-domain>/**"

      ]

   }

}

Replace <custom-domain> with the domain available in your org, you can check it by executing CF command cf domains.

For example:

{

   "xsappname":"myapp",

   "tenant-mode":"dedicated",

   "oauth2-configuration":{

      "redirect-uris":[

         "https://*.apps.sap-samples.scpcloud.top/**"

      ]

   }

}

Create an XSUAA service instance named myuaa via the following command:

cf create-service xsuaa application myuaa -c xs-security.json

You can check it either in the Cockpit or through CF command:

 

Step 2: Bind the XSUAA instance to the app

Add the myuaa service instance into the manifest.yml file as following:

---

applications:

- name: myapp

  host: <host>

  path: .

  domain: <custom-domain>

  memory: 128M

  command: python server.py

  services:

    - myuaa

The myuaa service instance will be bound to the myapp application during deployment later.

 

Step 3: Create Application Router app

Create a directory called approuter in the python-with-xsuaa directory.

Inside the approuter directory, create a sub-directory named resources, this directory will be used to provide the business application's static resources.

Inside resources, create an index.html file with the following content:

<html>

    <head>

        <title>Python with XSUAA</title>

    </head>

    <body>

        <h1>Python with XSUAA</h1>

        <a href="https://blogs.sap.com/myapp/">myapp</a>

    </body>

</html>

Create a package.json file in the approuter directory by executing:

npm init

Install the approuter packages into the approuter/node_modules/@sap by executing:

npm install @sap/approuter --save

Add the following scripts section to the package.json file in the approuter directory:

"scripts": {

      "start": "node node_modules/@sap/approuter/approuter.js"

}

For example:

{

  "name": "approuter",

  "version": "1.0.0",

  "description": "",

  "main": "index.js",

  "scripts": {

    "start": "node node_modules/@sap/approuter/approuter.js"

  },

  "author": "",

  "license": "ISC",

  "dependencies": {

    "@sap/approuter": "^8.0.0"

  }

}

Modify the manifest.yml file in the python-with-xsuaa directory with the following content at the end of it:

---

applications:

- name: myapp

  host: <host>

  path: .

  domain: <custom-domain>

  memory: 128M

  command: python server.py

  services:

    - myuaa

- name: approuter

  host: <host>

  path: approuter

  domain: <custom-domain>

  memory: 128M

  env:

    destinations: >

      [

        {

          "name":"myapp",

          "url":"<myapp-url>",

          "forwardAuthToken": true

        }

      ]

  services:

    - myuaa

Replace <host> with a unique name, so it does not clash with other deployed applications.
Replace <custom-domain> with the domain available in your org, you can check it by executing CF command cf domains.
Replace <myapp-url> with the URL of the myapp application as displayed by the cf apps command, and add the network protocol before the URL.
The <destinations> environment variable defines the destinations to the micro-services, the application router will forward requests to.


For example:

---

applications:

- name: myapp

  host: myapp-ixxxxxx

  path: .

  domain: apps.sap-samples.scpcloud.top

  memory: 128M

  command: python server.py

  services:

    - myuaa

- name: approuter

  host: approuter-ixxxxxx

  path: approuter

  domain: apps.sap-samples.scpcloud.top

  memory: 128M

  env:

    destinations: >

      [

        {

          "name":"myapp",

          "url":"https://myapp-ixxxxxx.apps.sap-samples.scpcloud.top",

          "forwardAuthToken": true

        }

      ]

  services:

    - myuaa

Create a xs-app.json file in the approuter directory with the following content:

{

  "routes": [

    {

      "source": "^/myapp/(.*)$",

      "target": "$1",

      "destination": "myapp"

    }

  ]

}

With this configuration, the incoming request path is connected with the destination where the request should be forwarded to. By default, every route requires OAuth authentication, so the requests to this path will require an authenticated user.

 

Step 4: Deploy the application onto Cloud Foundry

Navigate to the python-with-xsuaa directory and execute:

cf push

This command will update the myapp application and deploy the new approuter application as well.
From this point in the tutorial, the URL of the approuter application will be requested instead of the myapp URL. It will then forward the requests to the myapp application.

Step 5: Access the application

Check the URL of the approuter application via:

cf apps

Open a Firefox Developer Edition browser window and enter the URL of the approuter application, you should see the logon page for authentication:



Enter your SAP Email and domain Password, then you will see the welcome page you defined in the approuter application:

Click on the myapp link, you can see your myapp application:

Conclusion

This blog post shared how to leverage the Application Router and the XSUAA service in SAP Cloud Platform to realize authentication onto an existed app.

Special point for Alibaba Cloud:

For Alibaba Cloud, custom domain must be consumed, so the redirect URL redirect-uris needs to be specified in xs-security.json file.

The next part 3 will be published later, it will not take a long time, let's stay tuned.

Part 3: Authorization Checks in Python Application

If you would like to get more step-by-step hands-ons on SAP Cloud Platform Alibaba Cloud, please follow me!