
User authentication via XSUAA in Kyma Environment

francbele
Explorer
0 Kudos

Hello,

I am using Kyma Environment momentarily only in my Trial Account so I can test its features and implementations.

I deployed a dummy app so far. I would like to access this app only by authenticating an user via XSUAA but I really can't find a good example on how to do that. I have created an Authorization & Trust Management Instance (XSUAA) and I can successfully create a binding between the app and the XSUAA instance.

If I test the binding with Postman using the binding's client id and client secret I can successfully "log in" and get the token, but later on I don't know how to "protect" my app so it won't be directly accessible without an authentication. So the binding is there, successfully created and working, but the app is still publicly available. Are there any settings to be made in the "API Rules" segment? If I use "Allow" or "noop" my app is always accessible. What configuration should I make to achieve this?

Thanks for any help in advance.

Accepted Solutions (0)

Answers (2)


mariusobert
Developer Advocate
0 Kudos

In case you want to issue JWT tokens with the XSUAA from the SAP BTP, please have a look at this post here where I run an approuter in the Kyma environment.

Please be aware that here the approuter takes care of the access management and the Kyma API rule is just exposing that app without handling the permission checks itself.

francbele
Explorer
0 Kudos

Hi Marius,

thank you for your help and for pointing me in the direction to follow. I have tried your solution but I ran into issues with the first deployment. I am getting this error.

Also, isn't here supposed to be a path to a specific Docker image?

Thanks.

Kind regards,

Franc

mariusobert
Developer Advocate
0 Kudos

The snippet with user/image is just for illustration. The actual file is further down in the handson section

francbele
Explorer
0 Kudos

Hi Marius,

sorry for the late reply. So, I followed your instructions and after a small adjustment in the deployment.yaml file, namely that I updated the value of the resources needed for the deployment to 512M, everything got deployed and running.

I actually tried to deploy the application two times; the second time I only changed the names. However, I found out that when I changed the names, the app could no longer retrieve the data from the Northwind service.

Would you be willing to check what I configured wrong in my deployment.yaml file? This is the file I used with the second deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ui5auth
  labels:
    app: xsuaa-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: xsuaa-app
  template:
    metadata:
      labels:
        app: xsuaa-app
    spec:
      volumes:
        - name: destination
          secret:
            secretName: destination-service-binding
        - name: xsuaa
          secret:
            secretName: uaa-service-binding
      containers:
        - image: iobert/dockerized-sapui5-app
          imagePullPolicy: Always
          name: xsuaa-app
          ports:
            - name: http
              containerPort: 5000
          volumeMounts:
            - name: destination
              mountPath: "/etc/secrets/sapcp/destination/ui5auth_destination"
              readOnly: true
            - name: xsuaa
              mountPath: "/etc/secrets/sapcp/xsuaa/ui5auth_uaa"
              readOnly: true
          resources:
            limits:
              memory: 512M
            requests:
              memory: 512M

---
apiVersion: v1
kind: Service
metadata:
  name: ui5auth
  labels:
    app: xsuaa-app
spec:
  ports:
    - name: http
      port: 5000
  selector:
    app: xsuaa-app

---
apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  labels:
    app: xsuaa-app
  name: ui5auth
  apirule.gateway.kyma-project.io/v1alpha1: xsuaa-app
spec:
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  service:
    host: xsuaa-app.d7841ee.kyma.shoot.live.k8s-hana.ondemand.com
    name: ui5auth
    port: 5000
  rules:
    - path: /.*
      methods: ["GET", "POST"]
      accessStrategies:
        - handler: noop
      mutators:
        - handler: header
          config:
            headers:
              x-forwarded-host: xsuaa-app.d7841ee.kyma.shoot.live.k8s-hana.ondemand.com
              x-forwarded-proto: https

---
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: uaa-service-instance
spec:
  clusterServiceClassExternalName: xsuaa
  clusterServicePlanExternalName: application
  parameters:
    xsappname: ui5auth-kyma
    tenant-mode: dedicated
    oauth2-configuration:
      redirect-uris:
        - https://*/**

---
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: uaa-service-binding
spec:
  instanceRef:
    name: uaa-service-instance

---
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: destination-service-instance
spec:
  clusterServiceClassExternalName: destination
  clusterServicePlanExternalName: lite

---
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: destination-service-binding
spec:
  instanceRef:
    name: destination-service-instance

Thank you.

Kind regards,

Franc

francbele
Explorer
0 Kudos

Sorry to bother you, but I have already figured it out.

I needed to create a new Destination in CF; somehow it wasn't there. I also didn't know that it needs to be created in CF in order for it to work in Kyma. So the Destination service in Kyma is, as far as I understand, only a kind of proxy to the destinations that are configured in CF.

Anyway, now it's working fine.

Thanks anyway.

Kind regards,

Franc

mariusobert
Developer Advocate
0 Kudos

I'm glad you made it run!

I think you are mixing up two things. There's no such notion as a "CF destination" - at least not anymore. There are subaccount-level destinations and instance-level destinations. In the past we sometimes referred to subaccount destinations as "CF destinations" because CF was the only runtime in such a subaccount. But now we also have more runtimes that all belong to the same subaccount.

francbele
Explorer
0 Kudos

I see, thank you for the time and additional explanation on the matter!

I have another question if you would be so kind to answer it. In your case above we covered the xsuaa authentication just for one business application (SAPUI5 app). Now let's say that we want this app to communicate with another Node.js middleware app, which is deployed on the same runtime in the same namespace. Should this Node.js app also have the same service bindings as were made for the SAPUI5 app? I think so, but just to make sure.

Also, I would like to get information of the logged in user in my Node.js app and send it to the SAPUI5 app. Would you kindly point me in the right direction or tell me how could I achieve that?

Thank you.

Kind regards, Franc

mariusobert
Developer Advocate
0 Kudos

Hi Franc,

yes, that assumption is correct. And you can use the user api service in case you use a standalone approuter. 🙂

francbele
Explorer
0 Kudos

Hi Marius,

I am really glad and thankful for your help and support!

So I am trying to deploy an Angular App (probably it doesn't really matter, but still) that is running on the default port (80) and I just can't figure out why it doesn't route through the XSUAA approuter. When I open a URL I just land straight in the app, without being redirected or asked for a login.
Would you kindly help me and take a look at my deployment.yaml? Basically what I did is just change the port to 80, rename the deployment and instances, remove the Destination instance as I don't need it, and that's it.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: fe-test
  labels:
    app: fe-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fe-auth
  template:
    metadata:
      labels:
        app: fe-auth
    spec:
      volumes:
        - name: xsuaa
          secret:
            secretName: fe-test-binding
      containers:
        - image: docker/image/location
          imagePullPolicy: Always
          name: fe-auth
          ports:
            - name: http
              containerPort: 80
          volumeMounts:
            - name: xsuaa
              mountPath: "/etc/secrets/sapcp/xsuaa/fe-test_uaa"
              readOnly: true
          resources:
            limits:
              memory: 512M
            requests:
              memory: 512M

---
apiVersion: v1
kind: Service
metadata:
  name: fe-test
  labels:
    app: fe-auth
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: fe-auth

---
apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  labels:
    app: fe-auth
  name: fe-test
  apirule.gateway.kyma-project.io/v1alpha1: fe-test
spec:
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  service:
    host: fe-test.d7841ee.kyma.shoot.live.k8s-hana.ondemand.com
    name: fe-test
    port: 80
  rules:
    - path: /.*
      methods: ["GET", "POST"]
      accessStrategies:
        - handler: noop
      mutators:
        - handler: header
          config:
            headers:
              x-forwarded-host: fe-test.d7841ee.kyma.shoot.live.k8s-hana.ondemand.com
              x-forwarded-proto: https

---
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: fe-test-instance
spec:
  clusterServiceClassExternalName: xsuaa
  clusterServicePlanExternalName: application
  parameters:
    xsappname: fe-test-kyma
    tenant-mode: dedicated
    oauth2-configuration:
      redirect-uris:
        - https://*/**

---
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: fe-test-binding
spec:
  instanceRef:
    name: fe-test-instance

I would really appreciate your help and sorry for the inconvenience that I cause.

Kind regards,
Franc

mariusobert
Developer Advocate
0 Kudos

Hi Franc,

that file looks ok. What exactly is happening in your docker image? Is it possible that this is just the plain Angular app and that it doesn't use the approuter at all (I'm asking because you said "xsuaa approuter" which does not exist. There is an xsuaa service that needs to be bound to an approuter)?
I guess I would need to see the entire codebase to get a better understanding of what is happening. Can you upload the project to a GitHub repo?

francbele
Explorer
0 Kudos

Hi Marius,

I can do that but can I send the link to you on some email address? Or can I find you on https://messages.sap.com?

Are there additional configurations to be made in the codebase itself in order to get the xsuaa to work?

Thanks.

Kind regards,
Franc

mariusobert
Developer Advocate
0 Kudos

GitHub would be better

francbele
Explorer
0 Kudos

Hi Marius

You can find the base code in this link: https://github.com/fbele/angular-test

Is it also possible to get the source of the SAPUI5 app that you used in your tutorial?

Thank you.

Kind regards,
Franc Bele

mariusobert
Developer Advocate
0 Kudos

Yes, this is the problem that I assumed. You are using a plain Angular app here and there's no approuter involved. You need to add one and push the built Angular resources within the approuter or in the HTML5 app repo service.

I don't have the sample code of that particular tutorial but there are a few general samples here. I recommend that you have a look at them.

francbele
Explorer
0 Kudos

Hi Marius,

Thank you for your help.
As much as I want to understand and figure it out by myself, I'm not sure how to move forward. How do I involve an approuter? Does what you say mean that I need to add the xs-app.json file to the root of the Angular app and configure it? I did that like so:

{
    "welcomeFile": "./index.html",
    "authenticationMethod": "route",
    "routes": [
        { 
            "source": "^(.*)$",
            "target": "$1",
            "localDir": "./",
            "authenticationType": "xsuaa"
        }
    ]
}

Unfortunately, that doesn't change anything; the request to the app still doesn't get routed via xsuaa. For my test I was using this xs-app.json file in combination with the deployment.yaml file from before.

I'm struggling as I don't know what more I need to do.

mariusobert
Developer Advocate
0 Kudos

Yes and no. You need the file in your project when you want to store it in the HTML5 app repo.
I'd suggest that you read up on the application router as that would be too much content for this question here (sorry).

Here are a few links:

Blog post about app router

Blog post about React apps in BTP

Talk 1

jamie_cawley
Advisor
0 Kudos

Hi Franc,

For user based authentication an apirule will only validate a jwt, it will not issue them. For user based authentication/authorization you can find an example at

https://github.com/SAP-samples/kyma-runtime-extension-samples/tree/master/app-auth-proxy

This app will be exposed to the internet and configured with xsuaa to authenticate/authorize users. After this takes place it will proxy a connection to the k8s service of your app, so there is no need to expose your app via an apirule. The example is currently set up to work with some of the other examples in the repo, so you would need to modify the configmap to work with your app. If you have any questions please ping me on https://messages.sap.com/

Regards,

Jamie
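As an added illustration of the point above (this is example configuration written for this thread, not code from the app-auth-proxy sample or from the original posts): the APIRule from earlier in the thread with the `noop` access strategy replaced by the `jwt` handler. With `jwt`, the Kyma gateway checks the signature, issuer and expiry of the bearer token on every request before it reaches the workload, but it never redirects a browser to a login page; a request without a valid token is rejected. The JWKS and issuer URLs are placeholders following the usual XSUAA layout (`/token_keys` and `/oauth/token` under the `url` of the XSUAA binding); the host is the one used in this thread.

```yaml
apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  name: ui5auth
  labels:
    app: xsuaa-app
spec:
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  service:
    host: xsuaa-app.d7841ee.kyma.shoot.live.k8s-hana.ondemand.com
    name: ui5auth
    port: 5000
  rules:
    - path: /.*
      methods: ["GET", "POST"]
      accessStrategies:
        # "jwt" instead of "noop": the gateway validates the bearer token
        # itself, so unauthenticated requests never reach the container.
        - handler: jwt
          config:
            # Placeholder XSUAA endpoints; take the real values from the
            # "url" field of the XSUAA binding secret in your subaccount.
            jwks_urls:
              - https://<subaccount>.authentication.<region>.hana.ondemand.com/token_keys
            trusted_issuers:
              - https://<subaccount>.authentication.<region>.hana.ondemand.com/oauth/token
```

This is the right shape for an API that is called with a token already obtained elsewhere (a service-to-service call, or the Postman flow from the first post). For a UI that should send an interactive user to the XSUAA login, an approuter or the app-auth-proxy sample still has to sit in front, as described above; the `jwt` handler only covers the "validate" half.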

francbele
Explorer

Hi Jamie,

Thank you for the swift reply!

I have seen this example before and I thought that it's being used in some other scenarios. I'll definitely give it a try!

Kind Regards,

Franc

francbele
Explorer
0 Kudos

Hi Jamie,

I managed to make your example to work. Thank you!

Can I use Approuter User API Service with this solution in order to get user information? Is it going to work?

Thank you.

Kind regards,
Franc

francbele
Explorer
0 Kudos

Hi Jamie,

One more thing I've noticed is that the solution doesn't seem to work with Postman.

I use the secret generated by the Credentials of app-auth-proxy (in your example), then I use Grant type Password and my user details. The scope remains blank or it's set to "openid" as it is always "openid". I successfully get back the generated token, but then when I make the request using this generated token I always get a response as HTML which is the Login site of the XSUAA.

Do you know how to access the resources using the OAuth Access Token?

Thank you.

Kind regards,
Franc

jamie_cawley
Advisor
0 Kudos

The app has two endpoints to get user info, /auth/user and /auth/groups. I am not so sure that Postman supports OpenID Connect authentication.

Regards,

Jamie

cupertino
Discoverer
0 Kudos

Hi jamie.cawley ,

is there any way to control access to the target service / endpoint through the app-auth-proxy?

At the moment any user of my kyma cluster seems to be authorized when using routes.http_method_scopes.scope: "*" within config.json

Playing around with the scope value is not really working. "$XSAPPNAME.runtimeNamespaceAdmin" for example leads to "Unauthorized." response despite the fact that my user (i.e. Email) is actually set as namespace admin.

Am I missing something?

Edit: Is it possible to set up custom role-collections, role-templates and scopes within the xsuaa service instance configuration? If so, how must the scope value be set in config.json (configmap.yaml respectively)?

Thank you.

Regards,

Josef

jamie_cawley
Advisor
0 Kudos

The scopes would be based on the service instance created under Create XSUAA Service Instance, see the link under step 7. Kyma roles are no longer assigned within BTP, they are done within the cluster, so runtimeNamespaceAdmin would no longer be valid.

Regards,

Jamie
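To show what "the scopes would be based on the service instance" looks like in practice, here is the XSUAA ServiceInstance from earlier in the thread extended with a custom scope, a role template and a role collection. This is example configuration added for this thread, not part of the original posts or of the kyma-runtime-extension-samples repository; the `scopes`, `role-templates` and `role-collections` keys are the standard xs-security.json keys that the XSUAA `application` plan accepts as instance parameters, and the scope and collection names are made up for the example. The redirect-uris wildcard from the thread is also narrowed to the cluster domain used above, so authorization codes can only be sent back to hosts on that cluster.

```yaml
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: uaa-service-instance
spec:
  clusterServiceClassExternalName: xsuaa
  clusterServicePlanExternalName: application
  parameters:
    xsappname: ui5auth-kyma
    tenant-mode: dedicated
    oauth2-configuration:
      redirect-uris:
        # Narrowed from https://*/** to the cluster's own domain (from this thread).
        - https://*.d7841ee.kyma.shoot.live.k8s-hana.ondemand.com/**
    # Custom scope; $XSAPPNAME is replaced by XSUAA with the application id.
    scopes:
      - name: "$XSAPPNAME.Viewer"
        description: "Read access to the proxied application"
    # Role template that carries the scope.
    role-templates:
      - name: Viewer
        description: "Viewer of the proxied application"
        scope-references:
          - "$XSAPPNAME.Viewer"
    # Role collection that an administrator assigns to users in the BTP
    # cockpit; only users holding it receive the scope in their token.
    role-collections:
      - name: ui5auth-viewer
        description: "Users allowed to open the proxied application"
        role-template-references:
          - "$XSAPPNAME.Viewer"
```

After the instance is created, assign the `ui5auth-viewer` role collection to the users who should have access and reference the `Viewer` scope in the proxy's config.json instead of `"*"`. Before hard-coding the scope string, decode a token issued for the instance and copy the exact value from its `scope` claim: XSUAA prefixes custom scopes with the generated application id (the `xsappname` plus a tenant suffix), so the string in the token is longer than the `$XSAPPNAME.Viewer` written in the parameters.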