Attribute | Details |
---|---|
Dapr runtime version | 1.5.0 |
Language | Javascript |
Environment | Kubernetes |
This tutorial shows a real use case of the Dapr middleware building block. It walks you through the steps of setting up the OAuth middleware to enable OAuth authorization on a Web API without modifying the application. This design separates authentication/authorization concerns from the application, so that application operators can adopt and configure authentication/authorization providers without impacting the application code.
NOTE: This sample uses Google Account as an example.
- Dapr enabled Kubernetes cluster
- Node.js version 8 or greater
- Docker
- kubectl
- Helm
- A working Google Account
This sample uses Nginx as the ingress controller. You can use the following Helm chart to add Nginx to your cluster:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install my-release ingress-nginx/ingress-nginx
- Clone the samples repo, then navigate to the middleware sample:
git clone [-b <dapr_version_tag>] https://github.com/dapr/samples.git
cd samples/middleware-oauth-google
- Examine the
echoapp/app.js
file. You'll see this is a simple Node.js Express web server with a single/echo
route that returns theauthorization
header and thetext
parameter client passes in:
app.get('/echo', (req, res) => {
var text = req.query.text;
console.log("Echoing: " + text);
res.send("Access token: " + req.headers["authorization"] + " Text: " + text)
});
In order for Dapr to acquire access token on your application's behalf, your application needs to be registered with the authorization server of your choice.
For example, to register with Google APIs, you should visit Google APIs Console to register your application:
- Log in to Google APIs Console using your Google account.
- If you don't have a project yet, you need to create a project first.
- On Google API Console, click on the Credentials link to the left. Then, click on the CREATE CREDENTIAL link at the top. And finally, click on the OAuth client ID option:
- Select the Web application type. Give a name to your account, and click on the Create button to create the client ID.
- Once the client ID is created, note down the Client ID and Client Secret - you'll need to enter these into the middleware configuration later.
- Edit the client ID settings and make sure http://dummy.com is added as one of the authorized redirect URIs:
NOTE: For this exercise, you'll set the
Redirect URL
tohttp://dummy.com
. This requires you to add a hostname entry to the computer on which you'll test out the scenario. In a production environment, you need to set theRedirect URL
to the proper DNS name associated with your load balancer or ingress controller.
To define a custom pipeline with the OAuth middleware, you need to create a middleware component definition as well as a configuration that defines the custom pipeline.
- Edit
deploy\oauth2.yaml
file to enter yourclient ID
andclient Secret
. You can leave everything else unchanged. - Change the directory to root and apply the manifests -
oauth2.yaml
defines the OAuth middleware andpipeline.yaml
defines the custom pipeline:
cd ..
kubectl apply -f deploy/oauth2.yaml
kubectl apply -f deploy/pipeline.yaml
Next, you'll deploy the application and define an ingress rule that routes to the -dapr
service that gets automatically created when you deploy your pod. In this case, all traffic is routed to the Dapr sidecar, which can reinforce various policies through middleware.
Note: 'dapr.io/sidecar-listen-addresses' annotation is added to echoapp deployment to allow external connections. Be cautious of using it in a production environment. To read more on this annotation see Dapr arguments and annotations for daprd, CLI, and Kubernetes
- Deploy the application and the ingress rule:
kubectl apply -f deploy/echoapp.yaml
kubectl apply -f deploy/ingress.yaml
Note: minikube users have to enable ingress as it's not supported by default.
minikube addons enable ingress
- Add a hostname entry to your local hosts file(
/etc/hosts
in linux andc:\windows\system32\drivers\etc\hosts
in windows) to allow thedummy.com
to be resolved to the public IP associated with your ingress controller:
<External IP of your ingress controller> dummy.com
- Open a browser and try to invoke the
/echo
API through Dapr:
http://dummy.com/v1.0/invoke/echoapp/method/echo?text=hello
-
If you haven't logged on to Google, you'll be redirected to the login page. Then, you'll be redirected to the consent screen to confirm access.
-
The browser redirects back to your application with the access token extracted from a (configurable)
authorization
header:
- Spin down kunernetes resources:
kubectl delete -f deploy/.
- Delete Nginx ingress from the cluster:
helm uninstall my-release
- Disable ingress addon:
minikube addons disable ingress
- Delete the credential created in the authorization server.
- Learn more about Dapr middleware
- How to configure API authorization with OAuth
- Explore additional samples