These are chat archives for spring-cloud/spring-cloud

15th Jan 2015
Dave Syer
@dsyer
Jan 15 2015 09:24
I'm not 100% sure what you mean or are trying to do. I guess you need to implement a "home" page with a "login" link on it (or multiple links if you have multiple providers)?
If the authentication is external though (e.g. GitHub) you wouldn't want to clear the user's authentication (otherwise you'd stop him doing other stuff on GitHub)
William Gorder
@wgorder
Jan 15 2015 13:00
Ok @dsyer let me explain things a little better. We recently got Pivotal Cloud Foundry in our own data centers (I am a software architect at a big company, in the Fortune 25). I am really familiar with the core Spring projects and have spent a lot of time going through the source code and understanding how it works, and extending it over the years, but I am a noob to OAuth and cloud architecture and design patterns. Part of what I am trying to do is evaluate how we can use Spring Cloud as we move forward with this initiative, as well as adhere to all the known patterns and best practices and avoid known pitfalls.
There are basically 2 use cases, and maybe for one of them I am misusing OAuth and should be looking at something else. I'll just explain both briefly.
The first use case is internal applications:
In this case there may be many applications all using the auth server for an SSO type authentication. For this I think what I have almost works, as this follows the GitHub model you were talking about. The only part that is missing is the ability to log out of GitHub itself (the other applications remain logged in of course). In other words I need to be able to log out of the auth server, so that if I am logged out of the auth server, if a user logs out of an application they will not have the ability to simply log in without logging back into the auth server.
The second use case is where I may be misusing things.
Dave Syer
@dsyer
Jan 15 2015 13:06
It's nothing to do with OAuth then
We just aren't agreeing on the meaning of "logged out"
William Gorder
@wgorder
Jan 15 2015 13:06
Well if I log in to Google
and I log into Stack Overflow and 5 other sites using Google's OAuth
Dave Syer
@dsyer
Jan 15 2015 13:07
It's all part of the same SSO paradigm (nothing OAuth specific)
William Gorder
@wgorder
Jan 15 2015 13:07
if I log out of Google I remain logged in to the other 5 sites
(that is fine) however if I log out of Google and Stack Overflow and try to log back into Stack Overflow I must log back into Google.
Dave Syer
@dsyer
Jan 15 2015 13:08
OK
William Gorder
@wgorder
Jan 15 2015 13:08
that was what I thought logged out meant
Dave Syer
@dsyer
Jan 15 2015 13:08
I guess it's more about "logged in" then
William Gorder
@wgorder
Jan 15 2015 13:09
maybe the problem I am trying to figure out is I login and go to the auth server provide my credentials (fine)
Dave Syer
@dsyer
Jan 15 2015 13:09
SO is obviously implemented in such a way that it has local authentication checks and doesn't need to go to Google to check if a user is authenticated
William Gorder
@wgorder
Jan 15 2015 13:09
now if I log out of my application I can just log back in without re-providing credentials (also fine)
Dave Syer
@dsyer
Jan 15 2015 13:10
Your app can do the same - in terms of the Angular samples we are looking at you just put the /user endpoint in the app, not in the auth server.
William Gorder
@wgorder
Jan 15 2015 13:10
but now how can a user truly log out? There is no GitHub, Google or Facebook that they can go log out of
Dave Syer
@dsyer
Jan 15 2015 13:11
There is (or else how did you delegate the authentication in the first place - where is your SSO server)?
William Gorder
@wgorder
Jan 15 2015 13:11
oh that's a good idea
I wanted to make the auth server my SSO server I guess. Currently we use SiteMinder and all that junk, which obviously does not work well with microservices on fat jars running in CF
Dave Syer
@dsyer
Jan 15 2015 13:13
It might be convenient for users though
You can still centralize the authentication probably
(If the auth server accepts SiteMinder tokens as authentication assertions)
But that's a different discussion
William Gorder
@wgorder
Jan 15 2015 13:14
yes, SiteMinder has to be set up very carefully or it's not secure at all
Dave Syer
@dsyer
Jan 15 2015 13:14
Yeah, so centralizing that is a good idea.
If you have PCF then using the UAA as an SSO server seems sensible at least as a first step
That's the use case that spring security cloud is supposed to work best for
William Gorder
@wgorder
Jan 15 2015 13:16
can the applications use that as well, or is it only for actually managing user/group permissions using PCF?
Dave Syer
@dsyer
Jan 15 2015 13:16
Applications can use it if they can get tokens
Which means they have to be registered as clients
That's straightforward but there's no UI (until the UAA team finish working on the IaaS stuff)
William Gorder
@wgorder
Jan 15 2015 13:17
That also is an interesting thought. I might have to investigate that more. I am a noob with CF too :)
Dave Syer
@dsyer
Jan 15 2015 13:17
(cf the github UI for "registered applications")
William Gorder
@wgorder
Jan 15 2015 13:17
well for our internal applications users are managed through LDAP
creds, roles etc
so it would just be registering the client app
and pointing it to LDAP
for user creds
Dave Syer
@dsyer
Jan 15 2015 13:18
Not even LDAP. Point at the UAA (actually the Login Server in the current architecture).
William Gorder
@wgorder
Jan 15 2015 13:18
cool, I'll look at that.
Dave Syer
@dsyer
Jan 15 2015 13:18
That's the command line tool that you use to register clients in a running CF
The admin credentials are in the PCF ops manager dashboard
William Gorder
@wgorder
Jan 15 2015 13:19
command line is fine with me, it's all I use all day anyway :)
ok
Dave Syer
@dsyer
Jan 15 2015 13:19
But for app developers it will be nice to have a UI
William Gorder
@wgorder
Jan 15 2015 13:20
absolutely. The way they lock down stuff around here in production there will be a team that probably does it anyway. The app devs get access to dev, stage, test. We have a bit of Conway's law in action here.
the org structure needs to catch up with microservice architecture
Dave Syer
@dsyer
Jan 15 2015 13:20
I hear you
Who do you work for? I'll try and connect with some of the field engineers that are closest to you.
Or I'll come and visit myself if I'm anywhere near
William Gorder
@wgorder
Jan 15 2015 13:22
Ok so for the second use case we have a single public facing app (say acme.com). It needs to at least appear to work like a standard monolithic web app. A user logs in and logs out. However I wanted to take advantage of token relay to pass all that on to the microservices and still have the same single auth server. But it sounds like this is really the same as what we just discussed.
Unfortunately I am not near you I am in Ohio USA
I work for Kroger
Dave Syer
@dsyer
Jan 15 2015 13:23
Not a place I go to often (indeed at all)
I see. OK.
William Gorder
@wgorder
Jan 15 2015 13:23
We had a bunch of Pivotal guys here before the holidays
Dave Syer
@dsyer
Jan 15 2015 13:24
Great. Were they from New York?
William Gorder
@wgorder
Jan 15 2015 13:24
I talked with a few of them but I was on other engagements as well. They were mostly focused on getting a single application converted and running on PCF
Dave Syer
@dsyer
Jan 15 2015 13:24
Spring Cloud was just getting traction with them then as well
I think it's more generally known now
Back to your use case...
William Gorder
@wgorder
Jan 15 2015 13:25
Yeah they were not all that familiar with Spring Cloud
but I was, so I am kind of pushing it
Dave Syer
@dsyer
Jan 15 2015 13:25
Remember any names?
There is one guy in NYC who is very keen
William Gorder
@wgorder
Jan 15 2015 13:25
I was just looking through my inbox. I know Felipe was one guy, I think he wrote a book once
Dave Syer
@dsyer
Jan 15 2015 13:26
I know the one.
William Gorder
@wgorder
Jan 15 2015 13:26
The other guy I talked to I forget but he was more on the CF side of things
Dave Syer
@dsyer
Jan 15 2015 13:26
Felipe Gutierrez
William Gorder
@wgorder
Jan 15 2015 13:27
there are still a couple guys over there it looks like (I am peeking over the wall) that I have not been introduced to yet
Yes that sounds right
I can get the other name later, I just have to dig through my email
they were the first 2 that showed up.
Dave Syer
@dsyer
Jan 15 2015 13:27
I'll find out if there's someone who has been playing with Spring Cloud who can come and visit
William Gorder
@wgorder
Jan 15 2015 13:27
they are gone now and there are a few more folks
I have been requested on getting at least 2 months full allocation to this stuff
right now it's off the side of my desk, and they keep asking me questions
so I am trying to learn it
I am the local Spring expert around here but I am out of my comfort zone with some of this
Dave Syer
@dsyer
Jan 15 2015 13:29
Well keep asking questions and we'll try and get you to where you need to go
Arni is the guy in NYC who was on top of cloud stuff before the rest. He moved into Product Management though I think.
William Gorder
@wgorder
Jan 15 2015 13:30
Great thanks. I'll try to get the names of the Pivotal guys past and present that are here
so you have an idea
Arni does not sound familiar
Daniel Murray
Dave Malone
Manuel David (here for GemFire)
and Felipe Gutierrez
I guess Manuel is here for 3 more days but the rest have left already
but he is a GemFire expert so not knowledgeable about this
Dave Malone is here until the beginning of February
Daniel and Felipe are gone as of shortly before Xmas; they are the 2 I have talked with
Dave Syer
@dsyer
Jan 15 2015 13:38
Thanks
William Gorder
@wgorder
Jan 15 2015 14:28
So does the command line client use the implicit grant in UAA?
Dave Syer
@dsyer
Jan 15 2015 14:28
Which command line client?
William Gorder
@wgorder
Jan 15 2015 14:28
sorry the PCF stuff
Dave Syer
@dsyer
Jan 15 2015 14:28
The "cf" Go client?
William Gorder
@wgorder
Jan 15 2015 14:28
yes
Dave Syer
@dsyer
Jan 15 2015 14:29
It uses password grant
It used to support implicit as well
But the UAA deprecated or dropped the implicit channel for that
William Gorder
@wgorder
Jan 15 2015 14:29
I see your name all over this stuff. Must have been what you worked on previous to Boot and Cloud
Dave Syer
@dsyer
Jan 15 2015 14:29
Yes
William Gorder
@wgorder
Jan 15 2015 14:42
It appears UAA and a customized login server backed by LDAP would be suitable for what I need to back our internal applications
Dave Syer
@dsyer
Jan 15 2015 14:42
Customized in what way?
William Gorder
@wgorder
Jan 15 2015 14:43
well, branded, and the credential store would need to be LDAP not Postgres
Dave Syer
@dsyer
Jan 15 2015 14:43
It already supports LDAP
William Gorder
@wgorder
Jan 15 2015 14:43
oh I must not have got to that part yet
Dave Syer
@dsyer
Jan 15 2015 14:43
FYI the login server is being merged with the UAA (I don't think the re-branding use case was strong enough)
William Gorder
@wgorder
Jan 15 2015 14:43
this SCIM stuff is interesting never had heard of it
Dave Syer
@dsyer
Jan 15 2015 14:44
But if you have an opinion you should contact the PM
William Gorder
@wgorder
Jan 15 2015 14:44
sure. Well all that really needs to be branded is the login page itself
Dave Syer
@dsyer
Jan 15 2015 14:45
And the user approval page
William Gorder
@wgorder
Jan 15 2015 14:45
yes
Dave Syer
@dsyer
Jan 15 2015 14:45
(There are 3 HTML templates and one CSS source file I think)
I don't know what the plan is for PCF
I assume there is one
William Gorder
@wgorder
Jan 15 2015 14:45
it looks like a more mature version of the auth server we have in the Spring Cloud examples
Dave Syer
@dsyer
Jan 15 2015 14:45
Yes. In some ways.
It is stuck on pre-Boot technology
William Gorder
@wgorder
Jan 15 2015 14:46
Yes, there is that. Mature in features only
Dave Syer
@dsyer
Jan 15 2015 14:46
But it has a lot of features
William Gorder
@wgorder
Jan 15 2015 14:48
Off topic a little bit, but when you test applications using this, what is the best way to 'spoof' security? Since SiteMinder was all header-based it was pretty simple (just put the roles and username etc on the header).
with Spring Boot we have now started to do a little more integration style testing where we actually load the whole context, security and all
Dave Syer
@dsyer
Jan 15 2015 14:50
I guess if you are testing a resource server you can use MockMvc without the security to test the features
And then run up a quick integration test to verify that adding security actually protects the resources you want it to
Then if you want to test security rules in detail you need to be able to create tokens
Spring OAuth2 has some JUnit support for declarative integration testing
William Gorder
@wgorder
Jan 15 2015 14:52
Yes, and if I am using the UAA and login server I would have to do those tests on CF. It looks like they can be run locally as well though
I have to play more with Docker, I am sure there has to be a nice way to do it
Dave Syer
@dsyer
Jan 15 2015 14:53
Locally you would need an auth server. But that's quite cheap to set up with Spring Boot as you've seen.
Or you could just point at the UAA if you had a CF running
William Gorder
@wgorder
Jan 15 2015 14:53
Cool thanks.
I am starting to get a feel for how all this works. Another architect wanted me to explore spring-cloud-config more as well.
Dave Syer
@dsyer
Jan 15 2015 14:54
Good
William Gorder
@wgorder
Jan 15 2015 14:54
Kroger has to have everything in house so we don't use GitHub
Dave Syer
@dsyer
Jan 15 2015 14:54
We have quite a few people kicking the tyres
I don't think we'll hold up the 1.0.0 release unless you have major issues
But there are some good ideas in the pipeline for 1.1 already
You could use GitHub in house
Or git at least
William Gorder
@wgorder
Jan 15 2015 14:55
and since they are bought in with Atlassian we have Stash (which sucks compared to GitHub)
Dave Syer
@dsyer
Jan 15 2015 14:55
There's even a free clone of GitHub
William Gorder
@wgorder
Jan 15 2015 14:56
yeah, GitLab I think it is
Dave Syer
@dsyer
Jan 15 2015 14:56
I hate pretty much everything from Atlassian
That's the one
William Gorder
@wgorder
Jan 15 2015 14:56
Yeah I am stuck with Stash
I may end up contributing something on that end
for the poor souls like me :)
I can't imagine it would be too much of an adaptation
it's still just git
Well, I'll keep kicking the tires and let you know. Thanks for all the pointers
Dave Syer
@dsyer
Jan 15 2015 14:59
Stash is backed by git AFAIK so it should work fine
I guess it might depend on the authentication