| Attribute | Details |
|---|---|
| Dapr runtime version | 0.10.0 |
| Language | JavaScript |
| Environment | Kubernetes |
This tutorial walks you through setting up the OAuth2 client credentials middleware so that a service can interact with external services that require authentication. This design separates the authentication/authorization concern from the application: the Dapr sidecar acquires the access token and injects it into the request, and the application itself never handles the client ID or client secret.

NOTE: This sample uses the Microsoft Identity Platform/Azure Active Directory and Microsoft Graph as an example.
- Dapr enabled Kubernetes cluster
- Node.js version 8 or greater
- Docker
- kubectl
- Helm
- A working Azure Active Directory tenant in which you have Administrator rights (needed for the admin consent step below); alternatively you can create one
- Clone the sample repo, then navigate to the middleware sample:

```bash
git clone https://github.com/dapr/samples.git
cd samples/middleware-oauth-microsoftazure/msgraphapp
```
- Examine the `app.js` file. You'll see this is a simple Node.js Express web server with a single `/users` route that returns the Microsoft Graph API result for the `displayName` passed as a query parameter. You can also see that the token the middleware saved in the request header `msgraph-token` is forwarded unchanged as the `Authorization` header of the request towards the Microsoft Graph API:
```javascript
// Excerpt from app.js; `client` is the REST client instantiated earlier in the file.
app.get('/users', (req, res) => {
    var displayName = req.query.displayName;
    // Calling Microsoft Graph API
    // request headers
    var args = {
        // OData filter on the display name supplied by the caller
        parameters: { $filter: `displayName eq '${displayName}'` },
        // The token injected by the Dapr OAuth middleware is passed through as-is
        headers: { "Authorization": req.headers["msgraph-token"] }
    };
    // calling API
    client.get("https://graph.microsoft.com/v1.0/users", args,
        function (data) {
            // parsed response body as js object
            res.send(data);
        });
});
```
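Two things the route above does not do are worth adding before running anything like it in anger. First, the caller's `displayName` is interpolated straight into the OData `$filter`, so a value containing a single quote closes the string literal and lets the caller append their own predicate (for instance to list every user the token can read); OData escapes a quote inside a literal by doubling it. Second, the route forwards whatever is in `msgraph-token`, so a request that reaches the app without passing through the sidecar pipeline goes out with an empty `Authorization` header. The following is an added example written for this page, not the sample's own `app.js`; it assumes the middleware sets `msgraph-token` to a complete `Bearer <token>` value (which is why the sample can forward it unchanged), and the `$select` list and the 256-character limit are choices of this example:

```javascript
// Added example (not the sample's own app.js): the /users route with the two checks
// the original omits. Assumes the Dapr middleware sets `msgraph-token` to a complete
// Authorization value ("Bearer <token>"), which is why the sample forwards it unchanged.
const GRAPH_USERS = 'https://graph.microsoft.com/v1.0/users';
const TOKEN_HEADER = 'msgraph-token'; // must equal the middleware's headerName

// OData string literals are single-quoted and an embedded quote is written as ''.
// Interpolating the raw query parameter lets a caller close the literal and append
// their own predicate, e.g. displayName=x' or mail ne 'x to list every user.
function odataStringLiteral(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

// Pure request builder so the logic can be exercised without network access.
// Returns { ok: true, url, headers } or { ok: false, status, error }.
function buildUsersRequest(req) {
  const displayName = req.query && req.query.displayName;
  if (typeof displayName !== 'string' || displayName.length === 0 || displayName.length > 256) {
    return { ok: false, status: 400, error: 'displayName query parameter is required' };
  }
  // Requests that bypass the sidecar (or hit it with the pipeline misconfigured) arrive
  // without the injected header; fail closed instead of sending an empty Authorization.
  const token = req.headers && req.headers[TOKEN_HEADER];
  if (typeof token !== 'string' || !/^Bearer \S+$/.test(token)) {
    return { ok: false, status: 401, error: `missing or malformed ${TOKEN_HEADER} header` };
  }
  const filter = `displayName eq ${odataStringLiteral(displayName)}`;
  // Ask Graph only for the fields the caller needs rather than the whole user object.
  const select = 'id,displayName,userPrincipalName';
  return {
    ok: true,
    url: `${GRAPH_USERS}?$filter=${encodeURIComponent(filter)}&$select=${encodeURIComponent(select)}`,
    headers: { Authorization: token, Accept: 'application/json' },
  };
}

// Express-style handler; fetchImpl is injectable so the flow can be dry-run offline.
async function handleUsers(req, fetchImpl = globalThis.fetch) {
  const built = buildUsersRequest(req);
  if (!built.ok) return { status: built.status, body: { error: built.error } };
  const resp = await fetchImpl(built.url, { headers: built.headers });
  return { status: resp.status, body: await resp.json() };
}

// Constructed sample requests (no real token, no network): a fake fetch echoes the
// outgoing request so the effect of each check is visible.
const fakeFetch = async (url, opts) => ({
  status: 200,
  json: async () => ({ sentTo: url, authorization: opts.headers.Authorization }),
});
const samples = [
  { query: { displayName: 'gildong hong' }, headers: { 'msgraph-token': 'Bearer eyJ.fake.token' } },
  { query: { displayName: "x' or mail ne 'x" }, headers: { 'msgraph-token': 'Bearer eyJ.fake.token' } },
  { query: { displayName: 'gildong hong' }, headers: {} }, // bypassed the sidecar: rejected with 401
];
Promise.all(samples.map((s) => handleUsers(s, fakeFetch))).then((results) =>
  results.forEach((r) => console.log(JSON.stringify(r)))
);
// In app.js this would be wired as:
//   app.get('/users', async (req, res) => { const r = await handleUsers(req); res.status(r.status).send(r.body); });
```

Express lowercases incoming header names, so `req.headers['msgraph-token']` matches regardless of how the sidecar cases the header. The 401 check only tells you the header is absent or malformed; it does not validate the token, which is Graph's job, and it does not stop a caller who can legitimately reach the sidecar, which is why the sample keeps the service off any public ingress.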
In order for Dapr to acquire an access token on your application's behalf, your application needs to be registered with your Azure Active Directory.

- Log in to the Azure Portal
- Navigate to **Azure Active Directory**
- Go to **App registrations** in the menu
- Enter a name for your application, e.g. `daprmsgraph`, select **single tenant** and click **Register**
- Copy the values for **Application (client) ID** and **Directory (tenant) ID** into the corresponding placeholders in `oauth2clientcredentials.yaml`
- Click on **Certificates & secrets** in the menu
- Click on **New client secret**, give it a **Description**, select **In 1 year** and click **Add**
- Click on the **copy** button next to the secret and use the value for the placeholder `<Client secret>` in `oauth2clientcredentials.yaml`. The secret value is shown only at creation time; if you lose it you have to create a new one.
- Go to **API permissions**, click **Add a permission**, choose **Microsoft Graph** and then **Application permissions** (the client credentials flow has no signed-in user, so delegated permissions do not apply). Search for `User.Read.All`, select it and click **Add permissions**
- Last but not least, click on **Grant admin consent for <yourtenant>** and confirm with **OK** (because of this step you need to be an administrator of the AAD; application permissions are never granted by user consent)
Now you are ready to deploy.
To define a custom pipeline with the OAuth middleware, you need to create a middleware component definition as well as a configuration that defines the custom pipeline.

- Edit the `deploy/oauth2clientcredentials.yaml` file to enter your **Client ID**, **Client Secret** and **Token URL**. You can leave everything else unchanged.
- Change to the root directory of the sample and apply the manifests. `oauth2clientcredentials.yaml` defines the OAuth middleware and `msgraphpipeline.yaml` defines the custom pipeline:

```bash
cd ..
kubectl apply -f deploy/oauth2clientcredentials.yaml
kubectl apply -f deploy/msgraphpipeline.yaml
```
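For orientation, this is the shape of the two manifests, written here as an added illustration rather than copied from the repository's files. The metadata keys are those of Dapr's `middleware.http.oauth2clientcredentials` middleware; the component and configuration names are assumed (they only have to agree with each other and with the `dapr.io/config` annotation on the app's deployment); the scope `https://graph.microsoft.com/.default` is what the client credentials flow uses with Microsoft Graph; and the token URL is the Azure AD v2 endpoint with your tenant ID substituted. One deliberate difference from a placeholder-in-file approach is that the client secret is read from a Kubernetes secret via `secretKeyRef` instead of being written into a manifest that tends to end up in git:

```yaml
# Added illustration of the two manifests (not a copy of the repository's files).
# The secret is created out of band, e.g.:
#   kubectl create secret generic msgraph-oauth --from-literal=clientSecret='<Client secret>'
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: oauth2clientcredentials      # assumed name; must match the handler name below
spec:
  type: middleware.http.oauth2clientcredentials
  # Dapr 1.x additionally requires "version: v1" here
  metadata:
  - name: clientId
    value: "<Application (client) ID>"
  - name: clientSecret
    secretKeyRef:                     # resolved from the Kubernetes secret when the sidecar loads the component
      name: msgraph-oauth
      key: clientSecret
  - name: scopes
    value: "https://graph.microsoft.com/.default"
  - name: tokenURL
    value: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token"
  - name: headerName
    value: "msgraph-token"            # the header app.js reads and forwards as Authorization
auth:
  secretStore: kubernetes
---
apiVersion: dapr.io/v1alpha1
kind: Configuration
metadata:
  name: msgraphpipeline               # referenced by the dapr.io/config annotation on the app's deployment
spec:
  httpPipeline:
    handlers:
    - name: oauth2clientcredentials   # same name as the Component above
      type: middleware.http.oauth2clientcredentials
```

The handler runs on every request that reaches this sidecar's HTTP API, including the service invocation call made later in the tutorial, so each such request is forwarded to the app carrying a token with the app registration's full `User.Read.All` permission. That is the reason the tutorial keeps the service off any public ingress.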
Next, you'll deploy the application. This example exposes no public ingress endpoint because of the confidentiality of the data the service returns: any caller that can reach the sidecar receives directory data fetched with the app registration's `User.Read.All` permission.

NOTE: In general this middleware component should be used to inject external service authentication tokens into your services, so that they can use them or pass them on to the external services they call. It is not meant for public endpoint authentication. Please see the middleware sample for an interactive public endpoint authentication flow.
- Deploy the application:

```bash
kubectl apply -f deploy/msgraphapp.yaml
```

- Start and attach to a container with curl installed in your k8s cluster:

```bash
kubectl run -i -t curlbox --image=curlimages/curl --restart=Never --command -- /bin/sh
```

- Run the following command, replacing the display name with that of an existing user in your AAD (the URL is quoted so the shell does not interpret `?`):

```bash
curl 'http://msgraphapp-dapr:3500/v1.0/invoke/msgraphapp/method/users?displayName=gildong%20hong'
```

- You should get a result similar to this:

```json
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","value":[{"businessPhones":[],"displayName":"Gildong Hong","givenName":null,"jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":null,"userPrincipalName":"[email protected]","id":"9392214b-c472-4c29-b59f-3efcb6051f50"}]}
```
- Spin down the Kubernetes resources:

```bash
kubectl delete -f deploy/.
```

- Delete the curlbox pod:

```bash
kubectl delete pod curlbox
```
- Delete the credential created in the AAD.
- [Optional] Delete the AAD (if you created one just for this sample)