I have a web app which uses a business network model to read from the blockchain and display the assets + execute transactions.
I have already defined my ACL file. Using the playground, as admin, I can create new ID cards and then use these cards to restrict the access in transactions and assets to participants, but how can I associate these ID cards to my web application so the users can see only what they are allowed to see?
I used the generator-hyperledger-composer to generate my angular project.
Thanks
Use REST services from your application. Your angular project can connect to the REST server.
Set up REST server authentication and choose a Passport-based authentication mechanism/strategy that best suits your setup -> https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html and configure REST server multi-user mode -> https://hyperledger.github.io/composer/integrating/enabling-multiuser
The latter shows how (given that you've created business network cards that contain a user's blockchain identity) you can configure multi-user mode and interact witih the REST server - using a browser and Wallet in this example.
Info on deploying a REST server is here -> https://hyperledger.github.io/composer/integrating/deploying-the-rest-server
Related
I am currently working with spring boot micro services. To access those services I am using api gateway with Eureka client but I have one question to secure my service.
Consider I have below 4 microservice project hosted locally.
User :- hosted on http://localhost:8080/user
owner :- hosted on http://localhost:8081/owner
security :- hosted on http://localhost:8082/security
and api gateway :- hosted on http://localhost:9090/
so now to access services of owner I am first calling api gateway than security project after authenticating it is allowing me to access service of owner project .I am calling owner project from security project using feign client.
api gateway ---> security ---> owner
using url http://localhost:9090/security/owner
I am able to access owner project using that flow but now my question is I am also able to call directly owner project using it's own port. As shown below:-
http://localhost:8081/owner
How can I restrict that direct access to owner project?
The simplest solution would be for owner service to expect some kind of access token within the request. Such a token should be provided by security service (i.e. it could inject it within Authorization header), when it forwards request.
In more complex environment, in which multiple services may required different level of access to other services, more sophisticated solution would be required, i.e. involving mutual TLS where each service has its own certificate. But that would require much more setup. However that's worth doing on complex production systems.
One more element that could be used to control such access is the service mesh. You can read up on the topic - example: Istio.
In my project, there is a mobile app, an angular web app, 4 micro services and one api gateway. The users with role 'agent' can enroll customers using the mobile app. The web app is for users with role 'manager' to see the customer data and finalize on the customer enrollment.
Here, if I want to set up Keycloak for authentication, should I add
every micro service as a separate client ?
Should I add mobile app and web app as separate clients in keycloak ?
CLIENTS
The web and mobile app must be registered as separate OAuth clients. They will have a client ID but no client secret since they are public clients. They will use PKCE and have different redirect URIs, eg:
Web: https://www.example.com/callback
Mobile: com.example.app:/callback
APIs
By default APIs do not need to be registered as clients. In most setups related microservices can just forward JWT access tokens to each other, as explained in the scopes article. This is a secure way to maintain the user identity.
APIs sometimes act as clients though, eg if they need to do something like create users in Keycloak programmatically. Identity systems provide User Management Endpoints to enable this.
So one of your APIs, eg a Users Microservice, may need to be registered as a client. It would use the client credentials flow to get an access token with a SCIM related scope.
GATEWAY
It is common, and recommended, for a gateway to act as an introspection client. This enables data in access tokens returned to internet clients to be kept confidential. Read more about this in the phantom token pattern.
I have a request to restrict the access (access control) to a small user community in GCP.
Let me explain the question.
This is the current set up:
A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
Cloud DNS (To configure domain names, A & TXT records, zones and subdomains to build the URL for the application).
Oauth client set up (tokens, authorized redirects URIs, etc.).
HTTPS load balancer (GKE -managed k8s service- with ingress service), SSL certificate and keys issued by a trusted CA.
The application was built using python + Django framework.
I have already deployed the application (GCP resources) and it is working smooth.
The thing is that, since we are working in GCP, all IAM users who has a valid userID#MyOrgnization.com can access the application (https://URL-for-my-Appl.com).
Now, I have a new request, which consists in restricting access (access control) to the application only for a small user community within that GCP organization.
For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:
user1#MyOrganization.com
user2#MyOrganization.com
user3#MyOrganization.com
user4#MyOrganization.com
How could I do that, taking into account the info I sent earlier ?
thanks!
You can use Cloud IAP (Identity Aware Proxy) in order to do that.
Identity-Aware Proxy (IAP) lets you manage access to applications
running in App Engine standard environment, App Engine flexible
environment, Compute Engine, and GKE. IAP establishes a central
authorization layer for applications accessed by HTTPS, so you can
adopt an application-level access control model instead of using
network-level firewalls. When you turn on IAP, you must also use
signed headers or the App Engine standard environment Users API to
secure your app.
Note: you can configure it on your load balancer.
It's not clear in your question if your application uses google auth (but considering that you talk about org-restricted login I think so) - if that's the case you should be able to enable it without virtually touching anything in your application if you are using the Users API.
The best and easiest solution is to deploy IAP (Identity Aware Proxy) on your HTTPS Loadbalancer
Then, grant only the user that you want (or create a gsuite user group and grant it, it's often easier to manage)
I'm building an SaaS application with octoberCMS. Basically, I want our client to be able to point their domain to our name servers and effectively the application will load their website template (which will vary from client to client).
It will also allow our clients' members to login to their account through their website and load all of their personal details.
How I can do that with https://laravel-tenancy.com/ ?
I have written a web application that is, typically, installed internally by customers (based on IIS/MSSQL server).
When a customer wants to provide external access to the application, we offer the following supported scenarios:
Publish the application in their DMZ (pretty standard deployment).
Use our own platform where we host the application in our own cloud infrastructure for them.
However, because I have more and more customers who misunderstand the requirements for publishing an internal application, I would like to add a "one click" way of providing that service.
My idea is to have a reverse proxy installed on the customer's web server that will connect to a cloud server we control. When the application starts, it will connect to our server, authenticate and maintain the connection. When a user wants to use the application, she will use an URL that directs it to our server (say https://myapp.mycompany.org/CustomerID or https://CustomerID.myapp.mycompany.org). The server will then lookup the list of connections from reverse proxy to find the one matching the customer ID and, if found, use that connection to relay the end user connection.
In essence, that is the same thing as what Azure Application proxy or TeamViewer do, only without the need for using Azure AD or TeamViewer.
Is there an existing framework I can use for building such a service ? I know I can write it on my own but that is quite a large development.