
OAuth 2.0 and PCF SSO - Client

In scenarios where APIs are consumed by other systems without a user being involved (batch processes, nightly schedules, etc.), the consuming application is authenticated using the OAuth 2.0 Client Credentials flow: it presents its client_id and client_secret to the OIDC/OAuth 2.0 provider and receives back a signed access token carrying the scopes this application is authorized for. This access token is passed in the HTTP header to the API, which validates it and authorizes the request according to the JWT Bearer profile and the authorization profile.

The solution is based on a WCF client JWT interceptor that connects to PCF SSO, obtains an access token, and embeds it in the HTTP header of the request to the service being invoked. Here is a simplified diagram:

JWT SSO Flow

WCF Services Clients

The JWT interceptor implements the WCF IClientMessageInspector interface to obtain and inject the JWT token. To allow configuration-based setup, the behavior extension Steeltoe.Security.Authentication.CloudFoundryWcf.JwtHeaderEndpointBehavior is provided and can be configured in web.config for the endpoints.

Configuration

Install the JWT library that authenticates and obtains JWT tokens:

Install-Package Steeltoe.Security.Authentication.CloudFoundryWcf

Configure the SSO service on PCF for service-to-service use and bind it to your application. Add the scopes the client needs to request to your appSettings:

<appSettings>
  <add key="RequiredScopes" value="openid; your_app_permission_scope" />
</appSettings>

Configure the JWT behavior extension: the JWT endpoint behavior obtains the access token and adds it to the HTTP headers before the web service is called.

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="jwtBehavior">
        <jwtSSOBehavior />
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <extensions>
    <behaviorExtensions>
      <add name="jwtSSOBehavior" type="Steeltoe.Security.Authentication.CloudFoundryWcf.JwtHeaderEndpointBehavior, Steeltoe.Security.Authentication.CloudFoundryWcf" />
    </behaviorExtensions>
  </extensions>
  <client>
    <endpoint address="http://<service>.svc" binding="basicHttpBinding" behaviorConfiguration="jwtBehavior" />
  </client>
</system.serviceModel>
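As an added illustration (not Steeltoe's own JwtHeaderEndpointBehavior code), here is a minimal IClientMessageInspector of the kind the behavior above installs: it performs the Client Credentials exchange, caches the token until it nears expiry, and injects it as a Bearer header on every outgoing WCF request. The token endpoint URL, the client id and secret, the semicolon-separated RequiredScopes value and the availability of System.Text.Json are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Text.Json;

// Illustrative inspector (not Steeltoe's): gets a client-credentials token, injects it per request.
public sealed class ClientCredentialsJwtInspector : IClientMessageInspector
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly Uri _tokenEndpoint;      // assumed: the SSO provider's token URL
    private readonly string _clientId, _clientSecret, _scopes;
    private string _cachedToken; private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;
    public ClientCredentialsJwtInspector(Uri tokenEndpoint, string clientId, string clientSecret, string requiredScopes)
    {
        _tokenEndpoint = tokenEndpoint; _clientId = clientId; _clientSecret = clientSecret;
        // appSettings lists scopes as "openid; scope2"; the token endpoint wants them space-separated.
        _scopes = string.Join(" ", requiredScopes.Split(new[] { ';', ' ' }, StringSplitOptions.RemoveEmptyEntries));
    }
    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        if (!(request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out object p) && p is HttpRequestMessageProperty http))
        {
            http = new HttpRequestMessageProperty();
            request.Properties[HttpRequestMessageProperty.Name] = http;
        }
        http.Headers["Authorization"] = "Bearer " + GetAccessToken();   // JWT Bearer profile
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }
    private string GetAccessToken()
    {
        // Reuse the cached token until 60 s before expiry instead of hitting the token endpoint per call.
        if (_cachedToken != null && DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-60)) return _cachedToken;
        var form = new Dictionary<string, string> { ["grant_type"] = "client_credentials", ["scope"] = _scopes };
        var req = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint) { Content = new FormUrlEncodedContent(form) };
        // client_id:client_secret go in an HTTP Basic header (RFC 6749 section 2.3.1), never in the URL.
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(_clientId + ":" + _clientSecret)));
        using (var resp = Http.SendAsync(req).GetAwaiter().GetResult())   // sync-over-async: WCF inspectors are synchronous
        using (var doc = JsonDocument.Parse(resp.EnsureSuccessStatusCode().Content.ReadAsStringAsync().GetAwaiter().GetResult()))
        {
            _cachedToken = doc.RootElement.GetProperty("access_token").GetString();
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(doc.RootElement.GetProperty("expires_in").GetInt32());
        }
        return _cachedToken;
    }
}
```

The inspector is attached by an IEndpointBehavior's ApplyClientBehavior via clientRuntime.ClientMessageInspectors.Add, which is what the jwtSSOBehavior extension above does for you. Because the injected access token is itself a credential, the client endpoint address should use https so the token is not exposed in transit.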