ibm-cloud-docs / appid Goto Github PK

We should probably switch the docs to use ibmcloud-appid in the nodejs section:

$ npm install passport express bluemix-appid
npm WARN deprecated [email protected]: The usage of this package is deprecated. To leverage new App ID functionality, make a few small changes in your apps to use the ibmcloud-appid package.

https://cloud.ibm.com/docs/appid?topic=appid-rellinks#rellinks-custom

URLs in Custom sign-in experience are not working, both urls redirects you to https://www.ibm.com/blog/

In this Doc https://cloud.ibm.com/docs/appid?topic=appid-app&interface=ui

The curl command in the bottom of the doc is:

curl -X POST http://localhost:6002/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/token    -H 'Authorization: Basic base64Encoded{clientId:secret}'    -H 'Content-Type: application/x-www-form-urlencoded'    -d grant_type=client_credentials

This is wrong since is using localhost and a specific tenant id.

Please update it using this curl command:

curl -X POST https://<region>.appid.cloud.ibm.com/oauth/v4/<tenantID>/token -H 'Authorization: Basic base64Encoded{clientId:secret}' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials'

{"error":"invalid_request","error_description":"missing redirect_uri parameter"}

I'd appreciate if you could make it clear what regex dialect (Java? PCRE? ...) is in effect, in either the Defining password policies documentation or the API documentation. Apologies if its there and I missed it.

// mandatory option to be passed in if app not deployed on IBM Cloud
let options = [
    "oauthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/d8438de6-c325-4956-ad34-abd49194affd",
]

The options seems to have been cut, there is a trailing , but no more fields. This results in a warning that required fields are missing and the endpoint always responds with unauthorised.

Solution:

// mandatory option to be passed in if app not deployed on IBM Cloud
let options = [
    "oauthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/d8438de6-c325-4956-ad34-abd49194affd",
"tenantId": "d8438de6-c325-4956-ad34-abd49194affd",
"clientId": <client id here>
]

We just released a new tutorial using your service. You may want to link to it from the service documentation.

Here is the markdown for the toc:
[Apply end to end security to a cloud application](https://console.bluemix.net/docs/tutorials/cloud-e2e-security.html#apply-end-to-end-security-to-a-cloud-application)

In the third step of Tutorial: End-to-end flow with the Node.js SDK, the following code is shown:

const express = require('express'),
  passport = require('passport');

var app = express();
app.use(passport.initialize());

passport.use(new APIStrategy({
    oauthServerUrl: "https://<region>.appid.cloud.ibm.com/oauth/v4/<tenant-ID>",
    tenantId:"<tenant-ID>"
}));

app.get('/protected_resource',
    passport.authenticate(APIStrategy.STRATEGY_NAME, {session: false}),
    (req, res) => {
        res.send("Hello from protected resource");
});

Running this code causes an error that APIStrategy is not defined. The documentation should include this definition.

const express = require('express'),
  passport = require('passport'),
  APIStrategy = require("ibmcloud-appid").APIStrategy;

var app = express();
app.use(passport.initialize());

passport.use(new APIStrategy({
    oauthServerUrl: "https://<region>.appid.cloud.ibm.com/oauth/v4/<tenant-ID>",
    tenantId:"<tenant-ID>"
}));

app.get('/protected_resource',
    passport.authenticate(APIStrategy.STRATEGY_NAME, {session: false}),
    (req, res) => {
        res.send("Hello from protected resource");
});

It would be of great help to have more examples of how to accomplish backend resources protection with Liberty instead of just mentioning "OIDC" on the text.
The document I'm talking about is at: appid/protecting-resources.md

Hello,
I was able to clone git repository.
Could you check this?

git clone https://github.com/ibm-cloud-security/appid-sample-code-snippets/tree/master/export-import-cloud-directory-users.git

Do not use. Use "blocklist" (one word) instead.

https://cloud.ibm.com/docs/appid?topic=appid-branded

On Twitter, we received a complaint from a customer that a node.js example is incorrect. The incorrect information exists on the following page: https://console.bluemix.net/docs/services/appid/existing.html#adding-app-id-to-an-existing-app

Here is the information that needs to be addressed:
"Up til midnight trying to get AppID to work with node.js then find there was a typo in the Bluemix docs sample code"

"opening bracket missing for Node.js example code, on the line starting app.get("/protected"..."

FYI - @smguilia If you do not own this documentation, can you please redirect it to the correct person? Thanks!

Hi,

I want to create an App ID Instance via terraform/schematics and use my own kms configuration. Sadly I cannot find the parameters-configuration to use when creating the service.

Links:

• HowTo via UI: https://cloud.ibm.com/docs/appid?topic=appid-mng-data#enable-customer-keys-kp
• A Stackoverflow with a maybe answer: https://stackoverflow.com/q/73441732/568291
• good docs example for hyper-protect-dbaas-for-mongodb: https://cloud.ibm.com/docs/hyper-protect-dbaas-for-mongodb?topic=hyper-protect-dbaas-for-mongodb-create-service&interface=cli#cli-create-service
• less good docs example for sql-query: https://cloud.ibm.com/docs/sql-query?topic=sql-query-terraform

The Sample Java Web application does not run. I get:
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.

I added the following to the pom.xml:

<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

And got this error:
[ERROR] Failed to execute goal io.openliberty.tools:liberty-maven-plugin:3.2.1:start (default-cli) on project libertySample: CWWKM2002E: Failed to invoke [/Users/ronther1/Development/app-id-sample-java-master/WebApplication/target/liberty/wlp/bin/server, start, sample]. RC= 22 but expected=[0, 1]. -> [Help 1]

Hi Team,

Can we get the public App ID documentation updated?

The Identity Provider - IBMid - documentation link is link to test.cloud.ibm.com.
I have a support case open for this documentation issue too. CS3449179

https://cloud.ibm.com/docs/services/appid?topic=appid-tutorial-roles

In the page above, there are some curl command snippets with an error.
curl option -d is used for specifying body of POST request, but there is an extra space between - and d in 4 places below. Therefore, this code snippets do not work.

3. Make a POST request to create a user profile for the new user that contains the staff attribute. Be sure that you can access and validate the email that you use.

curl --request POST \
https://us-south.appid.cloud.ibm.com/management/v4/{{APPID_TENANT_ID}}/users \
--header 'Authorization: Bearer <iam-access-token>' \
--header 'Content-Type: application/json' \
- d '{
  "idp": "cloud_directory",
  "idp-identity": “[email protected]“,
  "profile": {
    "attributes": {
      “role”: “staff”
    }
  }
}'

1. Update the profile.

curl --request PUT \
https://us-south.appid.cloud.ibm.com/management/v4/<tenant-id>/users/<user-id>/profile \
--header 'Authorization: Bearer <iam-access-token>' \
--header 'Content-Type: application/json' \
- d '{
  "profile": {
    "attributes": {
      “role”: “manager”
    }
  }
}'

1. Make a request to the token configuration endpoint.

curl --request PUT \
https://us-south.appid.cloud.ibm.com/management/v4/{{APPID_TENANT_ID}}/config/tokens \
--header 'Authorization: Bearer <iam-access-token>' \
--header 'Content-Type: application/json' \
- d '{
    "access": {
        "expires_in": 3601
    },
    "refresh": {
        "enabled": false,
        "expires_in": 2592001
    },
    "anonymousAccess": {
        "expires_in": 2592001
    },
    "accessTokenClaims": [
    {
    "source": "attributes",
    "sourceClaim": "role"
    }
    ]
}'

4. Sign in by using the APIs to obtain your access token information. The token that is returned is encoded.

curl --request PUT \
https://appid.cloud.ibm.com/oauth/v4/<tenant-ID>/token \
--header 'Authorization: Basic <encoded-clientID>:<encoded-client-secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header `Accept: application/json`
- d 'grant_type=password&username=<user-email>%40<user-email-domain>&password=<user-password>

[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.
[INFO] 2 errors

The page https://cloud.ibm.com/docs/appid?topic=appid-getting-started
suggests to download a sample. I can't find a link to it tho.

Thank you very much

Roberto

I follow the instructions for the containerised apps with Ingress on OpenShif. I manage to do everything but nothing happens on my app. I am not sure how to figure out what I am doing wrong or if I just need to restart a specific pod. I tried the Istio option as well and had the same result

Currently i'm getting 'invalid token' error after entering credentials in App Id login screen. This app id service is integrated with angular appliation. I have this application in location and it'working fine but same application deployed to cloud and while testing i'm getting 'invalid token' error.

Using quotes leads to:

Error: Unknown authentication strategy "APIStrategy.STRATEGY_NAME"
    at attempt (/Users/andreafrittoli/nodejs/node_modules/passport/lib/middleware/authenticate.js:186:37)
    at authenticate (/Users/andreafrittoli/nodejs/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/layer.js:95:5)
    at next (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/layer.js:95:5)
    at /Users/andreafrittoli/nodejs/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/index.js:335:12)
    at next (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/index.js:275:10)
    at initialize (/Users/andreafrittoli/nodejs/node_modules/passport/lib/middleware/initialize.js:53:5)

The correct code is:

app.get('/protected', passport.authenticate(APIStrategy.STRATEGY_NAME, 

Please fix Step-3 as that mixer policy is deprecated and doesn't work on ocp-4.3. I'm stuck on Waiting for resources to become ready... after trying
istioctl manifest apply --set values.global.disablePolicyChecks=false --set values.pilot.policy.enabled=true

https://cloud.ibm.com/docs/services/appid?topic=appid-cd-sso#cd-sso-log-out

Under the "By Using the Node.js Server SDK" header, the docs read as follows:
app.get('/logoutSSO', (req, res) => { res.clearCookie("refreshToken"); webAppStrategy.logoutSSO(req,res, { "redirect_uri": "https://my-app.com/after_logout" }); });

1. webAppStrategy should be capitalized (WebAppStrategy)
2. I get an error that states WebAppStrategy.logoutSSO() isn't a function

The page, https://cloud.ibm.com/docs/appid?topic=appid-kube-auth, tutorial-kubernetes-auth.md, some text that gave us a lot of confusion and made it take a long time to correctly set up AppID with Kubernetes Ingress.

The step:
"Optional: If your app supports the web app strategy in addition to, or instead of, the API strategy, add the nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-<App_ID_service_instance_name>/start?rd=$escaped_request_uri annotation.
"
is confusing because of the terms "web app strategy" and "API strategy". It confused us because we were somewhat familiar with the WebAppStrategy and APIStrategy auth methods with passport as noted on the "Backend Apps" and "Web Apps" pages in the AppID doc:

var APIStrategy = require('ibmcloud-appid').APIStrategy; 
const WebAppStrategy = require("ibmcloud-appid").WebAppStrategy;

Since we were enabling a web application with auth through Ingress and did not want to change this app's code to use WebAppStrategy we did not do this optional step, but this step ends up being REQUIRED if you have a web app that you want to secure with AppID and K8s ingress.

I would suggest removing the terms "web app strategy" and "API strategy" from the two sections in the Ingress doc and replacing them with more general terms such as:
"If your app is a web app, in addition to or instead of providing APIs, add ..."

and similar change lower in the doc in the "Verify that App ID authentication is enforced for your apps" section.

The IAM links to IBM Cloud don't work and return a 404

In section 'Deleting a profile with the API' step 3 says:

3. By using the ID that you obtained in the previous step, make a DELETE request to the /users endpoint to see their full user profile.

Should that be like this instead?

3. By using the ID that you obtained in the previous step, make a DELETE request to the /users endpoint to delete the profile.

I am create Custom UI Login screen and communicate with AuthorizationDelegate using AppId services but i didn't able to find out how can I use my own custom SignUp UI with AppId. Please let me know how we can integrate custom sign up UI with AuthorizationDelegate.

In my backend service, I require a token that contains the "roles" claim in the client credentials flow. So I've tried to setup App ID as described in the article about Assigning roles to an application, unfortunately, I didn't succeed in this.
Could you please help me to figure out is it a defect in the documentation or I'm just missing some steps in the setup procedure?

Steps were done for setup:

1. Register the application with a "regular web application" type
2. Create a role
3. Assing role to the application like described in docs
4. Extend token config with

"accessTokenClaims": [
    {
      "source": "roles"
    }
  ]

5. Retrieve token for by Postman
   Used parameters:

• URL: https://eu-de.appid.cloud.ibm.com/oauth/v4/{tenantid}/token
  Body: form data and form data encoded(tried both)
• grant type: client_credentials;
• Basic auth: username: client_id; password: client_secret
  I also tried to use the body with form data and form data encoded(tried both)
• grant type: client_credentials;
• client_id: client_id
• client_secret: client_secret

In this paragraph: https://cloud.ibm.com/docs/appid?topic=appid-branded#branded-technically
The link:Authorization Grant flow and Resource Owner Password Credentials flow opens a not found page:

    \          SORRY            /
     \                         /
      \    This page does     /
       ]   not exist yet.    [    ,'|
       ]                     [   /  |
       ]___               ___[ ,'   |
       ]  ]\             /[  [ |:   |
       ]  ] \           / [  [ |:   |
       ]  ]  ]         [  [  [ |:   |
       ]  ]  ]__     __[  [  [ |:   |
       ]  ]  ] ]\ _ /[ [  [  [ |:   |
       ]  ]  ] ] (#) [ [  [  [ :===='
       ]  ]  ]_].nHn.[_[  [  [
       ]  ]  ]  HHHHH. [  [  [
       ]  ] /   `HH("N  \ [  [
       ]__]/     HHH  "  \[__[
       ]         NNN         [
       ]         N/"         [
       ]         N H         [
      /          N            \
     /           q,            \
    /                           \

Describe the bug
The source is incorrectly documented as HPCS whereas it should have been App ID service in Service-to-Service Authorization section

To Reproduce
Steps to reproduce the behavior:

1. Go to the link and see point 4, element b
   https://cloud.ibm.com/docs/appid?topic=appid-mng-data#enable-customer-keys-hpcs
2. See error

Expected behavior
Expected to see App ID as the source instead of HPCS

Screenshots

Desktop (please complete the following information):
NA

Smartphone (please complete the following information):
NA

Additional context

The keyword
{{{site.data.keyword.appid_short_notm}}
is not replaced in the generated doc.

See section:
https://cloud.ibm.com/docs/appid?topic=appid-custom-auth#custom-auth-tech

FYI @jigneshkvp I've moved this issue to the App ID area.

Original issue opened here ibm-cloud-docs/overview#10

Hello,

The link to Mobile App with serverless backend on the AppId home page does not work.

This topic is about App ID but mentions Security and Compliance Center in the first paragraph.

https://cloud.ibm.com/docs/services/appid?topic=appid-customizing-tokens#customizing-tokens

The table below in the page above has a couple of issues.

1. Value type in the actual configuration is actually seconds. e.g. default access token expiration value is 3600 (seconds = 60 minutes).
2. Options for Refresh/Anonymous is "Any value between 1 and 9" in this table, but the default value is 30.

You can customize your tokens in the GUI or by using the API{: external} by setting the lifespan validity or by adding custom claims to your tokens. Check out the following table to see how lifespan is configured or continue reading to learn about mapping custom attributes.

Please set video in doc as public to see what it is about.

Hi,

In this AppID doc, it states: "With IBM Cloud® App ID, you can consistently enforce policy-driven security by using the Ingress networking capability in IBM Cloud Kubernetes Service or Red Hat OpenShift on IBM Cloud"

As one of the steps needed is to enable alb-oauth-proxy, however this is not supported on Openshift clusters only Kubernetes. Can the doc be edited to reflect this?

"With IBM Cloud® App ID, you can consistently enforce policy-driven security by using the Ingress networking capability in IBM Cloud Kubernetes Service"

https://cloud.ibm.com/docs/appid?topic=appid-kube-auth

Proof ALB-Oauth is not supported: https://cloud.ibm.com/docs/openshift?topic=openshift-supported-cluster-addon-versions

Software desk