ibm-cloud-docs / appid
IBM Cloud App ID documentation
Home Page: https://cloud.ibm.com/docs/services/appid?topic=appid-gettingstarted#gettingstarted
We should probably switch the docs to use ibmcloud-appid in the nodejs section:
$ npm install passport express bluemix-appid
npm WARN deprecated [email protected]: The usage of this package is deprecated. To leverage new App ID functionality, make a few small changes in your apps to use the ibmcloud-appid package.
https://cloud.ibm.com/docs/appid?topic=appid-rellinks#rellinks-custom
URLs in Custom sign-in experience are not working; both URLs redirect you to https://www.ibm.com/blog/
In this Doc https://cloud.ibm.com/docs/appid?topic=appid-app&interface=ui
The curl command in the bottom of the doc is:
curl -X POST http://localhost:6002/oauth/v4/39a37f57-a227-4bfe-a044-93b6e6060b61/token -H 'Authorization: Basic base64Encoded{clientId:secret}' -H 'Content-Type: application/x-www-form-urlencoded' -d grant_type=client_credentials
This is wrong since it is using localhost and a specific tenant ID.
Please update it using this curl command:
curl -X POST https://<region>.appid.cloud.ibm.com/oauth/v4/<tenantID>/token -H 'Authorization: Basic base64Encoded{clientId:secret}' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials'
{"error":"invalid_request","error_description":"missing redirect_uri parameter"}
I'd appreciate it if you could make it clear what regex dialect (Java? PCRE? ...) is in effect, in either the Defining password policies documentation or the API documentation. Apologies if it's there and I missed it.
// mandatory option to be passed in if app not deployed on IBM Cloud
let options = [
"oauthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/d8438de6-c325-4956-ad34-abd49194affd",
]
The options seem to have been cut; there is a trailing , but no more fields. This results in a warning that required fields are missing and the endpoint always responds with unauthorised.
Solution:
// mandatory option to be passed in if app not deployed on IBM Cloud
let options = [
"oauthServerUrl": "https://us-south.appid.cloud.ibm.com/oauth/v4/d8438de6-c325-4956-ad34-abd49194affd",
"tenantId": "d8438de6-c325-4956-ad34-abd49194affd",
"clientId": <client id here>
]
We just released a new tutorial using your service. You may want to link to it from the service documentation.
Here is the markdown for the toc:
[Apply end to end security to a cloud application](https://console.bluemix.net/docs/tutorials/cloud-e2e-security.html#apply-end-to-end-security-to-a-cloud-application)
In the third step of Tutorial: End-to-end flow with the Node.js SDK, the following code is shown:
const express = require('express'),
passport = require('passport');
var app = express();
app.use(passport.initialize());
passport.use(new APIStrategy({
oauthServerUrl: "https://<region>.appid.cloud.ibm.com/oauth/v4/<tenant-ID>",
tenantId:"<tenant-ID>"
}));
app.get('/protected_resource',
passport.authenticate(APIStrategy.STRATEGY_NAME, {session: false}),
(req, res) => {
res.send("Hello from protected resource");
});
Running this code causes an error that APIStrategy is not defined. The documentation should include this definition.
const express = require('express'),
passport = require('passport'),
APIStrategy = require("ibmcloud-appid").APIStrategy;
var app = express();
app.use(passport.initialize());
passport.use(new APIStrategy({
oauthServerUrl: "https://<region>.appid.cloud.ibm.com/oauth/v4/<tenant-ID>",
tenantId:"<tenant-ID>"
}));
app.get('/protected_resource',
passport.authenticate(APIStrategy.STRATEGY_NAME, {session: false}),
(req, res) => {
res.send("Hello from protected resource");
});
It would be of great help to have more examples of how to accomplish backend resources protection with Liberty instead of just mentioning "OIDC" on the text.
The document I'm talking about is at: appid/protecting-resources.md
Hello,
I was able to clone git repository.
Could you check this?
Do not use. Use "blocklist" (one word) instead.
On Twitter, we received a complaint from a customer that a node.js example is incorrect. The incorrect information exists on the following page: https://console.bluemix.net/docs/services/appid/existing.html#adding-app-id-to-an-existing-app
Here is the information that needs to be addressed:
"Up til midnight trying to get AppID to work with node.js then find there was a typo in the Bluemix docs sample code"
"opening bracket missing for Node.js example code, on the line starting app.get("/protected"..."
FYI - @smguilia If you do not own this documentation, can you please redirect it to the correct person? Thanks!
Hi,
I want to create an App ID Instance via terraform/schematics and use my own kms configuration. Sadly I cannot find the parameters-configuration to use when creating the service.
Links:
The Sample Java Web application does not run. I get:
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.
I added the following to the pom.xml:
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
And got this error:
[ERROR] Failed to execute goal io.openliberty.tools:liberty-maven-plugin:3.2.1:start (default-cli) on project libertySample: CWWKM2002E: Failed to invoke [/Users/ronther1/Development/app-id-sample-java-master/WebApplication/target/liberty/wlp/bin/server, start, sample]. RC= 22 but expected=[0, 1]. -> [Help 1]
https://cloud.ibm.com/docs/services/appid?topic=appid-tutorial-roles
In the page above, there are some curl command snippets with an error.
The curl option -d is used for specifying the body of a POST request, but there is an extra space between - and d in 4 places below. Therefore, these code snippets do not work.
staff attribute. Be sure that you can access and validate the email that you use.
curl --request POST \
https://us-south.appid.cloud.ibm.com/management/v4/{{APPID_TENANT_ID}}/users \
--header 'Authorization: Bearer <iam-access-token>' \
--header 'Content-Type: application/json' \
- d '{
"idp": "cloud_directory",
"idp-identity": “[email protected]“,
"profile": {
"attributes": {
“role”: “staff”
}
}
}'
curl --request PUT \
https://us-south.appid.cloud.ibm.com/management/v4/<tenant-id>/users/<user-id>/profile \
--header 'Authorization: Bearer <iam-access-token>' \
--header 'Content-Type: application/json' \
- d '{
"profile": {
"attributes": {
“role”: “manager”
}
}
}'
curl --request PUT \
https://us-south.appid.cloud.ibm.com/management/v4/{{APPID_TENANT_ID}}/config/tokens \
--header 'Authorization: Bearer <iam-access-token>' \
--header 'Content-Type: application/json' \
- d '{
"access": {
"expires_in": 3601
},
"refresh": {
"enabled": false,
"expires_in": 2592001
},
"anonymousAccess": {
"expires_in": 2592001
},
"accessTokenClaims": [
{
"source": "attributes",
"sourceClaim": "role"
}
]
}'
curl --request PUT \
https://appid.cloud.ibm.com/oauth/v4/<tenant-ID>/token \
--header 'Authorization: Basic <encoded-clientID>:<encoded-client-secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header `Accept: application/json`
- d 'grant_type=password&username=<user-email>%40<user-email-domain>&password=<user-password>
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.
[INFO] 2 errors
The page https://cloud.ibm.com/docs/appid?topic=appid-getting-started suggests to download a sample. I can't find a link to it tho.
Thank you very much
Roberto
I followed the instructions for the containerised apps with Ingress on OpenShift. I managed to do everything, but nothing happens on my app. I am not sure how to figure out what I am doing wrong or if I just need to restart a specific pod. I tried the Istio option as well and had the same result.
Currently I'm getting an 'invalid token' error after entering credentials in the App ID login screen. This App ID service is integrated with an Angular application. I have this application in location and it's working fine, but with the same application deployed to cloud, I'm getting an 'invalid token' error while testing.
Using quotes leads to:
Error: Unknown authentication strategy "APIStrategy.STRATEGY_NAME"
at attempt (/Users/andreafrittoli/nodejs/node_modules/passport/lib/middleware/authenticate.js:186:37)
at authenticate (/Users/andreafrittoli/nodejs/node_modules/passport/lib/middleware/authenticate.js:362:7)
at Layer.handle [as handle_request] (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/layer.js:95:5)
at next (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/layer.js:95:5)
at /Users/andreafrittoli/nodejs/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/index.js:335:12)
at next (/Users/andreafrittoli/nodejs/node_modules/express/lib/router/index.js:275:10)
at initialize (/Users/andreafrittoli/nodejs/node_modules/passport/lib/middleware/initialize.js:53:5)
The correct code is:
app.get('/protected', passport.authenticate(APIStrategy.STRATEGY_NAME,
Please fix Step-3 as that mixer policy is deprecated and doesn't work on ocp-4.3. I'm stuck on "Waiting for resources to become ready..." after trying
istioctl manifest apply --set values.global.disablePolicyChecks=false --set values.pilot.policy.enabled=true
https://cloud.ibm.com/docs/services/appid?topic=appid-cd-sso#cd-sso-log-out
Under the "By Using the Node.js Server SDK" header, the docs read as follows:
app.get('/logoutSSO', (req, res) => { res.clearCookie("refreshToken"); webAppStrategy.logoutSSO(req,res, { "redirect_uri": "https://my-app.com/after_logout" }); });
The page, https://cloud.ibm.com/docs/appid?topic=appid-kube-auth, tutorial-kubernetes-auth.md, has some text that gave us a lot of confusion and made it take a long time to correctly set up AppID with Kubernetes Ingress.
The step:
"Optional: If your app supports the web app strategy in addition to, or instead of, the API strategy, add the nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-<App_ID_service_instance_name>/start?rd=$escaped_request_uri annotation."
is confusing because of the terms "web app strategy" and "API strategy". It confused us because we were somewhat familiar with the WebAppStrategy and APIStrategy auth methods with passport as noted on the "Backend Apps" and "Web Apps" pages in the AppID doc:
var APIStrategy = require('ibmcloud-appid').APIStrategy;
const WebAppStrategy = require("ibmcloud-appid").WebAppStrategy;
Since we were enabling a web application with auth through Ingress and did not want to change this app's code to use WebAppStrategy we did not do this optional step, but this step ends up being REQUIRED if you have a web app that you want to secure with AppID and K8s ingress.
I would suggest removing the terms "web app strategy" and "API strategy" from the two sections in the Ingress doc and replacing them with more general terms such as:
"If your app is a web app, in addition to or instead of providing APIs, add ..."
and similar change lower in the doc in the "Verify that App ID authentication is enforced for your apps" section.
In section 'Deleting a profile with the API' step 3 says:
- By using the ID that you obtained in the previous step, make a DELETE request to the /users endpoint to see their full user profile.
Should that be like this instead?
- By using the ID that you obtained in the previous step, make a DELETE request to the /users endpoint to delete the profile.
I am creating a custom UI login screen and communicating with AuthorizationDelegate using App ID services, but I wasn't able to find out how I can use my own custom sign-up UI with App ID. Please let me know how we can integrate a custom sign-up UI with AuthorizationDelegate.
In my backend service, I require a token that contains the "roles" claim in the client credentials flow. So I've tried to set up App ID as described in the article about Assigning roles to an application; unfortunately, I didn't succeed in this.
Could you please help me to figure out whether it is a defect in the documentation or I'm just missing some steps in the setup procedure?
Steps were done for setup:
"accessTokenClaims": [
{
"source": "roles"
}
]
In this paragraph: https://cloud.ibm.com/docs/appid?topic=appid-branded#branded-technically
The link: Authorization Grant flow and Resource Owner Password Credentials flow opens a not found page:
[ASCII-art 404 page: "SORRY. This page does not exist yet."]
Describe the bug
The source is incorrectly documented as HPCS whereas it should have been App ID service in Service-to-Service Authorization section
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected to see App ID as the source instead of HPCS
Desktop (please complete the following information):
NA
Smartphone (please complete the following information):
NA
Additional context
The keyword {{{site.data.keyword.appid_short_notm}} is not replaced in the generated doc.
See section:
https://cloud.ibm.com/docs/appid?topic=appid-custom-auth#custom-auth-tech
FYI @jigneshkvp I've moved this issue to the App ID area.
Original issue opened here ibm-cloud-docs/overview#10
Hello,
The link to Mobile App with serverless backend on the AppId home page does not work.
This topic is about App ID but mentions Security and Compliance Center in the first paragraph.
https://cloud.ibm.com/docs/services/appid?topic=appid-customizing-tokens#customizing-tokens
The table below in the page above has a couple of issues.
You can customize your tokens in the GUI or by using the API{: external} by setting the lifespan validity or by adding custom claims to your tokens. Check out the following table to see how lifespan is configured or continue reading to learn about mapping custom attributes.
Token type | Value type | Default | Options |
---|---|---|---|
Access | Minutes | 60 | Any value between 5 and 1440 |
Identity | Minutes | 60 | Any value between 5 and 1440 |
Refresh | Days | 30 | Any value between 1 and 9 |
Anonymous | Days | 30 | Any value between 1 and 9 |
Please set video in doc as public to see what it is about.
Hi,
In this AppID doc, it states: "With IBM Cloud® App ID, you can consistently enforce policy-driven security by using the Ingress networking capability in IBM Cloud Kubernetes Service or Red Hat OpenShift on IBM Cloud"
One of the steps needed is to enable alb-oauth-proxy; however, this is not supported on OpenShift clusters, only Kubernetes. Can the doc be edited to reflect this?
"With IBM Cloud® App ID, you can consistently enforce policy-driven security by using the Ingress networking capability in IBM Cloud Kubernetes Service"
https://cloud.ibm.com/docs/appid?topic=appid-kube-auth
Proof ALB-Oauth is not supported: https://cloud.ibm.com/docs/openshift?topic=openshift-supported-cluster-addon-versions