User Authentication And Authorization

It is not fair that anyone can update your to-do list, so we need to secure the application with some authentication and authorization mechanism.

Predix provides UAA out of the box as a marketplace service. Check it out by typing cf marketplace -s predix-uaa

This service is based on Cloud Foundry UAA; its API documentation is linked here.

If you are not sure how OAuth2 / SAML works, check out the references given below.

Long story short:

  • The Resource here is the to-do entity.
  • The User's (Resource Owner) identity belongs to some bigger ecosystem, e.g. company SSO, Facebook, Google, Twitter, Yahoo.
  • todo-server is the Resource Server; it operates on the Resource.
  • todo-client is the Client that wants to access the to-do list belonging to a particular Owner/User.

What we want to accomplish

Design Guidelines

PS: This varies from project to project.

  1. The client side obtains the token from UAA.
  2. The server side validates the token with UAA.
  3. The server never creates a token.
  4. The server never gets its hands on the user's credentials (which would be possible with grant_type password, but I vote against it).
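To make the server side of these guidelines concrete, here is an added example (not code from the original post, nor from Predix or Cloud Foundry UAA) of how todo-server could validate a bearer token locally before touching a to-do. Everything in it is an assumption made so it runs offline: the issuer URL, the client id todo-client, the scope names todo.read and todo.write, and the symmetric HS256 signing key. The function uaa_issue_token only stands in for UAA so the example has something to validate; per guideline 3 the real resource server would never contain such a function, and the real verification key would come from UAA's /token_key endpoint (or the token would be introspected via /check_token).

```python
"""Resource-server side of the design guidelines: validate, never mint.

Constructed example. The "UAA" below is a stand-in so the code runs offline;
the issuer, key, client id and scope names are assumptions, not Predix values.
"""
import base64
import hashlib
import hmac
import json
import time

UAA_ISSUER = "https://example-uaa.predix.example/oauth/token"   # assumed
UAA_SIGNING_KEY = b"constructed-demo-key-not-for-production"   # assumed HS256 key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def uaa_issue_token(sub, client_id, scopes, issued_at, ttl=43200):
    """Stand-in for UAA minting an access token (guideline 1).
    Only the authorization server ever signs; todo-server never calls this."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": UAA_ISSUER, "sub": sub, "client_id": client_id,
              "scope": scopes, "iat": issued_at, "exp": issued_at + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(UAA_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    """Raised by todo-server when a presented token must not be honoured."""


def validate_token(token, verification_key, expected_issuer, required_scope, now=None):
    """todo-server side (guideline 2): check signature, then expiry, issuer
    and scope. Returns the claims on success and raises TokenRejected otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never tell the server how to verify it
    # (this is what defeats the classic alg=none trick).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(verification_key, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("wrong issuer")
    if now >= claims.get("exp", 0):
        raise TokenRejected("expired")
    if required_scope not in claims.get("scope", []):
        raise TokenRejected("missing scope %s" % required_scope)
    return claims


def forge_extra_scope(token, extra_scope):
    """What a misbehaving todo-client might try: add a scope to the payload
    while keeping UAA's original signature. Must fail validation."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["scope"] = list(claims["scope"]) + [extra_scope]
    forged_claims = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header_b64 + "." + forged_claims + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_600_000_000
    token = uaa_issue_token("alice", "todo-client", ["todo.read"], t0)
    print(validate_token(token, UAA_SIGNING_KEY, UAA_ISSUER, "todo.read", now=t0 + 60)["sub"])
    for bad, label in ((forge_extra_scope(token, "todo.write"), "forged scope"),
                       (token, "read-only token used for write")):
        try:
            validate_token(bad, UAA_SIGNING_KEY, UAA_ISSUER, "todo.write", now=t0 + 60)
        except TokenRejected as e:
            print("%s rejected: %s" % (label, e))
```

The order of checks matters: the signature is verified before any claim is trusted, and the verification key belongs to todo-server alone, so the client can neither mint (guideline 3) nor extend its own token. The user's password never appears anywhere on this side (guideline 4); only UAA ever saw it.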

References