User Authentication And Authorization

Its not a fair game that anyone can update your TO-DO List. So we need to secure our application with some mechanism.

Predix out of the box has UAA as Service Checkout this service by typing cf marketplace -s predix-uaa

This service is inspired by Cloudfoundry/UAA and API documentation here.

If you are not sure what OAuth2 / SAML works. Checkout some of the references given below.

Long story short.

  • Resource here is the entity to-do
  • The User's (Resource Owner) identity belongs to the some bigger ecosystem. For eg: Company SSO, Facebook, Google, Twitter, Yahoo etc.
  • todo-server is Resource Server's. These operate on Resource.
  • todo-client is the Client who wants to access the to-do list belonging to a particular Owner/User

What we want to accomplish

Design Guidelines

PS : This varies from project to project

  1. Client side gets the token from UAA
  2. Server side validates the token with UAA
  3. Server never creates a token
  4. Server never gets a hands on the User credentials (which could be possible with grant_type password, but I vote against it )