Challenge Overview
We are thinking about simplifying the communication between our services.
For example, if User A calls API B with a JWT token for authentication, and API B in turn needs to call API C, which also requires authentication, we currently have to pass the user's JWT token along. If API C's access-grant logic has not been updated (for example, it only supports admin access), this becomes problematic.
So we'd like to simplify the communication between services using a machine-to-machine token; it should generally follow this approach.
1. API B wants to call API C, so it calls Auth0 to generate a machine-to-machine token (https://auth0.com/docs/api-auth/grant/client-credentials)
2. API C should validate the token and check the scope information to allow or deny access.
3. Our APIs are based on two technologies, Java and NodeJS. For this challenge, we'd like to focus on the Java version: make the token supported in the Core API, and demonstrate the usage in the sample services.
General Requirement
1. JWT token sample
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9UbENOMFk0UVRWQlJERTJSRGt3TURneU56QkRSVFZFTjBGQ09VVTRSalF6T0RWQ016QkRSUSJ9.eyJpc3MiOiJodHRwczovL3RvcGNvZGVyLW5ld2F1dGguYXV0aDAuY29tLyIsInN1YiI6IjVmY3RmamFMSkhkdk0wNGtTckNjQzh5bjBJNHQxSlRkQGNsaWVudHMiLCJhdWQiOiJodHRwczovL3d3dy50b3Bjb2Rlci5jb20iLCJpYXQiOjE1MjE1MjM4MDEsImV4cCI6MTUyMTUyNzQwMSwiYXpwIjoiNWZjdGZqYUxKSGR2TTA0a1NyQ2NDOHluMEk0dDFKVGQiLCJzY29wZSI6InJlYWQ6dXNlcl9wcm9maWxlcyIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.K4GIiiRwCtQY_00muNxBAPP95K4tzNrq-V5BMdo4nOUUfCoyZ8kSHjjzargJ3YkfaqQDLlK4skysti5DbwQKZjYadz3wyKtq43BNswnDygP1nZ1Sy58W4--MD38IdosAyPi81i1w5KIqoTP9AVSsGpBKJyS-nGSbkYKVHjWiuqmfcsjFkiLunS87E_-smHjSkhGpstnq-URGUDAoeHYTRk_d46lDCxFEpdcRewNxuu_tRNdUYRuRKud8b_BtqOaNl3VAnOVVLMLRQ_uQnyv_zO71DnrN_m7eqLLNcPg5SHvgWrBydOZO5XUK5PlW_eMEfqk_NvtwA1e2xeZ0rqnZ8w
If you use jwt.io to parse it, the header will be
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "OTlCN0Y4QTVBRDE2RDkwMDgyNzBDRTVEN0FCOUU4RjQzODVCMzBDRQ"
}
and the payload will be
{
  "iss": "https://topcoder-newauth.auth0.com/",
  "sub": "5fctfjaLJHdvM04kSrCcC8yn0I4t1JTd@clients",
  "aud": "https://www.topcoder.com",
  "iat": 1521523801,
  "exp": 1521527401,
  "azp": "5fctfjaLJHdvM04kSrCcC8yn0I4t1JTd",
  "scope": "read:user_profiles",
  "gty": "client-credentials"
}
2. Update the CORE API to validate the token and generate a special user (the AuthUser should be properly created)
2.1 Use the existing validation approach for RS256.
2.2 Revise AuthUser to support a machine-type user.
2.2.1 Add an isMachine() method to determine whether it is a normal user or a machine.
2.2.2 Add a List<String> getScope() method to return the scopes for a machine token. It should parse the scope field, which is a space-delimited string such as read:user_profiles read:user_roles write:user_something
2.2.3 The following classes should be involved:
- tech.core/tech.core.api/src/main/java/com/appirio/tech/core/api/v3/util/jwt/JWTToken.java
- tech.core/tech.core.api/src/main/java/com/appirio/tech/core/auth/AuthUser.java
- tech.core/tech.core.api/src/main/java/com/appirio/tech/core/auth/JWTAuthenticator.java
2.3 Unit tests should be created for this new logic.
3. In order to properly test the changes, you can use the tech.core/tech.core.sample.dropwizard codebase, which contains sample RESTful APIs built for demonstration.
4. The latest source code will be posted in the Challenge Forum.
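As an added illustration of requirement 2.2 (not code from the Core API itself), the following self-contained Java class shows how a machine-type user could expose isMachine() and getScope(), and how a resource could use the scopes to allow or deny access. The class name MachineAwareUser, the allowAccess helper and the claims map are assumptions for this example; in the real code base the claims would come from the existing RS256-validated JWTToken, and this example assumes the signature, issuer, audience and expiry have already been verified before the claims reach it.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative stand-in for an AuthUser that understands Auth0 client-credentials tokens.
// Assumption: the claims passed in were already validated (RS256 signature, iss, aud, exp).
public class MachineTokenExample {

    /** Hypothetical AuthUser-like holder; name and fields are illustrative, not the project's class. */
    public static final class MachineAwareUser {
        private final String subject;
        private final String grantType;   // "gty" claim; Auth0 sets "client-credentials" for M2M tokens
        private final String rawScope;    // "scope" claim; single space-delimited string

        public MachineAwareUser(Map<String, Object> claims) {
            this.subject = asString(claims.get("sub"));
            this.grantType = asString(claims.get("gty"));
            this.rawScope = asString(claims.get("scope"));
        }

        public String getSubject() {
            return subject;
        }

        /** A token is treated as machine-issued when the grant type is client-credentials. */
        public boolean isMachine() {
            return "client-credentials".equals(grantType);
        }

        /** Splits the space-delimited scope claim; empty list when the claim is absent or blank. */
        public List<String> getScope() {
            if (rawScope == null || rawScope.trim().isEmpty()) {
                return Collections.emptyList();
            }
            List<String> scopes = new ArrayList<>();
            for (String s : rawScope.trim().split("\\s+")) {
                scopes.add(s);
            }
            return Collections.unmodifiableList(scopes);
        }

        public boolean hasScope(String required) {
            return getScope().contains(required);
        }

        private static String asString(Object o) {
            return o == null ? null : o.toString();
        }
    }

    /**
     * Resource-side decision: a machine caller is allowed only if it carries the required scope.
     * Normal users are handed back to the existing role-based checks (not part of this example),
     * so a machine token can never satisfy a role check and a user token can never satisfy a scope check.
     */
    public static boolean allowAccess(MachineAwareUser user, String requiredScope) {
        if (user.isMachine()) {
            return user.hasScope(requiredScope);
        }
        return false; // placeholder: existing role-based authorization for normal users goes here
    }

    public static void main(String[] args) {
        // Constructed claims mirroring the sample payload from the spec (values copied from the page).
        Map<String, Object> machineClaims = new HashMap<>();
        machineClaims.put("iss", "https://topcoder-newauth.auth0.com/");
        machineClaims.put("sub", "5fctfjaLJHdvM04kSrCcC8yn0I4t1JTd@clients");
        machineClaims.put("aud", "https://www.topcoder.com");
        machineClaims.put("scope", "read:user_profiles");
        machineClaims.put("gty", "client-credentials");

        MachineAwareUser machine = new MachineAwareUser(machineClaims);
        System.out.println("isMachine: " + machine.isMachine());                    // true
        System.out.println("scopes: " + machine.getScope());                        // [read:user_profiles]
        System.out.println("read allowed: " + allowAccess(machine, "read:user_profiles")); // true
        System.out.println("write allowed: " + allowAccess(machine, "write:user_profiles")); // false

        // Constructed claims for a normal (non-machine) user token: no gty, no scope.
        Map<String, Object> userClaims = new HashMap<>();
        userClaims.put("sub", "auth0|constructed-user-id");
        MachineAwareUser person = new MachineAwareUser(userClaims);
        System.out.println("isMachine: " + person.isMachine());                     // false
        System.out.println("scopes: " + person.getScope());                         // []
    }
}
```

The scope list is returned unmodifiable so callers cannot widen a machine's permissions after parsing, and a missing or blank scope claim yields an empty list rather than null, which keeps the deny-by-default behaviour in allowAccess explicit.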
Final Submission Guidelines
- Code change for the CORE API
- Verification steps showing that the machine-to-machine token can be properly handled in the new version of the CORE API