Challenge Overview

We are thinking about simplifying the communication between our services.

For example, if user A calls API B with a JWT token for authentication, and API B needs to call API C, which also requires authentication, we have to pass along the user's JWT token. But if API C's access-grant logic has not been updated (for example, it only supports admin access), this becomes a problem. So far we have used manually generated, long-lived admin user tokens for this purpose.

So we'd like to simplify the communication between services using a machine-to-machine (m2m) token. It should generally follow this approach:

1. API B wants to call API C, so it calls Auth0 to generate a machine-to-machine token (https://auth0.com/docs/api-auth/grant/client-credentials).
2. API C should validate the token and check the scope info to allow or deny access.
3. Our APIs are based on two technologies, Java and NodeJS. For this challenge we'd like to focus on the NodeJS version: make the token supported in tc-core-library-js and demonstrate the usage in sample services. Java services were updated in a previous challenge.


tc-core-library-js is a custom express middleware we are using in all of our NodeJS services. It validates the user token and adds the decoded payload to req.authUser so it's available in all routes. We want to make several updates to this library in this challenge:
1. Update jwtAuthenticator.js to add an "isMachine:bool" flag to req.authUser if the token is an m2m token. See the Java code example on how to determine whether the token is a machine token or not.
2. Update jwtAuthenticator.js to add a "scopes:String" array to req.authUser that contains the scopes from the decoded auth token. Scopes are available in the scope field of the JWT; the string is space delimited, like read:user_profiles read:user_roles write:user_something.
3. Create and expose (export) methods in the library to get a new m2m token from Auth0 using a clientId and secret (demo credentials provided in the forums). The token should be cached (in memory) for a configurable time period (default 24 hrs); if it has expired, get and return a new token from Auth0. A sample call to this method would be getMachineToken(clientId, clientSecret).
4. Create and expose a method to verify and validate a JWT token. A sample call to this method would be validateJWTToken(machineToken:String, secret:optionalString). The secret is optional but required if the token is signed with HS256. For RS256 the public key should be downloaded automatically (this is already implemented in jwtAuthenticator; you just need to refactor the code into a helper module). This method should be used by jwtAuthenticator and should also be exported so it can be called directly and not only through the middleware.
5. Add relevant logging and exception handling to all the methods.
6. Create unit tests for the new features added in this challenge.

We want to demo the library features on one existing Topcoder service, tc-notifications. It is a NodeJS service that uses the core auth library and makes calls to the member service using a manually generated admin token. This should be replaced by the m2m token generated by the auth library. The member microservice is already updated to support m2m tokens and scopes. Calls to other Topcoder services should remain as is, with the admin token, as they aren't updated yet.

Base code for tc-core-library is available here - use dev-auth0 branch
Base code for tc-notifications service is available here - use dev branch
https://github.com/topcoder-platform/tc-notifications


Final Submission Guidelines

- Submit the updated core auth library code
- Submit the updated tc-notifications code
- Submit a short deployment/verification guide

ELIGIBLE EVENTS:

2018 Topcoder(R) Open

REVIEW STYLE:

Final Review:

Community Review Board

Approval:

User Sign-Off

ID: 30064249