maximthomas/blazewall

This repository was archived by the owner on May 5, 2023. It is now read-only.

Open Source Single-Sign-On and Access Management platform built in microservice architecture

BLAZEWALL is an Open Source Single Sign-On and Access Management platform built with microservice architecture and released under Apache 2.0 license.


Solution architecture

The solution architecture is shown in the services interaction diagram below:

[Services interaction diagram]

Services:

  • auth-service: Authentication service, responsible for signing up or signing in users
  • gateway-service: Proxies all user requests to protected resources. The gateway checks that a user request does not violate the security policy; if it does not, the gateway enriches the request with the user session info and passes it to the protected resource. If the request violates the policy, gateway-service denies it and redirects the user to authentication
  • session-service: Stores and manages user sessions
  • user-service: Responsible for user account management
  • protected-service: Test service with an unsecured and a secured zone

Processes

[Authentication process diagram]

[Access protected resource process diagram]

Quick Start

Quick start with docker-compose.

Add the following entry to the /etc/hosts file on a Unix-based OS or to c:\Windows\System32\Drivers\etc\hosts on Windows:

127.0.0.1 example.com auth.example.com

Start all services locally with docker-compose:

docker-compose up --build

After all the services have started, go to http://example.com:8080/ and you will see an entry point page that is available to all users. Click on the Try to Authenticate button. You will be redirected to the page http://example.com:8080/user, which is protected by gateway-service.

gateway-service checks whether the user is authenticated; if not, it redirects the user to the auth-service at http://auth.example.com:8081/auth-service/v1/users

Enter the default credentials, login admin and password password, to authenticate.

After authentication has succeeded, you will be redirected back to the protected resource http://example.com:8080/user.

Protecting Your Own Site

Let us describe how to protect your service step by step using Docker.

Create network

docker network create blazewall-network

Deploy Your Service to Protect

We will take protected-service as an example. Let us run the service in a Docker container.

docker run --name protected-service -h protected-service --network=blazewall-network -d blazewall/protected-service

There is no port forwarding, so the site cannot be accessed from an external network.

Configure gateway-service

Create or modify the gateway-service yaml configuration in the gateway-config.yaml file. You can find a configuration sample in gateway-config-test.yaml.

Create a config file for gateway-service namedgateway-config.yaml to set up hosts, paths, and policies:

protectedHosts: # array of hosts
  - requestHost: example.com:8080 # gateway host and port
    targetHost: 'http://protected-service:8080' # target host and port
    pathsConfig: # paths and policies config
      - policyValidator:
          type: authenticated # could also be 'realms', 'allowed', 'denied'
        urlPattern: /user # protected url
        authUrl: 'http://auth.example.com:8081/auth-service/v1/login?realm=users' # auth-service url. If a request violates the policy, the user is redirected to this url for authentication
sessionID: BlazewallSession # session cookie
endpoints:
  sessionService: http://session-service:8080/session-service/v1/sessions # session-service endpoint

Start the gateway service:

docker run --name gateway-service \
  -v $(pwd)/gateway-config.yaml:/app/config/gateway-config.yaml \
  -p 8080:8080 \
  --network=blazewall-network \
  -d \
  blazewall/gateway-service \
  ./main -yc /app/config/gateway-config.yaml

Then check that the protected service can be accessed via the gateway at http://example.com:8080.
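The policy check gateway-service performs for a pathsConfig like the one above, as an added Go example that is not the project's code: the struct fields mirror the YAML keys on this page, the session lookup is an in-memory stand-in for the sessionService endpoint, and the sample session id is constructed. Two details are this example's own choices rather than documented blazewall behaviour: the request path is normalised before matching so that ".." segments cannot step around a urlPattern, and an unrecognised validator type fails closed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// PathPolicy mirrors one pathsConfig entry of gateway-config.yaml; all Go types here are the example's own.
type PathPolicy struct {
	PolicyType string // policyValidator.type: authenticated, allowed or denied
	URLPattern string // urlPattern
	AuthURL    string // authUrl: where a request that violates the policy is sent
}

type GatewayConfig struct {
	SessionID string // sessionID: name of the session cookie
	Policies  []PathPolicy
}

// Session is what session-service returns; the gateway serialises it into X-Blazewall-Session.
type Session struct {
	ID         string            `json:"id"`
	UserID     string            `json:"userId"`
	Realm      string            `json:"realm"`
	Properties map[string]string `json:"properties"`
}

// SessionLookup stands in for a call to the sessionService endpoint.
type SessionLookup func(cookieValue string) (Session, bool)

type Decision struct {
	Status   int    // 200 pass through, 302 redirect to Location, 403 denied
	Location string // the policy's authUrl when Status is 302
	Header   string // X-Blazewall-Session value when Status is 200
}

// matchPolicy returns the first policy covering reqPath; the path is cleaned so ".." cannot step around a pattern.
func matchPolicy(cfg GatewayConfig, reqPath string) (PathPolicy, bool) {
	reqPath = path.Clean(reqPath)
	for _, p := range cfg.Policies {
		if reqPath == p.URLPattern || strings.HasPrefix(reqPath, p.URLPattern+"/") {
			return p, true
		}
	}
	return PathPolicy{}, false
}

// Authorize applies the policy of the matching path to one request.
func Authorize(cfg GatewayConfig, lookup SessionLookup, r *http.Request) Decision {
	p, ok := matchPolicy(cfg, r.URL.Path)
	if !ok {
		return Decision{Status: 200} // paths without a policy stay public, like / in the quick start
	}
	switch p.PolicyType {
	case "allowed":
		return Decision{Status: 200}
	case "denied":
		return Decision{Status: 403}
	case "authenticated":
		c, err := r.Cookie(cfg.SessionID)
		if err != nil {
			return Decision{Status: 302, Location: p.AuthURL} // no session cookie at all
		}
		s, found := lookup(c.Value)
		if !found {
			return Decision{Status: 302, Location: p.AuthURL} // expired or unknown session
		}
		b, _ := json.Marshal(s)
		return Decision{Status: 200, Header: string(b)}
	default:
		return Decision{Status: 403} // fail closed on a validator type not implemented here
	}
}

const sampleSessionID = "5c02e842-7844-40f5-a90b-2fec3f6dd8d4" // constructed sample id

func exampleConfig() GatewayConfig {
	return GatewayConfig{SessionID: "BlazewallSession", Policies: []PathPolicy{
		{"authenticated", "/user", "http://auth.example.com:8081/auth-service/v1/login?realm=users"},
	}}
}

func exampleLookup(cookieValue string) (Session, bool) {
	if cookieValue != sampleSessionID {
		return Session{}, false
	}
	return Session{ID: sampleSessionID, UserID: "admin", Realm: "users",
		Properties: map[string]string{"roles": `["admin","manager"]`}}, true
}

func main() {
	r := httptest.NewRequest("GET", "http://example.com:8080/user", nil)
	fmt.Printf("%+v\n", Authorize(exampleConfig(), exampleLookup, r)) // 302 to the auth-service
	r.AddCookie(&http.Cookie{Name: "BlazewallSession", Value: sampleSessionID})
	fmt.Printf("%+v\n", Authorize(exampleConfig(), exampleLookup, r)) // 200 with session header
}
```

The redirect on a missing or unknown cookie is what the quick start shows when an unauthenticated browser opens /user; a request with a live session instead reaches the protected resource carrying the serialised session in X-Blazewall-Session.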

Configure auth-service

Create or modify the auth-service yaml configuration in the auth-config.yaml file. You can find a configuration sample in auth-config-test.yaml:

realms: # set of realms
  - name: users # realm name
    redirectOnSuccess: "http://example.com:8080/user" # redirect location after successful authentication
    authConfig: # authentication configuration
      - type: userService # authenticate via user-service, shows login and password page
        parameters: # authentication parameters
          endpoint: http://user-service:8080/user-service/v1 # user-service endpoint
          realm: users # user service realm
  - name: staff
    redirectOnSuccess: "http://example.com:8080/user"
    authConfig:
      - type: userService
        parameters:
          endpoint: http://user-service:8080/user-service/v1
          realm: staff
cookieDomains: # array of cookie domains where the cookie should be set
  - .example.com
  - localhost
sessionID: BlazewallSession # blazewall session cookie name, should be the same as in gateway-service
endpoints:
  sessionService: http://session-service:8080/session-service/v1/sessions # session service endpoint

Start the auth service:

docker run --name auth-service \
  -v $(pwd)/auth-config.yaml:/app/config/auth-config.yaml \
  -p 8081:8080 \
  --network=blazewall-network \
  -d \
  blazewall/auth-service \
  ./main -yc /app/config/auth-config.yaml

Configure session-service

The session service uses Redis to store session data. You must set the following environment variables to connect to Redis:

  • REDIS_ADDRES - redis database address (default localhost:6379)
  • REDIS_PASS - redis DB password (default empty)
  • REDIS_DB - redis DB number (default 0)

Let us build a docker image and run it with Redis:

Start Redis:

docker run --name redis --network=blazewall-network -h redis redis

Start session-service:

docker run --name session-service \
  --env REDIS_ADDRES=redis:6379 \
  --network=blazewall-network \
  -d \
  blazewall/session-service

Configure user-service

The current version of the user service supports only MongoDB. You can configure user-service using a yaml file, which holds the connection settings for each realm. You can find a configuration sample in user-config-test.yaml.

Create a user-config.yaml file:

realms: # realms for user service, to use different user databases
  - realm: users # realm name
    type: mongodb # database type
    parameters: # database connection parameters
      uri: 'mongodb://root:example@mongo:27017'
      db: users
      collection: users

Run MongoDB:

docker run --name mongo \
  --env MONGO_INITDB_ROOT_USERNAME=root --env MONGO_INITDB_ROOT_PASSWORD=example \
  -d \
  --network=blazewall-network -h mongo mongo

Run user-service:

docker run --name user-service \
  -v $(pwd)/user-config.yaml:/app/config/user-config.yaml \
  --network=blazewall-network \
  -d \
  blazewall/user-service \
  ./main -yc /app/config/user-config.yaml

In the request header X-Blazewall-Session, which gateway-service adds to the requests it forwards to the protected resource, you will see all the session info in JSON format, for instance:

{
  "id": "5c02e842-7844-40f5-a90b-2fec3f6dd8d4",
  "userId": "admin",
  "realm": "users",
  "properties": {
    "firstname": "John",
    "lastname": "Doe",
    "roles": "[\"admin\",\"manager\"]"
  }
}
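How a protected service can consume that header, as an added Go example that is not part of blazewall or this README: the gatewaySession type mirrors the JSON above, while the handler, the URL path and the role names are assumptions. Two points are worth seeing in code. The roles property in the sample is itself a JSON-encoded string, so it needs a second decode before a role comparison can succeed. And the header is only trustworthy because, as described above, protected-service publishes no port and is reached solely through gateway-service on blazewall-network; a request without the header is therefore rejected rather than treated as anonymous.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// gatewaySession mirrors the JSON gateway-service puts in X-Blazewall-Session
// (the Go type is this example's own, not the project's).
type gatewaySession struct {
	ID         string            `json:"id"`
	UserID     string            `json:"userId"`
	Realm      string            `json:"realm"`
	Properties map[string]string `json:"properties"`
}

// Roles decodes the "roles" property, which in the sample header is a JSON array
// stored as a string and therefore needs a second json.Unmarshal.
func (s gatewaySession) Roles() ([]string, error) {
	raw, ok := s.Properties["roles"]
	if !ok || raw == "" {
		return nil, nil
	}
	var roles []string
	if err := json.Unmarshal([]byte(raw), &roles); err != nil {
		return nil, fmt.Errorf("roles property is not a JSON string array: %w", err)
	}
	return roles, nil
}

var errNoSession = errors.New("missing X-Blazewall-Session: request did not come through gateway-service")

// sessionFromRequest parses the header added by the gateway. It is trusted only
// because protected-service has no published port and is reached via the gateway.
func sessionFromRequest(r *http.Request) (gatewaySession, error) {
	var s gatewaySession
	raw := r.Header.Get("X-Blazewall-Session")
	if raw == "" {
		return s, errNoSession
	}
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return s, fmt.Errorf("malformed X-Blazewall-Session: %w", err)
	}
	if s.UserID == "" || s.Realm == "" {
		return s, errors.New("X-Blazewall-Session lacks userId or realm")
	}
	return s, nil
}

// HasRole reports whether the session carries the role; unreadable roles grant nothing.
func HasRole(s gatewaySession, want string) bool {
	roles, err := s.Roles()
	if err != nil {
		return false
	}
	for _, r := range roles {
		if r == want {
			return true
		}
	}
	return false
}

// AdminOnly is a handler for the secured zone that requires the admin role.
func AdminOnly(w http.ResponseWriter, r *http.Request) {
	s, err := sessionFromRequest(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusUnauthorized)
		return
	}
	if !HasRole(s, "admin") {
		http.Error(w, "admin role required", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s from realm %s\n", s.UserID, s.Realm)
}

// sampleHeader is the session JSON shown on the page, used here as constructed input.
const sampleHeader = `{"id":"5c02e842-7844-40f5-a90b-2fec3f6dd8d4","userId":"admin","realm":"users","properties":{"firstname":"John","lastname":"Doe","roles":"[\"admin\",\"manager\"]"}}`

// callAdminOnly sends one request to the handler and returns the status code.
func callAdminOnly(header string) int {
	r := httptest.NewRequest("GET", "http://protected-service:8080/user/admin", nil)
	if header != "" {
		r.Header.Set("X-Blazewall-Session", header)
	}
	w := httptest.NewRecorder()
	AdminOnly(w, r)
	return w.Code
}

func main() {
	fmt.Println(callAdminOnly(sampleHeader)) // 200
	fmt.Println(callAdminOnly(""))           // 401
}
```

A session whose roles property holds plain text instead of a JSON array is treated as having no roles at all, so a mis-serialised value degrades to a 403 rather than an accidental grant.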
