Add option to disable mpJWT checking
jwalcorn opened this issue · 2 comments
We use JSON Web Tokens (JWTs) for Single Sign-On (SSO) purposes in the various backend microservices, once the login happens in Trader and the initial JWT is issued. This is great for production-style scenarios, and certainly should be the default. However, there are some scenarios where having the option to disable this, during development and during unit tests that should happen during a pipeline build for each microservice, would be desirable. We already have a `jwt` stanza in the CR yaml; I'm proposing adding an `enabled` boolean to that (which would default to `true` if not specified, to preserve existing behavior). We could implement this via the same approach we use today for conditionally including `server.xml` stanzas like for PostgreSQL or MS SQL Server or IBM DB2 or whatever (at least for the Liberty-based microservices).
Since this will mean surgery on nearly every microservice, I'll probably use this as an opportunity to move up to Open Liberty 23.0.0.12 across the board, and the latest versions of Maven dependencies (like for JDBC jars and JMS rars). And perhaps adopting Instant-On, that finally exited beta earlier this year.
I ended up just adding a new `none` value to the `auth` enum in the `global` stanza instead. Otherwise, I was going to get into a situation where I was multiplying the number of auth enum values by 2, as in "basic-jwt" and "basic-nojwt", "ldap-jwt" and "ldap-nojwt", etc., for the options for the file name to be included by the server.xml. Note I'm not rewriting the Trader UI to remove its login page (when "none" is selected); I'm just making it so that the downstream microservices have the option not to check for a valid JWT in the http request header. The default will still be to require a JWT, unless the new "none" enum value is specified in `global.auth`.
Note I now have it working (took some config work in each microservice). So now, if you set `global.auth=none`, you can call a backend microservice without needing to construct and attach a JWT. That said, you do still need to send basic auth credentials (like via the `-u` param to `curl`), as seen here (where I had done a `docker run -p 9080:9080 -e TEST_MODE=true -e AUTH_TYPE=none broker:m1`):
```
jalcorn@Johns-MBP stock-quote % curl -u stock:trader http://localhost:9080/broker
[{"balance":0.0,"cashAccountBalance":0.0,"commissions":0.0,"free":0,"loyalty":"Basic","nextCommission":0.0,"owner":"John","total":1234.56},{"balance":0.0,"cashAccountBalance":0.0,"commissions":0.0,"free":0,"loyalty":"Bronze","nextCommission":0.0,"owner":"Karri","total":12345.67},{"balance":0.0,"cashAccountBalance":0.0,"commissions":0.0,"free":0,"loyalty":"Bronze","nextCommission":0.0,"owner":"Ryan","total":23456.78},{"balance":0.0,"cashAccountBalance":0.0,"commissions":0.0,"free":0,"loyalty":"Silver","nextCommission":0.0,"owner":"Raunak","total":98765.43},{"balance":0.0,"cashAccountBalance":0.0,"commissions":0.0,"free":0,"loyalty":"Gold","nextCommission":0.0,"owner":"Greg","total":123456.78},{"balance":0.0,"cashAccountBalance":0.0,"commissions":0.0,"free":0,"loyalty":"Platinum","nextCommission":0.0,"owner":"Eric","total":1234567.89}]
jalcorn@Johns-MBP stock-quote %
```
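The thread above describes a toggle that turns off the MicroProfile JWT check per microservice, selected either through `global.auth` in the CR or through the `AUTH_TYPE` environment variable on a `docker run`, with "require a JWT" remaining the default. The one caveat a practitioner wants with such a switch is a gate that keeps `none` out of anything but development and CI. The following is an added example, not code from this issue or from the StockTrader project: a small pre-deployment lint that resolves the effective auth mode the way the thread describes (CR value, then environment variable, then the default) and fails when JWT checking would be disabled for a non-development target. The full set of enum values (`basic`, `ldap`, `oidc`, `none`), the `auth-<mode>.xml` include naming, the CR layout under `spec.global`, and the list of environments that count as development are all assumptions made for the example.

```python
"""Added example (not StockTrader's own code): a pre-deployment guard for the
global.auth / AUTH_TYPE toggle discussed in this issue.

Assumptions beyond the names global.auth and AUTH_TYPE: the auth enum below,
the auth-<mode>.xml include naming, the CR shape spec.global.auth, and which
environments count as development.
"""
from typing import Dict, List, Optional

# Assumed enum: the pre-existing modes plus the new "none" that skips the JWT check.
AUTH_MODES = ("basic", "ldap", "oidc", "none")
DEFAULT_AUTH = "basic"            # an unspecified value keeps the JWT check on
DEV_ENVIRONMENTS = {"dev", "ci"}  # assumed: only these may run with JWT checking off


def resolve_auth(cr: Optional[Dict] = None, env: Optional[Dict[str, str]] = None) -> str:
    """Return the effective auth mode.

    The CR's global.auth wins over the AUTH_TYPE environment variable (the
    docker-run style shown in the thread). An unset value falls back to the
    default so existing deployments keep requiring a JWT. Unknown values are
    rejected rather than silently treated as "no JWT".
    """
    cr = cr or {}
    env = env or {}
    value = cr.get("spec", {}).get("global", {}).get("auth") or env.get("AUTH_TYPE")
    if value is None:
        return DEFAULT_AUTH
    value = value.strip().lower()
    if value not in AUTH_MODES:
        raise ValueError(f"unknown auth mode {value!r}; expected one of {AUTH_MODES}")
    return value


def include_file(mode: str) -> str:
    """Name of the server.xml fragment pulled in for a mode (assumed naming scheme)."""
    return f"auth-{mode}.xml"


def jwt_required(mode: str) -> bool:
    """Only the new 'none' mode relaxes the MicroProfile JWT check."""
    return mode != "none"


def lint(cr: Optional[Dict], env: Optional[Dict[str, str]], environment: str) -> List[str]:
    """Return findings for a deployment; an empty list means it is acceptable.

    Fails when JWT checking is disabled for any environment outside
    DEV_ENVIRONMENTS, which is the production-safety caveat behind the
    'should certainly be the default' remark in the issue.
    """
    try:
        mode = resolve_auth(cr, env)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if not jwt_required(mode) and environment not in DEV_ENVIRONMENTS:
        findings.append(
            f"global.auth=none disables JWT checking (include {include_file(mode)}) "
            f"but target environment {environment!r} is not a development environment"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample CR fragment; the real CR carries many more fields.
    sample_cr = {"spec": {"global": {"auth": "none"}}}
    print(lint(sample_cr, None, "prod"))                                  # one finding
    print(lint(None, {"TEST_MODE": "true", "AUTH_TYPE": "none"}, "ci"))   # []
    print(lint(None, None, "prod"))                                       # [] (default keeps JWT)
```

Run it as a pipeline step before applying the CR or starting the container; a non-empty return from `lint` is the build failure. The lint deliberately refuses unknown modes instead of mapping them to a fallback, so a typo in the enum can never end up as the "no JWT" include.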