Dynamic User Routing
How to route OAuth requests to a user's home region, in a global deployment.
This ensures that Personally Identifiable Information (PII) never gets stored in the wrong region.
Install Prerequisites
- Install Docker Desktop and configure memory resources of 8GB
- Install ngrok
- Install jq
- Copy a valid
license.json
file into the idsvr folder
Deploy the System
Run one of these commands, supplying the name of the reverse proxy you want to use.
Copy the ngrok URL when prompted, for providing to OAuth Tools.
- ./run.sh nginx
- ./run.sh kong
Then press enter to open OAuth Tools and to deploy the Docker components.
The Reverse Proxy will be deployed, along with Identity Server instances for EU and US regions.
Access the System
Once the system is up, select 'Use Webfinger' in OAuth tools and enter the ngrok URL.
The Curity Identity Server runtime nodes are accessed via the Reverse Proxy, which uses the ngrok URL.
Administer the system via the admin node, signing in as user admin
and password Password1
.
Component | Base URL | URL Type |
---|---|---|
Reverse Proxy | https://5036fca5f99d.eu.ngrok.io | External |
Curity Admin Node | https://localhost:6749/admin | External |
Curity Europe Runtime | http://internal-curity-eu:8443 | Internal |
Curity USA Runtime | http://internal-curity-us:8443 | Internal |
Test Regional Logins
In OAuth Tools, run a Code Flow login for the following client, then redeem the code for tokens.
The login will begin in the EU region, then may switch to the US region once the user is identified.
- Client ID: tools-client
- Client Secret: Password1
- Sign in as 'testuser.eu' or 'testuser.us' with password 'Password1'
- Verify from logs that you are routed to the expected Curity instance
View Logs
If required, run one of the following commands to view logs for some or all components:
- ./logs.sh nginx
- ./logs.sh kong
- ./logs.sh curity
- ./logs.sh all
Cloud Reverse Proxies
If you use a cloud Reverse Proxy, have a look at the CLOUD.md document to learn how to configure Dynamic User Routing in such a case.