[SAP Cloud Platform on Alibaba Cloud series] Develop Python App with Authentication and Authorization in Cloud Foundry – Part 3
This topic, Develop Python App with Authentication and Authorization in Cloud Foundry, will guide you through creating a Python application and setting up authentication checks and authorization checks in Cloud Foundry (for ease of reading, "CF").
Since this is a large topic, in order to give you a better reading experience, I would like to divide it into 3 parts:
This blog post is Part 3.
In the previous part, the @sap/approuter package was added to provide a central entry point for the business application and to enable authentication. Now, to extend our sample app, authorization will be added. The authorization concept includes elements such as Roles, Scopes, and Attributes, which are provided in the security descriptor file xs-security.json of XSUAA; more details can be found here:
Step 1:
Add the dependencies. The cfenv package reads the credentials of the bound services (here, the XSUAA instance) from the Cloud Foundry environment. Besides, you need to set restrictions on the content you serve as well; the sap_xssec security library can do this. Thus, let's add these two dependencies to the requirements.txt:
Flask==1.1.0
cfenv==0.5.3
sap_xssec
sap_xssec is distributed via the SAP Support Portal:
- go to https://support.sap.com/en/my-support/software-downloads.html,
- select Access downloads, located under Support Packages and Patches,
- in the search bar type XS PYTHON,
- select XS PYTHON 1.0, download the XS_PYTHON archive and extract it in a local directory, for example: sap_dependencies.
Then download all dependencies, picking up sap_xssec from the extracted directory, into the vendor folder:
pip download -d vendor -r requirements.txt --find-links ./sap_dependencies
Step 2:
Update the xs-security.json file in the python-with-xsuaa directory with scopes and role-templates:
{
  "xsappname": "myapp",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Display",
      "description": "display"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "View Hello World",
      "scope-references": [
        "$XSAPPNAME.Display"
      ]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": [
      "https://*.<custom-domain>/**"
    ]
  }
}
Then update the myuaa service instance with the new security descriptor:
cf update-service myuaa -c xs-security.json
Step 3:
Update the xs-app.json file in the approuter directory with the scope the route requires:
{
  "routes": [
    {
      "source": "^/myapp/(.*)$",
      "target": "$1",
      "destination": "myapp",
      "scope": "$XSAPPNAME.Display"
    }
  ]
}
Push your app again via:
cf push
Now open the approuter application and click into the myapp link; you should see 403 Forbidden, because no user has been granted the Display scope yet.
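To see how the descriptors from Steps 2 and 3 work together, here is an added Python example; it is not code from this post, from SAP, or from the approuter itself. It resolves the $XSAPPNAME placeholder, checks that every scope-reference in xs-security.json points at a defined scope, matches a request path against the xs-app.json routes (first match wins), expands $1 in the target, and returns the status the approuter gives: 404 when no route matches, 403 when the token lacks the route's scope, otherwise the request is forwarded. The two descriptors are copied from this post; the deployed xsappname "myapp!t1234" (XSUAA appends a tenant suffix at deployment) and the token scope sets are constructed values, and the approuter behaviour is simplified to the authorization decision only.

```python
import re
from typing import Optional

# Security descriptor and approuter routes as defined in this post.
XS_SECURITY = {
    "xsappname": "myapp",
    "scopes": [{"name": "$XSAPPNAME.Display", "description": "display"}],
    "role-templates": [
        {"name": "Viewer", "scope-references": ["$XSAPPNAME.Display"]}
    ],
}

XS_APP = {
    "routes": [
        {"source": "^/myapp/(.*)$", "target": "$1",
         "destination": "myapp", "scope": "$XSAPPNAME.Display"}
    ]
}

# Constructed: the xsappname XSUAA hands out after deployment (tenant suffix added).
DEPLOYED_XSAPPNAME = "myapp!t1234"


def resolve_scope(scope: str, xsappname: str) -> str:
    """Expand the $XSAPPNAME placeholder into the deployed application name."""
    return scope.replace("$XSAPPNAME", xsappname)


def validate_descriptor(desc: dict) -> list:
    """Return 'role -> scope' entries whose scope-reference is not a defined scope."""
    defined = {s["name"] for s in desc.get("scopes", [])}
    problems = []
    for template in desc.get("role-templates", []):
        for ref in template.get("scope-references", []):
            if ref not in defined:
                problems.append(f"{template['name']} -> {ref}")
    return problems


def match_route(xs_app: dict, path: str) -> Optional[dict]:
    """First route whose 'source' regex matches the path; $1, $2, ... in 'target'
    are replaced by the corresponding capture groups."""
    for route in xs_app["routes"]:
        match = re.match(route["source"], path)
        if match:
            target = route["target"]
            for index, group in enumerate(match.groups(), start=1):
                target = target.replace(f"${index}", group or "")
            return {"target": target, "destination": route["destination"],
                    "scope": route.get("scope")}
    return None


def authorize(xs_app: dict, path: str, token_scopes: set, xsappname: str) -> int:
    """Authorization decision for one request: 404 no route, 403 missing scope,
    200 when the request may be forwarded to the destination."""
    route = match_route(xs_app, path)
    if route is None:
        return 404
    required = route["scope"]
    if required and resolve_scope(required, xsappname) not in token_scopes:
        return 403
    return 200


if __name__ == "__main__":
    print("descriptor problems:", validate_descriptor(XS_SECURITY))
    # Constructed token scope sets: a user without and with the Viewer role.
    for scopes in ({"openid"}, {"openid", "myapp!t1234.Display"}):
        print(sorted(scopes), "->", authorize(XS_APP, "/myapp/hello", scopes, DEPLOYED_XSAPPNAME))
```

The 403 in this step is exactly the second case: the user is authenticated (the token carries openid), but until Steps 4 and 5 assign the Viewer role, the token does not contain myapp!t1234.Display and the approuter refuses to forward the request.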
Step 4:
In the SAP Cloud Platform cockpit, navigate to Security, click on Role Collections and create a new Role Collection named Myapp Administrator by clicking on the New Role Collection button. Open the Myapp Administrator Role Collection and add the roles you defined (here: Viewer) by clicking on the Add Role button.
Step 5:
Go to Trust Configuration under Security, then click on sap.default. Enter your email in the E-Mail Address field, and click on the Show Assignment button. Click Assign Role Collection and assign Myapp Administrator to the user.
Go back to the approuter application and click into the myapp link again. You will find that you now have access permission to myapp.
Step 6:
Finally, protect the myapp application against being called directly, bypassing the approuter. Update server.py:
import os
from flask import Flask
from flask import request
from flask import abort
from cfenv import AppEnv
from sap import xssec

app = Flask(__name__)
env = AppEnv()
port = int(os.environ.get('PORT', 3000))
# Credentials of the bound XSUAA instance, read from VCAP_SERVICES.
uaa_service = env.get_service(name='myuaa').credentials


@app.route('/')
def hello():
    # No token at all (e.g. a direct call that bypasses the approuter): deny.
    if 'authorization' not in request.headers:
        abort(403)
    # Strip the "Bearer " prefix to get the raw JWT.
    access_token = request.headers.get('authorization')[7:]
    try:
        # Validates the token against the bound XSUAA instance; raises on an invalid token.
        security_context = xssec.create_security_context(access_token, uaa_service)
    except Exception:
        abort(403)
    # 'openid' is granted to every authenticated user, so this only confirms that a
    # valid XSUAA token was presented; to enforce the Viewer role here as well,
    # check '$XSAPPNAME.Display' in addition.
    isAuthorized = security_context.check_scope('openid')
    if not isAuthorized:
        abort(403)
    return "Hello World"


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=port)
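The server.py above assumes the Authorization header is present and starts with exactly the seven characters "Bearer ". As an added example that is not part of this post, here is a stand-alone version of that check which handles a missing header, a non-Bearer scheme, a lowercase scheme and extra whitespace, and which separates authentication failures (401) from a valid token without the required scope (403). The scope check is pluggable: xssec_checker wraps sap_xssec as used in the post (assumption: create_security_context raises on an invalid token, and check_scope resolves $XSAPPNAME itself), while fake_checker, FAKE_XSAPPNAME and the FAKE_TOKENS table are constructed so the module runs offline.

```python
from typing import Callable, Mapping, Optional, Tuple


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token from an Authorization header, or None.

    Unlike a fixed [7:] slice this rejects a missing header, a non-Bearer
    scheme and an empty token, and tolerates case and extra whitespace.
    """
    value = None
    for name, header in headers.items():  # header names are case-insensitive
        if name.lower() == "authorization":
            value = header
            break
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token or None


# check_scope(token, scope) -> True/False, or None when the token is invalid.
ScopeChecker = Callable[[str, str], Optional[bool]]


def authorize(headers: Mapping[str, str], required_scope: str,
              check_scope: ScopeChecker) -> Tuple[int, str]:
    """Map the outcome to HTTP status codes: 401 for authentication problems,
    403 for a valid token that lacks the scope, 200 otherwise."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    result = check_scope(token, required_scope)
    if result is None:
        return 401, "invalid token"
    if not result:
        return 403, "forbidden"
    return 200, "Hello World"


def xssec_checker(uaa_credentials: dict) -> ScopeChecker:
    """Adapter around sap_xssec, the library used in the post. Imported lazily so
    the rest of this module runs without it. Assumption: create_security_context
    raises when the token is not a valid token of the bound XSUAA instance."""
    from sap import xssec

    def check(token: str, scope: str) -> Optional[bool]:
        try:
            ctx = xssec.create_security_context(token, uaa_credentials)
        except Exception:
            return None
        return bool(ctx.check_scope(scope))  # check_scope resolves $XSAPPNAME itself

    return check


# Constructed stand-in for offline use: token -> scopes XSUAA would have granted.
FAKE_XSAPPNAME = "myapp!t1234"  # constructed; XSUAA appends a tenant suffix
FAKE_TOKENS = {
    "tok-viewer": {"openid", FAKE_XSAPPNAME + ".Display"},  # user with the Viewer role
    "tok-anon": {"openid"},                                   # authenticated, no role
}


def fake_checker(token: str, scope: str) -> Optional[bool]:
    granted = FAKE_TOKENS.get(token)
    if granted is None:
        return None
    return scope.replace("$XSAPPNAME", FAKE_XSAPPNAME) in granted


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer tok-anon"}, {"Authorization": "Bearer tok-viewer"}):
        print(hdrs, "->", authorize(hdrs, "$XSAPPNAME.Display", fake_checker))
```

In a Flask handler you would pass request.headers and xssec_checker(uaa_service) and turn the returned status into abort(); checking "$XSAPPNAME.Display" rather than "openid" makes the backend enforce the same role the approuter route demands, so a caller that reaches myapp directly with a valid but role-less token is still refused.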
Push your app again via:
cf push
Calling the myapp application directly now returns 403 Forbidden, since no token is sent; through the approuter, which forwards the user's token, you still see Hello World.
Conclusion
This blog post shared how to leverage XSUAA service in SAP Cloud Platform to:
- define scopes and add the scope checks to your services
- define roles and assign them to users
Moreover, this blog post showed how to protect backend services from being called directly from outside.
With this part, all the parts of the topic Develop Python App with Authentication and Authorization in Cloud Foundry have been shared.
If you would like more step-by-step hands-on guides for SAP Cloud Platform on Alibaba Cloud, please follow me!