0

Within Cumulocity (hosted) we have our own application with plugins written using AngularJS.

From this application we want to send a request to a microservice that we have running as well.

However, the microservice asks for authorization information when sending a GET request. (How) Can we overcome this?

The reason we have decided to do it like this is so that we do not have to expose critical information.

Thanks

2 Answers

0

All microservice invocations require authentication with a valid user in the tenant.

If you really want to expose something without authentication, you can create a dummy user with no other permissions in the tenant and hardcode the credentials of that user in your AngularJS code. However, this is a risk for you, as it makes it easy for malicious users to bombard your tenant with potentially charged API requests (depending on your service provider pricing model).

If the information that you want to expose is not dynamic (maybe tenant configuration or so), you could upload such information as part of a web application. E.g., you upload a "config" application with a single file "config.json" and load that from your AngularJS application using the URL /apps/config/config.json. Not sure if that is your case.

André
  • Cumulocity is our hosting partner :) The microservice was suggested as a 'middleman' between our application and an external microservice that we need to authorise against as well. We don't want to expose that information though. Would the config.json hide the information from 'prying eyes' or is the risk just as big? – marceltrapman Feb 15 '19 at 12:16
  • That's certainly a valid architecture, but I do not know your use case: why do you want to not have authentication on the microservice? For example, when Cumulocity talks to third party connectivity providers, it will authenticate the logged in user and check if they may use the microservice, and then call the third party service with the credentials of the third party service. – André Feb 15 '19 at 14:11
  • If there were a way to retrieve the user/password information of the user from within the application, the login to the microservice could be made transparent. As far as I understand this is not possible. Another option would be to retrieve the sessionid and check it both in the application and the microservice (which is an application). – marceltrapman Feb 15 '19 at 14:25
  • It is a standard pattern that microservices manage credentials for external services. How and where to best store these credentials largely depends on your use case and the granularity you are planning. – l2p Feb 18 '19 at 09:57
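
The middleman pattern discussed in the comments above (the platform authenticates the caller, the microservice then calls the third party with credentials only it holds), sketched as an added example that is not part of the original answers and is not Cumulocity code. All function names, the config fields, and the use of HTTP Basic auth toward the third party are assumptions for illustration.

```javascript
// Added example; every name here is hypothetical, none is a Cumulocity API.
const RESPONSE_HEADER_ALLOWLIST = ['content-type', 'cache-control'];

function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Decide whether to call the third party, and with which credentials.
// Returns { reject: response } or { request: { url, headers } }.
function planUpstreamCall(incoming, config) {
  const headers = lowerCaseKeys(incoming.headers);
  // The platform authenticates callers before they reach the service;
  // fail closed anyway if no credentials arrived.
  if (!headers.authorization) {
    return { reject: { status: 401, headers: {}, body: 'authentication required' } };
  }
  // Exact-match allowlist: the browser never chooses an arbitrary upstream URL.
  if (!config.allowedPaths.includes(incoming.path)) {
    return { reject: { status: 404, headers: {}, body: 'unknown resource' } };
  }
  // The caller's Authorization header is not forwarded; the third party only
  // ever sees the service's own credential, held server-side.
  const basic = Buffer.from(`${config.user}:${config.password}`).toString('base64');
  return {
    request: {
      url: new URL(incoming.path, config.baseUrl).toString(),
      headers: { authorization: `Basic ${basic}`, accept: 'application/json' },
    },
  };
}

// Pass back only status, body and allowlisted headers, so upstream cookies
// or auth challenges never reach the browser.
function sanitizeUpstreamResponse(upstream) {
  const upstreamHeaders = lowerCaseKeys(upstream.headers);
  const headers = {};
  for (const name of RESPONSE_HEADER_ALLOWLIST) {
    if (name in upstreamHeaders) headers[name] = upstreamHeaders[name];
  }
  return { status: upstream.status, headers, body: upstream.body };
}

// callUpstream is injected (for example a thin wrapper around fetch).
async function handleProxyRequest(incoming, config, callUpstream) {
  const plan = planUpstreamCall(incoming, config);
  if (plan.reject) return plan.reject;
  return sanitizeUpstreamResponse(await callUpstream(plan.request));
}
```

With this split the AngularJS code only sends the logged-in user's normal platform credentials, and the third-party secret stays in the microservice's configuration.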
0

All requests to Cumulocity including those to microservices must be authenticated fully. There is no way to access a microservice without valid credentials.

The platform needs this information to determine if the user and tenant have sufficient access rights to perform the requested action. Even if your microservice does not require special permissions to access, Cumulocity will at least need to check if the originating tenant is allowed to use the microservice.

l2p
  • I understand. I had hoped that the microservice would be aware of that information but I guess that there is more separation going on than I had hoped for. – marceltrapman Feb 15 '19 at 12:18