Protect example service


This section describes how to restrict access to authenticated users only, and how to protect APIs using authorization policies.

To authenticate a user, open your browser and navigate to http://localhost:4000

Finntech app

What you see is a Single Page App that serves as the frontend for the example service; it allows a user to authenticate, list transactions and dispute a charge.

Click Login with Cloudentity; you will be redirected to the Cloudentity™ Login Page, where you need to authenticate.

Once you provide your credentials and click Login, you need to authorize Finn Tech App to access your basic profile data.

Finntech consent

Click Authorize and you will be redirected back to Finn Tech App.

NOTE: The organization in the URL, as well as the username, will be different in your case.

You will see the following screen. Note that the call to get transactions failed with a Not Found error, which means the call was rejected by MicroPerimeter™ Edge Gateway.

Finntech list not found

Let’s go back to the MicroPerimeter™ Dashboard http://localhost:8000/dashboard -> Edge Gateway -> API & Protection.

Find the GET /transactions/list endpoint and change Public access to Authenticated.

Edge GW list transactions

Go back to Finn Tech App and refresh the page; you should see the following screen.

Finntech success transaction

Let’s now apply some authorization policies.

You can find a list of predefined authorization policies in the Access policies tab.

Edge GW policies

Go to the MicroPerimeter™ Dashboard http://localhost:8000/dashboard -> Edge Gateway -> API & Protection.

Find the PUT /transactions/{id}/dispute endpoint, change Public access to Authenticated and set DISPUTE_CHARGE_WITH_INVALID_SCOPE as the Access Policy.

Dispute with invalid scope

Go back to Finn Tech App, refresh the page and click the dispute charge button.

Dispute fail

The call has been rejected: the access token issued for the user doesn’t include the (invalid) scope that the policy requires.

Let’s change the policy DISPUTE_CHARGE_WITH_INVALID_SCOPE to DISPUTE_CHARGE_WITH_SCOPE.

This time you should be able to dispute the charge: DISPUTE_CHARGE_WITH_SCOPE checks for the profile scope, which the user has.

Now let’s move on to a more advanced scenario.

To showcase Cloudentity’s MFA (Multi-Factor Authentication) capabilities, we’ll require the user to re-enter their password when trying to dispute the charge.

To do this, change the policy DISPUTE_CHARGE_WITH_SCOPE to DISPUTE_CHARGE_WITH_MFA.

This policy checks whether the user re-entered their password within the last minute.
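To make the three policies concrete, here is an added example of a small gateway-side policy evaluator, modelled on the scope checks above and the MFA freshness check described here. It is not Cloudentity’s policy engine: the claim names it reads (scope, amr, auth_time from OpenID Connect) and the placeholder scope name used for the invalid-scope policy are assumptions, and the token is a constructed sample.

```python
import time

# Added example, not Cloudentity's code. Models the three access policies named
# in this tutorial as functions over the decoded claims of an access token.
# Assumptions: scopes are space-separated in a "scope" claim (RFC 6749),
# the authentication method list is in "amr" and its timestamp in "auth_time"
# (OpenID Connect). Which claims the real policies consult is not on the page.

MFA_MAX_AGE_SECONDS = 60  # "re-entered their password within the last minute"
# Placeholder: the page does not say which scope the invalid-scope policy requires,
# only that the user's token never carries it.
PLACEHOLDER_INVALID_SCOPE = "placeholder-scope-never-granted"


def token_scopes(claims):
    """Scopes granted in the token, as a set."""
    return set(claims.get("scope", "").split())


def policy_dispute_with_invalid_scope(claims, now):
    # Requires a scope the user never receives, so this always rejects.
    return PLACEHOLDER_INVALID_SCOPE in token_scopes(claims)


def policy_dispute_with_scope(claims, now):
    # The tutorial says this policy checks for the profile scope.
    return "profile" in token_scopes(claims)


def policy_dispute_with_mfa(claims, now):
    # Allow only if a password authentication is recorded and is at most a minute old.
    if "pwd" not in claims.get("amr", []):
        return False
    return now - claims.get("auth_time", 0) <= MFA_MAX_AGE_SECONDS


POLICIES = {
    "DISPUTE_CHARGE_WITH_INVALID_SCOPE": policy_dispute_with_invalid_scope,
    "DISPUTE_CHARGE_WITH_SCOPE": policy_dispute_with_scope,
    "DISPUTE_CHARGE_WITH_MFA": policy_dispute_with_mfa,
}


def authorize(policy, claims, now=None):
    """
    Decide a request against an Authenticated endpoint with an optional policy.
    claims is None when no valid access token was presented.
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    if claims is None:
        return False, "no access token"
    if policy is None:
        return True, "authenticated, no policy"
    if policy not in POLICIES:
        return False, "unknown policy %s" % policy
    ok = POLICIES[policy](claims, now)
    return ok, "%s %s" % (policy, "passed" if ok else "failed")


def demo():
    """Run the tutorial's steps against a constructed token; returns name -> allowed."""
    now = 1_700_000_000
    # Constructed token: consented to basic profile, password login an hour ago.
    token = {"sub": "alice", "scope": "openid profile", "amr": ["pwd"], "auth_time": now - 3600}
    fresh = dict(token, auth_time=now - 10)  # after the password re-entry popup
    return {
        "anonymous": authorize(None, None, now)[0],
        "authenticated_only": authorize(None, token, now)[0],
        "invalid_scope": authorize("DISPUTE_CHARGE_WITH_INVALID_SCOPE", token, now)[0],
        "scope": authorize("DISPUTE_CHARGE_WITH_SCOPE", token, now)[0],
        "mfa_stale": authorize("DISPUTE_CHARGE_WITH_MFA", token, now)[0],
        "mfa_fresh": authorize("DISPUTE_CHARGE_WITH_MFA", fresh, now)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-20s %s" % (name, "allowed" if allowed else "rejected"))
```

The point the evaluator makes is that the MFA policy is a freshness check on the token, not a separate credential: the same user with the same scopes is rejected until the recorded password authentication is recent enough, which is exactly why the app has to prompt for the password again.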

Try to dispute the charge again.

Dispute with mfa

As you can see, you are prompted to provide your password.

Enter your password in the popup.

Dispute with mfa success

Success!