Protect example service

This section describes how to restrict access to authenticated users only, and then how to protect individual APIs with authorization policies.

To authenticate a user, open your browser and navigate to http://localhost:4000.

Finntech app

What you see is a Single Page App that serves as the frontend for the example service. It lets a user authenticate, list transactions and dispute a charge.

Click Login. You will be redirected to the Cloudentity™ Login Page, where you need to authenticate.

Once you provide your credentials and click Login, you need to authorize the Finn Tech App to access your basic profile data.

Finntech consent

Click Authorize and you will be redirected back to the Finn Tech App.

NOTE: The organization in the URL, as well as the username, will be different in your case.

You will get the following screen. You can see all transactions because, in the previous step of the tutorial, GET /transactions/list was set to Authenticated.

Finntech success transaction

Let’s now apply some authorization policies.

You can find a list of predefined authorization policies in the Access policies tab.

Edge GW policies

Go to the MicroPerimeter™ Dashboard at http://localhost:8000/dashboard -> Edge Gateway -> API & Protection.

Find the PUT /transactions/{id}/dispute endpoint, change its access from Public to Authenticated, and set DISPUTE_CHARGE_WITH_INVALID_SCOPE as the Access Policy.

Dispute with invalid scope

Go back to the Finn Tech App, refresh the page and click the dispute charge button.

Dispute fail

The call is rejected: the policy requires a scope that the access token issued to the user does not contain.

Let's change the policy from DISPUTE_CHARGE_WITH_INVALID_SCOPE to DISPUTE_CHARGE_WITH_SCOPE.

This time you should be able to dispute the charge. DISPUTE_CHARGE_WITH_SCOPE checks for the profile scope, which the user granted on the consent screen, so the access token contains it.

Now let’s move on to a more advanced scenario.

To showcase Cloudentity's MFA (Multi-Factor Authentication) capabilities, we'll require the user to re-enter their password when trying to dispute the charge.

To do this, change the policy from DISPUTE_CHARGE_WITH_SCOPE to DISPUTE_CHARGE_WITH_MFA.

This policy checks whether the user re-entered their password within the last minute; if not, the gateway prompts for it before letting the request through.
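To make the three access levels used in this tutorial concrete (Authenticated, a scope check, and a recent-password check), here is an added example that models them as policy functions evaluated against the claims of an access token. This is illustrative code written for this page, not Cloudentity's or MicroPerimeter's implementation: the claim names, the scope that DISPUTE_CHARGE_WITH_INVALID_SCOPE looks for (called dispute:write here), and the sample token are all assumptions and constructed values. What the page does state is that DISPUTE_CHARGE_WITH_SCOPE requires the profile scope and DISPUTE_CHARGE_WITH_MFA requires a password entered within the last minute.

```python
"""Illustrative policy evaluation for the tutorial's access levels (added example).

Assumptions (not from the page):
- the access token is already validated (signature, issuer) and its claims are
  available as a dict;
- scopes are a space-separated string in the "scope" claim, as in RFC 6749
  token responses;
- the time of the user's last password entry is carried in a hypothetical
  "password_auth_time" claim (epoch seconds).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


Claims = Optional[Dict[str, object]]


def require_authenticated(claims: Claims, now: float) -> Decision:
    """Access level 'Authenticated': a non-expired token must be present."""
    if claims is None:
        return Decision(False, "no access token")
    exp = claims.get("exp", 0)
    if not isinstance(exp, (int, float)) or exp <= now:
        return Decision(False, "token expired")
    return Decision(True, "authenticated")


def require_scope(claims: Claims, now: float, scope: str) -> Decision:
    """Scope policy: the token must be valid and carry the named scope."""
    auth = require_authenticated(claims, now)
    if not auth.allowed:
        return auth
    granted = set(str(claims.get("scope", "")).split())
    if scope not in granted:
        return Decision(False, f"missing scope {scope!r}; token has {sorted(granted)}")
    return Decision(True, f"scope {scope!r} present")


def require_recent_password(claims: Claims, now: float, max_age_s: int = 60) -> Decision:
    """Step-up policy: the password must have been entered within max_age_s seconds."""
    auth = require_authenticated(claims, now)
    if not auth.allowed:
        return auth
    last = claims.get("password_auth_time")  # assumed claim name
    if not isinstance(last, (int, float)):
        return Decision(False, "no password re-authentication recorded; prompt for password")
    age = now - last
    if age > max_age_s:
        return Decision(False, f"password entered {age:.0f}s ago, limit is {max_age_s}s; prompt for password")
    return Decision(True, f"password entered {age:.0f}s ago")


# Policy names from the tutorial; the scope behind the INVALID_SCOPE policy is assumed.
POLICIES: Dict[str, Callable[[Claims, float], Decision]] = {
    "DISPUTE_CHARGE_WITH_INVALID_SCOPE": lambda c, now: require_scope(c, now, "dispute:write"),
    "DISPUTE_CHARGE_WITH_SCOPE": lambda c, now: require_scope(c, now, "profile"),
    "DISPUTE_CHARGE_WITH_MFA": lambda c, now: require_recent_password(c, now, 60),
}


def evaluate(policy_name: str, claims: Claims, now: float) -> Decision:
    """Evaluate a named policy for PUT /transactions/{id}/dispute; unknown policies fail closed."""
    policy = POLICIES.get(policy_name)
    if policy is None:
        return Decision(False, f"unknown policy {policy_name!r}")
    return policy(claims, now)


# Constructed sample: a token issued after the consent screen granted basic
# profile data, with the password last entered 200 seconds ago.
NOW = 1_700_000_000
USER_TOKEN: Dict[str, object] = {
    "sub": "user@example.test",
    "scope": "openid profile",
    "exp": NOW + 3600,
    "password_auth_time": NOW - 200,
}

if __name__ == "__main__":
    for name in POLICIES:
        d = evaluate(name, USER_TOKEN, NOW)
        print(f"{name:36} allowed={d.allowed!s:5} ({d.reason})")
    fresh = dict(USER_TOKEN, password_auth_time=NOW - 10)
    d = evaluate("DISPUTE_CHARGE_WITH_MFA", fresh, NOW)
    print(f"{'DISPUTE_CHARGE_WITH_MFA (after prompt)':36} allowed={d.allowed!s:5} ({d.reason})")
```

Run as a script, the sample token fails the INVALID_SCOPE policy, passes the SCOPE policy, fails MFA because the password is 200 seconds old, and passes MFA once the password was entered 10 seconds ago, which mirrors the sequence of screens in this section. Note that every policy builds on require_authenticated, so an expired or absent token is rejected before any scope or freshness check runs.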

Try to dispute the charge again.

Dispute with mfa

As you can see, you are prompted to provide your password, because the last password entry was more than a minute ago.

Enter your password in the popup.

Success!

Dispute with mfa success