Protect example service
This section describes how to restrict access to the example service to authenticated users only, and then how to protect its APIs with authorization policies.
To authenticate a user, open your browser and navigate to http://localhost:4000
What you see is a Single Page App (the Finn Tech App), a frontend for the example service that lets a user authenticate, list transactions and dispute a charge.
Click Login with Cloudentity. You will be redirected to the Cloudentity™ Login Page, where you need to authenticate.
Once you provide your credentials and click Login, you need to authorize the Finn Tech App to access your basic profile data.
Click Authorize and you will be redirected back to the Finn Tech App.
NOTE: The organization in the URL, as well as the username, will be different in your case.
You will get the following screen. Note that the call to get transactions failed with a Not Found error, which means the call was rejected by the MicroPerimeter™ Edge Gateway. The gateway reports a rejected call as Not Found rather than 401/403, so an unauthenticated caller cannot tell that the endpoint exists.
Let's go back to the MicroPerimeter™ Dashboard at http://localhost:8000/dashboard -> Edge Gateway -> API & Protection.
Find the GET /transactions/list endpoint and change its access from Public to Authenticated.
Go back to the Finn Tech App and refresh the page. The transactions call now succeeds and you should see the following screen.
Let's now apply some authorization policies.
You can find the list of predefined authorization policies in the Access policies tab.
Go to the MicroPerimeter™ Dashboard at http://localhost:8000/dashboard -> Edge Gateway -> API & Protection.
Find the PUT /transactions/{id}/dispute endpoint, change its access from Public to Authenticated, and set DISPUTE_CHARGE_WITH_INVALID_SCOPE as its Access Policy.
Go back to the Finn Tech App, refresh the page and click the dispute charge button.
The call is rejected: the policy requires a scope that the access token issued for the user does not include, so a valid token alone is not enough to pass it.
Now change the policy from DISPUTE_CHARGE_WITH_INVALID_SCOPE to DISPUTE_CHARGE_WITH_SCOPE.
This time you should be able to dispute the charge. DISPUTE_CHARGE_WITH_SCOPE checks for the profile scope, which the user granted on the consent screen and which is therefore present in the token.
Now let's move on to a more advanced scenario.
To showcase Cloudentity's MFA (Multi-Factor Authentication) capabilities, we'll require the user to re-enter their password when trying to dispute a charge (a step-up check on a sensitive operation).
To do this, change the policy from DISPUTE_CHARGE_WITH_SCOPE to DISPUTE_CHARGE_WITH_MFA.
This policy checks whether the user re-entered their password within the last minute; a token that is otherwise valid is not sufficient once that window has passed.
Try to dispute the charge again.
As you can see, you are prompted to provide your password.
Enter your password in the popup.
Success! The dispute goes through because the password re-entry is now within the policy's one-minute window.
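To make the three policy outcomes above concrete, here is an added Python model of the decisions the gateway makes at each step of this walkthrough. It is illustration code written for this page, not Cloudentity or MicroPerimeter code: the real Edge Gateway evaluates the policies you selected in the dashboard, whereas this script models the same access level (Public/Authenticated) plus policy as plain functions over the user's access token claims. The claim names (`scope`, `pwd_auth_time`), the placeholder scope name in the "invalid scope" policy and the sample token are assumptions constructed for the example; the 60-second window is the one the text states for DISPUTE_CHARGE_WITH_MFA.

```python
"""Toy model of the per-endpoint access checks configured in this tutorial.

Added illustration, not Cloudentity/MicroPerimeter code. Claim names and the
sample token are constructed assumptions; the 60 s MFA window is from the text.
"""
import time

MFA_WINDOW_SECONDS = 60  # "re-entered their password within the last minute"


def has_scope(claims, required):
    """OAuth `scope` is a space-separated string; match a whole entry only."""
    return required in claims.get("scope", "").split()


def dispute_charge_with_invalid_scope(claims, now=None):
    """Demands a scope the authorization server never issues, so it always denies."""
    return has_scope(claims, "dispute:invalid")  # assumed placeholder scope name


def dispute_charge_with_scope(claims, now=None):
    """Allow when the token carries the `profile` scope the user consented to."""
    return has_scope(claims, "profile")


def dispute_charge_with_mfa(claims, now=None):
    """Step-up check: password re-entered within the last minute.

    `pwd_auth_time` (assumed claim) is the epoch second of the last password
    prompt. A missing or future-dated value is rejected, not treated as fresh.
    """
    now = time.time() if now is None else now
    last = claims.get("pwd_auth_time")
    if not isinstance(last, (int, float)):
        return False
    age = now - last
    return 0 <= age <= MFA_WINDOW_SECONDS


POLICIES = {
    "DISPUTE_CHARGE_WITH_INVALID_SCOPE": dispute_charge_with_invalid_scope,
    "DISPUTE_CHARGE_WITH_SCOPE": dispute_charge_with_scope,
    "DISPUTE_CHARGE_WITH_MFA": dispute_charge_with_mfa,
}


def authorize(endpoint, claims, now=None):
    """Mirror an endpoint's dashboard settings. Returns (allowed, reason).

    `endpoint` is {"access": "Public" | "Authenticated", "policy": name or None};
    `claims` is None for a request without a valid token. The tutorial's gateway
    surfaces a rejection as Not Found, hiding the endpoint from anonymous callers.
    """
    if endpoint["access"] == "Public":
        return True, "public endpoint"
    if claims is None:
        return False, "no valid token"
    policy = endpoint.get("policy")
    if policy is None:
        return True, "authenticated, no policy"
    check = POLICIES.get(policy)
    if check is None:
        return False, f"unknown policy {policy}"  # fail closed on misconfiguration
    if check(claims, now):
        return True, f"allowed by {policy}"
    return False, f"denied by {policy}"


# Constructed sample claims for the tutorial's user: consented to `profile`
# only, and last typed a password five minutes before NOW.
NOW = 1_700_000_000
USER_CLAIMS = {"sub": "user@example", "scope": "openid profile", "pwd_auth_time": NOW - 300}


def walkthrough():
    """Replay the tutorial's sequence of settings; returns {step: allowed}."""
    auth = "Authenticated"
    steps = {
        "public, no token": ({"access": "Public", "policy": None}, None),
        "authenticated, no token": ({"access": auth, "policy": None}, None),
        "invalid-scope policy": ({"access": auth, "policy": "DISPUTE_CHARGE_WITH_INVALID_SCOPE"}, USER_CLAIMS),
        "scope policy": ({"access": auth, "policy": "DISPUTE_CHARGE_WITH_SCOPE"}, USER_CLAIMS),
        "mfa policy, stale password": ({"access": auth, "policy": "DISPUTE_CHARGE_WITH_MFA"}, USER_CLAIMS),
        "mfa policy, fresh password": ({"access": auth, "policy": "DISPUTE_CHARGE_WITH_MFA"},
                                       {**USER_CLAIMS, "pwd_auth_time": NOW - 20}),
    }
    return {name: authorize(cfg, claims, now=NOW)[0] for name, (cfg, claims) in steps.items()}


if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {step}")
```

The two design points worth carrying into a real policy are visible in `dispute_charge_with_mfa` and `authorize`: freshness is checked against an absolute timestamp with an upper and lower bound (so a clock skew or a forged future value does not count as "recent"), and an unknown or missing policy denies rather than falls through to "authenticated is enough".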