8. Azure AD Authorization Endpoint Azure AD Token Endpoint Arda APIs
Request authorization code
Sign-in via browser
Return authorization code
Get authorization code and require (via POST) access token for Arda API resource
Return access token and refresh token
Return Http Response
Call Arda API using the access token (inside header)
https://login.microsoftonline.com/common/oauth2/authorize https://login.microsoftonline.com/common/oauth2/token
Layer1:LoginLayer2:APIaccessAPIS PROTECTION FLOW USING
AZURE AD
Arda App (browser)
9. HOW WE DELIVER
Git Repositories
Arda
Arda.Main
Arda.Intelligence
Arda.Crowler
Build & Deploy
Web Apps
ACS (on going)
Release Management
Web Apps
ACS (on going)
11. CONCLUSIONS
We’ve tested Web Apps, Docker Host and ACS. I intent to try Service Fabric as well
Azure Web App is robust and make microservices environment management easy
Azure is a great platform to deliver microservices-based applications
Azure AD is an excelent option in order to provide security in different levels
Microservices can be a good architectural choice if:
Application must scale in separatedly way
Application is big and complex and break it will make things better
Company has a senior development team
Company has a mature DevOps process implemented
You would like to have a cross-technologies application (optional)
In other cases, monolithic layered architecture continues being a good option
After release 1.0, ASP.NET Core is recommended to production development
SQL Azure is strongly recommended to work with microservices
Microsoft deliver one great solution for DevOps (VSTS) but presents some limitations
Arda is a free management tool designed to help managers have some insights about workloads and time offenders for its teams.
We developed the first version specifically to Microsoft but with some small adjustments can be used for any time of companies and teams. Soon as possible we intend share the solution through Microsoft’s GitHub.
As we will see, Arda is fully developed with Microsoft’s technologies stack, is 100% microservices-based and fully hosted on Azure.
So... Let’s get started with Arda.
Link to production environment: https://ardaapp.azurewebsites.net.
This is the current architecture in which system run today:
Using browser the user access Arda. Every user final request is happen in “ardaapp” Web App
When the sign in process is requested, “ardaapp” goes to Azure AD and request the authorization for this user. If ok (user exists) Azure AD return the requested informations, Arda store this informations in a cookie and create an entry in Redis Cache
Each microservice can store data in it own Azure SQL Database in a 100% isonomic process
Each microservice can consume and share informations with any other
All this structure is managed for the the same Resource Group (Arda)
This is another option to deliver Arda microservices on Azure: using Docker containers
We have almost the same environment. The difference here is: we have a Virtual Machine running Ubuntu that acts how Docker Host. The Docker containers that run Arda microservices are hosted in this VM.
The request continues get in “ardaapp”. This microservice “ardaapp” direct their calls to public ports in Docker Host VM. Docker Engine convert this public ports to internal ports (NAT) and then the microservice can answer
We are trying this approach, making the first tests.
Next tests will be: ACS and Service Fabric
The Azure AD protection happens in two different moments:
1. When user request “sign in”
Arda application send a request for one “authorization code” to Azure AD. Azure AD verify if caller user exists. If “yes” the authorization code is returned to Arda. Arda store this authentication code in one cookie and creates a “session” with this information on Azure Redis Cache.
2. When an API needs to consume data from another API
Arda APIs are protected by Azure AD. This means that when a microservice need consume some information provided by other, the caller service must validate with AD if the caller have permissions to execute that access and if access is happening in a write way (the audience information is correct). What happens follow:
Caller service read cookie in order to get “authentication code”
Caller service request (doing a POST to AD Token Endpoint) for an “access token”. AD Token Endpoint consult related AD application to know what can be accessed by another service
Caller service get the returned “access token”
Caller service call target service sending “access token” on header. Target service validate information provided by “access token” and, if is everything ok, returns content requested. If not, return a 401 error (unauthorized)
This flow guarantee security on APIs access.