README
This application demonstrates the use of Google Cloud to provide authentication and authorization checks for API access.
There are three pieces of Google Cloud participating in this solution:
- Identity Platform (Google Cloud Identity Platform or GCIP) for Authentication
- Apigee for API Management
- Cloud Run, hosting Open Policy Agent (OPA), for authorization decisions.
Descriptions for the other tabs in the UI follow.
The OPA tab
... allows you to connect to the OPA service, to read configuration, to read data provisioned to OPA, to modify that data with one of several pre-canned configurations, and to execute authorization checks.
There is a data file, as well as a policy file. The data describes the mapping of users or domains to roles ("user X has role Y"), and the mapping of roles to permissions ("role Y has permissions A, B, and C"). The policy file evaluates the authorization policy using that data.
This tab uses the OPA REST API to perform these tasks. Though the OPA REST API permits arbitrary updates to the OPA configuration, this page permits only updates to the permissions data, and only to one of three pre-canned settings. That restriction is enforced by an Apigee API Proxy placed in front of OPA.
The API Tab
...allows you to authenticate against GCIP, then obtain an access token from Apigee, then use the access token in requests for service. Apigee acts as an API gateway for those requests-for-service. When handling each request, Apigee connects to OPA to check the authorization of the inbound request.
To authenticate, you can select Google Sign-in, sign-in via Okta, or simple email/password authentication. This is all coordinated by GCIP. GCIP also supports other sign-in options, via any SAML or OpenID Connect identity provider.
The available sample credentials are:
- Under the Google authentication option, you can use any Google account to sign in. A Gmail account works, but any account registered with Google will also work. Because this app is published for testing only, you must contact the app author to request that your specific Google account be registered as a test user before you can sign in here with your own account.
  Currently registered accounts:
  - dchiesa001@gmail.com
  - dpchiesa@hotmail.com
- Under the Okta authentication option:

  | email | password |
  |---|---|
  | areddy@example.com | HappyJoy1! |
  | arjunaz@example.com | HappyJoy1! |

- Under the email/pw authentication option:

  | email | password |
  |---|---|
  | santosh@fake-company.com | Secret123! |
  | vishal@fake-partner.com | Secret123! |
  | person@investigators.com | HappyJoy1! |
When you authenticate, you will be granted different authorization for the APIs, according to the data and policy configured in OPA, based either on the email address of the authenticated user or on the domain of that email address.
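The following is an added example, not code from this project, that illustrates two things the README describes: the shape of the OPA data (users and domains mapped to roles, roles mapped to permissions) together with a deny-by-default decision that grants roles by exact email address or by email domain, and the OPA Data API calls the OPA tab uses (PUT /v1/data/<path> to replace a document, POST /v1/data/<package>/allow with an input document to get a decision). The decision logic here is a plain-Python stand-in for the project's Rego policy, not the policy itself. The data keys (users, domains, roles), the input fields (email, permission), the package path, the preset names and the localhost OPA URL are all assumptions; the identities and permissions in the sample data are constructed.

```python
import json
import urllib.request

# Constructed sample data in the shape the README describes. Identities,
# roles and permission names are placeholders, not the project's data.
SAMPLE_DATA = {
    "users": {
        "alice@example.com": ["admin"],
    },
    "domains": {
        "fake-partner.com": ["partner"],
        "investigators.com": ["auditor"],
    },
    "roles": {
        "admin": ["orders:read", "orders:write", "users:manage"],
        "partner": ["orders:read"],
        "auditor": ["orders:read", "audit:read"],
    },
}

# Constructed stand-in for the "pre-canned settings": the only documents a
# caller may install, mirroring the allow-list the Apigee proxy enforces.
PRESETS = {
    "default": SAMPLE_DATA,
    "partners-locked-out": {
        "users": SAMPLE_DATA["users"],
        "domains": {"investigators.com": ["auditor"]},
        "roles": SAMPLE_DATA["roles"],
    },
}

# Assumed local OPA endpoint; in the demo, Apigee sits in front of OPA instead.
OPA_URL = "http://localhost:8181"


def email_domain(email):
    """Domain part of an email address, lowercased; None if it is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def roles_for(email, data):
    """Roles held by an identity: the union of roles assigned to the exact
    (case-folded) email address and roles assigned to the email's domain."""
    if not isinstance(email, str):
        return set()
    roles = set(data["users"].get(email.lower(), []))
    domain = email_domain(email)
    if domain:
        roles.update(data["domains"].get(domain, []))
    return roles


def allow(email, permission, data=SAMPLE_DATA):
    """Deny-by-default decision: True only when some role held by the
    identity carries the requested permission."""
    if not email or not permission:
        return False
    return any(
        permission in data["roles"].get(role, []) for role in roles_for(email, data)
    )


def choose_preset(name):
    """Resolve a caller-supplied preset name against the allow-list; anything
    else is rejected rather than accepted as an arbitrary document."""
    if name not in PRESETS:
        raise ValueError(f"unknown preset {name!r}; allowed: {sorted(PRESETS)}")
    return PRESETS[name]


def data_update_request(path, document, base_url=OPA_URL):
    """Build the OPA Data API call that replaces the document at `path`:
    PUT /v1/data/<path> with the JSON document as the body (not sent here)."""
    return urllib.request.Request(
        f"{base_url}/v1/data/{path}",
        data=json.dumps(document).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )


def decision_request(package_path, email, permission, base_url=OPA_URL):
    """Build the OPA query for a decision: POST /v1/data/<package>/allow with
    {"input": ...}; OPA answers with {"result": true|false} (not sent here)."""
    body = {"input": {"email": email, "permission": permission}}
    return urllib.request.Request(
        f"{base_url}/v1/data/{package_path}/allow",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )


if __name__ == "__main__":
    for who, perm in [("alice@example.com", "users:manage"),
                      ("bob@fake-partner.com", "orders:read"),
                      ("bob@fake-partner.com", "orders:write")]:
        print(who, perm, "->", allow(who, perm))
```

Note that the domain lookup is only as trustworthy as the email claim it reads: in the demo the email comes from a GCIP-issued identity that Apigee has already verified, so the policy can rely on it, whereas a self-asserted email in the request body would let anyone pick their own domain.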