This article discusses how to authenticate to Infosys Equinox at the Orchestration and Microservice levels.

Overview

Authentication and authorization happen in several different ways in Infosys Equinox:

  • The core underlying mechanism is always a JSON Web Token (JWT), which carries both authentication (who the caller is) and authorization (what the caller may do).
  • At the Orchestration layer the client logs in and is issued a session token; the orchestration links that session to the JWT used at the microservice layer.
    • In the current platform there are three (3) role-based tokens (Super Admin, Business Admin, End User). Infosys Equinox is moving to fine-grained CRUD (Create, Read, Update, and Delete) level permissions in future platform release increments.
  • At the Microservice layer a JWT is always required, and it effectively serves as the authorization: the claims in the token control which resources you can access.
  • API Keys
    • API keys are needed to pass the web application firewall (WAF) filters and reach the actual endpoints.
    • When an implementation uses an Infosys Equinox frontend, API keys are not required because that frontend sits within the Equinox firewall.
    • When an implementation is headless or integrated with a non-Infosys Equinox frontend, API keys are needed to access the endpoints.

Two (2) Primary Deployment Models for Orchestration

Cloud Deployment

  • Cloud deployment of Storefront (SF) Orchestration and Microservices
  • API keys are not needed for access to Orchestration
  • API keys are not needed for access to Microservices

Local (Outside) Deployment

  • Local deployment of Storefront Orchestration (SFO)
  • API keys are not needed to access orchestration
  • API keys are needed for access to microservices endpoints

Interacting with Orchestration Endpoints and Microservices

  • Almost any call from outside a deployed instance needs an x-api-key header that matches the key configured on the WAF protecting the endpoints being called.
  • Interacting with Orchestration:
    • Unlike the underlying microservices, the orchestration keeps a stateful session
    • You must log in to obtain the session
    • Both the session and the API key are needed to perform operations
  • Interacting with Microservices:
    • You need a JWT whose claims cover the resources you are going to manage
    • The JWT links the claims and the user to the microservices

Note: When the orchestration is deployed locally, the API key is still needed: the orchestration uses it when calling the cloud-hosted microservices, and the key is passed through on those requests.

Visual Example at Orchestration Level

Outside Deployment

  1. Login Call
  2. Authorization issues Session Id and JWT
  3. JWT is cached and Session is returned
  4. Session saved
  5. Session used to call SFO
  6. SFO retrieves JWT for call to cart

Note: All calls use api-key.
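The six steps above and the "Interacting with Orchestration" bullets describe one hand-off: the browser holds a session, the orchestration holds the JWT, and every hop carries the API key. The following Python simulation is an added example, not Infosys Equinox code or the Equinox SDK. It models the outside-deployment flow with in-memory objects; the x-session-id header, the method names, and the shape of the opaque token are assumptions, and only the x-api-key header name comes from the page.

```python
"""Simulated outside-deployment flow at the orchestration level (added example).

Not Equinox code: it models the six steps in the text with in-memory objects.
The x-session-id header, the method names, and the opaque token format are
assumptions; only the x-api-key header name comes from the page.
"""
import hmac
import secrets

# Constructed per-store API key; the WAF in front of every endpoint checks it.
WAF_API_KEY = "demo-store-api-key"


def waf_gate(headers):
    """Return None if x-api-key matches the WAF's key, else a (403, reason) response."""
    if not hmac.compare_digest(headers.get("x-api-key", ""), WAF_API_KEY):
        return 403, "x-api-key missing or invalid"
    return None


class AuthorizationService:
    """Validates credentials and issues an opaque JWT (a random string here;
    real tokens are signed). Remembers what it issued so the cart can check."""

    def __init__(self, users):
        self._users = users          # username -> (password, role); constructed
        self.issued = set()

    def login(self, username, password):
        entry = self._users.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        token = f"jwt.{username}.{entry[1]}.{secrets.token_hex(8)}"
        self.issued.add(token)
        return token


class CartMicroservice:
    """Stateless: trusts only a matching x-api-key plus a JWT Authorization issued."""

    def __init__(self, authz):
        self._authz = authz

    def get_cart(self, headers):
        if (err := waf_gate(headers)):
            return err
        bearer = headers.get("Authorization", "")
        token = bearer[len("Bearer "):] if bearer.startswith("Bearer ") else ""
        if token not in self._authz.issued:        # JWT validated with Authorization
            return 401, "JWT rejected"
        return 200, {"owner": token.split(".")[1], "items": []}


class StorefrontOrchestration:
    """Stateful: maps session id -> JWT; the browser never sees the JWT."""

    def __init__(self, authz, cart):
        self._authz, self._cart = authz, cart
        self._sessions = {}

    def login(self, headers, username, password):
        if (err := waf_gate(headers)):             # step 1: login call carries the api key
            return err
        token = self._authz.login(username, password)   # step 2: session + JWT issued
        if token is None:
            return 401, "bad credentials"
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = token          # step 3: JWT cached server-side...
        return 200, {"session": session_id}          # ...and the session returned

    def get_cart(self, headers):
        if (err := waf_gate(headers)):             # step 5: session call still needs the api key
            return err
        token = self._sessions.get(headers.get("x-session-id", ""))
        if token is None:
            return 401, "unknown session"
        downstream = {"x-api-key": headers["x-api-key"],     # api key passed through
                      "Authorization": f"Bearer {token}"}    # step 6: SFO retrieves the JWT
        return self._cart.get_cart(downstream)


def build_demo():
    """Wire the three components with one constructed End User account."""
    authz = AuthorizationService({"shopper": ("s3cret", "END_USER")})
    return StorefrontOrchestration(authz, CartMicroservice(authz))


if __name__ == "__main__":
    sfo = build_demo()
    print(sfo.login({}, "shopper", "s3cret"))                        # 403: no api key
    status, body = sfo.login({"x-api-key": WAF_API_KEY}, "shopper", "s3cret")
    hdrs = {"x-api-key": WAF_API_KEY, "x-session-id": body["session"]}  # step 4: session saved
    print(sfo.get_cart(hdrs))                                         # 200, cart for shopper
```

The point to notice is that a missing x-api-key fails before any session or token logic runs, and that the cart service never sees a session id: the only credential it accepts is the JWT the orchestration looked up on the caller's behalf.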

Cloud Deployment

Visual Example at Microservice Level

Outside Deployment

  1. Get Shared Secret and API key out of band
  2. Generate JWTs
  3. Call with API Key and JWTs
  4. Cart Microservice validates JWTs with Authorization

Logging in as an Orchestration User

Log in on the orchestrated user path, as the user would:

Using a JSON Web Token (JWT) to Access Microservices

Generate a JWT and use it:

  • Needed:
    • SDK (orchestration dependency in the POM)
    • API Gateway keys from the business admin associated with your store
    • Shared business secret keys from the business admin associated with your store
    • A JWT token generator and claims that match the system's expectation
  • There are two (2) documents describing the code samples:


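The four microservice-level steps (shared secret and API key out of band, generate the JWT, call with both, cart validates the JWT) and the "Generate a JWT and use it" checklist above describe the same exchange. The following Python block is an added example written for this page, not the Equinox SDK or its JWT generator, using only the standard library so it runs offline. The API key and shared secret are constructed stand-ins for the values the business admin hands over; the claim names (sub, roles, exp), the required role string, and the cart operation are assumptions about what the system expects, as are all header names other than x-api-key.

```python
"""Shared-secret JWT generation and validation at the microservice level.

Added example, not the Infosys Equinox SDK. The API key and shared secret are
constructed stand-ins for the out-of-band values; the claim names, the
required role, and the cart operation are assumptions about the system.
"""
import base64
import hashlib
import hmac
import json
import time

API_KEY = "demo-store-api-key"                   # constructed; obtained out of band (step 1)
SHARED_SECRET = b"demo-shared-business-secret"   # constructed; obtained out of band (step 1)
REQUIRED_ROLE = "cart:write"                     # assumed claim value the cart service wants


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def generate_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Step 2: build an HS256 JWT (header.payload.signature) over the claims."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Step 4: return the claims if the token is well-formed, signed with the
    shared secret and unexpired; raise ValueError otherwise. The algorithm is
    pinned to HS256 so a token advertising alg=none cannot skip the check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def forge_claims(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature: all an attacker without the
    shared secret can do, and exactly what verify_jwt must reject."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_claims)}.{sig_b64}"


def cart_update(headers: dict, cart_id: str, now=None):
    """The cart microservice's side of steps 3 and 4: WAF key first, then the
    JWT signature and expiry, then the claim that authorizes this operation."""
    if not hmac.compare_digest(headers.get("x-api-key", ""), API_KEY):
        return 403, "x-api-key rejected by WAF"
    bearer = headers.get("Authorization", "")
    if not bearer.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_jwt(bearer[len("Bearer "):], SHARED_SECRET, now)
    except ValueError as exc:          # covers bad base64, bad JSON, bad signature, expiry
        return 401, str(exc)
    if REQUIRED_ROLE not in claims.get("roles", []):
        return 403, "claims do not cover the cart resource"
    return 200, f"cart {cart_id} updated for {claims['sub']}"


def call_cart(token: str, cart_id: str, api_key: str = API_KEY, now=None):
    """Step 3: the caller sends the API key and the JWT on the same request."""
    headers = {"x-api-key": api_key, "Authorization": f"Bearer {token}"}
    return cart_update(headers, cart_id, now)


if __name__ == "__main__":
    issued = int(time.time())
    good = {"sub": "user42", "roles": ["cart:write"], "exp": issued + 300}
    token = generate_jwt(good)
    print(call_cart(token, "cart-1"))                                  # 200
    print(call_cart(forge_claims(token, dict(good, sub="admin")), "cart-1"))  # 401 bad signature
```

Two checks in cart_update are worth keeping in any real implementation: the API key is compared before the token is even parsed, so unkeyed traffic never reaches the JWT code, and the signature is verified before the claims are trusted, so a payload edited without the shared secret (the forge_claims case) is rejected even though its JSON looks valid.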
Revision History
2022-04-10 | JP – Fixed link and http issues.
2020-03-27 | JP – Minor edits.
2019-07-03 | PLK – Slides converted to native text and copyedited.
2019-06-21 | PLK – Content updated.
2019-06-09 | PLK – Content uploaded.
2019-06-03 | PLK – Page added.