I am wondering whether it is possible to implement a Cloud Foundry-hosted service that other CF applications can subscribe to, with the following requirements, and (more or less) within the existing CF facilities...
The context of the question is converting an existing CF Java-based application to a reusable service that can be deployed only once and reused by other (mutually unrelated) applications, instead of every application (or application set) having to incorporate a privately deployed instance of the service.
In a nutshell, subscribing applications should be able to store their data in the service, and interactive users to access this data. (An example of the data could be messages for a particular user, work items etc. sent by the subscribing applications, and the service is responsible for aggregating them on a per-user basis and displaying to a logged-on user the summary of data targeted at him.)
Thus, requirements would be:
1. CF-hosted applications should be able to dynamically subscribe to (and later unsubscribe from) the service.
2. Subscribing applications may either share or have different identity providers (IdPs) and UAA instances.
3. The service has two kinds of endpoints:
   - endpoints intended for app2service (REST etc.) calls by the subscribing applications
   - endpoints intended for interactive access by users registered in the IdPs of the subscribing applications
4. The service's interactive endpoints are (preferably) protected by scopes. It must be (preferably) possible for the service to export its scope definitions to the UAAs of the subscribing applications (or rather for subscribing applications/UAAs to import them at the time of design, deployment or subscription), and for the administrator of a given UAA to assign service-defined scopes to appropriate users registered through this UAA/IdP combo (i.e. the one associated with the subscribing application).
   4.1. At the barest minimum, interactive endpoints may be left unprotected by scopes, but they should require and trigger authentication (e.g. having "intercept-url access=isAuthenticated()" in their Spring Security descriptors). The servlet should be able to retrieve the JWT token and identify the user making the request.
5. There should be a way for the service to associate userid namespaces with subscription ids.
   Two different subscription contexts associated with two different IdPs may both have user "John", but these are two different Johns.
   So when user John arrives at an interactive endpoint of the service, the service needs to be able to figure out which IdP/subscription set (and hence data set) this John maps to.
   Or, conversely, when a subscribed app performs an app2service call, the service should be able to identify the subscription id of the caller, in an authenticated way, and then figure out which IdP it is associated with. Either way, it is essential that the subscription mechanism provides for the establishment of a mapping between a subscription id and the IdP used by a subscribing application; the service will need to know this mapping.
   5.1. Not too sure how exactly things are to work out when two different UAA instances point to the same backing IdP.
   Perhaps UAA can present its instance identity, but can it be made to present (in the generated JWT tokens) the identity of the backing IdP, and can the latter be signed?
Is it something that existing CF facilities provide for or that can be implemented on top of them with some ease?
Thanks.
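As an added example (not from the original post or from any CF component), the following Python sketch shows one way a service could resolve the subscription and a tenant-namespaced user identity from a bearer JWT at an interactive endpoint, using the token's issuer claim as the link between a subscription id and the UAA that minted the token, so that "John" from two subscriptions never collides. The subscription registry, the HS256 signing with a per-subscription secret, the scope name and the claim names (iss, user_name, scope) are assumptions made for this constructed example; a real deployment would verify each token against the issuing UAA's published signing key instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed subscription registry (assumption): each subscription records the
# token issuer of its UAA and the key used to verify tokens from that issuer.
SUBSCRIPTIONS = {
    "sub-1001": {"issuer": "https://uaa.tenant-a.example/oauth/token", "key": b"tenant-a-secret"},
    "sub-2002": {"issuer": "https://uaa.tenant-b.example/oauth/token", "key": b"tenant-b-secret"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the constructed example (stands in for a UAA-issued token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def resolve_principal(token: str, required_scope: str) -> tuple[str, str]:
    """Map a bearer token to (subscription_id, tenant-namespaced user) or raise PermissionError."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected signing algorithm")
    claims = json.loads(_b64url_decode(body_b64))
    # The issuer names the UAA instance that minted the token; that is the handle
    # the service uses to find the subscription (and hence the data set).
    matches = [sid for sid, s in SUBSCRIPTIONS.items() if s["issuer"] == claims.get("iss")]
    if len(matches) != 1:
        raise PermissionError("token issuer is not bound to any subscription")
    sid = matches[0]
    # Verify with that subscription's key before trusting any other claim.
    expected = hmac.new(SUBSCRIPTIONS[sid]["key"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("signature does not verify under the subscription's key")
    if required_scope not in claims.get("scope", []):
        raise PermissionError(f"missing scope {required_scope}")
    # Namespace the user id by subscription so "john" from two IdPs never collides.
    return sid, f"{sid}:{claims['user_name']}"
```

Keying on the issuer resolves the UAA instance, not the backing IdP, so two UAAs in front of the same IdP still yield two separate subscriptions here.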