Gluu Cloud Admin UI: Application Architecture - GluuFederation/gluu-admin-ui GitHub Wiki
Overview
Gluu Admin-UI is a graphical user interface for administrators to manage the configuration and other properties of Jans Auth Server. The GUI interacts with Jans Auth Server through a REST API layer called Jans Config Api. It follows a flexible plugin architecture in which new features can be added to Admin-UI through extensions called plugins, without altering the application itself.
Admin UI comprises the following components:
Gluu Admin-UI
This is a user-facing GUI developed using React and Redux.
Jans Config Api
Jans Config Api enables access to, and updates of, the configuration properties of Jans Authorization Server. It is a Java-based REST API using JAX-RS and WELD.
Jans Authorization Server
Jans Authorization Server is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). The project also includes OpenID Connect client code which can be used by websites to validate tokens. The server currently implements all required aspects of the OpenID Connect stack, including an OAuth 2.0 authorization server, Simple Web Discovery, Dynamic Client Registration, JSON Web Tokens, JSON Web Keys, and the UserInfo Endpoint.
Accessing Gluu Admin UI
- When a user tries to access the Gluu Admin UI (frontend) in a web browser, it follows the Authorization Code flow and redirects to the authorization server (jans-auth-server-1) login page for user authentication.
- The authorization server (jans-auth-server-1) authenticates the End-User and obtains End-User consent/authorization.
- If authentication is successful, the authorization code and state are sent from jans-auth-server-1 to the frontend. The state is verified at the frontend.
- The frontend requests a user-info JWT (UJWT) response, using the authorization code, from the Admin UI Backend (backend). Note that the Admin UI Backend is a plugin of jans-config-api.
- Using the authorization code, the backend first fetches an access token (AT1) from the token endpoint of the authorization server. It then fetches the UJWT from the authorization server using AT1 and forwards it to the frontend.
- The frontend stores the UJWT / the claims from the UJWT in the redux store.
Generating the api-protection token (AT2) and enabling/disabling features at the frontend
- The UJWT contains the user role (jansAdminUIRole) and other claims.
- To generate an api-protection token (AT2), the frontend requests the Token-server (jans-auth-server-2) via the backend.
- At jans-auth-server-2 an introspection script is enabled which validates the UJWT and also contains the role-to-scope mapping.
- The introspection script validates the UJWT and includes scopes in AT2 according to the role of the user.
- This AT2 / its scopes are sent back to the frontend via the backend.
- Features at the frontend are enabled/disabled according to the scopes in AT2.
Accessing Janssen Config Api endpoints
- To access config-api endpoints, the frontend first requests AT2 from jans-auth-server-2 via the backend.
- The frontend then sends the request to the config-api endpoint with AT2 in the Authorization header, along with the other request parameters.
- At config-api, AT2 is validated and its scopes are verified (it is checked that the scope required for the endpoint is present).
- If the above step succeeds, the result is fetched from jans-auth-server-1 and forwarded to the frontend.
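The two flows above (role-based scopes placed in AT2 by the introspection script, and the per-endpoint scope check at config-api that gates the frontend's features) as an added example; this is not code from the gluu-admin-ui or Janssen projects, and the role names, scope strings and endpoint paths are constructed placeholders:

```javascript
// Added example, not project code. Models the role-to-scope mapping an introspection
// script on jans-auth-server-2 applies when minting AT2, the scope check config-api
// performs per endpoint, and how the frontend enables features from AT2's scopes.
// Role names, scope strings, endpoint paths and feature names are constructed placeholders.

// Hypothetical role-to-scope mapping held by the introspection script.
const ROLE_SCOPE_MAP = {
  'api-admin': ['config:attributes.read', 'config:attributes.write', 'config:scripts.read'],
  'api-viewer': ['config:attributes.read', 'config:scripts.read'],
};

// Validate the UJWT claims before granting anything: the role claim must exist,
// the token must not be expired, and the role must be one the mapping knows.
function validateUjwt(claims, now) {
  if (!claims || typeof claims.jansAdminUIRole !== 'string') return false;
  if (typeof claims.exp !== 'number' || claims.exp <= now) return false;
  return Object.prototype.hasOwnProperty.call(ROLE_SCOPE_MAP, claims.jansAdminUIRole);
}

// Introspection-style step: the scopes AT2 should carry for the user's role,
// or null when the UJWT fails validation (no scopes are granted on failure).
function scopesForAt2(claims, now) {
  if (!validateUjwt(claims, now)) return null;
  return [...ROLE_SCOPE_MAP[claims.jansAdminUIRole]];
}

// Scope required by each config-api endpoint (constructed paths).
const ENDPOINT_SCOPES = {
  'GET /attributes': 'config:attributes.read',
  'PUT /attributes': 'config:attributes.write',
  'GET /scripts': 'config:scripts.read',
};

// config-api side: AT2 must carry the scope registered for the endpoint;
// an endpoint with no registered scope is denied by default.
function authorizeRequest(method, path, at2Scopes) {
  const required = ENDPOINT_SCOPES[`${method} ${path}`];
  if (!required) return false;
  return Array.isArray(at2Scopes) && at2Scopes.includes(required);
}

// Frontend side: a feature is enabled only when every scope it needs is in AT2.
const FEATURE_SCOPES = {
  attributesView: ['config:attributes.read'],
  attributesEdit: ['config:attributes.read', 'config:attributes.write'],
};

function enabledFeatures(at2Scopes) {
  const granted = new Set(at2Scopes || []);
  return Object.keys(FEATURE_SCOPES).filter((f) => FEATURE_SCOPES[f].every((s) => granted.has(s)));
}
```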
Complete sequence diagram
[Sequence diagram covering the flows described above; the image is not included in this text.]