Call Bluemix service from outside app - ibm-cloud

I've built a simple translate service with Node-Red and Watson. The service is ok when called directly from the browser but I have an error ( CORS ) when call the service via http from my Angular app.
Does Bluemix allow CORS ?
Thanks in advance.

Generally speaking Bluemix supports applications that are composed of many independent services deployed to different hostnames. For each application (which can be a service API) that you push to Bluemix, the name you provide will be prepended to .mybluemix.net. If your application follows the best practices of a microservices architecture you will probably have two or more subcomponents that live on different hostnames. Now if you have a front-end that needs to aggregate information from these other Bluemix apps (your AngularJS app) by default the access to other subdomains will be forbidden.
The solution is to take advantage of the standard HTTP headers that are available to control cross-origin resource sharing (CORS) on the Bluemix services that you wish to provide to JavaScript clients:
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Take a look at the following blog post: Cross-origin resource sharing for Bluemix APIs.

add these code lines in your bluemix-settings.js and repush your app
// The following property can be used to configure cross-origin resource sharing
// in the HTTP nodes.
// See https://github.com/troygoode/node-cors#configuration-options for
// details on its contents. The following is a basic permissive set of options:
httpNodeCors: {
origin: "*",
methods: "GET,PUT,POST,DELETE"
},
Add this code after " functionGlobalContext: { }, "

Related

Metaflow: "Missing authentication token" when accessing the metadata/metaflow service URL in the browser

I’m currently experimenting on Metaflow. I followed the documentation and was able to deploy an aws setup with the given cloud formation template.
My question is why is that I’m always getting a:
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even if I made sure that the APIBasicAuth was set to false during the creation of cloudformation?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service url via the browser. To get the api-key you can go to the aws console
Api Gateway -> Api Keys -> show api key
Alternatively you can use the metaflow client in the sagemaker notebook which should be automatically setup for you via the template.
Also worth mentioning that there are two sets of endpoints: The one provided by the api gateway (which you seem to be hitting) and the one provided by the service itself. The api gateway forwards the requests the the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.

Retrieve logged user information from cloud foundry web application

We developed a web application using SAP Web-IDE Full Stack; we need to retrieve the details of the user logged into application (as defined in SAP Cloud Platform Identity Authentication Administration), for example display name and assigned groups.
We tried the userapi/currentUser API, but it seems to work only on NEO environment, for this reason is working fine while debugging in Web-IDE, but we get a 404 error when deploying the app on Cloud Foundry.
Do we need to add a new destination to make userapi work also on CF? Or is there some kind of similar solution available on Cloud Foundry?
I highly suggest using the SAP S/4HANA Cloud SDK for such tasks. It is an SDK developed to make building applications for SAP Cloud Platform easy, by providing easy to use mechanisms for all the Cloud Platform mechanisms.
Regarding your task at hand, there is a UserAccessor class that you can use like this:
final Optional<User> user = UserAccessor.getCurrentUser();
This works on Neo as well as on Cloud Foundry, i.e. there is a single interface for both platforms, which allows you to develop your app in a platform agnostic way.
If this sounds like it could solve your problem, I recommend checking out this blog post series to get started.
Alternatively, you can also simply add the following dependency to your project to start testing the SDK:
<dependency>
<groupId>com.sap.cloud.s4hana.cloudplatform</groupId>
<artifactId>scp-neo</artifactId>
<version>2.7.0</version>
</dependency>
For Cloud Foundry use scp-cf instead of scp-neo.
Hope this helps!
P.S.: To answer your question also on a technical level, Cloud Foundry uses so-called JWTs for authentication and authorization. You can check whether a JWT is present by looking at the Authorization header of the request. The JWT should hold the information you're looking for.
In SAP Cloud Foundry if you develop a MTA using XSUAA service to manage User Authentication and Admistration, defined for example in the mta.yaml,
...
resources:
- name: uaa_myapp
parameters:
path: ./xs-security.json
service-plan: application
service: xsuaa
type: org.cloudfoundry.managed-service
...
you can use the UAA API published from XSUAA service self to manage user authentication and authorization (e.g.: retrieve user info, groups assigned, password management etc..). also in the case the application is federated with another IDP.
To consume this API for example to retrieve user info you need to:
Determine the XSUAA endpoint bound to your app (SCP Cockpit > XSUAA service detail > take the value url)
Create a destination (xsuaa_api_destination) of type OAuth2TokenExchange bound to your app with url url took before, and fill OAuth2 authentication parameters with the data contained in XSUAA service detail (step 1).
From your app execute the call xsuaa_api_destination/userinfo, for example using an ajax if you are using JS.
You can find other info in Account and Authentication Service of the Cloud Foundry Environment SAP doc.

IBM Weather REST API 401 Keep getting CORS issues when access

I am getting a 401 and some cross domain issues when trying to access IBM Weather REST API from either client (browser) or server.
If I generate a URL and try and access it directly from a browser (eg paste it in it works fine and the JSON weather report is returned).
When I try and run the Javascript HTTP request from either the browser or server it seems like it's only allowed to run from an ibm.com domain.
Failed to load https://twcservice.au-syd.mybluemix.net/api/weather/v1/geocode/-33.00/151.00/forecast/daily/7day.json?units=m&language=en-US: The 'Access-Control-Allow-Origin' header contains multiple values 'https://*.ibm.com, https://*.ibmcloud.com', but only one is allowed. Origin 'http://localhost:3000' is therefore not allowed access.
I am using the free service on Bluemix. Is this restricted to only run via a Bluemix server? or are there some options I can pass when I create the service on Bluemix
Note, when I make the request I am using the credentials supplied via the Bluemix console. Again, this works via the browser URL bar, but not via code.
Update/More info: if I hit past the URL above into the browser (with creds) it works as above, then if hit it via the web app in the same session it works.
Hmmm. So the IBM server is sending the following response header:
Access-Control-Allow-Origin: https://*.ibm.com, https://*.ibmcloud.com
That's an invalid response from IBM. Unfortunately, I think your only option is to complain to IBM, and convince them to
Return a valid Access-Control-Allow-Origin response header (with only one value)
Allow people outside of IBM to access it
Without that, I fear you're out of luck.

Implementing aws apigateway

I am trying to test an implementation of aws apigateway on an existing webapplication's REST endpoint on aws. This endpoint is for bulk updates using POST/PATCH methods
Looking into the vast and lengthy documentation on AWS site, it talk about IAM roles for authentication.
Any high-level tips on implementing API gateways will be appreciated, to get started.
Choosing IAM Role in Authorization and also Choosing Other Authorizers (Lambda or Cognito) are also optional.
Do simple Steps and you are ready.
Create an API.
Goto Resources>>Actions>>create Method (POST/PATCH).
Integration Type Choose HTTP and enter your endpoint Url
Resources >> Action >> Deploy API
It will deploy apigateway application and provide you Endpoint url to use.
Again:
Choosing Models, API Keys, Client Certificates, Custom Domain, Authorizers and VPC setup all are optional.
Its simple and easy.

Managing multiple REST APIs in Azure API Management

I am building REST APIs with MicroServices, which means I have different services for providing different resources. Suppose I have below services:
ServiceA is providing resources resourcesA and resourcesA1 with below URLs
https://my-internal-endpoint-for-serviceA/resourcesA
https://my-internal-endpoint-for-serviceA/resourcesA1
ServiceB is providing resources resourcesB and resourcesB1 with below URLs
https://my-internal-endpoint-for-serviceB/resourcesB
https://my-internal-endpoint-for-serviceB/resourcesB1
Now, I want to manage them in Azure API Management. To publish them (by importing the Swagger document from services), API Management portal need an API path for publishing. So, serviceA and serviceB can be published as below:
https://my-api-azure-api.net/serviceA/resourcesA
https://my-api-azure-api.net/serviceA/resourcesA1
https://my-api-azure-api.net/serviceB/resourcesB
https://my-api-azure-api.net/serviceB/resourcesB1
But to be more resources based API management, I am expecting the published APIs to be more like below:
https://my-api-azure-api.net/resourcesA
https://my-api-azure-api.net/resourcesA1
https://my-api-azure-api.net/resourcesB
https://my-api-azure-api.net/resourcesB1
Unfortunately, API management does not allow me for pubshing 2 APIs (serviceA and serviceB) to same path (root path in this case). I don't want to put the service name (or something equivalent) in the URL path as the service name is something duplication of the resource name provided by it. How do I workaround this?
The Azure API Management Policies can help you here, in particular the control flow with the ability to forward requests. The documentation is here: https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-reference
I would approach this by setting up the resources as a single API, by adding one via swagger and then adding in the other services to this one to make it complete (as you want it to appear as a single complete service). Once this is in place you are then free to apply the policies.
Note: you may have to expand the resource path in the following way
https://my-api-azure-api.net/mynewservice/resourcesA
https://my-api-azure-api.net/mynewservice/resourcesA1
https://my-api-azure-api.net/mynewservice/resourcesB
https://my-api-azure-api.net/mynewservice/resourcesB1
Maybe the answer to this question can help:
How to chain APIs using Azure API management
You can use the same policy to map several operations of the same API in API Management to different backend APIs.
But in general all APIs are exposed as <myGateway>.azure-api.net/<myApi>/<myOperation>.