Open APMIFEMA opened 4 days ago
Hi,
The /stats API only serves the CAP dashboard; you can utilize IMonitoringApi to get the data and provide your external anonymous APIs.
private IMonitoringApi MonitoringApi => _serviceProvider.GetRequiredService<IDataStorage>().GetMonitoringApi();
Thanks for the quick response :) !!
The IMonitoringApi interface looks great. With this service I can effectively incorporate this functionality into our service's API, but as the intention is to do it in all our APIs, we would be doing it over and over again...
I think it could be good to add to the dashboard the ability to add this API as a REST service with an independent access policy to the dashboard, for example with the Bearer and OAuth authentication schemes as used by our APIs.
This way all users of this fantastic library could take advantage of it.
The option could be to add two more parameters to the dashboard to activate this functionality:
bool PublishMonitoringApi
string MonitoringApiPolicy
Would it be okay if we made a change proposal to incorporate the functionality?
All interfaces used by the dashboard (except /index.html and static resources) are provided by IMonitoringApi and authorization is set using AuthorizationPolicy, do you mean to add a separate authorization policy for index.html only?
We don't want to add more options to the configuration. As we said above, we provide IDataStorage; if you need to, just extend it. Everyone may have different needs when using it, and adding more and more configurations will bring complexity and learning cost.
I'll give you some additional context
In our company we have many event-oriented integrations.
We have APIs that can produce events and consumers to perform integrations between systems.
To be able to know at all times what status the integrations are in, we have a dashboard, which indicates the dead events existing in each of the consumers we have.
In this way we have a quick way of knowing which integrations we have to concentrate our efforts on.
In order to feed this dashboard we have a batch process that from time to time calls the "stats" method of each consumer to find out the dead events and send them to Elasticsearch.
Finally, with this data we make the dashboard in Kibana.
I'll give you an example of the dashboard.
When we have activated security in the consumer dashboard with OpenId, integrated with our Azure AD, we can no longer call the stats method from our batch process to get the dead events of each consumer.
Of course we can do something for ourselves using this service as you indicate, but the proposal seemed to us a good way to give back to this fantastic library some of the value that it has brought us, helping to incorporate functionalities like this that we believe could be useful to other companies.
But if you don't see that it could be useful to other companies, no problem, in any case thank you very much for your work!!
Hi @APMIFEMA,
I've updated the sample code for Sample.Dashboard.Auth, check out the method AddCapWithOpenIdAndCustomAuthorization.
In the following line of code, different policies will be in effect to allow both authentication (interactive user and service user)
You're amazing, I didn't know that you could configure several different authentication schemes in the same policy.
I've tried your proposal and the only thing I've had to change after testing is the order of the schemes, since the OpenId one must be the last one for the openid challenge to be triggered.
This is how the policy looks for us.
options.AddPolicy(cappolicy, policy => policy
    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme)
    .RequireRole(caproladmin)
    .RequireAuthenticatedUser());
Thank you very much!!!!
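The policy discussed in this thread, placed in a full ASP.NET Core startup file as an added example (not code from the thread or from the CAP samples). The authority, client id, audience, policy name and role name are placeholders, and CAP storage and transport registration is assumed to happen where the comment indicates.

```csharp
// Added example. All names and URLs below are placeholders, not values from the thread.
using DotNetCore.CAP;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

const string CapPolicy = "cap-dashboard";   // placeholder policy name
const string CapAdminRole = "cap-admin";    // placeholder role name
const string Authority = "https://login.example.invalid/tenant/v2.0"; // placeholder

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    // Service callers (the monitoring batch job) present a bearer access token.
    .AddJwtBearer(o =>
    {
        o.Authority = Authority;
        o.Audience = "api://cap-consumer";  // placeholder audience
    })
    // Interactive users are redirected to the identity provider and get a cookie.
    .AddOpenIdConnect(o =>
    {
        o.Authority = Authority;
        o.ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder
        o.ResponseType = "code";
        o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy(CapPolicy, policy => policy
        // Both schemes are evaluated; OpenID Connect is listed last, as in the thread.
        .AddAuthenticationSchemes(
            JwtBearerDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        // The same role gate applies to users and to the service identity.
        .RequireRole(CapAdminRole)));

builder.Services.AddCap(cap =>
{
    // Assumption: storage and transport providers are registered here.
    cap.UseDashboard(d =>
    {
        d.AllowAnonymousExplicit = false;   // otherwise the dashboard API stays anonymous
        d.AuthorizationPolicy = CapPolicy;
    });
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

The batch process then needs an access token for the placeholder audience that carries the role named in the policy; a token without that role is authenticated but rejected by the role requirement.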
Hi,
In our company we have several apis with the cap dashboard configured with OpenId authentication and a Cookie.
This works like a charm.
The problem is that we need to periodically get the cap status from a monitoring service by calling the api /api/stats.
When trying without a cookie, the api redirects us to Azure AD authentication.
Which option do you see as best?
Change the dashboard policy settings to allow both authentication methods (interactive user and service user). The problem with this option is that I can't think of how...
Add to the dashboard options something like
_builder.MapGet(prefixMatch + "/stats", Stats).AllowAnonymousIf(_options.AllowAnonymousAccessToStats, _options.AuthorizationPolicy);
Thank you very much