Learn about application protection patterns you can use for apps built with Cloud Pak for Applications.
The IBM Cloud Pak for Applications provides a complete and consistent experience to speed development of applications built for Kubernetes, using agile DevOps processes. You can easily modernize your existing applications with IBM’s integrated tools and develop new cloud native applications faster for deployment on any cloud.
Running on Red Hat OpenShift, IBM Cloud Pak for Applications provides a hybrid, multicloud foundation built on open standards, enabling workloads and data to run anywhere. A self-service environment combines open source tools with your existing middleware for continuous compliance and visibility across secure, hybrid, multicloud environments.
Setting up application security can be complicated. For most developers, it can be one of the hardest parts of creating an app. How can you be sure that you are securely storing your users' information? How can you be sure your system cannot be infiltrated? How do you manage access controls? How do you ensure that you address any and all vulnerabilities? What if your application runs on different cloud providers with completely different security systems?
In most cases, developers prefer to focus on delivering the business value while leaving any security aspects to experts and specialized products. In this blog post, I'm going to cover several ways of using IBM Cloud App ID to protect applications built with Cloud Pak for Applications.
What is IBM Cloud App ID?
IBM Cloud App ID is a cloud service that allows developers to easily add authentication and authorization capabilities to their applications while all the operational aspects of the service are handled by the IBM Cloud Platform. App ID is intended for developers that don't need or want to know anything about various security protocols. The service provides capabilities like Cloud Directory (a highly scalable user repository in the cloud), enterprise identity federation, social login, SSO, customizable Login Widget UI, flexible access controls and user profiles, multi-factor authentication, a set of open-sourced SDKs for easy app instrumentation, and more.
There are many benefits of using App ID. One of the major ones is the deep integration with other IBM Cloud components that creates a seamless experience for easy protection of cloud native applications, including IBM Cloud Kubernetes Service, Cloud Functions, Cloud Foundry, API Connect, Activity Tracker, and more. Another benefit is the fact that App ID is a managed service, fully operated by IBM in all regions of IBM Cloud, and it is compliant with many certifications, such as GDPR, HIPAA, SOC, ISO, PCI, and more.
Using App ID to protect applications built with Cloud Pak for Applications
So, the question that brought you to this blog: How do I protect my apps with App ID? Depending on the current state of your application and your project cloud maturity, you have two options—the declarative approach or a programmatic one.
The programmatic approach
Most developers are fairly familiar with the programmatic approach. You pull an SDK into your app, you change some code, you do some configurations, and voila, your app is protected. This approach has existed for ages, and while it is a valid one, it has some scaling concerns.
Imagine having a microservices-based architecture with dozens, or even hundreds, of microservices. Instrumenting each one with an SDK would work, but the overhead will grow fast as your ecosystem evolves. Each time you need to update the SDK version, you'll need to update all your microservices' code and redeploy them.
The declarative approach
The declarative approach is a more modern, recommended way of protecting your distributed apps. With the declarative approach, in most cases, you wouldn't need to change a single line in your application in order to protect it or even redeploy. You just need to "declare"—hence the name—that you want your app to be protected instead.
The declarative approach is fully language-agnostic, helps you scale more easily, and gives you a centralized way of managing security settings for all your apps and microservices. Updating security settings is also significantly easier with the declarative approach since you simply update the configuration, which is immediately applied without changing or redeploying your apps.
Declaratively protecting your apps
If you're running your apps on managed Red Hat OpenShift on IBM Cloud, the easiest approach is to use the declarative Ingress annotation. Add a single line to your Ingress resource YAML file, and your app is protected. See the full documentation here and a video tutorial below:
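What that single line looks like, as an added example that is not from the original post. It assumes the `ingress.bluemix.net/appid-auth` annotation documented for the IBM Cloud Ingress ALB; the resource, host, service, and secret names are placeholders.

```yaml
# Added example, not from the original post. Values in <angle brackets> and
# the names myapp-ingress / myapp-svc are placeholders chosen for illustration.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress
  namespace: default
  annotations:
    # The one added line: the ALB authenticates each request with App ID
    # before forwarding it to the listed service.
    #   bindSecret  - secret created when the App ID instance is bound to the cluster
    #   namespace   - namespace that holds the bind secret
    #   requestType - "web" redirects unauthenticated browsers to the login page;
    #                 "api" rejects requests without a valid bearer token (401)
    #   serviceName - Kubernetes service to protect
    ingress.bluemix.net/appid-auth: "bindSecret=<bind_secret> namespace=default requestType=web serviceName=myapp-svc"
spec:
  tls:                            # App ID authentication requires HTTPS on this host
    - hosts:
        - <ingress_subdomain>
      secretName: <tls_secret>
  rules:
    - host: <ingress_subdomain>
      http:
        paths:
          - path: /
            backend:
              serviceName: myapp-svc   # must match serviceName in the annotation
              servicePort: 8080
```

The annotation is enforced only at the Ingress, so requests that reach the Service from inside the cluster are not authenticated by it. Keep the Service type as ClusterIP and restrict in-cluster access with a NetworkPolicy if other workloads should not call it directly.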
Running OpenShift on other clouds? Or do you just prefer using Istio Service Mesh in your OpenShift cluster? In this case, you can install the App Identity and Access adapter and leverage declarative application protection regardless of who your cloud provider is, once again without changing any code or redeploying the app. See the documentation here and the video demo below:
Programmatically protecting your apps
Protecting your apps with a programmatic approach can be different depending on what language and/or what web framework you're using. The concept is the same: add an SDK to your app (or use the one bundled within your framework), configure it, and you're done. However, different SDKs and frameworks are configured in different ways. The list below covers the most popular scenarios but, in general, you can use App ID with any other web application framework that supports OAuth2 and OpenID Connect.
- Creating a new application from scratch using Cloud Pak for Applications? In this case, we have a set of templates that you can use with Appsody/Kabanero. See the video tutorial below:
- Need to protect an existing Node.js application, be it a web application or a backend? Read the docs here and see the two linked video tutorials:
- Need to protect an existing Java application running on a Liberty server, be it a web application or a backend? Read the docs here and see the two linked video tutorials:
- Need to protect an existing Spring Boot application, be it a web application or a backend? Read the docs here and see the two linked video tutorials below:
No matter what kind of applications you're building, whether you want to leverage Service Mesh, Ingress Controller, or simply use application SDKs, we've got you covered. You can easily use App ID for all these scenarios and start enjoying the superb experience of easily adding user authentication to your app, protecting applications running on Kubernetes or OpenShift clusters, getting administrative and authentication events in Activity Tracker, and more!
Feedback and resources
We’d love to hear from you with feedback and questions.
- Reach out directly to the development team on Slack.
- If you have technical questions about App ID, post your question on Stack Overflow and tag your question with
- For questions about the service and getting started instructions, use the IBM Developer Answers forum. Include the
- Open a support ticket in the IBM Cloud menu.
To learn more about the service and getting started, check out the following links: