Introduction
This guide is a walkthrough of setting up a BrowZer application to access Mattermost.
To learn more about BrowZer, see Getting started with BrowZer.
Prerequisites
- A Cloud Ziti Network up and running.
- A Mattermost instance up and running, with an edge router that has network access to it. If you don't already have a Mattermost instance, follow the Appendix instructions to install Mattermost (preview). Note that the Mattermost preview is not a production instance; in a production setup the edge router (ER) will be separate from the Mattermost instance. If you need instructions on how to deploy Mattermost, please review their documentation here.
Deployment
Part 1: Setup Needed Items to support a BrowZer Application
In this section:
- Create a WSS enabled NetFoundry Hosted Edge Router
- Create an Edge Router Policy
- Create the Service
- Create a Service Policy
In the Console, Create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled. Launching a NF Hosted router is recommended.
In the Console, Create an Edge Router Policy to ensure this router is available to your Identities (Endpoints).
In the Console, Create the Service you will use to access Mattermost. We recommend using an Advanced Service. For the FORWARD ADDRESS, use the container name "mattermost" or the container's IP address. The FORWARD PORT should be 8065.
In the Console, Create a Service Policy (AppWan) to allow access for the clients we'll create later.
Part 2: Auth0 & JWT Signer
In this section:
- Create an Auth0 Account
- Create an Auth0 Application(SPA)
- Add callback & logout
- Create an Auth0 API
- Create an Auth0 Custom Trigger
- Gather Information from Auth0 needed
- Create a new JWT Signer
- Create a new Authentication Policy
- Create or update the Identities(Endpoints)
This tutorial follows the Auth0 settings. Other IdPs will have their own settings. If you don't already have an account, you can sign up for a free account at https://auth0.com/signup
Adding a new Application in Auth0
Once you have an account setup you can add a new "Application":
Then click on the "Create Application":
Then Create a "Single Page Web Application":
Adding the callback & logout URLs for the BrowZer App(s) you create
All BrowZer Apps have the following template:
https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io
where:
- APP_NAME is the name we'll assign to the BrowZer app we'll create.
- NET_NAME is the name we'll assign the first time you click on "BrowZer Apps".
In Auth0, under the Application/Settings you'll find "Allowed Callback URLs" & "Allowed Logout URLs"
You can add one callback URL for all apps created under the same NET_NAME. In this case, NET_NAME=natashell. The URL needs to be in this format: https://*.<NET_NAME>.browzer.cloudziti.io
For example:
https://*.mattermost-demo.browzer.cloudziti.io
Adding a JWT Signer & Authentication Policy
Create an API
Now you can add a new "API":
Click on Create API
Fill out the form, using the following URL as the Identifier:
https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io
Create a custom trigger
Under Actions select "Triggers":
Click on "post-login":
Click on the + symbol & select "Build from Scratch":
Name the new Action "Add Email to Access Token":
Remove the prefilled content & paste the following:
    /**
     * Handler called during a PostLogin flow.
     *
     * @param {Event} event - Details about the user and the
     * context in which they are logging in.
     * @param {PostLoginAPI} api - Interface whose methods can be
     * used to change the behavior of the login.
     */
    exports.onExecutePostLogin = async (event, api) => {
      if (event.authorization) {
        // Copy the user's e-mail into the access token; the JWT Signer maps this claim to the identity's External Id.
        api.accessToken.setCustomClaim(`email`, event.user.email);
      }
    };
then click on "Deploy":
Return to "post-login" & click on "Custom"
Click and drag your Add Email to Access Token Action onto the Trigger, then drop it into place, then click Apply in the top right.
Gathering Information from Auth0
In order to set up the new JWT Signer, we'll need some information from the Auth0 Application that was just created.
Scroll down to the Advanced Settings and click on Endpoints
You'll also need to write down the OAuth Token URL, which will be used when creating the BrowZer App, and the JSON Web Key Set URL.
Create the JWT Signer
In the Console, Create a new JWT Signer
Using the values from Auth0, fill out the information in the new JWT Signer dialog.
For the ISSUER, use the "Domain" value in the form:
https://<Domain>/
(Please make sure to add the trailing slash).
For the Audience, use the Identifier you used when creating the API above.
For the JWKS Endpoint, use the "JSON Web Key Set URL" value.
For the External Auth URL, use the "OAUTH Token URL" value.
Finally, set the JWT Claim to "email" & the Identities to "External Id".
Create the Authentication Policy
In the Console, Create a new Authentication Policy
In this example we disable the certificate options & only use the JWT Signer as the Authenticator.
Create or Assign Identities(Endpoints) to the Authentication Policy
In the Console, Create or update the Identities (Endpoints) that will have access to BrowZer. Please ensure you have added the attributes you defined in your Service Policy (AppWan) to the Identities (Endpoints), so they'll have access to the service.
Finally, make sure each one uses the Authentication Policy you created for BrowZer.
Part 3: The BrowZer Application
In this section:
- BrowZer Getting Started
- Create a new BrowZer Application
- Access the Application
Make sure to complete the BrowZer Getting Started by clicking on the BrowZer Apps in the navigation menu.
Create a BrowZer Application
In the MOP Console, Create a new BrowZer Application.
For the App Entry, select the service you created in Part 1.
For the Public URL, you'll set a name for your app (APP_NAME); this name creates the whole URL you'll use to access your service securely. In this case, APP_NAME=app and the URL is:
https://app.mattermost-demo.browzer.cloudziti.io/
Set the OIDC Base URL to the "Domain" value from Auth0 in Part 2, in the format:
https://<domain>
(This time without a trailing slash.)
Set the ClientID to the "ClientId" value you got from Auth0 in Part 2.
Access your Application
Mattermost Changes
Site URL
Mattermost requires you to set the "Site URL". This value should be set to the URL used to access the application, in this case: https://app.mattermost-demo.browzer.cloudziti.io/
CORS
Since we are configuring Mattermost to be accessed from a URL that will likely not match the address used to actually reach the service, CORS needs to be adjusted to allow cross-origin requests.
To update the CORS configuration, please refer to the official docs. We recommend listing each domain, or configuring it with "*".
APPENDIX
Create Your Own Mattermost Preview Instance
Prerequisites
A Linux/Windows machine with docker & docker-compose installed.
Create a working directory for the Mattermost instance. We'll call this directory WORK_DIR.
Change directory into WORK_DIR.
Create a directory called ziti_router.
Create a file called .env.
The .env file holds the registration key for the edge router. You need to create a customer-hosted edge router in the CloudZiti console and enter its registration key (REG_KEY) into this file.
Please follow this guide for detailed information on how to deploy an edge router. In this example, our customer-hosted edge router is named "Mattermost-ER".
    REG_KEY=ONETIMEKEY
Create a docker compose file (docker-compose.yaml) in your WORK_DIR, where you define the services needed for Mattermost. The following docker compose example shows two containers:
- mattermost
- edge router (er)
    version: '3'
    services:
      mattermost:
        container_name: mattermost
        image: mattermost/mattermost-preview
        ports:
          - "127.0.0.1:8065:8065"
      er:
        container_name: netfoundry-er
        image: netfoundry/autonomous-router:latest
        restart: unless-stopped
        env_file: .env
        volumes:
          - ./ziti_router:/etc/netfoundry
After you have created the file, start your Mattermost instance with the command:
    docker-compose up -d