![\"infra](\"/9475f7e05b9e351f919a2b693d2812da/infra1.webp\")
In this blog, we’ll see how to create and validate a JWT(JSON Web Token) in Deno. For this, we’ll be using djwt, the absolute minimum library to make JSON Web Tokens in deno and Oak framework
\nThis tutorial assumes you have:
\nJSON Web Token is an internet standard used to create tokens for an application. These tokens hold JSON data and are cryptographically signed.
\nHere is how a sample Json Web Token looks like
\neyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im9sYXR1bmRlZ2FydWJhQGdtYWlsLmNvbSIsImJWT is a good way of securely sending information between parties. Because JWTs can be signed—for, you can be sure the senders are who they say they are. And, as the signature is generated using the header and the payload, you can also verify that the content hasn't been tampered with.
\nJWT can contain user information in the payload and also can be used in the session to authenticate the user.
\nIf you want to know more about JSON Web Token, We have a very good article about it.
\nFirst, let's set up a Deno server to accept requests, for it, we are using Oak framework, it is quite simple and few lines of codes as you can see below.
\n// index.ts\nimport { Application, Router } from "https://deno.land/x/oak/mod.ts";\n\nconst router = new Router();\nrouter\n .get("/", (context) => {\n context.response.body = "JWT Example!";\n })\n\nconst app = new Application();\napp.use(router.routes());\napp.use(router.allowedMethods());\n\nawait app.listen({ port: 8000 });Once our program is ready for accepting request Let's import djwt functions to generate JWT token, In below code we can use a secret key, expiry time for JWT token in 1 hour from the time program will run and we are using HS256 algorithm.
\nAdd the below code in index.ts and update the router as shown below, you can now get a brand new token on http://localhost:8000/generate
// index.ts\n...\n\nimport { makeJwt, setExpiration, Jose, Payload } from "https://deno.land/x/djwt/create.ts";\n\nconst key = "secret-key";\nconst payload: Payload = {\n iss: "Jon Doe",\n exp: setExpiration(new Date().getTime() + 60000),\n};\nconst header: Jose = {\n alg: "HS256",\n typ: "JWT",\n};\n\n\nconst router = new Router();\nrouter\n .get("/", (context) => {\n context.response.body = "JWT Example!";\n })\n .get("/generate", (context) => {\n context.response.body = makeJwt({ header, payload, key }) + "\\n";\n })\n\n...Once you get a JWT token you can validate the token by validateJwt function in djwt, let us import the validateJwt and add one more route /validate/:token
Now you can verify any token by passing it to a route like - http://localhost:8000/validate/jwt_token (jwt_token is a placeholder, please replace it with a real JWT token)
// index.ts\n...\n\nimport { validateJwt } from "https://deno.land/x/djwt/validate.ts";\n\n...\n\nrouter\n .get("/", (context) => {\n context.response.body = "JWT Example!";\n })\n .get("/generate", (context) => {\n context.response.body = makeJwt({ header, payload, key }) + "\\n";\n })\n .get("/validate/:token", async (context) => {\n if ( context.params && context.params.token && (await validateJwt(context.params.token, key)).isValid) {\n context.response.body = "Valid JWT\\n";\n } else {\n context.response.body = "Invalid JWT\\n";\n }\n });\n\n...Now you know how to generate and verify a JWT token in Deno, you can easily use it in your application, The complete source code used in this blog can be found in this Github Repo
\n","frontmatter":{"date":"July 10, 2020","updated_date":null,"description":null,"title":"How to create and validate JSON Web Tokens in Deno","tags":["Deno","JWT","JSON Web Token"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.492537313432836,"src":"/static/2ca148ad6e08643634262607131d918e/58556/deno_jwt.webp","srcSet":"/static/2ca148ad6e08643634262607131d918e/61e93/deno_jwt.webp 200w,\n/static/2ca148ad6e08643634262607131d918e/1f5c5/deno_jwt.webp 400w,\n/static/2ca148ad6e08643634262607131d918e/58556/deno_jwt.webp 800w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Puneet Singh","github":"puneetsingh24","avatar":null}}}},{"node":{"excerpt":"Cloud Cost Optimization is the method of reducing the total cloud spending by finding mismanaged capital and scale-up of Right Sizing…","fields":{"slug":"/engineering/cloud-cost-optimization/"},"html":"Cloud Cost Optimization is the method of reducing the total cloud spending by finding mismanaged capital and scale-up of Right Sizing computing services. CCO only charge for the services you use, the cloud gives companies infinite scalability and lower IT costs.
\nOn-Premise Infrastructure was only option around 10 years ago but managing On-premise Infrastructure include the extra cost with other challenges, Challenges are Network, Hardware, Cooling, Power, Space also needed technical staff for taking care all infrastructure
\nThe Colocation is when a business places its own server in a third-party data center and uses its infrastructure services. Colocation takes responsibility for Network, Hardware, Cooling, Space also business not need to worry about technical man force for managing servers
\nStill business have more challenges OS software, Application security, Data storage
\nThe Cloud service provider is providing solutions for all the challenges. The cloud service provider takes total responsibility for hardware, network, space, power, maintaining, and security also they are managing all technical workforce for the whole infrastructure
\n
Reducing Cloud cost is not a one time task. it is a recurring process. We need to identify underutilized resources, Right size machine, reserving capacity for higher discounts also need to optimization Application for reducing hardware cost. Let's start
\nCloud infrastructure is increasing day by day. Choosing the right cloud provider is the most important decision for long term success. The big three cloud providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These three cloud providers are providing mostly services so they might be confused about choosing the right cloud provider. We can easily evaluate the right cloud provider from the following steps
\nAll Big Cloud Providers are providing discounted Instances or spot instances. Spot instances are unused instances. Cloud Providers offered up to 90% discount on these instances compared to on-demand or reserved instances. The majority of organizations have some workloads that are not critical, We can reduce the cost for not critical workload by using spot instances. AWS, Azure, and Google (GCP) all provide the option to use Spot Instances.
\nIdentify the right size for the Instance, not an easy task. We need to configure multiple matrices in our cloud service provider. Key metrics to look for are CPU and memory usage. Identify instances with a maximum CPU usage and memory usage of the month.
\nGenerally, people make mistakes during checking metrics. Most of the people prefer averages in monitoring but averages mislead the measurement. Let understand this by example
\nYou are running an online technology tutorial site. Suppose 1million active users on your website in normal days. Now you are hosting weekly technology webinars in your platform. During webinars time your platform traffic should increase. At that time CPU usages and memory usages should be high compared to the rest of the time. Now suppose you have checked the 24 hours average CPU usages and memory usages. It was around 40% and you have decided this is underutilized and scale down the lower size instance. It can impact you 5% - 10% traffic Let’s look at a real-world example. This chart shows the overall CPU usages
\n ![\"image](\"/205f2fae49dd4ac8281b545c5341d6ce/image1.webp\")
First Image showing Average CPU utilization. You can see Maximum CPU was 18.6 %
\nNow, let’s check the CPU 99th percentile:\n![\"image](\"/6c898bdf0b5b329e83f2c089d0b71b28/image2.webp\")
As expected, the 99th percentile is higher than the average. 99th percentile is around 93%
\nThe conclusion is We need to always check the 99th percentile. The average can mislead and it can impact your users.
\nWe can create different types of resources and applications utilization monitoring matrix and based on the data we can configure multiple alarms. You can configure notification or alarms on email, SMS from the Cloud provider dashboard. you can also configure alarms that automatically stop or terminate EC2 instances or VM when instance unused or underutilized according to the configured threshold. During the development or some POC as a developer or devops person we have to create some instances or resources but sometimes we forgot to terminate the instances or resources. You can minimize the this extra cost by creating a group of alarms that sends an email notification to developers whose instances have been underutilized or ideal for some hours, then terminates an instance. It will save the overall infra cost. different cloud providers provide different ways for creating these type alarms
\nYou can save around 75% cost for your Non - Production Development, Staging, and QA environment. Non - Production environment generally needed during working days. You can turn off these servers during off-hours. Cost-saving depends on the infrastructure size, it can be hundred, thousands of dollars
\nYou can create automation scripts for infrastructure deployment. Schedule the script in your cloud provider
\nApplication in-memory cache reduces the cost of transferring data in the network and overall application performance because reduce the traffic between the database servers or any other external application reduce the network level cost in the cloud also caching improves the efficiency and accessibility of data that used repeatedly or frequently accessed. Suppose your application is fetching user configuration or settings in every request from the database server. You can keep this type of configuration, which is not changing frequently in the in-memory cache. it will save a lot network-level cost
\nData Transfer cost mostly hidden or Some time we don't take care of it. Generally, data transfer is free in the same region between different services Storage, Compute service, etc.\nIf you do a lot of cross-region transfer, it will increase your network data transfer cost also if you will deploy multiple services in the same region it will improve application performance
\nThis includes knowing what you spend in detail, how specific services are billed, and the ability to display how (or why) you spent a specific amount Here, keep in mind key capabilities such as the ability to create shared accountability, hold frequent cost reviews, analyze trends, and visualize the impact of your actions on a near-real-time basis. You can also use cost controls like budget alerts and quotas to keep your costs in check over time.
\nEnterprises or Mid Level companies are adopting multi-cloud infrastructure. Consider this recent prediction from IDC: “By 2020, over 90% of enterprises will use multiple cloud services and platforms.” Or this one from 451 Research: “The future of IT is multi-cloud and hybrid with 69% of respondents planning to have some type of multi-cloud environment by 2019.”
\nOrganizations need to develop a cost optimization culture and awareness. Cost optimization is an ongoing activity in the organization. Need to decide someone responsible for the cost optimization it can be an Engineering team or DevOps team. Most cloud providers provide billing alarm’s they can alert you in case of cost increment also we can configure budget in the Cloud provider dashboard.
\n","frontmatter":{"date":"July 09, 2020","updated_date":null,"description":"Optimization of cloud costs lowers spending by recognizing mismanaged capital, reserving higher discount space, and proper sizing.","title":"Cloud Cost Optimization in 2021","tags":["Cloud","Optmization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.408450704225352,"src":"/static/9b95fca99dc1c53ce661e89fd0341f6d/58556/cloud.webp","srcSet":"/static/9b95fca99dc1c53ce661e89fd0341f6d/61e93/cloud.webp 200w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/1f5c5/cloud.webp 400w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/58556/cloud.webp 800w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/99238/cloud.webp 1200w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/7c22d/cloud.webp 1600w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/8dda0/cloud.webp 1747w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"Identity management for education has witnessed a dramatic change in the first half of 2020. As the COVID-19 pandemic spread, it resulted in…","fields":{"slug":"/identity/identity-management-for-education/"},"html":"Identity management for education has witnessed a dramatic change in the first half of 2020. As the COVID-19 pandemic spread, it resulted in the shutdown of educational institutes worldwide, with over 1.2 billion children officially out of their physical classrooms.
\nInterestingly, there is a notable increase in e-learning from the last couple of months. Classes are conducted remotely and on digital platforms. Now, that's a massive amount of traffic to keep up with.
\nBecause significant amounts of highly sensitive data are involved, they make profitable targets for hackers—contact details, academic records, Social Security numbers, financial information, and health data.
\nMany educational institutions are already facing security crises and trying their best to sustain. Providing a secure learning environment has become a high priority.
\nBy now, it is pretty evident that the education sector has become a lucrative target of cybercriminals.
\nOne of the critical reasons schools are targeted, is the extensive data they maintain about students and staff, including personally identifiable information (PII), health details, and financial data. These records are a hot commodity on the dark web and are sold in millions for identity theft and fraud.
\nOther security challenges faced by schools, universities, and colleges in the education sector include:
\nA cybersecurity challenge faced by most educational institutions when defending their networks from threats is a shortage of dedicated IT resources—possibly pointing to the lack of funds to invest in cybersecurity.
\nAnother area that could put schools at risk of attack is the legacy IT infrastructure. IT departments must ensure that older equipment and software have the most recent upgrades, or that if manufacturers no longer support them, institutes should voluntarily install new versions.
\nInstitutes allow students to store data on their own devices, tablets, or laptops. Since they work on the same project in laboratories, in classrooms and at their residences, they carry their data on portable drives and connect to whichever computer is available.
\nMost students don't invest in paid antivirus software or anti-malware versions. Also, they download free, pirated apps. So, every time they plug their infected USB into the institute's network, the whole system gets affected.
\n![\"Enterprise](\"/860c267222fd012ab48fe9e6c26d0129/EB-The-Enterprise-Buyer%E2%80%99s-Guide-to-Consumer-Identity.webp\")
Many educational institutions advocate a culture of an open network for students and allow any device to connect within the premises. It is done to promote freedom of free information.
\nBut then, it has its downside too. Open network means that access is not monitored correctly, making it an easy target for cybercriminals to enter the network and wreak havoc.
\nThe majority of educational institutions lack a proper privileged access management system. Role-based access controls (RBAC) offer employees their access to different systems and data sources according to their responsibilities within the institution.
\nPrivileged accounts, like administrative accounts in schools, provide access to specific users that hold liability for critical systems and student's sensitive information.
\nWith each passing year, the specific role of students in the organization changes. They are promoted to the next class, some become alumni, and some may become assistants to teachers or become teachers themselves. Some students may also hold multiple responsibilities at the same time.
\nEducational institutions should authenticate these new identities as soon as they transition to the new role to avoid the burden of a security breach.
\nHigher educational institutes like colleges and universities store higher volumes of sensitive data related to research and other assignments. Moreover, all institutions (—for that matter) store critical alumnus, faculty, and students' data. These are gold mines for intruders to penetrate the networks and pose cyberthreats.
\nFollowing are a few significant ways hackers attack the Edtech sector:
\nA spoofing attack, in context to cybersecurity, happens when someone pretends to be someone else to gain trust to access sensitive network data and spread malware in the process. Spoofing attacks can occur in many different ways, like the widespread email spoofing attacks usually deployed as part of phishing campaigns or caller ID spoofing attacks that are also used to commit fraud.
\nIn educational institutions, attackers target IP address, Domain Name System ( DNS) servers, or Address Resolution Protocol (ARP) services.
\nPassword hijacking, as the term suggests, is a type of attack where hackers gain unauthorized access to the user's login credentials. What's intriguing is hackers do not always adopt a highly technical and sophisticated approach to hack accounts. In many cases, they guess common phrases, such as \"qwerty,\" which ranks high on the list of worst passwords.
\nThe rest of the time, hackers make use of other methods like brute force attacks, dictionary attacks, credential stuffing attacks, etc. to hack into the educational institute's network.
\nCracking of passwords occurs when a hacker deliberately targets a user or a business. They usually send a significant amount of time devising the right kind of attack to break into the victims' network.
\nSpeaking of which, while the victim of credential cracking can be any random user, the effort behind it also means that the victim has been deliberately targeted. It might be a business account, a company's social media accounts, or a premium educational institute with famous alumni.
\nPhishing is a malware attack that tricks victims into revealing their valuable and often sensitive data. Also referred to as a \"phishing scam,\" attackers target login credentials of users, financial data (such as credit cards and bank account details), business data, and everything that could be of high value to hackers.
\nPremium educational institutions have forever been at the risk of phishing attacks, primarily because of their high-value sensitive research data, student-critical data, faculty, or alumni data.
\nA man-in-the-middle attack happens when the cybercriminal intercepts a conversation between the user and the application. You can portray it as the cyber equivalent of eavesdropping done to impersonate one of the hosts.
\nThe hacker may, in this case, plant requests that seem to come from a legitimate source. For example, ask for alumni data that is otherwise deemed confidential.
\n![\"Identity-Management-for-Education\"](\"/999c76c855325833d6201c521f04d88e/Identity-Management-for-Education-1.webp\")
Software applications – apps – are common on campuses nowadays. From in-class polling devices to driving university-wide learning management systems, educational institutions are swiftly adapting to the new trend.
\nThese apps and online platforms play a key role in assisting students and helping modern colleges to operate smoothly by collecting data from faculty and students alike.
\nHowever, these data can be highly sensitive. Sometimes, they include data from students' personal preferences, their knowledge base, and projects they submit through these online portals.
\nTherefore, there will always be a danger looming when new technologies and applications are widely implemented across campuses, and every student or lecturer is expected to use them.
\nA lot of these educational apps may be useful. The school, college, or university faculty may use a few of those as supplemental instructional resources or advocate for additional skills practice.
\nThere is a catch, though! Newbie techies or tech start-ups build most of the new applications and courses launched with little to no background in children's privacy laws.
\nFree apps are more likely to collect user data and monitor children's behaviors to deliver targeted advertising. Moreover, there have been instances where even paid apps were accused of monitoring and using child data for unethical purposes. They collect PII and track precise location information, creating a severe threat to privacy.
\nThen again, apps that claim to be specially designed for educational purposes are not immune either. Some of these apps make money by selling advertising directly on the platform or trading students and faculties' sensitive data such as ethnicity, affluence, religion, lifestyle, etc. to third parties.
\nWith massive personal intellectual property at stake, hackers are willing to work even harder to break into educational institutions than other organizations. Failures in compliance can be extremely damaging, particularly with increased media attention.
\nFollowing are a few international compliance regulations that keep students' data safe amidst the volatile criminal backdrop.
\nThe optimal digital experience for education institutions is the need of the hour. Delivering top-notch experiences to students puts the pressure on customer identity and access management (CIAM) providers to provide a secure platform for their data.
\nHere how identity management for education enhances the user experience of students and faculty.
\nOff late, there has been an amplified need for identity and access management in the education industry. LoginRadius, as a leading provider in its space, offers a number of a scalable, highly integrative set of tools to meet the growing requirement of the modern higher education sector. A few of the particular ones include:
\nThe identity management platform allows institutes to create a central identity across all channels through single sign-on for students and faculty. It also offers modern and robust authentication methods such as multi factor authentication (MFA) with one-time passwords or security questions and more.
\nLoginRadius allows smooth and seamless integration into systems through industry-approved standards like OpenID Connect, OAuth2, and SAML2.0.
\nDefine the roles and permissions on who can access what content and when with LoginRadius. Colleges and universities can delegate admins to teachers, lecturers, and staff and assign their respective roles.
\nBesides, they can work with other faculties by adding users to their groups. Also, professors can divide their students into groups and assign permissions based on their projects.
\nStrengthen security and protect resources with a secure interface (APIs). It detects suspicious behavior within the system, and when the need arises demands a second factor of authentication.
\nFurthermore, it offers excellent user experience, and with SSO on the hook, it encourages users to choose a strong password for their accounts. As a cloud-based identity management platform, LoginRadius is always updated with the latest security mechanisms.
\nThe identity platform is compliant with all major international data regulation policies, including the EU's GDPR and California's CCPA. To meet the high identity management of education requirements, it offers more transparency about accepted consents, secured access, and excellent user experience.
\nThe identity management solution is compatible with major security programs. Major certifications include OpenID for end-user identity verification, PCI DSS PCI SSC administered standard for fee and salary transactions, ISO 27001:2013, 2015 for information security, AICPA SOC 2 (Type II) for system-level privacy control, and ISAE 3000 for the protection of non-financial information.
\nOther certifications include ISAE 3000, NIST Cybersecurity Framework, CSA CCM Level 1, Level 2, CIS Critical Security Controls, US Privacy Shield Complaint, and ISO/IEC 27018:2019.
\nGiven this rapid upgrade in the classroom environment, experts are curious whether acceptance of online learning would continue to exist in the post-pandemic world, and whether such a move will affect the pressure of identity management on educational institutions.
\nIf it does (which sure, will), LoginRadius will certainly complement the complex, and unique CIAM needs for schools, colleges, and universities across the globe.
\n![\"book-a-demo-loginradius\"](\"/1bebf239d110701b9b534d7eb481a5ac/BD-Plexicon1-1024x310.webp\")
This post will cover a demo working setup of a service mesh architecture using Envoy using a demo application. In this service mesh architecture, we will be using Envoy proxy for both control and data plane. The setup is deployed in a Kubernetes cluster using Amazon EKS.
\nWe will be deploying an echo-grpc test application provided by Google in their article related to gRPC load balancing and was used as a reference to test the service mesh setup with Envoy. The article covers setting up Envoy as an edge proxy only.\nThis is a simple gRPC application that exposes a unary method that takes a string in the content request field and responds with the content unaltered.\nRepo: grpc-gke-nlb-tutorial
\nkubectl create namespace envoygo get github.com/fullstorydev/grpcurlConfiguration of envoy for the sidecar deployment:
\nenvoy-echo.yaml:
\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: envoy-echo\ndata:\n envoy.yaml: |\n static_resources:\n listeners:\n - address:\n socket_address:\n address: 0.0.0.0\n port_value: 8786\n filter_chains:\n - filters:\n - name: envoy.http_connection_manager\n config:\n access_log:\n - name: envoy.file_access_log\n config:\n path: "/dev/stdout"\n codec_type: AUTO\n stat_prefix: ingress_https\n route_config:\n name: local_route\n virtual_hosts:\n - name: https\n domains:\n - "*"\n routes:\n - match:\n prefix: "/api.Echo/"\n route:\n cluster: echo-grpc\n http_filters:\n - name: envoy.health_check\n config:\n pass_through_mode: false\n headers:\n - name: ":path"\n exact_match: "/healthz"\n - name: "x-envoy-livenessprobe"\n exact_match: "healthz"\n - name: envoy.router\n config: {}\n clusters:\n - name: echo-grpc\n connect_timeout: 0.5s\n type: STATIC\n lb_policy: ROUND_ROBIN\n http2_protocol_options: {}\n load_assignment:\n cluster_name: echo-grpc\n endpoints:\n - lb_endpoints:\n - endpoint:\n address:\n socket_address:\n address: "127.0.0.1"\n port_value: 8081\n health_checks:\n timeout: 1s\n interval: 10s\n unhealthy_threshold: 2\n healthy_threshold: 2\n grpc_health_check: {}\n admin:\n access_log_path: "/dev/stdout"\n address:\n socket_address:\n address: 127.0.0.1\n port_value: 8090A couple things to note here.
\n*, allowing all domains to pass-through.Run:\nkubectl apply -f envoy-echo.yaml -n envoy
Deployment of echo-grpc application with 3 replicas. The config contains two containers, one for application and another being the Envoy image.
\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: echo-grpc\nspec:\n replicas: 3\n selector:\n matchLabels:\n app: echo-grpc\n template:\n metadata:\n labels:\n app: echo-grpc\n spec:\n containers:\n - name: echo-grpc\n image: <hub-username>/echo-grpc\n imagePullPolicy: Always\n resources: {}\n env:\n - name: "PORT"\n value: "8081"\n ports:\n - containerPort: 8081\n readinessProbe:\n exec:\n command: ["/bin/grpc_health_probe", "-addr=:8081"]\n initialDelaySeconds: 1\n livenessProbe:\n exec:\n command: ["/bin/grpc_health_probe", "-addr=:8081"]\n initialDelaySeconds: 1\n - name: envoy\n image: envoyproxy/envoy:v1.9.1\n resources: {}\n ports:\n - name: https\n containerPort: 443\n volumeMounts:\n - name: config\n mountPath: /etc/envoy\n volumes:\n - name: config\n configMap:\n name: envoy-echoHere, echo-grpc is test application and envoy is being deployed in the same pod. Config volumes are mounted so that the envoy can read the configmaps.
\nRun:\nkubectl apply -f echo-deployment.yaml -n envoy
We are using headless service for echo-grpc. Using service as headless will expose the Pods IP to the DNS server of kubernetes which will be used by Envoy to do service discovery for the pods.
\necho-service.yaml
\napiVersion: v1\nkind: Service\nmetadata:\n name: echo-grpc\nspec:\n type: ClusterIP\n clusterIP: None\n selector:\n app: echo-grpc\n ports:\n - name: http2-echo\n protocol: TCP\n port: 8786\n - name: http2-service\n protocol: TCP\n port: 8081In the above config file, we are exposing two ports, one for envoy sidecar (this is the same port we mentioned in the config map of sidecar envoy) and one for the service itself.
\nRun:\nkubectl apply -f echo-service.yaml -n envoy
Creating a service of type LoadBalancer so that client can access the backend service.
\nenvoy-service.yaml:
\napiVersion: v1\nkind: Service\nmetadata:\n name: envoy\nspec:\n type: LoadBalancer\n selector:\n app: envoy\n ports:\n - name: https\n protocol: TCP\n port: 443\n targetPort: 443Run:\nkubectl apply -f envoy-service.yaml -n envoy
Since we are deploying front envoy LoadBalancer on port 443, we have to create a self-signed certificate to make it terminate SSL/TLS connection.
\nkubectl describe svc/envoy -n envoynslookup <your load balancer aadess>openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout privkey.pem -out cert.pem -subj \"/CN=<ip-address>\"kubectl create secret tls envoy-certs --key privkey.pem --cert cert.pem --dry-run -o yamlConfiguration for the edge Envoy:
\nenvoy-configmap.yaml
\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: envoy-conf\ndata:\n envoy.yaml: |\n static_resources:\n listeners:\n - address:\n socket_address:\n address: 0.0.0.0\n port_value: 443\n filter_chains:\n - filters:\n - name: envoy.http_connection_manager\n config:\n access_log:\n - name: envoy.file_access_log\n config:\n path: "/dev/stdout"\n codec_type: AUTO\n stat_prefix: ingress_https\n route_config:\n name: local_route\n virtual_hosts:\n - name: https\n domains:\n - "*"\n routes:\n - match:\n prefix: "/api.Echo/"\n route:\n cluster: echo-grpc\n http_filters:\n - name: envoy.health_check\n config:\n pass_through_mode: false\n headers:\n - name: ":path"\n exact_match: "/healthz"\n - name: "x-envoy-livenessprobe"\n exact_match: "healthz"\n - name: envoy.router\n config: {}\n tls_context:\n common_tls_context:\n tls_certificates:\n - certificate_chain:\n filename: "/etc/ssl/envoy/tls.crt"\n private_key:\n filename: "/etc/ssl/envoy/tls.key"\n clusters:\n - name: echo-grpc\n connect_timeout: 0.5s\n type: STRICT_DNS\n lb_policy: ROUND_ROBIN\n http2_protocol_options: {}\n load_assignment:\n cluster_name: echo-grpc\n endpoints:\n - lb_endpoints:\n - endpoint:\n address:\n socket_address:\n address: echo-grpc.envoy.svc.cluster.local\n port_value: 8786\n health_checks:\n timeout: 1s\n interval: 10s\n unhealthy_threshold: 2\n healthy_threshold: 2\n grpc_health_check: {}\n admin:\n access_log_path: "/dev/stdout"\n address:\n socket_address:\n address: 127.0.0.1\n port_value: 8090Since we will be offloading HTTPS, we are using port_value of 443. Most of the configurations are same as of sidecar envoy except for three things:
\nRun:\nkubectl apply -f envoy-configmap.yaml -n envoy
envoy-deployment.yaml
\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: envoy\nspec:\n replicas: 2\n selector:\n matchLabels:\n app: envoy\n template:\n metadata:\n labels:\n app: envoy\n spec:\n containers:\n - name: envoy\n image: envoyproxy/envoy:v1.9.1\n resources: {}\n ports:\n - name: https\n containerPort: 443\n volumeMounts:\n - name: config\n mountPath: /etc/envoy\n - name: certs\n mountPath: /etc/ssl/envoy\n readinessProbe:\n httpGet:\n scheme: HTTPS\n path: /healthz\n httpHeaders:\n - name: x-envoy-livenessprobe\n value: healthz\n port: 443\n initialDelaySeconds: 3\n livenessProbe:\n httpGet:\n scheme: HTTPS\n path: /healthz\n httpHeaders:\n - name: x-envoy-livenessprobe\n value: healthz\n port: 443\n initialDelaySeconds: 10\n volumes:\n - name: config\n configMap:\n name: envoy-conf\n - name: certs\n secret:\n secretName: envoy-certsRun:\nkubectl apply -f envoy-deployment.yaml -n envoy
Proto file for the echo-grpc service:
\nccho.proto:
\nsyntax = "proto3";\n\npackage api;\n\nservice Echo {\n rpc Echo (EchoRequest) returns (EchoResponse) {}\n}\n\nmessage EchoRequest {\n string content = 1;\n}\n\nmessage EchoResponse {\n string content = 1;\n}Run the following command to call the server:\ngrpcurl -d '{\"content\": \"echo\"}' -proto echo.proto -insecure -v <load_balancer_or_external_ip>:443 api.Echo/Echo
The output will be similar to something like this:
\nResolved method descriptor:\nrpc Echo ( .api.EchoRequest ) returns ( .api.EchoResponse );\n\nRequest metadata to send:\n(empty)\n\nResponse headers received:\ncontent-type: application/grpc\ndate: Wed, 27 Feb 2019 04:40:19 GMT\nhostname: echo-grpc-5c4f59c578-wcsvr\nserver: envoy\nx-envoy-upstream-service-time: 0\n\nResponse contents:\n{\n "content": "echo"\n}\n\nResponse trailers received:\n(empty)\nSent 1 request and received 1 responseRun the above command multiple times and check the value of the hostname field every time which will contain the pod name of one of the 3 pods deployed.
\nThere is a constant need for compliance and security in every industry that uses customer identities for tracking records, transactions, or any other activity. As such the advantages of audit trails are multidimensional - from generating historical reports, crime investigation, future budget planning, audit compliance, risk management, and many more.
\nThe LoginRadius’ recently announced Consumer Audit Trail detects threats in real-time, manages incident response, and if need be, even performs a forensic investigation on past security incidents. It also turns log entries, and events from security systems, into actionable information.
\nAdditionally, it prepares audits for compliance purposes, provides the functionality to track user engagement, and gain an in-depth understanding of customer behavioral metrics.
\nThe ability to track back records to their source comes with a lot of benefits. Transparency, compliance, accountability, and security of sensitive information are a few of them.
\nThrough real-time monitoring, businesses can automate audit logs and use them to identify unusual activities or operational issues.
\nIn addition, audit logs can be used to gain deeper insights into an identity cloud environment. This information improves the application's performance and maintainability and automates actions that otherwise require manual intervention.
\n![\"Core](\"/193ad9e5787c0b78cfd32c255b43f049/Core-Capabilities-of-LoginRadius-Consumer-Audit-Trail.webp\")
![\"Consumer](\"/f9ff67826fdb4033fb4b08f715b60c1e/DS-Cosumer-Audit-Trail-1024x310.webp\")
The world that we live in today falls under several regulatory laws - be it the EU's GDPR, California's CCPA, or any other international statutes. It is a good practice to maintain a reliable and accurate audit log and trail system.
\nThe LoginRadius' Consumer AuditTrail feature plays a vital role in the maintenance, security, availability, and integrity of the records so businesses can understand the bigger picture in the cybersecurity threat landscape.
\n![\"book-a-free-demo-loginradius\"](\"/788a6a84e389edac18728007099fdc1d/Book-a-free-demo-request-1024x310.webp\")
Kafka Streams is a Java library developed to help applications that do stream processing built on Kafka. To learn about Kafka Streams, you need to have a basic idea about Kafka to understand better. If you’ve worked with Kafka before, Kafka Streams is going to be easy to understand.
\nKafka Streams is a streaming application building library, specifically applications that turn Kafka input topics into Kafka output topics. Kafka Streams enables you to do this in a way that is distributed and fault-tolerant, with succinct code.
\nStream processing is the ongoing, concurrent, and record-by-record real-time processing of data.
\nLet us get started with some highlights of Kafka Streams:
\nThere are two individual processors in the topology:
\n![\"Toplogy](\"/a6722490a32c205bf1f07a2796039933/streams-architecture-topology.webp\")
There is actually a close relationship between streams and tables, the so-called stream-table duality
\nLet's Start with the Setup using Scala instead of Java. The Kafka Streams DSL for Scala library is a wrapper over the existing Java APIs for Kafka Streams DSL.
\nTo Setup things, we need to create a KafkaStreams Instance. It needs a topology and configuration (java.util.Properties). We also need a input topic and output topic. Let's look through a simple example of sending data from an input topic to an output topic using the Streams API
You can create a topic using the below commands (need to have Kafka pre installed)
\nkafka-topics --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic inputTopic\nkafka-topics --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic outputTopicval config: Properties = {\n val properties = new Properties()\n properties.put(StreamsConfig.APPLICATION_ID_CONFIG, "your-application")\n properties.put(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092")\n properties.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "latest")\n properties.put(StreamsConfig.PROCESSING_GUARANTEE_CONFIG, StreamsConfig.EXACTLY_ONCE)\n properties.put(StreamsConfig.DEFAULT_KEY_SERDE_CLASS_CONFIG, Serdes.String())\n properties.put(StreamsConfig.DEFAULT_VALUE_SERDE_CLASS_CONFIG, Serdes.String())\n properties\n }StreamsBuilder provide the high-level Kafka Streams DSL to specify a Kafka Streams topology.
\nval builder: StreamsBuilder = new StreamsBuilderCreates a KStream from the specified topics.
\nval inputStream: KStream[String,String] = builder.stream(inputTopic, Consumed.`with`(Serdes.String(), Serdes.String()))Store the input stream to the output topic.
\ninputStream.to(outputTopic)(producedFromSerde(Serdes.String(),Serdes.String())Starts the Streams Application
\nval kEventStream = new KafkaStreams(builder.build(), config)\nkEventStream.start()\nsys.ShutdownHookThread {\n kEventStream.close(10, TimeUnit.SECONDS)\n }You can send data to the input topic using
\nkafka-console-producer --broker-list localhost:9092 --topic inputTopicAnd can fetch the data from the output topic using
\nkafka-console-consumer --bootstrap-server localhost:9092 --topic outputTopic --from-beginningYou can add the necessary dependencies in your build file for sbt or pom file for maven. Below is an example for build.sbt.
\n// Kafka\nlibraryDependencies += "org.apache.kafka" %% "kafka-streams-scala" % "2.0.0"\nlibraryDependencies += "javax.ws.rs" % "javax.ws.rs-api" % "2.1" artifacts( Artifact("javax.ws.rs-api", "jar", "jar")) // this is a workaround. There is an upstream dependency that causes trouble in SBT builds.Let us modify the code a little bit to try out a WordCount example:\nThe code splits the sentences into words and groups by word as a key and the number of occurences or count as value and is being sent to the output topic by converting the KTable to KStream.
\nval textLines: KStream[String, String] = builder.stream[String, String](inputTopic)\nval wordCounts: KTable[String, Long] = textLines\n\t\t.flatMapValues(textLine => textLine.toLowerCase.split("\\\\W+"))\n\t\t.groupBy((_, word) => word)\n\t\t.count()(materializedFromSerde(Serdes.String(),Serdes.Long()))\n\twordCounts.toStream.to(outputTopic)(producedFromSerde(Serdes.String(),Serdes.Long())With the above process, we can now implement a simple streaming application or a word count application using Kafka Streams in Scala. If you want to set up kafka on Windows, here is a quick guide to implement apache kafka on windows OS.
\n","frontmatter":{"date":"July 01, 2020","updated_date":null,"description":"Learn about Kafka Streams, key concepts and highlights with simple streaming or a word count application using Kafka Streams in Scala","title":"Kafka Streams: A stream processing guide","tags":["Scala","Kafka","Kafka Streams"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/0b37b7b26ad97126a6657a2447528848/58556/header.webp","srcSet":"/static/0b37b7b26ad97126a6657a2447528848/61e93/header.webp 200w,\n/static/0b37b7b26ad97126a6657a2447528848/1f5c5/header.webp 400w,\n/static/0b37b7b26ad97126a6657a2447528848/58556/header.webp 800w,\n/static/0b37b7b26ad97126a6657a2447528848/99238/header.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Priyadarshan Mohanty","github":"priyadarshan1995","avatar":null}}}}]},"markdownRemark":{"excerpt":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards…","fields":{"slug":"/identity/developer-first-identity-provider-loginradius/"},"html":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences.
\nWe’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way.
\nThe goal? Having them spend less time searching and more time building.
\nLoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible.
\nHere’s a closer look at what’s new and why it’s important:
\n![\"This](\"/f46881583c7518a93bb24e94c32320de/a-developer-friendly-dark-theme.webp\")
Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference.
\nThe new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter.
\nSo, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient.
\n![\"This](\"/e5358b82be414940f3fb146013845933/capabilities.webp\")
We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need:
\nThis structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem.
\n![\"This](\"/a8c155c2b6faf3d5f4b4de4e2b14d763/developers-menu.webp\")
We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available.
\nThe new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions.
\n![\"This](\"/b2f9a964a2da0ea83e2f8596b833bba7/we-support-your-tech-stack.webp\")
Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs.
\nOur platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks.
\nCheck out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications.
\nDo not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!
\n","frontmatter":{"date":"February 21, 2025","updated_date":null,"description":"LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve redesigned our website interface, making navigation more intuitive and reassuring that essential resources are easily accessible.","title":"Revamped & Ready: Introducing the New Developer-First LoginRadius Website","tags":["Developer tools","API","Identity Management","User Authentication"],"pinned":true,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7857142857142858,"src":"/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp","srcSet":"/static/80b4e4fbe176a10a327d273504607f32/61e93/hero-section.webp 200w,\n/static/80b4e4fbe176a10a327d273504607f32/1f5c5/hero-section.webp 400w,\n/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp 800w,\n/static/80b4e4fbe176a10a327d273504607f32/99238/hero-section.webp 1200w,\n/static/80b4e4fbe176a10a327d273504607f32/7c22d/hero-section.webp 1600w,\n/static/80b4e4fbe176a10a327d273504607f32/1258b/hero-section.webp 2732w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.webp"}}}},"pageContext":{"limit":6,"skip":774,"currentPage":130,"type":"///","numPages":164,"pinned":"ee8a4479-3471-53b1-bf62-d0d8dc3faaeb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}