OCI APIGW & JWT for invoking OIC with/without credentials — Part I

Santhosh Kumar BVSRK
5 min readJul 2, 2022


To invoke any Integration created in OIC, we need to pass credentials, i.e., a username and password.

Most of the time, the Integrations we develop are triggered by external applications or vendors. If we do not want to take the risk of sharing either the exact Integration endpoint or the OIC credentials needed to hit our Integration, we can follow any of the methods below.

In this blog, we will see the different methods by which we can allow external applications to invoke OIC Integrations.

  1. OCI APIGW with OIC Integration as backend (end user passes OIC creds).
  2. OCI APIGW with OIC Integration as backend (OIC creds are configured at the APIGW route level).
  3. OCI APIGW + JWT with OIC Integration as backend (OIC creds are configured at the APIGW route level).
  4. OCI APIGW + JWT + OCI Functions with OIC Integration as backend (no creds are passed).

Pre-Requisites

Access to an OCI tenancy with the relevant privileges.

Access to an OIC Instance, with a simple Hello World Integration already existing in that Instance.

Access to a public-facing OCI APIGW, with rules configured to allow traffic from the public internet.

Access to fetch the JWK from IDCS.

Access to create applications in IDCS.

NOTE: The above pre-requisites are needed because we will be hitting the OIC HelloWorld Integration from APIGW. For the last method, we will also need a Bearer token (OAuth 2.0), which will be generated by the application we create in IDCS.

Method 1 → Invoking an Integration where the end user needs to pass OIC credentials

In this method, we will have the OIC HelloWorld Integration endpoint as the backend of our APIGW deployment and hit it from Postman by passing OIC credentials.

In this approach, we hide the actual Integration endpoint from the end user.

Pros → The Integration or OIC Instance endpoint is not exposed.

Cons → OIC credentials are shared with the end user. Even if we create a dedicated user in OCI and grant it only the “ServiceInvoker” role, that user will still be able to hit all the Integrations on the Instance.

OIC HelloWorld Integration endpoint

Deployment created on APIGW for the HelloWorld Integration

Integration endpoint configured in APIGW Deployment Route

Configure OIC Integration Endpoint

Once this deployment is completed, you will get the endpoint to hit from Postman (which you can share with the external applications that will be calling your Integration).

APIGW Deployment endpoint

Now, let us configure this endpoint by suffixing it with the Route Path (/REST_HW01 in my case). Here I am passing the OIC credentials under the Authorization section, by choosing the Authorization Type “Basic”.

Method 2 → Invoking an Integration where no credentials are passed by the end user

In this method, the end user directly hits the APIGW endpoint for the Integration, generated exactly as in Method 1 by creating a deployment and adding the HelloWorld Integration endpoint in the Route. The only difference is that we configure the OIC credentials inside the APIGW.

This way, we need not share OIC credentials with the end user. Instead, we configure them at the Route level in the APIGW deployment.

Pros → The Integration or OIC Instance endpoint is not exposed. Credentials need not be shared with the end user.

Cons → As the end user need not pass credentials, anyone who knows the endpoint can hit it.

Passing OIC Credentials in Base64 format in OCI APIGW Route

Here, we need to pass the OIC credentials in Base64 format (the encoding of username:password) and complete the APIGW deployment.

In my case, I have stored my OIC credentials in OCI Vault in Base64 format and copied the value from there.

To store credentials in OCI Vault, follow the steps below:

  1. Create a vault (OCI → Identity & Security → Vault) in a specific compartment.
  2. Create a Master Encryption Key in the vault with any protection mode and algorithm (I chose the HSM protection mode and the AES algorithm).
  3. Once the Master Encryption Key is created, create a Secret: choose the Master Encryption Key created in Step 2 and a Secret Type Template (I chose Plain Text, so that I can come back later to check it when required), and enter your credentials (oicusername:oicpassword) in the Secret Contents section.
  4. Once the Secret is created, you can open it and view the secret contents by clicking the menu against the secret version.
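The two request shapes described above, as an added example that is not part of the original post: Method 1 builds the Basic header on the client, while in Method 2 the client sends no Authorization header and the route-level credential is attached before the call reaches OIC. The endpoint, route path and credentials are constructed placeholders, and `gateway_forward` is a simplified model of the route behaviour, not OCI API Gateway code; `validate_route_secret` is the check worth running on the Base64 value before pasting it into the route, since a trailing newline or a value that is not `user:password` will only show up as a 401 from OIC.

```python
import base64
import binascii

# Constructed sample values (hypothetical endpoint and credentials, not real ones).
OIC_USER = "oic_service_user"
OIC_PASSWORD = "S3cret-Pa55"
APIGW_ENDPOINT = "https://example-gw.apigateway.oci.example/hw"
ROUTE_PATH = "/REST_HW01"


def basic_auth_value(username: str, password: str) -> str:
    """base64(username:password) as RFC 7617 expects, with no trailing newline."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def validate_route_secret(secret_b64: str) -> tuple:
    """Check a value destined for the APIGW route (or OCI Vault) is a usable Basic credential.

    Rejects stray whitespace (e.g. the newline that `echo` appends before piping to
    base64), input that is not strict base64, and payloads without a user:password
    separator. Returns the decoded (user, password) pair.
    """
    if secret_b64 != secret_b64.strip():
        raise ValueError("credential has leading/trailing whitespace or a newline")
    try:
        decoded = base64.b64decode(secret_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid base64(user:password): {exc}") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user or not password:
        raise ValueError("decoded secret is not in user:password form")
    return user, password


def method1_request(username: str, password: str) -> dict:
    """Method 1: the caller supplies the OIC credential on every request."""
    return {"url": APIGW_ENDPOINT + ROUTE_PATH,
            "headers": {"Authorization": "Basic " + basic_auth_value(username, password)}}


def method2_request() -> dict:
    """Method 2: the caller sends nothing; the gateway route holds the credential."""
    return {"url": APIGW_ENDPOINT + ROUTE_PATH, "headers": {}}


def gateway_forward(client_request: dict, route_secret_b64: str) -> dict:
    """Simplified model of the route-level step: attach the stored credential towards OIC."""
    validate_route_secret(route_secret_b64)
    headers = dict(client_request["headers"])
    headers["Authorization"] = "Basic " + route_secret_b64  # route value wins over client value
    return {"url": client_request["url"], "headers": headers}
```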

Now, let us test this APIGW endpoint from Postman as we did in Method 1, but this time without passing any credentials.

We will continue discussing the remaining methods to invoke OIC in my next blog here, as this blog is already getting long and you will lose interest scrolling through it.

!!! Happy Reading !!!
