OCI APIGW & JWT for invoking OIC with/without credentials — Part II
To invoke any Integration created in OIC, the caller has to pass credentials, i.e. an OIC username and password.
Most of the Integrations we develop are triggered by external applications or vendors. If we don't want to take the risk of sharing either the exact Integration endpoint or the OIC credentials with them, we can follow any of the methods below.
In my previous blog, I discussed Method 1 & Method 2 here, i.e.,
Method 1 → Invoking Integration where the end user needs to pass OIC credentials
Method 2 → Invoking Integration where no credentials are passed by the end user
In this blog, we will discuss how to use OCI APIGW with JWT & Functions to call OIC via Method 3 & Method 4.
Method 3 → Invoking Integration where the end user needs to pass a Bearer token, which can be refreshed.
In this method we share a ClientID, ClientSecret, Access Token URL and scope, which the end user uses to generate a bearer token and invoke our Integration.
Pros → The Integration and OIC instance endpoints are not exposed, and OIC credentials need not be shared with the end user. Only those who have the ClientID, ClientSecret, Access Token URL, scope & APIGW endpoint for the Integration can trigger it.
Cons → As in Method 2, the OIC credentials are configured on the APIGW deployment route (Base64-encoded, in a header transformation). Keep in mind that Base64 is an encoding, not encryption: anyone who can read the deployment configuration in the OCI console or through the OCI API can recover the password, so what actually protects it is the IAM policy on the API Gateway deployment. That shouldn't be an issue as long as we do not give the end user, or anyone who doesn't administer the gateway, access to the OCI console or to that deployment.
To share ClientID, ClientSecret & Scope with the end user, we first need to generate them by creating an Auth Resource Server application and a Client application in IDCS.
You can fetch your IDCS console URL from the OCI Console (Identity & Security → Federation → Oracle Identity Cloud Service).
Create a Confidential Application here by clicking on Add.
Give a name to the Server application and click "Next".
The Client screen can be skipped by clicking "Next".
On the Resources screen, choose "Configure this application as a resource server". Populate Primary Audience with the OCI APIGW host (this must be the same value you later put in Allowed Audiences of the APIGW JWT policy, otherwise the gateway rejects the token) and add a scope by giving it a name (I gave it "/oic-scope"). You can also change the default "Access token expiration" value as required.
Click "Next", "Finish" and "Activate" the application.
Now let us create a client application, in which we choose the server application created above.
Create a Confidential Application as above by clicking on Add, give a name to your application and click "Next".
Choose "Configure this application as a client now" and choose Allowed Grant Types "Client Credentials" & "JWT Assertion". Then click on Add Scope, choose the Auth Resource Server created earlier, click on the > to the right of it and click on "Add".
Click "Next", "Finish" and "Activate" the application.
In the Client Application we just created, under Configuration → General Information, we will find the Client ID & Client Secret.
This completes creation of the applications in IDCS.
Now, let us configure JWT authorization on the APIGW deployment.
Go to API Gateway and create a deployment. Configure JWT under Deployment → API Request Policies → Authentication.
Set Authentication Type → JWT, Authentication Token → Header, Header name → Authorization, Authentication Scheme → Bearer, Allowed Issuers → https://identity.oraclecloud.com, Allowed Audiences → APIGW host (the same value used as Primary Audience in IDCS), Public Key Type → Static Keys, Key ID → SIGNING_KEY, Format → JSON Web Key.
To populate the JSON Web Key section, you need a key in the following shape:
{"format":"JSON_WEB_KEY","kid":"SIGNING_KEY","kty":"RSA","use":"sig","alg":"RS256","n":"","e":"AQAB"}
The values for these fields can be fetched as below:
In the IDCS Console, go to Settings → Default Settings, toggle ON the Access Signing Certificate option and Save.
Now download the JWKS document by opening https://<YOUR-IDCS-URL>/admin/v1/SigningCert/jwk in your browser (replace <YOUR-IDCS-URL> with your IDCS URL) and save the output. Once you have saved this data you can turn the Access Signing Certificate option back off.
From this output, copy the matching field values (kid, kty, use, alg, n, e) into the JSON_WEB_KEY above and paste it into the Authentication section of the APIGW deployment. Two things to check: the kid in the static key must be exactly the kid IDCS puts in the token header (SIGNING_KEY here), and a static key does not follow a signing key rotation in IDCS, so if IDCS ever rotates its key the deployment starts rejecting every token until the static key is updated (the Remote JWKS public key type avoids this by letting the gateway fetch the current key itself).
Once done, click Apply Changes, add the HelloWorld Integration endpoint on the next screen, add the OIC credentials under Header Transformation as done in Method 2 and complete the deployment.
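To make the checks behind that Authentication configuration concrete, here is an added example (not code from the original post or from Oracle) that reproduces, in pure Python and fully offline, what the APIGW JWT policy does with the static key: it turns a JWKS document of the shape served by /admin/v1/SigningCert/jwk into the JSON_WEB_KEY entry above, mints an RS256 token the way IDCS would, and then applies the same decisions the policy applies (Bearer scheme in the Authorization header, kid match, alg pinned to the configured key rather than taken from the token, signature, allowed issuer, allowed audience, expiry). The RSA key pair is generated on the fly as a stand-in for the IDCS signing key, and APIGW_HOST, the JWKS document and the claims are constructed placeholders, not real IDCS output.

```python
"""Added example (not from the original post): the APIGW JWT policy reproduced in pure Python so it
runs offline. A generated RSA key stands in for the IDCS signing key; JWKS and claims are constructed."""
import base64, hashlib, json, random, time

APIGW_HOST = "https://apigw.example.com"               # assumption: gateway host used as Primary Audience
ALLOWED_ISSUERS = ["https://identity.oraclecloud.com"]  # the issuer the post configures

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin, only for the stand-in key
    if n < 2 or n % 2 == 0 or any(n % p == 0 for p in (3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)   # witness passes if a^d == 1 or some a^(2^i d) == -1
        if x != 1 and not any((x := pow(x, 2, n) if i else x) == n - 1 for i in range(r)):
            return False
    return True

def generate_rsa_keypair(bits: int = 1024):
    """Returns (n, e, d); e = 65537 is the 'AQAB' seen in the IDCS JWK."""
    e, half = 65537, bits // 2
    rand_odd = lambda: random.getrandbits(half) | (1 << (half - 1)) | 1   # full-length odd candidate
    while True:
        p, q = (next(c for c in iter(rand_odd, None) if _probable_prime(c)) for _ in range(2))
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()  # DigestInfo
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, k)

def jwks_to_apigw_static_key(jwks: dict, kid: str = "SIGNING_KEY") -> dict:
    """Lift the key with the wanted kid out of /admin/v1/SigningCert/jwk output into the Static Keys shape."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA":
            return {"format": "JSON_WEB_KEY", "use": "sig", "alg": "RS256",
                    **{k: v for k, v in key.items() if k in ("kid", "kty", "use", "alg", "n", "e")}}
    raise KeyError(f"no RSA key with kid={kid!r} in JWKS")

def mint_token(claims: dict, n: int, d: int, kid: str = "SIGNING_KEY") -> str:
    """Stand-in for the access token IDCS returns from /oauth2/v1/token (compact RS256 JWT)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': kid})}.{enc(claims)}"
    return f"{signing_input}.{b64url_encode(rs256_sign(signing_input.encode(), n, d))}"

def validate_bearer(authorization: str, static_key: dict, issuers, audiences, now=None):
    """Mirror the gateway policy: Bearer scheme, kid match, alg pinned to the configured key
    (never trusted from the header), signature, iss, aud, exp. Returns (ok, claims or reason)."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "expected 'Authorization: Bearer <jwt>'"
    h64, p64, s64 = token.split(".")
    try:
        header, payload, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64)), b64url_decode(s64)
    except ValueError:
        return False, "malformed token"
    if not (isinstance(header, dict) and isinstance(payload, dict)) \
            or header.get("alg") != static_key["alg"] or header.get("kid") != static_key["kid"]:
        return False, "malformed token or alg/kid does not match the configured static key"
    n, e = (int.from_bytes(b64url_decode(static_key[k]), "big") for k in ("n", "e"))
    if not rs256_verify(f"{h64}.{p64}".encode(), sig, n, e):
        return False, "bad signature"
    if payload.get("iss") not in issuers:
        return False, "issuer not allowed"
    aud = payload.get("aud", [])
    if not set(aud if isinstance(aud, list) else [aud]) & set(audiences):
        return False, "audience not allowed"
    if payload.get("exp", 0) <= (now if now is not None else int(time.time())):
        return False, "token expired"
    return True, payload

def demo() -> dict:  # constructed end-to-end run returning the accept/reject decisions
    n, e, d = generate_rsa_keypair()
    jwks = {"keys": [{"kid": "SIGNING_KEY", "kty": "RSA", "use": "sig", "alg": "RS256",
                      "n": b64url_encode(n.to_bytes(128, "big")), "e": b64url_encode(e.to_bytes(3, "big"))}]}
    static_key = jwks_to_apigw_static_key(jwks)
    now = int(time.time())
    claims = {"iss": ALLOWED_ISSUERS[0], "aud": [APIGW_HOST], "scope": "/oic-scope", "iat": now, "exp": now + 3600}
    other_n, _, other_d = generate_rsa_keypair()  # a signer the gateway was never configured with
    ok = lambda tok: validate_bearer(f"Bearer {tok}", static_key, ALLOWED_ISSUERS, [APIGW_HOST], now)[0]
    return {"static_key_e": static_key["e"], "valid": ok(mint_token(claims, n, d)),
            "wrong_audience": ok(mint_token({**claims, "aud": ["https://other.example.com"]}, n, d)),
            "expired": ok(mint_token({**claims, "exp": now - 1}, n, d)),
            "foreign_key": ok(mint_token(claims, other_n, other_d))}
```

Running demo() accepts the properly issued token and rejects the same token re-issued for another audience, an expired one, and one signed by a key the gateway was never given; that last case is why the static key on the deployment has to be the IDCS key and nothing else. The order of checks (cheap structural checks, then the signature, then claims) matters in practice because issuer, audience and expiry are only meaningful once the signature proves the claims are the ones IDCS signed.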
Now, to test it from Postman, populate the details as below:
Choose Authorization Type "OAuth 2.0" with Grant Type "Client Credentials". ClientID, ClientSecret & Scope can be fetched from the Client application created in IDCS. Access Token URL → https://<Your-IDCS-URL>/oauth2/v1/token.
Click on Get New Access Token once you have filled in the above details, then click Use Token. This populates the token in the Access Token section of your Authorization tab, and the request to the APIGW deployment endpoint is sent with it as a Bearer token.
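The same Postman steps as a script the end user (vendor) could run, added here as an example rather than taken from the post: it performs the client-credentials grant against the IDCS token endpoint with the ClientID/ClientSecret in an HTTP Basic header, checks that what came back is actually a bearer token, and then calls the APIGW deployment with Authorization: Bearer. IDCS_URL, APIGW_URL and the credentials are placeholders; the scope value is assumed to be the one the IDCS client application displays, i.e. the resource server's Primary Audience followed by the scope name (https://<apigw-host>/oic-scope).

```python
"""Added example (not from the original post): the Postman steps as a script a vendor could run.
IDCS_URL, APIGW_URL and the client id/secret are placeholders, not values from the post."""
import base64
import json
import urllib.parse
import urllib.request

IDCS_URL = "https://idcs-example.identity.oraclecloud.com"   # assumption: your IDCS URL
APIGW_URL = "https://apigw.example.com/oic/helloworld"       # assumption: your deployment route


def build_token_request(idcs_url: str, client_id: str, client_secret: str, scope: str):
    """Client-credentials grant against <IDCS>/oauth2/v1/token: id and secret travel in an HTTP
    Basic header (so over TLS only), grant_type and scope in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return f"{idcs_url.rstrip('/')}/oauth2/v1/token", headers, body


def parse_token_response(raw: str):
    """Returns (access_token, expires_in_seconds); refuses anything that is not a bearer token."""
    data = json.loads(raw)
    if not isinstance(data, dict) or "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token response: {raw[:200]}")
    return data["access_token"], int(data.get("expires_in", 0))


def build_api_request(apigw_url: str, access_token: str, payload: dict):
    """The call the gateway's JWT policy inspects: Authorization: Bearer <token>."""
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return apigw_url, headers, json.dumps(payload)


def post(url: str, headers: dict, body: str) -> str:
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def invoke_integration(client_id: str, client_secret: str, scope: str, payload: dict) -> str:
    """Get a token from IDCS, then call the APIGW deployment with it (this step needs network access)."""
    token, _ = parse_token_response(post(*build_token_request(IDCS_URL, client_id, client_secret, scope)))
    return post(*build_api_request(APIGW_URL, token, payload))
```

The request builders are separated from the network call so the exact bytes sent to IDCS and to the gateway can be inspected (or unit-tested) without credentials; invoke_integration() is the only function that talks to the network. Note that the end user never sees the OIC username/password here: the only secret they hold is the client secret, which can be rotated in IDCS without touching OIC.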
Method 4 → Invoking Integration where the end user passes only a Bearer token (which can be refreshed), and no OIC credentials are hardcoded anywhere on APIGW.
In this method we use OAuth authentication for both APIGW and OIC, so we create IDCS applications for both. The customer calls the APIGW deployment endpoint with a Bearer token; an OCI Function validates that token with IDCS and generates a second token, which is used to call OIC.
The entire process is explained in detail in an existing Oracle blog here.
!!!Happy Reading!!!