1. Endpoint Virtualisation
2. Making it easy to expose a subset of integration endpoints to various clients - this could include 3rd parties.
3. Easy integration with 3rd party identity providers.
4. Ability to leverage a rich set of API Gateway policies - rate limiting etc.
For me, the focus will be on granting access to the following integrations -
AA-Salary-Test-MV supports multiple verbs - GET (get the salary based on empid) and PUT (update salary based on empid).
The rules are very simple - I have 2 sets of clients - users and admins. The users can read salary info, the admins can update salary info.
Net, net - users should be able to invoke the OIC integration AA-SALARY-USERS as well as the GET on AA-SALARY-Test-MV. The admins should be able to invoke all endpoints. Let's begin by looking at the multiple verb integration -
Let's agree to use 2 different scopes to enforce the rules - _userScope and _adminScope.
Many OIC customers require something similar, e.g. different trading partners requiring access to different sets of integrations. I have greatly simplified things here with my 3 integrations, but they will suffice to demonstrate the value-add of the combination API Gateway / IDCS.
Deploy the multi verb integration to API Gateway
Check out the routing rules -
Add a new routing rule /version
Try invoking /version from Postman -
Note that no authentication has been set on the route yet.
Back to the API Gateway - let's secure the api by setting the authentication as follows -
Click Show Advanced Options -
Here I add my 2 scopes -
Validate in IDCS that clients can access the signing certificate - specified above in the Public Keys section.
Now we move to IDCS...
Creating the required applications in IDCS
Let's go through these individually -
AA-Salary-application - this takes care of the resources/scopes.
Note the definition of the 2 scopes _userScope, _adminScope.
AA-Salary-application-admins - this is specifically for admin clients.
Note the scope setting - anyAudience_adminScope
This is the concatenation of the ALLOWED AUDIENCES value and the relevant CLAIM VALUE (here _adminScope).
Think back to the Authentication definition in API Gateway -
A client Id and secret are generated.
I do the same for the users - AA-Salary-application-users - same as the above except for -
I also save the client id and secret generated -
I test the /version endpoint again from Postman -
As expected - Unauthorized.
Now I add the OAuth client details from the "users" app -
Token config is as follows -
Access Token URL set to https://myIDCSURL/oauth2/v1/token
So now we have successfully tested limiting access to only authorised clients - OAuth 2.0 Authorization on OCI API Gateway, courtesy of IDCS.
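To make the two pieces above concrete, here is an added Python example (not code from the post or from Oracle) that builds the client-credentials token request the Postman test sends to the IDCS token URL, and then applies the same scope rule the gateway enforces: the scope claim is the ALLOWED AUDIENCES value followed by the CLAIM VALUE, so anyAudience_userScope unlocks GET and anyAudience_adminScope unlocks GET and PUT. The audience string anyAudience, the client id/secret and the tokens are constructed sample values; the real gateway also verifies the JWT signature against the IDCS public keys, which this snippet does not do.

```python
import base64
import json
from urllib.parse import urlencode

# Token URL from the post; the audience value is an assumption for the example
TOKEN_URL = "https://myIDCSURL/oauth2/v1/token"
ALLOWED_AUDIENCES = ("anyAudience",)
USER_SCOPE, ADMIN_SCOPE = "_userScope", "_adminScope"

def token_request(client_id, client_secret, audience, scope):
    """Build the client-credentials grant Postman posts to IDCS."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    # IDCS expects the requested scope as <audience><claim value>
    body = urlencode({"grant_type": "client_credentials", "scope": audience + scope})
    return TOKEN_URL, headers, body

def claims_of(jwt):
    """Decode the payload segment only; signature validation is the gateway's job."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(claims):
    """Split 'anyAudience_adminScope' into the claim value '_adminScope'."""
    found = set()
    for item in claims.get("scope", "").split():
        for aud in ALLOWED_AUDIENCES:
            if item.startswith(aud):
                found.add(item[len(aud):])
    return found

def authorize(claims, method):
    """Users may read (GET); only admins may update (PUT)."""
    scopes = granted_scopes(claims)
    if method == "GET":
        return bool(scopes & {USER_SCOPE, ADMIN_SCOPE})
    if method == "PUT":
        return ADMIN_SCOPE in scopes
    return False

def sample_jwt(scope_value):
    """Constructed, unsigned token used only to exercise the checks offline."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'scope': scope_value})}."
```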
I now publish the 2 remaining OIC endpoints to API Gateway -
Beginning with the admin only integration - AA-Salary-Admins -
Here I add the same Authentication rule -
I add another route - /version - with the same stock response as in the previous example.
I test this with the client credentials from the users app -
Now with the admin credentials -