In this final post on this theme, I will discuss the authorizer function, which validates the client token and invokes IDCS to generate a new OIC token. API Gateway calls this function, takes the returned token, injects it into the Authorization header of the original request, and then forwards the request to OIC.
An introduction to the authorization function can be found here in the API Gateway docs.
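To make the flow concrete, here is the core of such an authorizer in plain Python. This is an added example, not the code from the original post or from Oracle's samples: it handles the TOKEN-type event API Gateway sends (`{"type": "TOKEN", "token": "Bearer ..."}`) and builds the response shape API Gateway expects (`active`, `principal`, `scope`, `expiresAt`, `context`). The two calls that go to IDCS in real life (introspecting the client token, and obtaining an OIC token with the OIC app's credentials) are passed in as callables and stubbed with constructed data so the logic runs offline; the context key name `oicToken` and the realm string are assumptions. The `fdk` handler wiring and the IDCS HTTP calls are omitted.

```python
"""Core of an OCI API Gateway TOKEN authorizer that swaps a validated client
token for a fresh OIC token. Stdlib only; the IDCS calls are injected."""
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Incoming event (TOKEN authorizer):  {"type": "TOKEN", "token": "Bearer <client token>"}
# Expected response:                  {"active": bool, "principal": str, "scope": [...],
#                                      "expiresAt": "<RFC 3339 UTC>", "context": {key: value}}
# Rejection:                          {"active": false, "wwwAuthenticate": "Bearer realm=..."}

Introspector = Callable[[str], Optional[Dict[str, Any]]]  # client token -> claims, or None if unknown
OicMinter = Callable[[Dict[str, Any]], Tuple[str, int]]   # claims -> (OIC access token, lifetime in s)

# Key under which the OIC token is returned; the gateway's header transformation
# later reads it from the authorizer context (name is an assumption).
OIC_TOKEN_CONTEXT_KEY = "oicToken"


def iso_utc(epoch: float) -> str:
    """expiresAt must be an RFC 3339 timestamp in UTC."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(epoch))


def extract_bearer(header_value: Optional[str]) -> Optional[str]:
    """Return the raw token from an 'Authorization: Bearer x' value, else None."""
    if not header_value:
        return None
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def reject() -> Dict[str, Any]:
    """Deny response; the realm string is a placeholder."""
    return {"active": False, "wwwAuthenticate": 'Bearer realm="oic-api"'}


def handle_authorizer_event(event: Dict[str, Any], introspect: Introspector,
                            mint_oic_token: OicMinter, now: Optional[float] = None) -> Dict[str, Any]:
    """Validate the client token via `introspect`, then mint an OIC token via `mint_oic_token`."""
    now = time.time() if now is None else now
    if event.get("type") != "TOKEN":
        return reject()
    client_token = extract_bearer(event.get("token"))
    if client_token is None:
        return reject()
    claims = introspect(client_token)          # in production: IDCS introspection / JWKS check
    if not claims or not claims.get("active", False):
        return reject()
    client_exp = float(claims.get("exp", 0))
    if client_exp <= now:
        return reject()
    oic_token, oic_ttl = mint_oic_token(claims)  # in production: client_credentials grant to IDCS
    # The gateway caches this decision (and the injected OIC token) until expiresAt,
    # so the cache lifetime must not outlive either token.
    expires_at = min(client_exp, now + oic_ttl)
    raw_scope = claims.get("scope", "")
    scope = raw_scope.split() if isinstance(raw_scope, str) else list(raw_scope)
    return {
        "active": True,
        "principal": claims.get("client_id") or claims.get("sub", "unknown"),
        "scope": scope,
        "expiresAt": iso_utc(expires_at),
        "context": {OIC_TOKEN_CONTEXT_KEY: oic_token},
    }


# --- constructed stubs standing in for the IDCS calls (no network) ---------------
def stub_introspect(token: str) -> Optional[Dict[str, Any]]:
    known = {"client-token-OK": {"active": True, "client_id": "partnerApp",
                                 "scope": "oic.read", "exp": 2_000_000_000}}
    return known.get(token)


def stub_mint_oic_token(claims: Dict[str, Any]) -> Tuple[str, int]:
    return ("constructed-oic-token", 3600)


if __name__ == "__main__":
    event = {"type": "TOKEN", "token": "Bearer client-token-OK"}
    print(handle_authorizer_event(event, stub_introspect, stub_mint_oic_token))
    print(handle_authorizer_event({"type": "TOKEN", "token": "Bearer unknown"},
                                  stub_introspect, stub_mint_oic_token))
```

Two details worth noting for whoever deploys this: the client token is never trusted on its own decoded claims, only on what the introspection step confirms, and `expiresAt` is clamped to the shorter of the two token lifetimes so a cached gateway decision cannot keep forwarding an OIC token that has already expired.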
Net, net, the code will be written in Python, and there are examples already available, thanks to some of my Oracle colleagues. In fact there are how-tos already available out there on OIC and OAuth; however, sometimes details are missing. And, as you all know, the devil lies in the detail. This series of posts has been written with neophytes in mind, i.e. my audience is not expected to be experts in IDCS, OCI Functions etc. - simply folks who need to protect their public-facing OIC endpoints. I got a great deal of help from my colleagues, so -
A big thank you here to Valeria Chiran and Robert Wunderlich!
I begin by creating the OIC app in IDCS -
I also create an app, to be used for validating the client token - it is configured as follows -
Prerequisite IDCS Policies
Allow service FaaS to use virtual-network-family in compartment yourCompartment