Oracle® Communications Services Gatekeeper OAuth Guide Release 5.1 E37521-01 |
|
|
PDF · Mobi · ePub |
This chapter explains how to protect Oracle Communications Services Gatekeeper (Services Gatekeeper) resources with the Open Authorization Protocol (OAuth). It starts with information you need to understand about the OAuth technology, then explains the deployment procedure, and finally lists some examples to help you understand the process.
This section describes OAuth resource management as supported by Services Gatekeeper.
You can use OAuth to protect a communication services by mapping that communication services to an OAuth resource.
In order to protect an API with OAuth, you model the API method as an OAuth resource, one API to one resource. Resource mapping involves creating a unique scopeId
to represent the resource, and then mapping it to the API and method names.
You can also define additional context parameters for the resource to use as targets for custom interceptors. These parameters may or may not map directly to the API method parameters.
You can create multiple resources for a single communication service. In this case, resources are aggregated and defined as XML elements in a single XML file. The scopeId
defined in this XML file is used as part of the scope
submitted during an authorization grant request. Created resources need to be mapped to the resource owners (identified by subscriber tel:/sip: URIs). resource owners then issue authorization grants to the scopeIds
(resources) that they own.
See "Understanding the OAuth Resource Format" for details on the resource format and a resource example.
As an OAuth Resource Server, Services Gatekeeper manages the protected resources contained within a service provider's network and accepts and responds to third-party application requests for access to protected resources.
In Services Gatekeeper, a resource is considered a method of a communication service. Resources have subresources that further define specific methods. Authorization grants to a resource also apply to its subresources. For example, for a payment communication service, a resource called amountTransaction can be created for charging transactions. A subresource called checkTransactionStatus is a method used to query the status of a charging transaction.
As an OAuth Authorization Server, Services Gatekeeper obtains a subscriber's permission for access to protected resources when an application makes a request. Services Gatekeeper issues a token to the client application, which is used to access protected resources without requiring the resource owner to provide actual credentials.
When a client application requests access to a protected resource, the Services Gatekeeper REST handler initially checks the request, ensuring that the body contains the needed authorization information. If the request is valid, Services Gatekeeper forwards the request onto the proper communication service. An OAuth interceptor verifies that the token contained in the request is valid before completing the request. Services Gatekeeper then sends a response back to the client application.
As an Authentication Server, Services Gatekeeper maintains a subscriber database used to store the owners of protected resources. OAuth 2.0 resource owners in Services Gatekeeper must be setup as subscribers in the Authentication Server first. The Authentication Server is used to authenticate subscribers, as resource owners, before initiating authorization to protected resources.
The included Authentication Server is intended for OAuth 2.0 demonstration and development purposes.
Services Gatekeeper contains a JMX interface for uploading resource mapping files. The interface name is included in the OAuthResourceMBean, which can be accessed with the OAM WebLogic interface or using the Services Gatekeeper Platform Test Environment (PTE). You load or retrieve resources using this MBean. See "Using the OAuthResourceMBean" for more information and a list of the supported operations.
You can map a client to an existing Services Gatekeeper application instance Id. This mapping lets you use existing SLA enforcement with OAuth security. You manage application clients using the OAuthClientMBean, which is available from the OAM WebLogic interface or the Services Gatekeeper Platform Test Environment (PTE). You use this MBean to search for clients or return a list of them. You can also add, remove, or update clients. See "Using the OAuthClientMbean" for more information and a list of the supported operations.
A resource owner for each resource in Services Gatekeeper must be defined to protect the resource. The resource owner is managed using the OAuthResourceOwnerMBean. You use this MBean to add, remove, or update resource owners. For all operations, the format of a resourceScope
is space separated scopeId
list. See "Creating Resource Owner/Resource Mappings Using Regular Expressions" for more information and a list of the supported operations.
Services Gatekeeper acts as an authentication server. You create and authenticate subscribers in the Services Gatekeeper database.
To authenticate users, Services Gatekeeper supports a component called the Subscriber Manager which provisions subscribers, authenticates them, and expands GroupURIs. You manage subscribers using the SubscriberMBean. See "Using the SubscriberMBean" for more information and a list of the supported operations.
Administration of the Services Gatekeeper OAuth server is performed using MBeans in either the WebLogic Administrator console (OAM) or command-line console. For more information about Services Gatekeeper administration, see Oracle Communications Services Gatekeeper System Administrator's Guide.
The OAuth EAR files are deployed as part of the Services Gatekeeper installation.
The Services Gatekeeper OAuth implementation functions as an application running on the WebLogic application server host. Manual configuration of EDRs and alarms is required if needed. See the chapter on managing and configuring EDRs, CDRs and Alarms in Oracle Communications Services Gatekeeper Systems Administrator's Guide for more information.
To deploy and configure the Services Gatekeeper OAuth functionality:
Confirm that the OAuth EAR files are deployed.
Update OAuth Service configuration using the OAuthCommonMBean. See "Using the OAuthCommonMBean" for more information.
Create the protected resources in Services Gatekeeper. See "Using the OAuthResourceMBean" for more information.
Configure the Authentication URL.
Configure the resource owner and define the ownership of resources as described in "Resource Management". Also, see "Creating Resource Owner/Resource Mappings Using Regular Expressions" for more information.
Create the client identifier(s) and credentials in Services Gatekeeper that will request access to protected resources. See "Using the OAuthClientMbean" for more information.
See "Example: Protecting the OneAPI Payment Service with OAuth" for an example of the configuration steps.
This section explains how to use the OAuthCommonMBean to configure Services Gatekeeper for use with OAuth.
Managed object: Container Services, OAuthService
MBean: oracle.Services Gatekeeper.oauth2.management.OAuthCommonMBean
Table 2-1 describes the available attributes.
Table 2-1 Attributes for OAuthCommonMBean
Attributes | Type | Description |
---|---|---|
TokenType |
string |
The token type (MAC and Bearer are supported). Default value: Bearer |
GrantURL |
string |
The address used to submit a resource owner's grant. Represents the address used to submit a resource owner's grant. The default value is: https://host:port/oauth2/grant where host and port are the Services Gatekeeper AT node IP address and HTTPS port. |
MacAlgorithm |
string |
The MAC algorithm used to calculate the request MAC for access token. Default value: hmac-sha-1 |
NoOwnerRequestSupport |
boolean |
Whether or not no owner is supported. Specifies the OAuth behavior when there is no address (resource owner) information declared in REST API request parameters. true: accept such request false: reject such request with 401 "invalid_request" Default value: true |
GroupUriEnabled |
boolean |
Whether the group URI option is enabled. Default value: true |
CleanDbPeriod |
int |
Number of seconds until the database is cleaned. Default value: 60 seconds |
SendAnonymousId |
boolean |
Whether to include AnonymousId in applyAccessToken response event. Default value: true |
AuthorizationCodeExpirePeriod |
int |
Number of seconds until the authorization code expires. Default value: 600 seconds |
IssueRefreshToken |
boolean |
Whether to issue a refresh token when issuing an access token. Default value: false |
Authentication URL |
string |
URL used to authenticate the resource owner and obtain consent for the application requested scope. |
IssueRefreshTokenWhenRefresh |
boolean |
Whether to issue a refresh token when the token is refreshed. Default value: false |
TLSUsageForced |
boolean |
Whether the TLS security protocol is required. For information on setting up and using TLS/SSL security, see Oracle Fusion Middleware Securing Oracle WebLogic Server 12cRelease. See the discussion on securing web services in Oracle Communications Services Gatekeeper Security Guide for general information on TLS. Default value: false |
To enable OAuth protection for RESTful communication services (including custom communication services), communication services can be mapped to OAuth resources.
The resource mapping can then be uploaded to Services Gatekeeper using the OAuthResourceMBean.
Managed object: Container Services, OAuthService
MBean: oracle.Services Gatekeeper.oauth2.management.OAuthResourceMBean
Following is a list of attributes and operations for the configuration and maintenance of resources.
Scope: Cluster
Loads an XML format resource information file using the oauth_resource.xsd schema into Services Gatekeeper.
Signature:
loadResourceXml(String xml)
See "Resource Mapping" for more information about mapping resources using oauth_resource.xsd.
Operation: retrieveResourceXml
Scope: Cluster
Displays resource information in XML format.
Signature:
retrieveResourceXml()
Operation: retrieveResourceList
Scope: Cluster
Displays resource information in list format.
Signature:
retrieveResourceList()
Services Gatekeeper uses operations in the OAuthResourceMBean to protect subscription resources. For details see the discussion on Services Gatekeeper OAuth 2.0 authorization and resource servers in Oracle Communications Services Gatekeeper Communication Service Guide.
In order to grant an authorization code, a resource owner must be authenticated and authorize the scope of the grant. The resource owner can be authenticated using these methods:
A resource owner controls its resources and can allow a client to access them. For each resource, one or more resource owners need to be defined using the SubscriberMBean.
Services Gatekeeper offers a built-in subscriber repository to authenticate subscribers. To use the default Subscriber Manager to authenticate subscribers, do the following:
Create the subscribers in Services Gatekeeper using the SubscriberMBean. This MBean can be accessed through the OAM Console or the PTE Tools MBean browser. See "Using the SubscriberMBean" for more information.
Verify that the AuthenticationURL
property of OAuthCommonMbean is set to:
https://
app_server_IP:app_server_port/oauth2/auth.jsp
Managed object: Container Services, SubscriberService
MBean: oracle.Services Gatekeeper.subscriber.management.SubscriberMBean
This MBean supports these operations to configure and maintain subscribers:
Scope: Cluster
Adds a new subscriber to the Services Gatekeeper authentication server.
Signature:
addSubscriber ()
Table 2-2 describes the attributes used to create a subscriber in Services Gatekeeper.
Table 2-2 Attributes for New Subscriber
Attributes | Type | Description |
---|---|---|
Address |
string |
Subscriber address |
LoginId |
string |
Subscriber login ID |
password |
string |
Subscriber password |
Scope: Cluster
Retrieves subscriber information using an address or login ID.
Signature:
getSubscriberInfo()
Table 2-3 describes the attributes used to query a subscriber's info in Services Gatekeeper.
Table 2-3 Attributes for Querying Subscriber Info
Attributes | Type | Description |
---|---|---|
Address |
string |
Subscriber address |
LoginId |
string |
Subscriber login ID |
Scope: Cluster
Removes a subscriber by address.
Signature:
removeSubscriber()
Table 2-4 describes the attributes used to remove a subscriber in Services Gatekeeper.
Table 2-4 Attributes for Removing a Subscriber
Attributes | Type | Description |
---|---|---|
Address |
string |
Subscriber address |
Scope: Cluster
Updates a subscriber's properties.
Signature:
updateSubscriber()
Table 2-5 describes the attributes used to update a subscriber in Services Gatekeeper.
Table 2-5 Attributes for Updating a Subscriber
Attributes | Type | Description |
---|---|---|
Address |
string |
Subscriber address |
LoginId |
string |
Subscriber login ID |
password |
string |
Subscriber password |
Scope: Cluster
Verifies a subscriber's address and password.
Signature:
verifySubscriber()
Table 2-6 describes the attributes used to verify a subscriber in Services Gatekeeper.
Instead of provisioning users in the Services Gatekeeper database, you can delegate authentication to a custom authentication server.
See "Implementing a Third-Party Authentication Service" for more information
See "Understanding the OAuth Resource Format" for details on the resource format.
Protecting resources requires assigning them to owners using the OAuthResourceOwnerMBean. This MBean can be accessed either through the OAM Console or using the PTE Tools MBean browser.
The following sections describe how to create owner/resource mappings.
See "Understanding the OAuth Resource Format" for details of the resource format.
Managed object: Container Services, OAuthService
MBean: oracle.Services Gatekeeper.oauth2.management.OAuthResourceOwnerMBean
Create an XML rules file that defines the resource owner/resource mapping and upload it to Services Gatekeeper using the OAuthResourceMBean's loadResourceRuleXml
operation. See resource_rule.xsd
for the schema definition.
This rules file maps resource owner addresses, represented by a regular expression, to a list of one or more resources. The rules file is interpreted when OAuth grants the authorization, and rules must be defined in order of priority from most specific to most general.
In the following example, owner/resource mapping rules are defined with the most specific rules at the beginning of the file, proceeding to the most general rules at the end. Placing a more specific rule, with a regular expression such as ^1390.*$
, at the start of the file ensures that the expected cases are caught and correctly interpreted first. Then the rules with more general regular expressions, such as ^.*$
, toward the end of the file serves as a stop gaps to catch the unexpected or rarer cases.
Example 2-1 Regular Expression Rules File
<?xml version="1.0" encoding="UTF-8"?> <tns:addressResourceRules xmlns:tns="http://oracle/ocsg/oauth2/management/resource_rule" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- numbers start with '1390' own the 'location' and 'payment' services --> <tns:rule addressPattern="^1390.*$" resources="location payment"/> <!-- numbers start with '139' own the 'location' service --> <tns:rule addressPattern="^139.*$" resources="location"/> <!-- All other resources are protected and no resource owners are defined. --> <!-- Any request with a scope not defined in this xml file will be rejected. --> <tns:rule addressPattern="^.*$" resources=""/> </tns:addressResourceRules>
These operations configure a resource using regular expressions.
Operation: loadResourceRuleXML
Scope: Cluster
Loads resource rules defined in an XML file. See Example 2-1, "Regular Expression Rules File" for an example XML file.
Signature:
loadResourceRuleXml(String fileContent)
Table 2-7 describes these parameters.
Table 2-7 Parameters for loadResourceRuleXML
Parameter | Description |
---|---|
fileContent |
An XML file containing rule definitions. |
Operation: retrieveResourceRuleXML
Scope: Cluster
Retrieves the current rules XML file.
Signature:
updateResourceOwner(String address, String resourceScope)
Table 2-8 describes these parameters.
Table 2-8 Parameters for retrieveResourceRuleXML
Parameter | Description |
---|---|
address |
Address of the resource owner. The format of address depends on which resource the client trying to access. For most communication services, only tel:[+][0-9]+ is supported, for example:
For SIP-related services, the SIP URI is supported. |
resourceScope |
The value of an id attribute ( |
Managed object: Container Services, OAuthService
MBean: oracle.Services Gatekeeper.oauth2.management.OAuthResourceOwnerMBean
These operations configure individual resource owners.
Scope: Cluster
Adds a resource owner in Services Gatekeeper.
The value of the id attribute, scopeId
, creates a resource owner for a resource. This scopeId
is the value of the resourceScope
parameter.
Signature:
addResourceOwner(String address, String resourceScope)
Table 2-9 describes these parameters.
Table 2-9 Parameters for addResourceOwner
Parameter | Description |
---|---|
address |
Address of the resource owner. The format of address depends on which resource the client trying to access. For most communication services, only tel:[+][0-9]+ is supported. For example:
For SIP-related services, the SIP URI is supported. |
resourceScope |
The value of an id attribute ( |
Operation: updateResourceOwner
Scope: Cluster
Updates the properties of a resource owner.
Signature:
updateResourceOwner(String address, String resourceScope)
Table 2-10 describes these parameters.
Table 2-10 Parameters for updateResourceOwner
Parameter | Description |
---|---|
address |
Address of the resource owner |
resourceScope |
Scope of the resource identified by scopeId. |
Operation: removeResourceOwner
Scope: Cluster
Removes a resource owner (by address).
Signature:
removeResourceOwner(String address)
Table 2-11 describes these parameters.
Table 2-11 Parameters for removeResourceOwner
Parameter | Description |
---|---|
address |
Address of the resource owner |
Operation: getResourceOwnerInfo
Scope: Cluster
Retrieves resource owner information (by address).
Signature:
getResourceOwnerInfo(String address)
Table 2-12 describes these parameters.
Services Gatekeeper allows the creation of an application client to support the authorization code grant type. A client registers with its password and the allowed redirect URI in Services Gatekeeper. The OAuthClientMBean configures application clients, and can be accessed either through the OAM Console or using the PTE Tools MBean browser. See "Using the OAuthClientMbean" for more information.
Managed object: Container Services, OAuthService
MBean: oracle.Services Gatekeeper.oauth2.management.OAuthClientMBean
These attributes and operations configure and maintain clients.
Scope: Cluster
Adds an application client to Services Gatekeeper.
Signature:
addClient(String id, String name, String password, String description, String allowedRedirectionURI, Boolean supportImplicitGrant, String appInstanceID)
Table 2-13 describes these parameters.
Table 2-13 Parameters for addClient
Parameter | Description |
---|---|
id |
Client identifier |
name |
Client name |
password |
Client password |
description |
Client description |
allowedRedirectionURI |
Allowed redirection URIs, split by a space character (for example, "URI1 URI2 URI3") |
supportImplicitGrant |
Whether implicit grant is supported |
AppInstanceId |
Application instance Id in Services Gatekeeper |
Scope: Cluster
Removes a client (by Id).
Signature:
removeClient(String id)
Table 2-14 describes these parameters.
Scope: Cluster
Retrieves client information (by Id).
Signature:
getClientInfo(String id)
Table 2-15 describes these parameters.
Scope: Cluster
Retrieves a list of all clients.
Signature:
listClients(int offset, int size))
Table 2-16 describes these parameters.
Table 2-16 Parameters for listClients
Parameter | Description |
---|---|
Offset |
Offset within the complete result set. Must be >= 0. |
Size |
Number of entries to return. 0 means no limit. |
Scope: Cluster
Returns a list of clients whose name matches a pattern that you enter.
Signature:
List<String> searchClients(String, pattern)
Table 2-17 describes these parameters.
Table 2-17 Parameters for updateClient
Parameter | Description |
---|---|
pattern |
A regular expression to match client names. |
Scope: Cluster
Updates an existing client in Services Gatekeeper.
Signature:
updateClient(String id, String name, String password, String description, String allowedRedirectionURI, Boolean supportImplicitGrant, String appInstanceID)
Table 2-18 describes these parameters.
Table 2-18 Parameters for updateClient
Parameter | Description |
---|---|
id |
Client identifier |
name |
Client name |
password |
Client password |
description |
Client description |
allowedRedirectionURI |
Allowed redirection URIs, split by a space character (for example, “URI1 URI2 URI3”) |
supportImplicitGrant |
Whether implicit grant is supported |
AppInstanceId |
Application instance Id in Services Gatekeeper |
It is possible to create a custom RESTful communication service using the Platform Development Studio (PDS) wizard and deploy the service on the Services Gatekeeper platform. This service is automatically protected by OAuth2.0.
The service must be provisioned as an OAuth2.0 resource as described in the following steps:
Deploy the service into the Services Gatekeeper server.
For example:
Interfacename=com.foo.DemoMethod=bar
Execute the loadResourceXml
operation in the OAuthResourceMbean to create a resource element. For example, use the following XML:
<resource id="foo_id " name="Demo Service" interfaceName=" com.foo.Demo" methodName=" bar" tokenExpirePeriod="3600"> </resource>
Execute the addResourceOwner
operation in the OAuthResourceOwnerMbean with the following values (where the resource_owner_address is the TEL:/SIP: URI):
address=${resource_owner_address}resourceScope=foo_id
After completing the above steps, the custom RESTful communication service can be accessed if a resource owner grants access to any application client.
Figure 2-1 illustrates the above steps.
This section explains how to protect the OneAPI Payment Service with OAuth.
Open the MBean browser in PTE or use the OAM to access the addclient operation in the OAuthClient MBean at:
Wlng, OauthServer, OauthClientMBean, addClient()
Use the following parameters for the addclient
operation:
Id: app123
Name: App123_name
Password: password
Description: Demo Application
AllowRedirectURI: https://localhost/app/redirect.php
AppInstanceId: domain_user
Submit the parameters to add the new client.
Open the MBean browser in PTE or use the OAM to access the AuthenticationURL configuration setting in the OAuthCommon MBean at:
Wlng, OauthServer, OauthCommonMBean, AuthenticationURL
Use the following parameters for the AuthenticationURL field:
AuthenticationURL: https://
app_tier_host:app_tier_port/oauth2/auth.jsp
Submit the parameter to set the authentication URL.
Open the MBean browser in PTE or use the OAM to access the loadResourceXml operation in the OAuthResourceMBean at:
Wlng, OauthServer, OauthResourceMBean, loadResourceXml()
Use the following sample XML content for the FileContent
parameter field:
<?xml version="1.0" encoding="UTF-8"?> <resources xmlns="http://oracle/Services Gatekeeper/oauth2/management/xml" mlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- OneAPI Payment amountTransaction --> <resource id="POST-/payment/acr:Authorization/transactions/amount" name="Charge or refund" interfaceName="oracle.Services Gatekeeper.parlayrest.plugin.PaymentPlugin" methodName="amountTransaction" tokenExpirePeriod="3600"> <parameter name="code" description="billable item id"/> </resource> </resources>
Submit the parameter to add the payment service as an OAuth resource.
Open the MBean browser in PTE or use the OAM to access the addSubscriber operation in the SubscriberMBean at:
Wlng, SubscriberService, SubscriberMBean, addSubscriber()
Use the following parameters for the addSubscriber operation:
Address: tel:888
LoginID: Jack
Password: password
Submit the parameters to create a subscriber.
Open the MBean browser in PTE or use the OAM to access the addResourceOwner operation in the OAuthResourceOwnerMBean at:
Wlng, OauthServer, OauthResourceOwnerMBean, addResourceOwner()
Use the following parameters for the addResourceOwner operation:
Address: tel:888
resourceScope: POST-/payment/acr:Authorization/transactions/amount
Submit the parameters to create a subscriber.
The Services Gatekeeper OAuth resource format is defined in the oauth_resource.xsd file located in the oauth2_nt.ear file. To view the resource schema definition use an archive manager to expand the wlng_nt_oauth2.ear found in:
middleware_home/ocsg_5.1/applications
Here are the contents of the oauth_resource.xsd file:
<?xml version="1.0" encoding="UTF-8"?> <resources xmlns="http://oracle/ocsg/oauth2/management/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- OneAPI Payment --> <!-- amountTransaction --> <resource id="POST-/payment/tel:15415550100/transactions/amount" name="Charge or refund" interfaceName="oracle.ocsg.parlayrest.plugin.PaymentPlugin" methodName="amountTransaction" tokenExpirePeriod="3600"> <parameter name="code" description="billable item id"/> <subResource>checkTransactionStatus</subResource> </resource> <!-- list amount transactions --> <resource id="GET-/payment/tel:15415550100/transactions/amount" name="list amount transaction" interfaceName="oracle.ocsg.parlayrest.plugin.PaymentPlugin" methodName="listTransaction" tokenExpirePeriod="3600"> <subResource>checkTransactionStatus</subResource> </resource> <!-- get amount transaction --> <resource id="checkTransactionStatus" name="Get amount transaction detail" interfaceName="oracle.ocsg.parlayrest.plugin.PaymentPlugin" methodName="checkTransactionStatus" tokenExpirePeriod="3600"/> <!-- start reservation --> <resource id="startAmountReservationTransaction" name="startAmountReservationTransaction" interfaceName="oracle.ocsg.parlayrest.plugin.PaymentPlugin" methodName="startAmountReservationTransaction" tokenExpirePeriod="3600"/> <!-- update reservation: reserve additional, charge reservation, release reservation --> <resource id="updateAmountReservationTransaction" name="updateAmountReservationTransaction" interfaceName="oracle.ocsg.parlayrest.plugin.PaymentPlugin" methodName="updateAmountReservationTransaction" tokenExpirePeriod="3600"/> </resources>
Table 2-19 lists the resource structure and attributes.
Table 2-19 Resource Structure and Attributes
Attributes | Type | Description |
---|---|---|
id |
String |
Unique identifier for the resource scope (required). As part of an authorization grant, the Id (as the |
name |
String |
Resource name (required). A concise description of a resource which can be used for display purposes. |
interfaceName |
String |
Plug-in north interface name of the resource (required). |
methodName |
String |
Plug-in north method name of the resource (required). |
tokenExpirePeriod |
Int |
Number of seconds until a token expires (optional). If multiple resources (scopes) are granted with a single token, the earliest token expiration period will be enforced on the token. If the resource has subResources, then the earliest token expiration period configured among all resources will be used. |
subResource |
String |
One or more resources that can exist within the scope of the resource (optional). The value of this field should be an id of another resource. |
parameter |
ResourceParameter |
One or more parameters valid for the resource (optional). These parameter(s) are submitted as part of the OAuth authorization grant. During an authorization grant, a resource may accept several parameters, and each of the parameters can have two attributes, name and description. Parameters defined as part of the resource do not need to be directly related to the method parameters of an API. The semantics of the parameters can be interpreted by a custom interceptor by examining the RequestContext.For example, for the following scope value:
The chargeAmount is the scopeId mapped in Services Gatekeeper, the code represents the parameter name and 123 represents the parameter value.As part of communication service access (resource access), a custom interceptor can be written to interpret the OAuth token scope and RequestContext and validate the token usage against the authorization scope. |
The following is an example XML representation of the OAuth resource mapping for a OneAPI communication service:
<?xml version="1.0" encoding="UTF-8"?> <resources xmlns="http://oracle/Services Gatekeeper/OAuth2.0 /management/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- amountTransaction --> <resource id="chargeAmount" name="Charge or refund" interfaceName="oracle.Services Gatekeeper.parlayrest.plugin.PaymentPlugin" methodName="amountTransaction" tokenExpirePeriod="3600"> <parameter name="code" description="billable item id"/> <subResource>checkTransactionStatus</subResource> </resource> <!-- list amount transactions --> <resource id="listAmount" name="List amount transactions" interfaceName="oracle.Services Gatekeeper.parlayrest.plugin.PaymentPlugin" methodName="listTransaction" tokenExpirePeriod="3600"> <subResource>checkTransactionStatus</subResource> </resource> <!-- get amount transaction --> <resource id="checkTransactionStatus" name="Get amount transaction" interfaceName="oracle.Services Gatekeeper.parlayrest.plugin.PaymentPlugin" methodName="checkTransactionStatus" tokenExpirePeriod="3600"/> </resources>
The following resources are defined in this example:
chargeAmount: a token can be obtained for this resource, but this restricts the access of the resource (OneAPI charging API) to the code specified as part of the scope parameter value.
listAmount
checkTransactionStatus
In addition, one subResource is also defined. The checkTransactionStatus subResource is defined as a subResource for the chargeAmount and listAmount resources. By defining checkTransactionStatus as a subResource, Services Gatekeeper facilitates using the same access token obtained for chargeAmount while accessing the checkTransactionStatus resource.