5 Generating Access Tokens and Accessing NF Resources

CNC Console provides a secure option for direct API access to NF resources through a CNCC IAM access token. This chapter describes how to generate and refresh access tokens through the CNC Console IAM REST API. You can request access tokens through the CNC Console IAM REST API by using curl or Postman. Once the access token is granted, CNC Console will be able to access the required NF resources.

Access Token Generation

CNCC IAM provides a REST API for generating and refreshing access tokens.

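You must use the cncc-api-access client to access NF resources through REST APIs. For security reasons, Direct Access Grants Enabled is set to OFF by default. It must be ON for this client before it can exchange a username and password for tokens (the grant_type=password request shown below).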

Perform the following steps to set Direct Access Grants Enabled to ON.

  1. Log in to CNC IAM with valid credentials.
  2. Click Cncc realm.
  3. On the right pane, click Clients. The Clients screen appears.

    Figure 5-1 Clients

  4. Click cncc-api-access. The settings screen for the client appears.
  5. Set the Direct Access Grants Enabled to ON and Save.

Perform the following procedure to generate the access tokens:

  1. Acquire an access token from CNC Console IAM by sending a POST request to the following URL:

    http://${cncc-iam-ingress-external-ip}:${cncc-iam-ingress-service-port}/cncc/auth/realms/${realm}/protocol/openid-connect/token

    Example:

    http://10.75.182.79:8080/cncc/auth/realms/cncc/protocol/openid-connect/token

  2. The body of the request must be x-www-form-urlencoded as follows:
    
    'client_id': 'your_client_id',
    'username': 'your_username',
    'password': 'your_password',
    'grant_type': 'password'
     
    Example:
    'client_id': 'cncc-api-access',
    'username': 'user1',
    'password': 'User123!',
    'grant_type': 'password'
  3. The curl command to request the token is as follows:

    curl --location --request POST 'http://${cncc-iam-ingress-external-ip}:${cncc-iam-ingress-service-port}/cncc/auth/realms/cncc/protocol/openid-connect/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=user1' \
    --data-urlencode 'password=User123!' \
    --data-urlencode 'client_id=cncc-api-access'
  4. In response, you will get an access_token and a refresh_token. The response is as follows:
    {
        "access_token": "<access_token JWT>",
        "expires_in": 300,
        "refresh_expires_in": 1800,
        "refresh_token": "<refresh_token JWT>",
        "token_type": "bearer",
        "not-before-policy": 0,
        "session_state": "6c42d978-14ac-4793-a1e3-789cfbdb2b74",
        "scope": "email profile"
    }

    Note:

    The M-CNCC IAM IP/FQDN used to request the access token must be the same as the M-CNCC IAM IP/FQDN specified in custom-cncc_values.yaml.

Refresh the Access Tokens

Perform the following procedure to refresh the access tokens:

If the access_token has expired, refresh it by sending a POST request to the same URL as above, supplying the refresh token instead of the username and password. The format is as follows:

'client_id': 'your_client_id',
'refresh_token': refresh_token_from_previous_request,
'grant_type': 'refresh_token'
 
Example:
'client_id': 'cncc-api-access',
'refresh_token': '<refresh_token JWT from the previous response>',
'grant_type': 'refresh_token'

In response, you will receive a new access_token and refresh_token.

NF API Access

Perform the following procedure to access NF Resources APIs:

To access NF Resources, you must use the access token in every request to an NF resource by placing it in the Authorization header.

The following headers must be included when sending an API request:

  • Authorization : The access token must be sent in every request to an NF resource by placing it in the Authorization header.
  • oc-cncc-id : M-CNCC uses the oc-cncc-id header to find the agent or master owning the instance.
  • oc-cncc-instance-id : A-CNCC Core (or M-CNCC Core) uses the oc-cncc-instance-id header to find the NF instance for routing.

The following headers need to be passed in the curl or Postman request when accessing an NF resource:

GET : http://${cncc-mcore-ingress-external-ip}:${cncc-mcore-ingress-service-port}/<NF API URI>
 
headers: {
    'Authorization': 'Bearer ' + access_token,
    'oc-cncc-id': 'oc-cncc-id value',
    'oc-cncc-instance-id': 'oc-cncc-instance-id value'
}

Example: When accessing the SCP Canary Release API, the following headers need to be passed in the curl or Postman request:

GET : http://${cncc-mcore-ingress-external-ip}:${cncc-mcore-ingress-service-port}/ocscp/scpc-configuration/v1/canaryrelease
 
headers: {
    'Authorization': 'Bearer ' + access_token,
    'oc-cncc-id': 'Cluster2',
    'oc-cncc-instance-id': 'Cluster2-scp-instance1'
}
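
The three procedures above (password grant, refresh, and NF API headers) combined into one client-side helper. This is an added example, not code from CNC Console or its documentation. The class name CnccTokenSession, the injectable post and clock parameters, and the 30-second skew margin are assumptions made for illustration.

```python
import json, time
import urllib.parse, urllib.request

TOKEN_PATH = "/cncc/auth/realms/{realm}/protocol/openid-connect/token"

def http_post_form(url, form):
    """Default transport: POST an x-www-form-urlencoded body, return the JSON reply."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class CnccTokenSession:  # hypothetical helper, not part of CNC Console
    def __init__(self, iam_base, realm, client_id,
                 post=http_post_form, clock=time.monotonic, skew=30):
        self.url = iam_base.rstrip("/") + TOKEN_PATH.format(realm=realm)
        self.client_id, self.post, self.clock, self.skew = client_id, post, clock, skew
        self.access = self.refresh = None
        self.access_exp = self.refresh_exp = 0.0

    def _store(self, tok):
        # Track both lifetimes, less `skew` seconds so a token never expires in flight.
        now = self.clock()
        self.access, self.refresh = tok["access_token"], tok["refresh_token"]
        self.access_exp = now + tok["expires_in"] - self.skew
        self.refresh_exp = now + tok["refresh_expires_in"] - self.skew

    def login(self, username, password):
        # The password is used once and never stored on the session object.
        self._store(self.post(self.url, {
            "client_id": self.client_id, "username": username,
            "password": password, "grant_type": "password"}))

    def access_token(self):
        now = self.clock()
        if self.access and now < self.access_exp:
            return self.access
        if self.refresh and now < self.refresh_exp:
            self._store(self.post(self.url, {
                "client_id": self.client_id, "refresh_token": self.refresh,
                "grant_type": "refresh_token"}))
            return self.access
        raise PermissionError("refresh token expired; log in again")

    def nf_headers(self, cncc_id, instance_id):
        # Note the space after "Bearer"; headers are rebuilt for every request.
        return {"Authorization": "Bearer " + self.access_token(),
                "oc-cncc-id": cncc_id, "oc-cncc-instance-id": instance_id}
```

With the lifetimes from the sample response (expires_in 300, refresh_expires_in 1800), the helper refreshes after 270 seconds and requires a new password login once the refresh token itself is within 30 seconds of expiry.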