4 OAuth Validator REST API Configuration

This REST API configuration is required for enabling access token validation using NRF Instance ID and key-ID (K-ID).

Before applying this configuration, perform the prerequisite steps and Helm configuration explained in the "OAuth Access Token Based Authorization Using Key-ID and NRF Instance ID" section of the Oracle Communications Cloud Native Core, Network Slice Selection Function User Guide.

After the Helm configuration, send the REST requests to use the configured public key certificates. Using REST-based configuration, you can distinguish between the certificates configured on different NRFs and use these certificates to validate the token received from a specific NRF.

OAuth Validator Configuration - Supported REST APIs

Table 4-1 OAuth Validator Configuration - Supported REST APIs

URI: /{nfType}/nf-common-component/v1/{serviceName}/{resource}, with service name as "igw" and resource as "oauthvalidatorconfiguration".

Description: These URIs can be used to add or update the OAuth configuration that is used for validating the token sent in a request to the Ingress Gateway.

Details:

Note: By default, instanceIdList and keyIdList are null and the validation mode is INSTANCEID_ONLY. This configuration is only applicable when the OAuth feature is enabled through the Helm chart.

{
  "keyIdList": [
    {
      "keyId": "664b344e74294c8fa5d2e7dfaaaba407",
      "kSecretName": "oauthsecret",
      "certName": "4bc0c762-0212-416a-bd94-b7f1fb348bd4.crt",
      "certAlgorithm": "ES256"
    }
  ],
  "oauthValidationMode": "KID_ONLY"
}

or

{
  "instanceIdList": [
    {
      "instanceId": "4bc0c762-0212-416a-bd94-b7f1fb348bd4",
      "certName": "4bc0c762-0212-416a-bd94-b7f1fb348bd4.crt",
      "kSecretName": "oauthsecret",
      "certAlgorithm": "ES256"
    }
  ],
  "oauthValidationMode": "INSTANCEID_ONLY"
}

Note: Multiple OAuth and K-IDs can also be configured together in a single body.

Here, multiple key-ID and instance ID objects of different NRFs can be configured. Validation of the token is done based on the NRF Instance ID received in the token.

Each object carries the instanceId of the NRF or the keyId configured in the NRF, the name of the secret in which the certificate is stored, the certificate name, and the certificate algorithm. Once this request is sent, the OAuth validator picks the appropriate certificate from the configured secret.

The "oauthValidationMode" parameter selects the mode of validation: INSTANCEID_ONLY, KID_ONLY, or KID_PREFERRED. Depending on the mode selected, the validator checks keyIdList or instanceIdList to validate the received token.

"KID_PREFERRED" is a fallback mode that checks for a keyId in the token. If the keyId is present, the validation mode is KID_ONLY; otherwise, it falls back to INSTANCEID_ONLY.
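The mode selection described above can be checked offline before a configuration body is sent. The following Python code is an added example, not Oracle's validator code: it resolves which configured entry a token would be validated against and does not verify signatures. It assumes the K-ID is carried in the JWT header field `kid` and the NRF Instance ID in the `iss` claim; the function name `resolve_cert`, the sample tokens, and the `alg` versus `certAlgorithm` comparison are constructed for this example.

```python
import base64
import json

def _seg(obj):
    """Base64url-encode a JSON object (only used to build the constructed tokens)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _unseg(seg):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def resolve_cert(token, config):
    """Return (effective_mode, config_entry) the token would be checked against.

    Raises LookupError when no configured entry applies. No signature check.
    """
    header_seg, claims_seg, _signature = token.split(".")
    header, claims = _unseg(header_seg), _unseg(claims_seg)
    mode = config.get("oauthValidationMode") or "INSTANCEID_ONLY"  # documented default
    kid = header.get("kid")            # assumption: K-ID travels in the JWT header
    if mode == "KID_PREFERRED":        # fallback mode is decided per token
        mode = "KID_ONLY" if kid else "INSTANCEID_ONLY"
    if mode == "KID_ONLY":
        entries, field, wanted = config.get("keyIdList") or [], "keyId", kid
    else:                              # assumption: NRF Instance ID is the iss claim
        entries, field, wanted = config.get("instanceIdList") or [], "instanceId", claims.get("iss")
    for entry in entries:
        if wanted is not None and entry.get(field) == wanted:
            # Pre-flight check of this example: token alg must match the configured one.
            if header.get("alg") != entry.get("certAlgorithm"):
                raise LookupError(f"alg {header.get('alg')!r} != certAlgorithm of {wanted}")
            return mode, entry
    raise LookupError(f"{mode}: no {field} entry for {wanted!r}")

# Constructed sample data reusing the identifiers shown on this page.
CERT = {"kSecretName": "oauthsecret", "certAlgorithm": "ES256",
        "certName": "4bc0c762-0212-416a-bd94-b7f1fb348bd4.crt"}
CONFIG = {
    "keyIdList": [dict(CERT, keyId="664b344e74294c8fa5d2e7dfaaaba407")],
    "instanceIdList": [dict(CERT, instanceId="4bc0c762-0212-416a-bd94-b7f1fb348bd4")],
    "oauthValidationMode": "KID_PREFERRED",
}
CLAIMS = {"aud": "NSSF", "iss": "4bc0c762-0212-416a-bd94-b7f1fb348bd4"}
TOKEN_WITH_KID = ".".join([_seg({"alg": "ES256", "kid": "664b344e74294c8fa5d2e7dfaaaba407"}), _seg(CLAIMS), "sig"])
TOKEN_NO_KID = ".".join([_seg({"alg": "ES256", "typ": "JWT"}), _seg(CLAIMS), "sig"])

if __name__ == "__main__":
    for name, tok in (("with kid", TOKEN_WITH_KID), ("without kid", TOKEN_NO_KID)):
        print(name, "->", resolve_cert(tok, CONFIG)[0])
```

With KID_ONLY configured, a token that has no `kid` resolves to no entry at all, which is the case to look for when requests from a specific NRF start being rejected after a mode change.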

Example:

For K-ID Only mode, a sample curl command could be the following:
curl -i --http2-prior-knowledge -X PUT 'http://ocnssf-nsconfig:{{port}}/nssf/nf-common-component/v1/igw/oauthvalidatorconfiguration' -H 'Content-Type: application/json' -d '{"keyIdList": [{"keyId": "664b344e74294c8fa5d2e7dfaaaba407","kSecretName": "oauthsecret","certName": "4bc0c762-0212-416a-bd94-b7f1fb348bd4.crt","certAlgorithm": "ES256"}],"oauthValidationMode":"KID_ONLY"}'
For INSTANCEID_ONLY mode, a sample curl command could be the following:
curl -i --http2-prior-knowledge -X PUT 'http://ocnssf-nsconfig:{{port}}/nssf/nf-common-component/v1/igw/oauthvalidatorconfiguration' -H 'Content-Type: application/json' -d '{"instanceIdList":[{"instanceId":"4bc0c762-0212-416a-bd94-b7f1fb348bd4","certName":"4bc0c762-0212-416a-bd94-b7f1fb348bd4.crt","kSecretName":"oauthsecret","certAlgorithm":"ES256"}],"oauthValidationMode":"INSTANCEID_ONLY"}'

Using the generated tokens, you can send requests to different NSSF services. The following are sample curl commands to send requests:

Request supportedNssaiAvailabilityData:
curl -v --http2-prior-knowledge -X PUT http://{{host}}:{{port}}/nnssf-nssaiavailability/v1/nssai-availability/12345678-abcd-efAB-CDEF-123456789012 -H 'Content-Type: application/json'  -H 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjY2NGIzNDRlNzQyOTRjOGZhNWQyZTdkZmFhYWJhNDA3In0.eyJhdWQiOiJOU1NGIiwiZXhwIjo5OTk5OTk5OTk5OSwiaXNzIjoiNjY0YjM0NGU3NDI5NGM4ZmE1ZDJlN2RmYWFhYmE0MDciLCJzY29wZSI6Im5uc3NmLWNvbmZpZ3VyYXRpb24iLCJzdWIiOiIwMjYzNjYzZC1mNWMyLTRkMWItOTE3MC1mN2IxYTkxMTYzMzcifQ.K9GoneRxHBn9vrun6VVyFpBhe0xv4icVuJdQLoPppx_3KB1qUTIYkLFHEz2K4O_DPByDNHjPz7Fhe4PMfk9xXw' -d '{ "supportedNssaiAvailabilityData": [ { "tai": { "plmnId": { "mcc": "100", "mnc": "101" }, "tac": "001001" }, "supportedSnssaiList": [ { "sd": "EABB01", "sst": 1 }, { "sd": "EABB02", "sst": 2 } ] } ] }'
Request using instance id token:
curl -v --http2-prior-knowledge -X POST http://{{host}}:{{port}}/nnssf-configuration/v1/nssaiauth -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJOU1NGIiwiZXhwIjo5OTk5OTk5OTk5OSwiaXNzIjoiNGJjMGM3NjItMDIxMi00MTZhLWJkOTQtYjdmMWZiMzQ4YmQ0Iiwic2NvcGUiOiJubnNzZi1jb25maWd1cmF0aW9uIiwic3ViIjoiMDI2MzY2M2QtZjVjMi00ZDFiLTkxNzAtZjdiMWE5MTE2MzM3In0.OngSuKL2a2EquyQaEutrbaaz18SKXJUnr0hTP22rDvG4eXCUPA-Q-9Kz2L3zWxp3_oQDIJbn5mC5BUEA5UIB_Q' -d '{"name":"NSSAI-AUTH-15","plmnId":{"mcc":"100","mnc": "101"},"tac":"1001","snssai":{"sst": "7","sd":"EABB01"},"grant": "ALLOWED"}'