Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Enable OAuth2 Authentication in OCI API Gateway to Call OCI Services using OCI Functions and OCI SDK

Introduction

We often need our applications to consume Oracle Cloud Infrastructure (OCI) REST services. There are several ways to guarantee security between components, ensuring the application can authenticate securely to the backend service.

This task is native within Oracle Cloud, as there are several ways to secure the network and access to existing services. Just a few settings and you are done. However, there are cases where the application may offer additional security and connectivity requirements. The use case of this material meets a very common need in the hybrid or multi-cloud scenario (on-premises connected to Oracle Cloud, or Oracle Cloud connected to another cloud).

Let’s present the following scenario:

• Application on an on-premises network connected to Oracle Cloud through Fast-Connect/VPN.

• Application needs to consume an OCI Data Science service.

• OCI service does not have an authentication mechanism that meets the application consumer’s possibilities.

• Application needs to authenticate using OAuth2 to be able to access the service securely.

Therefore, the tutorial provides the following solutions:

• Configure the Oracle Identity Cloud Service cloud’s own identity provider to authenticate through OAuth2.

• Configure OCI API Gateway to integrate with Oracle Identity Cloud Service to authenticate via an obtained token.

• Code an OCI Functions to call an OCI service that allows the use of resource principal (in our example, we will use the Data Science Model Deployment service).

• Create groups and policies to limit access to cloud resources.

• Deliver an identity provider that allows you to pass the client ID and secret ID and obtain an authentication token.

• Deliver a functional OCI API Gateway REST service that authenticates through the obtained token and provides the result of the Data Science service.

  Note: You can download OCI Functions from here OAuthOCIService-fn.zip.

Objectives

• Allow an external application to consume REST services with OAuth2 authentication.

• Provide an OAuth2 authentication service on OCI.

• Configure OCI API Gateway and OCI Functions to run OCI services via a token.

Prerequisites

• An OCI API Gateway instance created and exposed to the internet, see Creating Your First API Gateway In The Oracle Cloud.

• Network connectivity between OCI API Gateway, OCI Functions, and OCI PaaS resource.

  • VCN/Subnets

  • Security list

  • NAT Gateway/Internet Gateway

  • Public/Private Networks

• Knowledge with:

  • OCI Functions

  • OCI REST API to code a call for the OCI service

Task 1: Configure OAuth2 with Oracle Identity Cloud Service

1. Obtain the OCI API Gateway parameters: Let’s start to configure the OAuth2 mechanism. We need to integrate your OCI API Gateway instance to an identity provider by configuring the Oracle Identity Cloud Service from Oracle Cloud to be the identity provider.

   Go to the OCI API Gateway instance and copy Hostname. This information will be used in your Oracle Identity Cloud Service resource server configuration in the next step.

   

2. Create a Resource Application: We need to create an OAuth2 authorizer for your application. We can do it with the Oracle Identity Cloud Service in Oracle Cloud.

   1. In the OCI Console, go to Identity & Security and select Federation.

      

   2. Click OracleIdentityCloudSevice.

      

   3. Click the link for your Oracle Identity Cloud Service instance.

      

   4. We will create two applications. Click Applications and Services.

      

   5. In the Applications, click Add.

      

   6. Select Confidential Application to start to configure your resource server.

      

   7. We will configure the first application. Enter a Name in your resource server application and click Next.

      

   8. Click Skip for later. We need to configure the resource only.

      

   9. Enter your OCI API Gateway hostname obtained in the Step 1.

      

   10. Click Add Scope and enter the scope information.

       

   11. Review your scope information, click Next two times and click Finish.

       

   12. Click Activate to activate your application.

       

3. Create a Client Application.

   1. In Applications, click Add.

      

   2. Select Confidential Application to start to configure your resource server.

      

   3. Enter a Name for your application and click Next.

      

   4. Select Configure the application as a client now to enable the configurations for your client application. Select Client Credentials, JWT Assertion and On behalf of.

      

   5. Scroll down the screen and click Add Scope.

      

   6. Find your resource application created before (oauth_resource_server in this task) and click Add.

      

   7. You can see your scope added to your application. Click Next.

      

      Note: Keep the scope value, you will need to use to request a token.

   8. Skip the Resources and the Web Tier Policy window. In Authorization, select Enforce Grants as Authorization and click Finish.

      

   9. Keep the Client ID and the Client Secret information. You will need this to obtain your token.

      

   10. Click Activate to activate your application and your OAuth2 authorizer is ready to test.

       

4. Get a Token: Now we can test the OAuth2 authorizer to obtain the token.

   1. Compose the URL for the authorizer. You can obtain this by getting your Oracle Identity Cloud Service URL in the browser. In the Oracle Identity Cloud Service URL, you can see something like this: https://idcs-xxxxxxxxxxxxx.identity.oraclecloud.com/ui/v1/adminconsole.

   2. You will need the URL link until the oraclecloud.com, which is the root endpoint. For example, https://idcs-xxxxxxxxxxxxx.identity.oraclecloud.com.

   3. We need to add the oAuth authentication path. This URL will be executed as a POST REST request. For example, https://idcs-xxxxxxxxxxxxx.identity.oraclecloud.com/oauth2/v1/token. You will need to enter some parameters to request the token.

   4. Enter the credentials as a Basic Authentication and Client ID and Client Secret.

      

   5. In the Body content, enter the grant_type and scope values. Remember, the scope was captured in the Oracle Identity Cloud Service configuration.

      

   6. Click Send and execute the POST request and view the token.

      

5. Create the JSON Web Key (JWK): In your browser, enter the root Oracle Identity Cloud Service endpoint adding the /admin/v1/SigningCert/jwk to obtain the JWK: https://idcs-xxxxxxxxxxxxx.identity.oraclecloud.com/admin/v1/SigningCert/jwk

   You will receive a JWK string as shown below.

   

   We need to work on this JWK string.

   {"keys":[{"kty":"RSA","x5t#S256":"gHdIaH54tZt-b09W7_bTALX0DSj5t_Tsy6Wy2P1M_3E","e":"AQAB","x5t":"L_vneVBMiKA-ObXpNt8FZC4sRSY","kid":"SIGNING_KEY","x5c":["MIIDYTCCAkmgAwIBAgIGAXRBgoJkiaJk/IsZAEZFgNjb20xFjAUBgoJkiaJk/IsZAEZFgZvcmFjbGUxFTATBgoJkiaJk/IsZAEZFgVjEtMjAeFw0yMDA0MTcxMDU3NTRaFw0zMDA0MTcxMDU3NTRaMFYxEzARBgNVBAMTCnNzbERvbWFpbnMxDzGA1UEAxMlaWRjcy00ZmI0N2I5MTYxMzA0YjFkYTI2ZjZlZDE2MTlhNGUwOTCCASIwDQYJKoZIhvcNAQJIXyaojue8TJXIuJrb4qxBqA3z35bC1kHdxtGZEEJUCtkHK2kEUD5GqD/C6OijCgPtZldU8Rn3fUDMfTjZrUS/ESFr7dOeNxWnusD30aWniHIRe7JQ4OHIhCe/oHaQiSjFUHJ7IlgQzwqCAtccweymxiq1r2jwJscdYaDOHrYz8AcvIfybxzHwT8hgSz7+dIZsjepp07uO5QYcyMM3meB6mS4KznanQOokmawcUcxw4tSFqqI/OxWKc7ZBMnaBdC5iOKZbbLE8bHbS8jfh6/HzONNnLOyMCAwEAAaMyMDAwDwYDVR0PAQH/BAUDAwf4ADAdBgNVHQ4EFgQUd415wDQYJKoZIhvcNAQELBQADggEBAClHD810UCnRuvS7Rbtp5UFTzeRvexDe+Jk6/1FdcfW4COWLRVrgY45XHQr2GmhPWC1G2Yn8WczkIErpX+LAtyFSyOYzBq1GjzpSLhqS/aNWstGVmPDLs+xySyRlBTPgFqsyl/kpIjyusKswUo57X77B7S+KzH4hvGsA6gj55ZLAynSnzMtPs+2Ij4F3PgkgJG7zxHs9HOuyuZtCKJAldVv7IFaQYv6yMjH7llehQOMwp1YPh54kk8M4yk1IIgi/Hw4Tr/HbU7r2EJyaHfxFZgck1Cr9nBIspANy5BDlFYeAnTmKk3UAafbZdSMfeJFd/XwaPlhIzNEJYGW3T4Y5d8o=","MIIDazCCAlOgAwIBAgIIMdQl7kIMrv0wDQYJKoZIhvcNAQELBQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEWMBQGCgmSJomT8ixkARkWBm9yYWNsZTEVMBMGCgmSJomT8ixkARkWBWNsb3VkMRMwEQYDVQQDEwpDbG91ZDlDQS0yMCAXDTE2MDUyMTAyMTgwOVoYDzIxMTYwNDI3MDIxODA5WjBZMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLGQBGRYFY2xvdWQxEzARBgNVBAMTCkNsb3VkOUNBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPZn2VAoMsIfWmIJks9exzK+DXaX6qYyBc12dRqDrRpC48v3CBeBchV/GT2E+mjcDp8Hzq8oIpwr9W5kwMja4PU3SPd4/0LB6WKbtLfHOnJxLg9EaT992UpbUGHaHlEq4oRAuVvPgDLp5sSspLZYEBKUh4vJXOyLitE1qsXn7mJNXRKTJZvrJKdfbs1dyTge3V3wk1rwY/wCWMKVgkqCgSzzWCGju8EZWoOrnzlR6BHkA0qZqeV4F7jDW8ucdv+Y20pOlOiaEbIg/ZFYGrZd5VWjlNvgLfU8P4C/YJLSkkcPHgoet3w4jI0S26efu59rVzgU9VsKnKtnqbDL99t81vAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFDMA8e55FI5kC12+guIE9xtcIXpFMA0GCSqGSIb3DQEBCwUAA4IBAQC45tOVeqHxA8Bo/Rnv1SHHpULge3HyTC1XV9nmUdrj6g/U6rmbA5hVJ5LshgQ77qopO/YsaNHj5Ru1u/+8VOlZWpbn+kt3CDOuBUCe89CKBZT/KWEDkvtNl2qu16gOkhFnuTQk8NsARvwZZ6KtyPDmsbW4Nc/I5fKwPhdTaMjCV6Lh9RCG4kU77lbdwY3SaXlCBXXQyfPWMouCi7z1thJaF3cNGW4tnsibMR5ej9fJ9j6UvShxNgAIgjNDoihPlC6k0kW3QDR3bBjCHJX47505aIhckojH/eKsP2Or0eE/Ma4WNbndj0IXPE2ae5AVmC8/GRtwAmnoZPnt3g/I2m5j"],"key_ops":["sig","encrypt"],"alg":"RS256","n":"khfJqiO57xMlci4mtvirEGoDfPflsLWQd3G0ZkQQlQK2QcraQRQPkaoP8Lo6KMKA-1mV1TxGfd9QMx9ONmtRL8RIWvt0543Fae6wPfRpaeIcDpknsHAovsTdQ9SwfqwhF7slDg4ciEJ7-gdpCJKMVQcnsiWBDPCoIC1xzB7KbGKrWvaPAmxx1hoM4etjPwBy8h_JvHMfDEF1GkrUtCDiLFPyGBLPv50hmyN6mnTu47lBhzIwzeZ4HqZLgrOdqdA6iSZrBxRzHDi1IWqoj87FYpztkWXnV7VkIN37RwrG6bFKOHGaYEydoF0LmI4pltssTxsdtLyN-Hr8fM402cs7Iw"}]}
   

   Note:

   • This JWK was redacted.

   • If you receive an error message, you need to provide access in Oracle Identity Cloud Service.

   

   Important Change in JWK String: The JWK string will not be useful in the OCI API Gateway until you make some changes.

   1. Find the segment with “key_ops”:[“x”,”y”,”z”] and replace with “use” : “sig”. It will look like as shown below (compare the two strings).

      {"keys":[{"kty":"RSA","x5t#S256":"gHdIaH54tZt-b09W7_bTALX0DSj5t_Tsy6Wy2P1M_3E","e":"AQAB","x5t":"L_vneVBMiKA-ObXpNt8FZC4sRSY","kid":"SIGNING_KEY","x5c":["MIIDYTCCAkmgAwIBAgIGAXRBgoJkiaJk/IsZAEZFgNjb20xFjAUBgoJkiaJk/IsZAEZFgZvcmFjbGUxFTATBgoJkiaJk/IsZAEZFgVjEtMjAeFw0yMDA0MTcxMDU3NTRaFw0zMDA0MTcxMDU3NTRaMFYxEzARBgNVBAMTCnNzbERvbWFpbnMxDzGA1UEAxMlaWRjcy00ZmI0N2I5MTYxMzA0YjFkYTI2ZjZlZDE2MTlhNGUwOTCCASIwDQYJKoZIhvcNAQJIXyaojue8TJXIuJrb4qxBqA3z35bC1kHdxtGZEEJUCtkHK2kEUD5GqD/C6OijCgPtZldU8Rn3fUDMfTjZrUS/ESFr7dOeNxWnusD30aWniHIRe7JQ4OHIhCe/oHaQiSjFUHJ7IlgQzwqCAtccweymxiq1r2jwJscdYaDOHrYz8AcvIfybxzHwT8hgSz7+dIZsjepp07uO5QYcyMM3meB6mS4KznanQOokmawcUcxw4tSFqqI/OxWKc7ZBMnaBdC5iOKZbbLE8bHbS8jfh6/HzONNnLOyMCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0PAQH/BAUDAwf4ADAdBgNVHQ4EFgQUd415wDQYJKoZIhvcNAQELBQADggEBAClHD810UCnRuvS7Rbtp5UFTzeRvexDe+Jk6/1FdcfW4COWLRVrgY45XHQr2GmhPWC1G2Yn8WczkIErpX+LAtyFSyOYzBq1GjzpSLhqS/aNWstGVmPDLs+xySyRlBTPgFqsyl/kpIjyusKswUo57X77B7S+KzH4hvGsA6gj55ZLAynSnzMtPs+2Ij4F3PgkgJG7zxHs9HOuyuZtCKJAldVv7IFaQYv6yMjH7llehQOMwp1YPh54kk8M4yk1IIgi/Hw4Tr/HbU7r2EJyaHfxFZgck1Cr9nBIspANy5BDlFYeAnTmKk3UAafbZdSMfeJFd/XwaPlhIzNEJYGW3T4Y5d8o=","MIIDazCCAlOgAwIBAgIIMdQl7kIMrv0wDQYJKoZIhvcNAQELBQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEWMBQGCgmSJomT8ixkARkWBm9yYWNsZTEVMBMGCgmSJomT8ixkARkWBWNsb3VkMRMwEQYDVQQDEwpDbG91ZDlDQS0yMCAXDTE2MDUyMTAyMTgwOVoYDzIxMTYwNDI3MDIxODA5WjBZMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGb3JhY2xlMRUwEwYKCZImiZPyLGQBGRYFY2xvdWQxEzARBgNVBAMTCkNsb3VkOUNBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPZn2VAoMsIfWmIJks9exzK+DXaX6qYyBc12dRqDrRpC48v3CBeBchV/GT2E+mjcDp8Hzq8oIpwr9W5kwMja4PU3SPd4/0LB6WKbtLfHOnJxLg9EaT992UpbUGHaHlEq4oRAuVvPgDLp5sSspLZYEBKUh4vJXOyLitE1qsXn7mJNXRKTJZvrJKdfbs1dyTge3V3wk1rwY/wCWMKVgkqCgSzzWCGju8EZWoOrnzlR6BHkA0qZqeV4F7jDW8ucdv+Y20pOlOiaEbIg/ZFYGrZd5VWjlNvgLfU8P4C/YJLSkkcPHgoet3w4jI0S26efu59rVzgU9VsKnKtnqbDL99t81vAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFDMA8e55FI5kC12+guIE9xtcIXpFMA0GCSqGSIb3DQEBCwUAA4IBAQC45tOVeqHxA8Bo/Rnv1SHHpULge3HyTC1XV9nmUdrj6g/U6rmbA5hVJ5LshgQ77qopO/YsaNHj5Ru1u/+8VOlZWpbn+kt3CDOuBUCe89CKBZT/KWEDkvtNl2qu16gOkhFnuTQk8NsARvwZZ6KtyPDmsbW4Nc/I5fKwPhdTaMjCV6Lh9RCG4kU77lbdwY3SaXlCBXXQyfPWMouCi7z1thJaF3cNGW4tnsibMR5ej9fJ9j6UvShxNgAIgjNDoihPlC6k0kW3QDR3bBjCHJX47505aIhckojH/eKsP2Or0eE/Ma4WNbndj0IXPE2ae5AVmC8/GRtwAmnoZPnt3g/I2m5j"],"use" : "sig","alg":"RS256","n":"khfJqiO57xMlci4mtvirEGoDfPflsLWQd3G0ZkQQlQK2QcraQRQPkaoP8Lo6KMKA-1mV1TxGfd9QMx9ONmtRL8RIWvt0543Fae6wPfRpaeIcDpknsHAovsTdQ9SwfqwhF7slDg4ciEJ7-gdpCJKMVQcnsiWBDPCoIC1xzB7KbGKrWvaPAmxx1hoM4etjPwBy8h_JvHMfDEF1GkrUtCDiLFPyGBLPv50hmyN6mnTu47lBhzIwzeZ4HqZLgrOdqdA6iSZrBxRzHDi1IWqoj87FYpztkWXnV7VkIN37RwrG6bFKOHGaYEydoF0LmI4pltssTxsdtLyN-Hr8fM402cs7Iw"}]}
      

   2. Remove string {"keys":[ from the beginning and ]} from the ending. The final string will look like as shown below. Now you can use it.

      {"kty":"RSA","x5t#S256":"gHdIaH54tZt-b09W7_bTALX0DSj5t_Tsy6Wy2P1M_3E","e":"AQAB","x5t":"L_vneVBMiKA-ObXpNt8FZC4sRSY","kid":"SIGNING_KEY","x5c":["MIIDYTCCAkmgAwIBAgIGAXRBgoJkiaJk/IsZAEZFgNjb20xFjAUBgoJkiaJk/IsZAEZFgZvcmFjbGUxFTATBgoJkiaJk/IsZAEZFgVjEtMjAeFw0yMDA0MTcxMDU3NTRaFw0zMDA0MTcxMDU3NTRaMFYxEzARBgNVBAMTCnNzbERvbWFpbnMxDzGA1UEAxMlaWRjcy00ZmI0N2I5MTYxMzA0YjFkYTI2ZjZlZDE2MTlhNGUwOTCCASIwDQYJKoZIhvcNAQJIXyaojue8TJXIuJrb4qxBqA3z35bC1kHdxtGZEEJUCtkHK2kEUD5GqD/C6OijCgPtZldU8Rn3fUDMfTjZrUS/ESFr7dOeNxWnusD30aWniHIRe7JQ4OHIhCe/oHaQiSjFUHJ7IlgQzwqCAtccweymxiq1r2jwJscdYaDOHrYz8AcvIfybxzHwT8hgSz7+dIZsjepp07uO5QYcyMM3meB6mS4KznanQOokmawcUcxw4tSFqqI/OxWKc7ZBMnaBdC5iOKZbbLE8bHbS8jfh6/HzONNnLOyMCAwEAAaMyMDAwDwYDVR0PAQH/BAUDAwf4ADAdBgNVHQ4EFgQUd415wDQYJKoZIhvcNAQELBQADggEBAClHD810UCnRuvS7Rbtp5UFTzeRvexDe+Jk6/1FdcfW4COWLRVrgY45XHQr2GmhPWC1G2Yn8WczkIErpX+LAtyFSyOYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxhvGsA6gj55ZLAynSnzMtPs+2Ij4F3PgkgJG7zxHs9HOuyuZtCKJAldVv7IFaQYv6yMjH7llehQOMwp1YPh54kk8M4yk1IIgi/Hw4Tr/HbU7r2EJyaHfxFZgck1Cr9nBIspANy5BDlFYeAnTmKk3UAafbZdSMfeJFd/XwaPlhIzNEJYGW3T4Y5d8o=","MIIDazCCAlOgAwIBAgIIMdQl7kIMrv0wDQYJKoZIhvcNAQELBQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEWMBQGCgmSJomT8ixkARkWBm9yYWNsZTEVMBMGCgmSJomT8ixkARkWBWNsb3VkMRMwEQYDVQQDEwpDbG91ZDlDQS0yMCAXDTE2MDUyMTAyMTgwOVoYDzIxMTYwNDI3MDIxODA5WjBZMRMwEQYKCZImiZPyLGQBGRYDY29tMRYwFAYKCZImiZPyLGQBGRYGb3JhY2xlMRUwEwYKCZImiZPyLGQBGRYFY2xvdWQxEzARBgNVBAMTCkNsb3VkOUNBLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPZn2VAoMsIfWmIJks9exzK+DXaX6qYyBc12dRqDrRpC48v3CBeBchV/GT2E+mjcDp8Hzq8oIpwr9W5kwMja4PU3SPd4/0LB6WKbtLfHOnJxLg9EaT992UpbUGHaHlEq4oRAuVvPgDLp5sSspLZYEBKUh4vJXOyLitE1qsXn7mJNXRKTJZvrJKdfbs1dyTge3V3wk1rwY/wCWMKVgkqCgSzzWCGju8EZWoOrnzlR6BHkA0qZqeV4F7jDW8ucdv+Y20pOlOiaEbIg/ZFYGrZd5VWjlNvgLfU8P4C/YJLSkkcPHgoet3w4jI0S26efu59rVzgU9VsKnKtnqbDL99t81vAgMBAAGjNTAzMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFDMA8e55FI5kC12+guIE9xtcIXpFMA0GCSqGSIb3DQEBCwUAA4IBAQC45tOVeqHxA8Bo/Rnv1SHHpULge3HyTC1XV9nmUdrj6g/U6rmbA5hVJ5LshgQ77qopO/YsaNHj5Ru1u/+8VOlZWpbn+kt3CDOuBUCe89CKBZT/KWEDkvtNl2qu16gOkhFnuTQk8NsARvwZZ6KtyPDmsbW4Nc/I5fKwPhdTaMjCV6Lh9RCG4kU77lbdwY3SaXlCBXXQyfPWMouCi7z1thJaF3cNGW4tnsibMR5ej9fJ9j6UvShxNgAIgjNDoihPlC6k0kW3QDR3bBjCHJX47505aIhckojH/eKsP2Or0eE/Ma4WNbndj0IXPE2ae5AVmC8/GRtwAmnoZPnt3g/I2m5j"],"use" : "sig","alg":"RS256","n":"khfJqiO57xMlci4mtvirEGoDfPflsLWQd3G0ZkQQlQK2QcraQRQPkaoP8Lo6KMKA-1mV1TxGfd9QMx9ONmtRL8RIWvt0543Fae6wPfRpaeIcDpknsHAovsTdQ9SwfqwhF7slDg4ciEJ7-gdpCJKMVQcnsiWBDPCoIC1xzB7KbGKrWvaPAmxx1hoM4etjPwBy8h_JvHMfDEF1GkrUtCDiLFPyGBLPv50hmyN6mnTu47lBhzIwzeZ4HqZLgrOdqdA6iSZrBxRzHDi1IWqoj87FYpztkWXnV7VkIN37RwrG6bFKOHGaYEydoF0LmI4pltssTxsdtLyN-Hr8fM402cs7Iw"}
      

Task 2: Configure an OCI Functions to call your OCI SDK API

1. Understand OCI Functions and API Gateway: It is a best practice to expose your services through an API Gateway. Many authentications can be done bypassing the credentials from API Gateway to the backend services, but if the backend authentication was not the appropriate method to your client application, we can do some configurations at the API Gateway level.

   In this step, let’s understand how OCI API Gateway can help us to integrate the OAuth2 authentication and the request for any OCI service, like the Data Science Model Deployment prediction through the OCI Functions.

   OCI Functions can do the job to receive the body request and pass to the OCI service. Some services in the OCI service cannot authenticate by OAuth2 method, so we can do it with OCI Functions.

   In this example, the Model Deployment prediction service can authenticate by the OCI Private key in OCI IAM. It can be done by the Resource Principal.

   If you do not know how to create and deploy an OCI Functions, see OCI Functions Quickstart

2. Understand the Code: This code will be prepared to be used with OCI API Gateway. In your API deployment, we will configure the Model Deployment endpoint in the API Gateway and it will be passed as a HEADER parameter. So you can use this function for many Model Deployments in each API Gateway deployment you need.

   

   • We will use the oracle.ads library in Python to authorize by Resource Principal the access of this function to the Model Deployment instance (see task 4).

     ads.set_auth('resource_principal')
     

   • The body content can be captured by this line.

     body = json.loads(data.getvalue())
     

   • We will configure a HEADER named model_deployment in the OCI API Gateway. This HEADER contains the URL for the Model Deployment prediction passed in the API Gateway request.

     endpoint = ctx.Headers()["model_deployment"]
     

   • This will execute the REST API POST request and return the result from the Model Deployment in the Data Science endpoint.

     return requests.post(endpoint, json=body, auth=ads.common.auth.default_signer()['signer']).json()
     

   • This is the requirements.txt library that will need to be loaded in this function.

     requirements.txt
     ---------------------
     fdk>=0.1.54
     requests
     oracle-ads
     

   Deploy your OCI Functions and let’s configure it in the OCI API Gateway.

Task 3: Configure an API Gateway Deployment Authentication

Note: For more information on how to develop an OCI Functions and call it in OCI API Gateway, see Call an OCI Functions using API Gateway.

1. Select OAuth 2.0 / OpenID Connect and enter the following configuration. This is the default way to authenticate through the HEADER.

   Token Location: Header
   JWT token header name: Authorization
   Authentication scheme: Bearer
   

2. Enter the JSON Web key string created previously, select Static keys, and enter the following information.

   Key ID: SIGNING_KEY
   Key format: JSON web key
   JSON web key: <Your JWK string created previously>
   

3. Enter the Issuers as https://identity.oraclecloud.com/ and Audiences with your OCI API Gateway hostname obtained previously.

   

   Configure your OCI Functions created in the last task.

   

4. Configure the HEADER model_deployment parameter, click Show route request policies.

   

5. In the HEADER transformations, click Add.

   

6. You must have the Data Science Model Deployment prediction URL, you can obtain this here: go to the Data Science menu, select your Data Science instance and your model deployment, and click Invoking your model.

   Note: Save your Model Deployment OCID here. You will need to configure the policies later.

   

   Your Data Science Model Deployment prediction URL.

   

7. Enter the header name as model_deployment and values as the Data Science Model Deployment prediction URL.

   

   

   Note: After you save your API Gateway deployment, remember your API deployment endpoint.

   

Task 4: Configure the OCI Group and Policies

Create a dynamic group to grant access from OCI Functions to your OCI resource. In this tutorial, we are using the Data Science Model Deployment. For more information on how to use Resource Principal, see Resource Principal.

1. Obtain the OCID of your Model Deployment instance. Enter the OCID in the dynamic group string.

   ALL {resource.type = 'fnfunc', resource.id = 'ocid1.datasciencemodeldeployment.oc1.sa-saopaulo-1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'}
   

   Note: The resource.id is the OCID obtained previously in the Model Deployment console screen.

   

2. Create a policy to allow your dynamic group. For more information, see Model Deployment Policies.

   allow dynamic-group hoshikawa_datascience to {DATA_SCIENCE_MODEL_DEPLOYMENT_PREDICT} in tenancy
   allow dynamic-group hoshikawa_datascience to manage data-science-model-deployments in tenancy
   

   

Task 5: Test API

Now, let’s simulate your application’s OAuth2 request for your Model Deployment service in OCI Data Science.

1. Obtain the token passing the Client ID and Client Secret to your Oracle Identity Cloud Service provider.

   

2. Enter your OCI API Gateway deployment endpoint and select POST REST request. Copy the access_token value and pass to your OCI API Gateway deployment. Remember that your token has a one-hour duration.

   

   And here is the result!

   

Related Links

• Creating Your First API Gateway In The Oracle Cloud

• Authentication Using Resource Principals

• OCI Functions Quickstart

• Call an s using API Gateway

• Using Resource Principals in the Data Science service

• Data Science: Invoking a Model Deployment

• Model Deployment Policies

Acknowledgments

• Author - Cristiano Hoshikawa (Oracle LAD A-Team Solution Engineer)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Enable OAuth2 Authentication in OCI API Gateway to Call OCI Services using OCI Functions and OCI SDK

F90853-01

December 2023

Copyright © 2023, Oracle and/or its affiliates.