Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Leverage OCI Identity and Access Management Identity Domains REST APIs using API Signing Key

Introduction

When integrating with Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) Identity Domains APIs, OAuth 2.0 is the most commonly recommended method for securing API requests. However, for certain use cases, especially where simplicity and directness are paramount, API signing key offers a viable alternative.

This tutorial will explore how you can invoke OCI IAM Identity Domain APIs using API signing keys, providing a more straightforward and accessible option for developers and administrators.

Why Use API Signing Key?

API signing key provides a straightforward way to authenticate API requests. They are easy to generate and use, making them ideal for applications that require simple, programmatic access without the complexity of OAuth token exchange process. API keys are especially useful in scenarios like:

• Automated Scripts and cron Jobs: Simplicity in authentication without needing to manage tokens.

• Internal Applications: Reduced complexity for services running within a trusted network.

• Prototyping and Development: Quick set up for testing and debugging.

Audience

OCI IAM professionals, developers and administrators.

Objective

Leverage OCI IAM Identity Domains REST API using API signing key. To demonstrate this effectively, Python snippet can be used to develop a script. This script illustrates how to interact with OCI IAM Identity Domain APIs using API Signing keys for authentication. It also covers the basic operations of creating a group, creating a user, and assigning the user to the group, demonstrating how to perform these actions programmatically with secure API requests. Using API keys simplifies the process, making it easier to integrate these operations into automated workflows or scripts.

Prerequisites

• OCI Account: Access to your Oracle Cloud Infrastructure account.

• API Signing Key: A public-private key pair for signing requests in PEM format. For more information, see How to Generate an API Signing Key.

• Familiarity with OCI IAM and Python.

• Knowledge of OCI IAM Identity Domains REST API is required.

• An OCI IAM user with authorization to manage applications (Identity Domain Administrator, Security Administrator, or Application Administrator).

• Python 3.x installed.

• requests and json Python packages installed.

Task 1: Import Python Packages and Initial Set Up

The initial part of the script sets up the necessary imports and configurations for interacting with OCI IAM Identity Domain APIs using API keys.

import requests
import json
from oci.config import from_file
from oci.signer import Signer

• requests: A simple HTTP library in Python for making HTTP requests.
• json: Library for parsing JSON data.
• from_file: Function to read the OCI configuration from a file.
• Signer: Class for signing HTTP requests with an API key.

Task 2: Define and Initialize a Class

The snippet defines a class, APISignedRequest, to manage interactions with OCI IAM Identity Domain APIs using API keys.

class APISignedRequest():
    def __init__(self):
        global auth
        global identity_domain
        global config

        config = from_file()
        auth = Signer(
            tenancy=config['tenancy'],
            user=config['user'],
            fingerprint=config['fingerprint'],
            private_key_file_location=config['key_file']
        )
        identity_domain = 'https://idcs-############################.identity.oraclecloud.com'

• APISignedRequest class: This class encapsulates methods to perform API requests to OCI IAM Identity Domains.
• init method: Initializes the class by setting up the global variables auth, identity_domain, and config.
  • config: Loaded from the default OCI configuration file.
  • auth: An instance of signer used for signing API requests with the API key.
  • identity_domain: The base URL for the identity domain instance.

Task 3: Create Group Method

The creategroup method in the APISignedRequest class is designed to create a new group in the OCI IAM Identity Domain.

def creategroup(self):
    extra = "/admin/v1/Groups"
    body = {
        "displayName": "Example Group",
        "externalId": "123456",
        "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group": {
            "creationMechanism": "api",
            "description": "Example Description"
        },
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:Group",
            "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group",
            "urn:ietf:params:scim:schemas:extension:custom:2.0:Group"
        ]
    }

    response = requests.post(identity_domain + extra, auth=auth, json=body)
    jsonresp = json.loads(response.content)
    grpid = jsonresp.get("id")
    print("Group has been created")
    return grpid

• creategroup method: Sends a POST request to create a new group in identity domain.
  • extra: The API endpoint for creating groups.
  • body: JSON payload containing group details.
  • requests.post: Sends the POST request with the auth signer and body.
  • json.loads: Parses the JSON response.
  • grpid: Extracts and returns the group ID from the response.

Task 4: Create User Method

The createuser method in the APISignedRequest class is designed to create a new user in the OCI IAM Identity Domain.

def createuser(self):
extra = "/admin/v1/Users"
body = {
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "name": {
    "givenName": "Test",
    "familyName": "User"
  },
  "userName": "testuser@example.com",
  "emails": [
    {
      "value": "testuser@example.com",
      "type": "work",
      "primary": True
    },
    {
      "value": "testuser@example.com",
      "primary": False,
      "type": "recovery"
    }
  ]
}

response = requests.post(identity_domain + extra, auth=auth, json=body)
jsonresp = json.loads(response.content)
userid = jsonresp.get("id")
print("User has been created")
return userid  

• createuser method: Sends a POST request to create a new user in Oracle Identity Domain.
  • extra: The API endpoint for creating users.
  • body: JSON payload containing user details.
  • requests.post: Sends the POST request with the auth signer and body.
  • json.loads: Parses the JSON response.
  • grpid: Extracts and returns the user ID from the response.

Task 5: Assign User to Group Method

The assignuser method in the APISignedRequest class handles the process of assigning a user to a group in the OCI IAM Identity Domain.

def assignuser(self):
    extra = "/admin/v1/Groups/"
    obj = APISignedRequest()
    grpid = obj.creategroup()
    gid = str(grpid)
    userid = obj.createuser()

    body = {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "add",
          "path": "members",
          "value": [
            {
              "value": userid,
              "type": "User"
            }
          ]
        }
      ]
    }

    response = requests.patch(identity_domain + extra + gid, auth=auth, json=body)
    print("User has been assigned to the group")

• assignuser method: Orchestrates creating a group and a user, then assigns the user to the group.
  • extra: The API endpoint for group operations.
  • creategroup: Creates a group and retrieves its ID.
  • createuser: Creates a user and retrieves its ID.
  • body: JSON payload to patch the group by adding the user to its members.
  • requests.patch: Sends the PATCH request to update the group with the new user.

Task 6: Execute the Flow

Create Instance and Call Method: Create an instance of APISignedRequest and call assignuser to execute the entire flow.

obj = APISignedRequest()
obj.assignuser()

Task 7: Use the Script in the OCI Cloud Shell

Once the script is ready, it can be easily executed on the local machine (with Python installed) or on any integrated development environment (IDE) that supports Python development. We are using OCI Cloud Shell to run the script and get the desired report.

1. Log in to the OCI Console, open the OCI Cloud Shell from the top right corner and upload the Python script OCIAPISignedRequest.py.

Note: The OCIAPISignedRequest.py is the Python script developed using the above tasks code snippets.

1. Execute the python OCIAPISignedRequest.py command.

Conclusion

Using API keys to invoke OCI IAM Identity Domain APIs provides a straightforward alternative to OAuth, ideal for certain use cases where simplicity and ease of use are crucial. After this tutorial you can securely and efficiently integrate with OCI IAM Identity Domain APIs, leveraging the power of API keys for authentication.

Whether you are automating administrative tasks, building internal tools, or prototyping applications, API keys offer a flexible and convenient method to interact with OCI services.

Related Links

• OCI IAM Identity Domains REST API

• How to Generate an API Signing Key

Acknowledgments

• Author - Gautam Mishra (Senior Cloud Engineer)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Leverage OCI Identity and Access Management Identity Domains REST APIs using API Signing Key

F99641-01

May 2024

Copyright ©2024,

Oracle and/or its affiliates.