Configure Resource-Based Access for REST Endpoints Using OCI API Gateway

Resource-based access control enables you to manage access to resources based on a user's attributes and characteristics. This differs from role-based access control, where access to resources is granted based on role. With resource-based access control, permissions to your REST API collections (deployments) can be assigned granularly for individual consumers.

Here are some advantages of implementing resource-based access control for REST API endpoints:

  • Implement fine-grained control for Oracle SaaS and Oracle Cloud Infrastructure (OCI) hosted API endpoints.
  • Avoid exposing backend API credentials to end users and applications.
  • Enforce resource-based access for APIs exposed through various OCI services such as Oracle Container Engine for Kubernetes and OCI Functions.

OCI API Gateway enables additional API management features when implementing resource-based access control for REST endpoints:

  • Help monetize enterprise APIs using usage plans.
  • Control API usage with rate limiting and quotas.
  • Leverage dashboards for monitoring consolidated subscriber-based API usage.

Architecture

This architecture outlines resource-based access control for REST endpoints hosted on OCI. Users and applications from the human capital management (HCM) and supply chain and manufacturing (SCM) domains can only access their respective resources. REST endpoints are hosted and exposed through Oracle SaaS applications and Oracle services such as OCI Functions, Oracle Integration Cloud Service, and Oracle Container Engine for Kubernetes.

HCM and SCM deployments are created in OCI API Gateway. REST endpoints are configured under the respective deployments as backend services. OCI Identity and Access Management confidential applications are used for the HCM and SCM domains. The scope and audience configured on each client confidential application must match the JWT validation configuration of the corresponding OCI API Gateway deployment. HCM and SCM consumers should have access to their confidential application's access token URL, client ID, client secret, and scope for token generation. Share the OCI API Gateway HCM and SCM deployment endpoints with the consumers.

Provision OCI API Gateway in a public subnet to intercept all internet traffic. OCI Functions and Oracle Integration Cloud Service are native OCI services that expose REST APIs configured as backend OCI API Gateway deployments. OCI API Gateway communicates with these REST APIs via service gateway. Oracle Container Engine for Kubernetes container services can be hosted in private subnets, and the REST endpoints exposed through Oracle Container Engine for Kubernetes clusters. The communication between OCI API Gateway and Oracle Container Engine for Kubernetes clusters can be enabled through security lists and routing rules.

The following diagram illustrates this reference architecture.

The following diagram illustrates the data flow:



The data flow for HCM and SCM users resembles the following:

  1. (a,b) Configure client confidential application and resource application with scope and audience.
  2. (a,b) Configure OCI API Gateway deployment with REST endpoint, scope, and audience.
  3. (a,b) The user application generates a JWT token using the client confidential application. The token contains the encoded scope and audience.
  4. (a,b) A user triggers an OCI API Gateway endpoint deployment using their token.
  5. (a,b) OCI API Gateway validates the token against the configured scope and audience in the deployment.
  6. (a,b) If validation is successful, the respective API access is granted per the routing configuration.
  7. (a,b) If validation is unsuccessful, a 401 Unauthorized error is returned.
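As an added example that is not part of the original reference architecture, the following OCI API Gateway deployment specification expresses steps 2, 5 and 7 for the HCM deployment: a deployment-wide JWT authentication policy that verifies the issuer, audience and signature, and a per-route authorization policy that requires the HCM scope. The audience, JWKS URI, scope name and backend URL are placeholders to be replaced with the values from your identity domain's resource and confidential applications.

```json
{
  "requestPolicies": {
    "authentication": {
      "type": "JWT_AUTHENTICATION",
      "tokenHeader": "Authorization",
      "tokenAuthScheme": "Bearer",
      "isAnonymousAccessAllowed": false,
      "issuers": ["https://identity.oraclecloud.com/"],
      "audiences": ["https://hcm-api.example.com"],
      "publicKeys": {
        "type": "REMOTE_JWKS",
        "uri": "https://<identity-domain-placeholder>/admin/v1/SigningCert/jwk",
        "isSslVerificationDisabled": false,
        "maxCacheDurationInHours": 1
      }
    }
  },
  "routes": [
    {
      "path": "/employees",
      "methods": ["GET"],
      "requestPolicies": {
        "authorization": {
          "type": "ANY_OF",
          "allowedScope": ["hcm.read"]
        }
      },
      "backend": {
        "type": "HTTP_BACKEND",
        "url": "https://<hcm-backend-placeholder>/api/employees"
      }
    }
  ]
}
```

A token issued for the SCM confidential application carries a different audience and scope, so it fails this deployment's validation and the gateway returns 401 without ever contacting the HCM backend; the SCM deployment uses the same structure with its own audience, scope and backend.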

The architecture has the following components:

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain shouldn't affect the other availability domains in the region.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Container Engine for Kubernetes

    Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Container Engine for Kubernetes provisions them on Oracle Cloud Infrastructure in an existing tenancy. Container Engine for Kubernetes uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.

  • API Gateway

    Oracle API Gateway enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. The endpoints support API validation, request and response transformation, CORS, authentication and authorization, and request limiting.

  • Functions

    Oracle Cloud Infrastructure Functions is a fully managed, multitenant, highly scalable, on-demand, Functions-as-a-Service (FaaS) platform. It is powered by the Fn Project open source engine. Functions enable you to deploy your code, and either call it directly or trigger it in response to events. Oracle Functions uses Docker containers hosted in Oracle Cloud Infrastructure Registry.

  • Integration

    Oracle Integration is a fully managed service that allows you to integrate your applications, automate processes, gain insight into your business processes, and create visual applications.

  • Identity and Access Management (IAM)

    Oracle Cloud Infrastructure Identity and Access Management (IAM) is the access control plane for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within the identity domain. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.

  • Production and Non-Production Environments

    Create multiple identity domains and separate OCI API Gateway instances for production and non-production for better control of user access and isolation.

  • Security

    Store the backend credentials in OCI Vault for enhanced security. Regenerate the client secret if the client secret is compromised.

Considerations

Consider the following when implementing this reference architecture:

  • Performance

    There are rate limiting and quota features in OCI API Gateway that enable you to maximize performance and reduce latency. Here are some of the benefits:

    • Maintain high availability and fair use of resources by protecting your backend from being overwhelmed with too many requests.
    • Prevent denial-of-service attacks.
    • Constrain costs of resource consumption.
    • Restrict usage of APIs by your customers' users to monetize APIs.

  • Security

    Establish governance processes to manage client credentials and consumers.

  • Availability

    Create API Gateways in regional subnets (not availability domain specific subnets) to ensure high availability.

  • Cost

    OCI API Gateway is a cost-effective option with a fair pricing model.

Acknowledgments

  • Author: Subburam Mathuraiveeran
  • Contributors: Wei Han, Robert Wunderlich