OCI API GW & JWT to call OIC with/without Credentials - Part I
To invoke any Integration created in OIC, we need to pass the credentials, i.e., Username/Password. In this article, we’ll discuss and explain how to use OCI API GW & JWT to call OIC with/without credentials.
Most of the time the Integrations we develop are to be triggered by External Applications or Vendors. If we do not want to take the risk of sharing either the exact Integration endpoint or the OIC Credentials used to hit our Integration, we can follow any of the below methods.
In this blog, we will see the different methods by which we can allow external applications to invoke OIC Integrations.
- OCI APIGW with OIC Integration as backend (Passing OIC credentials)
- OCI APIGW with OIC Integration as backend (Where OIC credentials are configured in APIGW route level).
- OCI APIGW + JWT with OIC Integration as backend (Where OIC credentials are configured in APIGW route level).
- OCI APIGW + JWT + OCI Functions with OIC Integration as backend (Where no creds are passed).
Pre-requisites:
- Access to OCI Instance with relevant privileges.
- Access to OIC Instance & existence of a simple Hello World Integration in that Instance.
- Access to a public facing OCI APIGW, with rules configured to allow traffic from the public internet.
- Access to fetch JWK from IDCS.
- Access to create applications in IDCS.
NOTE: These pre-requisites are needed because we will be hitting the OIC HelloWorld Integration from APIGW. For the last method, we will also need a Bearer token (OAuth2.0), which will be generated by the application we create in IDCS.
Method 1 → Invoking Integration where the end user needs to pass OIC Credentials
In this method, we will have an OIC HelloWorld integration endpoint as a backend to our APIGW and hit it from Postman by passing OIC credentials.
In this approach, we would be hiding the actual Integration endpoint from the end user.
Pros → Integration or OIC Instance endpoint is not exposed.
Cons → OIC Credentials are compromised. Even though we can create a specific user in OCI and give only the “ServiceInvoker” privilege to that user, that user will still be able to hit all the integrations on the Instance.
Deployment created on APIGW for the HelloWorld Integration.
Integration endpoint configured in APIGW Deployment Route.
Once this deployment is completed, you will get the endpoint to hit from Postman (which you can share with the external applications that will be calling your integration).
Now, let us configure this endpoint by suffixing it with Route Path (/REST_HW01 in my case). Here I am passing OIC Credentials under the Authorization section, by choosing Authorization Type as “Basic”.
Method 2 → Invoking Integration, where no Credentials are passed by the end user
In this method, the end user directly hits the APIGW endpoint for the integration, generated the same way as in Method 1 by creating a deployment and adding the HelloWorld integration endpoint in the Route. The only difference is that we will be configuring the OIC Credentials inside the APIGW.
In this way, we need not share OIC credentials with the end user. Instead, we will configure them at Route Level in the APIGW deployment.
Pros → Integration or OIC Instance endpoint is not exposed. Credentials need not be shared with the end user.
Cons → As the end users need not pass credentials, anyone who knows the endpoint can hit it.
Here, we need to pass the OIC credentials in Base64 format (username:password) and complete the APIGW deployment.
In my case, I have stored my OIC Credentials in OCI Vault in Base64 format and copied them from there.
To store credentials in OCI Vault, you need to follow the below steps:
- Create a vault (OCI → Identity & Security → Vault) on a specific compartment.
- Create Master Encryption Key in the vault with any protection method & algorithm. (I have considered HSM Protection mode & AES algo).
- Once the Master Encryption Key is created, create a Secret: choose the Master Encryption Key created in Step 2, pick a Secret Type Template (I chose Plain Text, so that I can come back later to check when required), and enter your credentials (oicusername:oicpassword) in the Secret Contents section.
- Once the Secret is created, you can click to open it and view the secret contents via the menu against the secret version.
Now, let us test this APIGW endpoint from Postman as done in Method 1, but without passing any credentials:
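To make the two patterns concrete, here is a small added example (not code from the article or from Oracle) that models what Postman does in Method 1 and what the APIGW route does in Method 2. It builds the `Basic` header from username:password, produces the Base64 value you paste into the route configuration, shows that the value decodes straight back to the plaintext credentials (Base64 is encoding, not encryption, which is why the article keeps it in OCI Vault), and can issue the real call when a gateway URL is supplied. The gateway host, route path and credentials are constructed placeholders.

```python
"""Basic-auth handling for the two OIC invocation patterns described above.

Method 1: the caller builds the Authorization header itself (what Postman
does when Authorization Type is "Basic").
Method 2: the caller sends nothing; the APIGW route stores
base64(username:password) and injects the header before forwarding to OIC.

Added example; the endpoint, route path and credentials are constructed
placeholders, not values from the article.
"""
import base64
import os
import urllib.request
from typing import Optional, Tuple


def basic_credential(username: str, password: str) -> str:
    """Return base64(username:password), the value stored at route level (Method 2)."""
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def basic_header(username: str, password: str) -> str:
    """Return the full Authorization header value a Method 1 client sends."""
    return "Basic " + basic_credential(username, password)


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic Authorization value.

    Base64 is reversible: anyone who can read the route configuration or
    observe the header recovers the plaintext credentials. Returns None for
    a non-Basic scheme or malformed Base64.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the username cannot contain ":", so split at the first colon.
    user, _, pwd = decoded.partition(":")
    return (user, pwd)


def gateway_forward_headers(client_headers: dict, route_credential: Optional[str]) -> dict:
    """Model the APIGW route behaviour for the backend request.

    Method 1 (route_credential is None): the client's own Authorization
    header is passed through to OIC unchanged.
    Method 2 (route_credential set): the gateway sets Authorization from the
    stored Base64 value, so the client never holds OIC credentials.
    """
    headers = dict(client_headers)
    if route_credential:
        headers["Authorization"] = "Basic " + route_credential
    return headers


def invoke(url: str, headers: dict, timeout: float = 10.0) -> Tuple[int, str]:
    """Issue a GET against the gateway deployment; returns (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    user, pwd = "oicuser", "oicpassword"          # constructed placeholders

    # Method 1: the caller supplies Basic credentials itself.
    method1_headers = {"Authorization": basic_header(user, pwd)}

    # Method 2: the caller sends nothing; the route injects the stored value.
    stored = basic_credential(user, pwd)          # paste this into the route config
    method2_headers = gateway_forward_headers({}, stored)

    print("Method 1 header sent by client :", method1_headers)
    print("Method 2 header added by gateway:", method2_headers)
    print("Stored value decodes back to    :", decode_basic(method2_headers["Authorization"]))

    # Only call a real gateway when one is configured, e.g.
    # OIC_GATEWAY_URL="https://<gateway-host>/<deployment-prefix>/REST_HW01"
    gw = os.environ.get("OIC_GATEWAY_URL")
    if gw:
        print(invoke(gw, method1_headers))
```

The `decode_basic` round trip is the practical point behind the Cons of both methods: whoever can read the Base64 value (in the route, in a screenshot, in a shared note) has the OIC password, so the value belongs in Vault with access restricted to the people who configure the gateway.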
We will continue discussing the remaining Methods to invoke OIC in my next blog here, as this post is already getting long and you’ll lose interest scrolling through.
!!! Happy Reading !!!
If you liked the article, please like, comment, and share.
Please look at my YouTube channel for Oracle Integration-related videos and don’t forget to subscribe to our channel to get regular updates.