This article is part of a series about OAuth 2.0 Authorization on OCI API Gateway:
- Complete Guide: How to configure OAuth 2.0 with JWT & IDCS on OCI API Gateway
- Limit access to your APIs with OCI API Gateway using OAuth 2.0 Scopes
- Protect OIC REST APIs with OCI API Gateway and OAuth2 – 1/2
I often have discussions with clients about protecting Oracle Integration Cloud (OIC) REST APIs and we would almost always end up talking about OAuth2 Authorization and OCI API Gateway.
With OIC, we can use Basic Authentication and/or OAuth2 using IDCS (only client credentials possible for the moment), so we don’t necessarily need OCI API Gateway for OAuth Authorization, but there are many other reasons to consider OCI API Gateway as a front for OIC.
We’ll split this subject into two parts:
- In this first part, we will talk about why to use OCI API Gateway with OIC, and how we can have OAuth2 on the API Gateway layer while statically passing the OIC basic credentials in the header. This may not be the prettiest option – but for some use cases it is more than enough
- In the second part, we will look at a more complex solution on how to validate and pass the OAuth2 token using a custom OCI Function
Why use OCI API Gateway with OIC?
Put quite simply – multiple reasons – from security to API best practices:
- Don’t share your OIC hostname and endpoints with 3rd parties
- Bundle multiple integrations together under the same API path, otherwise known as the API Facade Pattern, to provide a simple interface to a complex system
- Enhance the security of your OIC REST Integration Endpoints
As previously stated, in this article we’ll have OAuth2 configured on the OCI API Gateway layer and we’ll pass OIC basic credentials in the header statically.
So basically, everyone will authenticate using OAuth2 tokens that will be validated against Oracle IDCS, and in the API Gateway routes we will forward static Basic Authentication credentials to OIC.
Even though we can configure OAuth2 Authorization for OIC directly with IDCS, we may want to move the OAuth2 Authorization on the Gateway layer for different reasons. Here’s a couple of examples:
- One of my clients wanted to do this to limit their 3rd party clients' access to the APIs, so that those 3rd party clients would not have access to all of OIC's endpoints (for now you can't limit what a token can access when configuring OAuth2 for OIC directly with IDCS)
- Another one wanted to expose some OIC Integration Endpoints and some microservices running on OKE together under the same hostname and API path
One important aspect we must mention first is that OIC does not permit the deactivation of authentication right now.
We must always authenticate when calling any OIC integration/endpoint.
This is why we can't just move the authentication/authorization altogether from OIC to API Gateway.
The first step would be to configure the Authentication policy on your API Gateway deployment. If you need help with this, please follow this Complete Guide: How to configure OAuth 2.0 with JWT & IDCS on OCI API Gateway.
Once you’ve configured OAuth2 Authentication Policy on OCI API Gateway, your deployment should look something like this:
Now that the OAuth2 Authentication policy is configured, we must add our Basic Authentication on each route calling an OIC integration endpoint.
Click on Show Route Request Policies
Then, under Header Transformations, add the Authorization header with your base64-encoded Basic credentials for OIC
Remember, we're doing this because we cannot move or deactivate the authentication on the OIC layer.
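To make the two steps above concrete, here is an added example (not code from the original article or from Oracle) that builds the Basic Authorization value for OIC and renders the equivalent OCI API Gateway deployment specification: the JWT authentication policy at the deployment level and, on the OIC route, the header transformation that sets the static Basic credential. The IDCS host, audience, route path, OIC URL and the credentials `oic_user` / `s3cret` are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example (not from the original article): build the static Basic
# Authorization value for the OIC backend and render the matching OCI API
# Gateway deployment specification. Hostnames, credentials and paths are
# constructed placeholders.

# Encode "user:password" for a Basic Authorization header.
# printf '%s' avoids the trailing newline that `echo` would add; a newline
# inside the encoded text produces a header value OIC rejects. `tr -d '\n'`
# removes the line wrapping some base64 implementations insert for long input.
basic_auth_header() {
    user="$1"
    password="$2"
    encoded=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
    printf 'Basic %s' "$encoded"
}

# Decode a "Basic <b64>" value back to "user:password", so the string pasted
# into the Header Transformations dialog can be checked before saving.
basic_auth_decode() {
    printf '%s' "${1#Basic }" | base64 -d
}

# Render the deployment specification: JWT authentication at the deployment
# level (tokens checked against the IDCS JWKS endpoint) and, on the OIC route,
# a header transformation that replaces the client's Bearer token with the
# static Basic credential before the request reaches OIC.
render_deployment_spec() {
    idcs_host="$1"      # e.g. idcs-xxxx.identity.oraclecloud.com (placeholder)
    oic_url="$2"        # full OIC integration endpoint URL (placeholder)
    auth_value="$3"     # output of basic_auth_header
    cat <<EOF
{
  "requestPolicies": {
    "authentication": {
      "type": "JWT_AUTHENTICATION",
      "tokenHeader": "Authorization",
      "tokenAuthScheme": "Bearer",
      "isAnonymousAccessAllowed": false,
      "issuers": ["https://identity.oraclecloud.com/"],
      "audiences": ["<your-idcs-app-primary-audience>"],
      "publicKeys": {
        "type": "REMOTE_JWKS",
        "uri": "https://${idcs_host}/admin/v1/SigningCert/jwk",
        "maxCacheDurationInHours": 1
      }
    }
  },
  "routes": [
    {
      "path": "/orders",
      "methods": ["POST"],
      "backend": {
        "type": "HTTP_BACKEND",
        "url": "${oic_url}"
      },
      "requestPolicies": {
        "headerTransformations": {
          "setHeaders": {
            "items": [
              {
                "name": "Authorization",
                "values": ["${auth_value}"],
                "ifExists": "OVERWRITE"
              }
            ]
          }
        }
      }
    }
  ]
}
EOF
}

# Usage with constructed sample credentials (placeholders, not real values).
HEADER=$(basic_auth_header "oic_user" "s3cret")
render_deployment_spec "idcs-example.identity.oraclecloud.com" \
    "https://oic-example.integration.ocp.oraclecloud.com/ic/api/integration/v1/flows/rest/ORDERS/1.0/orders" \
    "$HEADER"
```

Two points worth noting. The incoming request already carries the client's token in the same Authorization header, so the transformation must use OVERWRITE; with SKIP the Bearer token would be forwarded to OIC instead of the Basic credential. And because the value lives in plain text inside the deployment specification, anyone who can read the deployment can read the OIC credential: keep read access on the deployment as tight as the OIC credential itself and treat rotating it as a redeploy of every route that carries it.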
In the next part of the series, we will look at a more complex way of doing this only using OAuth2 (no more Basic Authentication forwarding in the header), by configuring a Custom Authentication Policy using an OCI Function. This way we will be able to forward the OAuth2 token to OIC from API Gateway.