swagger: '2.0'
info:
x-ibm-name: oauth2-oidc-provider
title: OAuth2 OIDC Provider
version: 1.0.0
description: >-
Provide a template on how to enable OIDC for APIC OAuth provider.
Authorization Code : the standard OAuth protocol
Resource Owner Grant Type : the 2 legged owner grant type
Client Credential : there is no user in this, and thus no id_token will be
created
Skip:
Implicit : this is a subset of authorization code grant type, public client
contact:
name: IBM API Connect
schemes:
- https
host: $(catalog.host)
basePath: /
securityDefinitions:
clientID:
description: application's client_id
in: query
name: client_id
type: apiKey
clientIdHeader:
in: header
type: apiKey
name: X-IBM-Client-Id
clientSecretHeader:
in: header
type: apiKey
name: X-IBM-Client-Secret
security:
- clientID: []
paths:
/oauth2/authorize:
get:
produces:
- text/html
summary: endpoint for Authorization Code and Implicit grants
description: description
parameters:
- name: response_type
in: query
description: request an authorization code or or access token (implicit)
required: true
type: string
enum:
- code
- token
- name: scope
in: query
description: Scope being requested
type: string
required: true
- name: redirect_uri
in: query
type: string
description: URI where user is redirected to after authorization
required: false
- name: state
in: query
type: string
description: >-
This string will be echoed back to application when user is
redirected
required: false
responses:
'200':
description: An HTML form for authentication or authorization of this request.
'302':
description: >
Redirect to the clients redirect_uri containing one of the following
- **authorization code** for Authorization code grant
- **access token** for Implicity grant
- **error** in case of errors, such as the user has denied the
request
security:
- clientID: []
post:
consumes:
- application/x-www-form-urlencoded
produces:
- text/html
summary: submit approval to authorization code or access token
description: >
Submit resource owners approval (or rejection) for the OAuth2 Server to
issue an
authorization code or access token to the application.
security: []
parameters:
- name: client_id
in: formData
description: application requesting the access code or token
required: true
type: string
- name: scope
in: formData
description: requested scope of this authorization
required: true
type: string
- name: resource-owner
in: formData
description: resource owners user name
required: true
type: string
- name: redirect_uri
in: formData
description: >-
URI the application is requesting this code or token to be
redirected to
required: true
type: string
- name: original-url
in: formData
description: URL of the original authorization request
required: true
type: string
- name: dp-state
in: formData
description: state information provided in the authorization form
required: true
type: string
- name: dp-data
in: formData
description: state information provided in the authorization form
required: true
type: string
responses:
'200':
description: Cool
/oauth2/token:
post:
consumes:
- application/x-www-form-urlencoded
produces:
- application/json
summary: Request Access Tokens
description: >
This endpoint allows requesting an access token following one of the
flows below:
- Authorization Code (exchange code for access token)
- Client Credentials (2-legged, there isnt resource owner information)
- Resource Owner Password Credentials (2-legged, client provides
resource owner name and password)
- Refresh Token (exchange refresh token for a new access code)
The table below indicates the required parameters for each specific
grant_type options.
Empty cells indicate a parameter is ignored for that specific grant
type.
Client authentication:
- Confidential clients should authenticate using HTTP Basic
Authentication. Alternatively, they may post
their client_id and client_secret information as a formData parameter.
- Public clients should send their client_id as formData parameter.
| grant_type | code | client_credentials | password |
refresh_token |
|----------------------|------------|--------------------|-------------|---------------|
| client_id | required* | required* | required* |
required* |
| client_secret | required* | required* | required* |
required* |
| code | required | |
| |
| redirect_uri | required | |
| |
| username | | | required
| |
| password | | | required
| |
| scope | | optional | optional
| |
| refresh_token | | | |
required |
The implicit grant requests, see /oauth2/authorize.
security: []
parameters:
- name: grant_type
in: formData
description: Type of grant
type: string
required: true
enum:
- authorization_code
- password
- client_credentials
- refresh_token
- name: client_id
in: formData
description: >-
Application client ID, can be provided in formData or using HTTP
Basic Authentication
required: false
type: string
- name: client_secret
in: formData
description: >-
Application secret, must be provided in formData or using HTTP Basic
Authentication
required: false
type: string
- name: code
in: formData
description: Authorization code provided by the /oauth2/authorize endpoint
required: false
type: string
- name: redirect_uri
in: formData
description: >-
required only if the redirect_uri parameter was included in the
authorization request /oauth2/authorize; their values MUST be
identical.
required: false
type: string
- name: username
in: formData
type: string
description: Resource owner username
required: false
- name: password
in: formData
type: string
description: Resource owner password
required: false
- name: scope
in: formData
type: string
description: Scope being requested
required: false
- name: refresh_token
in: formData
type: string
description: >-
The refresh token that the client wants to exchange for a new access
token (refresh_token grant_type)
required: false
responses:
'200':
description: 'json document containing token, etc.'
schema:
$ref: '#/definitions/access_token_response'
'400':
description: json document that may contain additional details about the failure
/oauth2/introspect:
post:
consumes:
- application/x-www-form-urlencoded
produces:
- application/json
summary: Introspect a given access_token supported
description: |
This endpoint introspects a given access_token
security:
- clientIdHeader: []
clientSecretHeader: []
parameters:
- name: token
in: formData
description: String value of the access_token to be introspected
required: true
type: string
- name: token_type_hint
in: formData
description: This must contain 'access_token' to indicate the token type
required: true
type: string
responses:
'200':
description: 'json document containing issued information, etc.'
schema:
$ref: '#/definitions/introspect_response'
'401':
description: failure
/oauth2/issued:
get:
produces:
- application/json
summary: Returns list of permission granted to the owner
description: >
This endpoint allows the return of all the issued permission for a given
authenticated owner per owner authentication
defined in the x-ibm-configuration section
security:
- clientIdHeader: []
clientSecretHeader: []
responses:
'200':
description: 'json document containing issued information, etc.'
schema:
$ref: '#/definitions/issued_responses'
'401':
description: failure in retreiving issued list
delete:
consumes:
- application/x-www-form-urlencoded
produces:
- application/json
summary: Revoke an application/client permission by the authorized owner
description: Revoke an application/client permission by the authorized owner
security:
- clientIdHeader: []
clientSecretHeader: []
parameters:
- name: client-id
in: query
description: client-id is the OAuth client_id or application id to be revoked
required: true
type: string
responses:
'200':
description: OK
x-ibm-configuration:
testable: true
enforced: true
phase: realized
oauth2:
client-type: confidential
scopes:
openid: Enable OIDC
weather: Weather Provider API
grants:
- password
- accessCode
- application
- implicit
identity-extraction:
type: default-form
authentication:
x-ibm-authentication-url:
url: 'https://127.0.0.1/utility/basic-auth/spoon/spoon'
tls-profile: ''
authorization:
type: authenticated
access-token:
ttl: 3600
refresh-token:
count: 2048
ttl: 2682000
metadata:
metadata-url:
url: ''
tls-profile: ''
gateway: datapower-gateway
assembly:
execute:
- switch:
title: switch
case:
- condition: >-
(((request.verb==='GET')&&(api.operation.path==='/oauth2/authorize'))||((request.verb==='POST')&&(api.operation.path==='/oauth2/authorize'))
&& new String (apim.getvariable
('message.status.code')).startsWith ('302'))
execute:
- xslt:
title: xslt
input: false
version: 1.0.0
source: >-
- condition: >-
((request.verb==='POST')&&(api.operation.path==='/oauth2/token'))
execute:
- gatewayscript:
title: gatewayscript
version: 1.0.0
source: >-
var _apimgmt = session.name('_apimgmt');
var grantType =
_apimgmt.getVariable('requested-grant-type');
if (grantType === 'password' ||
grantType === 'code') {
// get scope
var splitScope = (apim.getvariable('message.body').scope || '').split(' ');
for (var i = 0; i < splitScope.length; i++) {
if (splitScope[i] === 'openid') {
var userIdentity = _apimgmt.getVariable('authenticated-username');
apim.setvariable('oidc-credential', userIdentity, 'set');
}
}
}
version: 1.0.0
- if:
title: if
condition: apim.getvariable('oidc-credential') !== undefined
execute:
- set-variable:
title: set-variable
actions:
- set: iss.claim
value: Spoon Bank Inc
- set: sign-jwk
value: >-
{ "kty": "RSA", "d":
"AQZvY1Z3Jymu7eKDAoZ9P-v5QvqCMb7EtDfTkW-CIOsvh4jVPIK-gwmoEqq4ic8WVOfQAEN4hN5SMuMoJu0xGpGtqIbYTl1yoJ22zFXXCWg0lv1InQmkg6EuaOzncSL7gnXxkWQUCbbtxMMwulKaQLUIR1vOGhPIjiNWrhwNxz2igbTHUEhPYaxzXMFukJiYnmeUd5FGq_QnhR_R4CgQt3yTKaAEWF2LlaejeDkqMXHCSuXRq-Ua3Y1IYzn3AXPoF9nfAV5QJezITDdSPAK5_hkKSLzb92Y6Pg7jXhH3DgfLVolpxrZWmK58P2IGz1uhuw9Nh_4a0_gw5xTNBNbAPSTOI6S9X7pt1rTSShYBOEJZ3MF7w3NDH2dsvkjZcdUxgvaHTrZKDtg2OJP0Go1sePvJHZJ1S0jjrSXMQyTagvjVhO0FQ_LuFrEhKPDpeXmyvVUJ8ud9oboJ_PbeL8bxOzp8HD6MI2SjrjtZ4SCmz3afdNKoS0_0Dk3i-JaV9kxVqUQYAGwRoccgh8aoIARMHGjlPP97lJkdIOxHb8KAjxa0GX5ZFz77xjz9P0E54u_TmKXj4iVGuY-yA33TNC0muwzm5q2HOlUg7DhPUryGGoLTMv7hChuFj9J5c6BXvvVe3ukfQkfsTglS2JuMsGDOcLFCd5SGoa9myu5xD-uqhG2p",
"e": "AQAB", "use": "sig", "kid": "spoon", "alg":
"RS512", "n":
"At1JEfmAE-rOFUyNo1oj-o5cLC3w6z18gz3wA1oB3DFh1a1t3okvT-KbwPHQONa2QCKheF7VeEa3RJc4l7n5CK-CBuGzENw43YZXJFz8HfwdSSibzB18c0abP89IF0CnW2zJCcO-4bkHNgxZg_tg5wfbuXMQ3JTFkuAgrArpzZchbIl9ihjnPBq65DsxY3RwO-aqf03bGbwKXGUlE4wY7IKF25ofomrwnNrew4eS4iBenTxaQosaWAnBxV791-6Nu7fodcKcieHg3GG7xufeN7gOQH7VmZSNt5r9pFq71rsGNsb5ncrcT0t76Tw9RHMjYanY5YGpmftyfwqvuERsiGmZFrzHd_iBvLgZYWI8JRPbWgGniv493MFE5pP-NnHTTJU6sW313Z0soNH3tt5dI-2ARN6P3RrUDfusRCxwmqiYdjXHdo67WzXPvYmAs7Pdmp2zlgOdPCSokRw2D3Oq1_lHIsIaTrNY7sTU-jwLpZBZFAbhZoQMPFwoyDlZpUwHsChvN42ZH8tnvggKV_yDoq2wyA8nfPdlVIY86nLaXYP873E661eAONbZxEBntZMozYVzraWkwy3VxG2HgnD89UXZuPzBKwnt0PW_R554jrEYl2-8KT1vEWDrBxBPTm0Q6Js444U6NNmoHD1UIWW0yt3P86lTjWJWPTciTJBt_ann"
}
- set: private.claim
value: '{"disclaimer":"for demo purpose"}'
version: 1.0.0
- jwt-generate:
title: jwt-generate
iss-claim: iss.claim
exp-claim: 3600
version: 1.0.0
jwt: idtoken
jti-claim: true
sub-claim: oidc-credential
aud-claim: client.app.id
private-claims: private.claim
jws-alg: RS512
jws-jwk: sign-jwk
- gatewayscript:
title: gatewayscript
version: 1.0.0
source: >-
var grantType =
session.name('_apimgmt').getVariable('requested-grant-type');
if (grantType === 'implicit') {
// regression in 5070 will not allow access, and modification to the location header
var location = apim.getvariable('oidc-location') + '&id_token=' + apim.getvariable("idtoken");
// work around is to use xslr
apim.setvariable('oidc-location', location);
}
else {
var token = apim.getvariable("message.body");
token["id_token"] = apim.getvariable("idtoken");
apim.setvariable("message.body", JSON.stringify(token));
}
- if:
title: if
condition: >-
new String (apim.getvariable
('message.status.code')).startsWith('302')
execute:
- xslt:
title: xslt
input: false
version: 1.0.0
source: >-
version: 1.0.0
version: 1.0.0
catch: []
definitions:
access_token_response:
type: object
additionalProperties: false
required:
- token_type
- access_token
- expires_in
properties:
token_type:
enum:
- bearer
access_token:
type: string
expires_in:
type: integer
scope:
type: string
refresh_token:
type: string
introspect_response:
type: object
additionalProperties: false
required:
- active
- client_id
- client_name
- username
- sub
- exp
- expstr
- iat
- nbf
- nbfstr
- scope
properties:
active:
type: boolean
client_id:
type: string
client_name:
type: string
username:
type: string
sub:
type: string
exp:
type: string
expstr:
type: string
iat:
type: string
nbf:
type: string
nbfstr:
type: string
scope:
type: string
miscinfo:
type: string
issued_response:
type: object
additionalProperties: false
required:
- clientId
- owner
- scope
- issuedAt
- expiredAt
- refreshTokenIssued
properties:
clientId:
type: string
clientName:
type: string
owner:
type: string
scope:
type: string
issuedAt:
type: string
expiredAt:
type: string
refreshTokenIssued:
type: boolean
miscInfo:
type: string
issued_responses:
type: array
items:
$ref: '#/definitions/issued_response'