API Gateway Basicauth function using Identity Cloud Service (IDCS)

This function verifies a username and password against IDCS at runtime and allows only users that IDCS accepts to reach the API Gateway deployment it protects.

The implementation conforms to the documented guidelines for using authorizer functions to add authentication and authorization to API deployments.

As you make your way through this tutorial, look out for the user input icon. Whenever you see it, it's time for you to perform an action.

Prerequisites

Create users in IDCS

Before you deploy this sample function, you need to complete steps A, B and C of the Oracle Functions Quick Start Guide for Cloud Shell

  • A - Set up your tenancy
  • B - Create application
  • C - Set up your Cloud Shell dev environment

List Applications

Assuming you have successfully completed the prerequisites, you should see your application in the list of applications.

fn ls apps

Deploy a function that implements an API

We need another function that will be a target for API Gateway. We suggest oci-display-httprequest-info-python. In Cloud Shell, run fn deploy to build the function and its dependencies as a container, push the image to Oracle Cloud Infrastructure Registry (OCIR), and deploy the function to Oracle Functions in your application.


cd ../oci-display-httprequest-info-python
fn -v deploy --app <app-name>

Create or Update your Dynamic Group for API Gateway

In order to invoke functions, your API Gateway must be part of a dynamic group.

When specifying the Matching Rules, we suggest matching all API gateways in a compartment with:

ALL {resource.type = 'ApiGateway', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaxxxxx'}

Create or Update IAM Policies for API Gateway

Create a new policy that allows the API Gateway dynamic group to invoke functions. We will grant use access to functions-family in the compartment.


Your policy should look something like this:

Allow dynamic-group <dynamic-group-name> to use functions-family in compartment <compartment-name>

For more information on how to create policies, check the documentation.

Configure Identity Cloud Service (IDCS)

Log in to the IDCS admin console, click Add an Application and select "Confidential Application".

Enter a name for your IDCS Application, for example "myAPI".


For "Allowed Grant Types", select "Resource Owner". Click Next. With this grant type the function sends the user's username and password to the IDCS token endpoint to obtain a token, so the user's credentials pass through the gateway and the function; keep the deployment on HTTPS (the default) and never log the decoded credentials.


For Primary Audience, enter any value, for example "display-httprequest-info". For Scopes, click Add. In the dialog box, for the "Scope" field, enter any value, for example "display-httprequest-info", and click Add.


Click Next.


Click Finish.


Now that the application is added, note the Client ID and Client Secret.


Click Close.

On the Configuration tab, under the Client Configuration section, click Add Scope and select the application name from the dropdown. Note the scope value.

Click Activate and click OK in the dialog.

Note the IDCS URL: this is the URL you see in your browser's address bar (for example https://idcs-xxxxxxxxxxx.identity.oraclecloud.com/ ). The IDCS URL, client ID, client secret and scope are the values that the basicauth function needs.

Review and customize the function

Review the following files in the current folder:

The name of your function basicauth is specified in func.yaml.

In the function source, set the following config variables to the values you noted while configuring IDCS. IDCS_URL is the token endpoint (the IDCS URL followed by /oauth2/v1/token), which returns an access token only after IDCS has validated the user's credentials. SCOPE_AUD is the scope value you noted; IDCS forms it from the primary audience followed by the scope name, which is why the example value below appears doubled. Treat CLIENT_SECRET as a secret: do not commit a real value to source control.

CLIENT_ID = "xxxxxxxxxxx";
CLIENT_SECRET = "xxxxxxxxx";
IDCS_URL = "https://idcs-xxxxxxxx.identity.oraclecloud.com/oauth2/v1/token";

//INFORMATION ABOUT THE TARGET APPLICATION
SCOPE_AUD = "display-httprequest-infodisplay-httprequest-info";

For the unit test to run, set the following variables in src/test/java/com/example/fn/BasicAuthTest.java

    private static final String TEST_IDCS_URL = "https://idcs-xxxxxxxx.identity.oraclecloud.com/oauth2/v1/token";
    private static final String TEST_CLIENT_ID = "xxxxxxxxxxx";
    private static final String TEST_CLIENT_SECRET = "xxxxxxxxxxx";
    private static final String TEST_SCOPE_AUD = "display-httprequest-infodisplay-httprequest-info";
    private static final String TEST_TOKEN = "xxxxxxxxxxx";

Deploy the basicauth function

In Cloud Shell, run fn deploy to build the function and its dependencies as a container, push the image to OCIR, and deploy the function to Oracle Functions in your application.


fn -v deploy --app <app-name>

Invoke the basicauth function in cloud shell

In Cloud Shell, run fn invoke to invoke the deployed function with the same JSON payload that API Gateway sends to a custom authorizer. It should return an active status of true if the credentials in the Basic token are accepted by IDCS, and false otherwise.


echo -n '{"type":"TOKEN", "token":"Basic aW5jaGFyYS5zaGFtYW5uYUBvcmFj....."}' | fn invoke <app-name> <func-name>
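To make the authorizer contract concrete (the payload shown above, the IDCS token request that the "Review and customize the function" section configures, and the active true/false result), here is an added Python example. It is not the project's Java function and not code from this README: it parses the Basic token, exchanges the username and password for an access token with the OAuth 2.0 resource owner password grant, and returns the response shape that API Gateway expects from a custom authorizer. The config values, the fake_idcs_post responder and its user "alice" are constructed placeholders; the HTTP transport is injectable so the logic runs offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed configuration: placeholder values, not the project's real ones.
IDCS_URL = "https://idcs-xxxxxxxx.identity.oraclecloud.com/oauth2/v1/token"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"
SCOPE_AUD = "display-httprequest-infodisplay-httprequest-info"


def basic_header(user, password):
    """Build the 'Authorization' header value a client such as curl -u sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_token(token):
    """Return (user, password) from 'Basic <base64(user:pass)>', or None if malformed."""
    parts = token.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except ValueError:  # bad base64, non-ASCII input, or invalid UTF-8
        return None
    # RFC 7617: the user-id cannot contain ':', so split on the first one only;
    # the password may itself contain colons.
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return (user, password) if user else None


def _http_post(url, headers, body):
    """Real transport: POST the form body and return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def idcs_password_grant(user, password, post=_http_post):
    """Resource owner password grant against the IDCS token endpoint.
    The confidential client authenticates with HTTP Basic (client_id:client_secret);
    the user's credentials travel in the form body. Returns the token JSON or None."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": user,
        "password": password,
        "scope": SCOPE_AUD,
    }).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_header(CLIENT_ID, CLIENT_SECRET),
    }
    status, resp = post(IDCS_URL, headers, body)
    if status != 200:
        return None
    token = json.loads(resp)
    return token if "access_token" in token else None


def authorize(event, post=_http_post):
    """Authorizer logic. Input is API Gateway's {"type": "TOKEN", "token": "<header value>"};
    output is the gateway's authorizer response: active true with a principal,
    or active false with a WWW-Authenticate challenge for the 401."""
    deny = {"active": False, "wwwAuthenticate": 'Basic realm="basicauth"'}
    if event.get("type") != "TOKEN":
        return deny
    creds = parse_basic_token(event.get("token", ""))
    if creds is None:
        return deny
    user, password = creds
    token = idcs_password_grant(user, password, post=post)
    if token is None:
        return deny
    expires = datetime.now(timezone.utc) + timedelta(seconds=int(token.get("expires_in", 0)))
    return {
        "active": True,
        "principal": user,
        "scope": token.get("scope", "").split(),
        "clientId": CLIENT_ID,
        "expiresAt": expires.isoformat(timespec="seconds"),
    }


def fake_idcs_post(url, headers, body):
    """Constructed stand-in for IDCS: accepts one user, rejects everything else."""
    fields = dict(urllib.parse.parse_qsl(body.decode()))
    if fields.get("username") == "alice" and fields.get("password") == "s3cret:with:colon":
        return 200, json.dumps({"access_token": "opaque", "token_type": "Bearer",
                                "expires_in": 3600, "scope": SCOPE_AUD}).encode()
    return 401, b'{"error":"invalid_grant"}'


if __name__ == "__main__":
    good = {"type": "TOKEN", "token": basic_header("alice", "s3cret:with:colon")}
    bad = {"type": "TOKEN", "token": basic_header("alice", "wrong")}
    print(json.dumps(authorize(good, post=fake_idcs_post)))
    print(json.dumps(authorize(bad, post=fake_idcs_post)))
```

Wired into a real function, the event would arrive as the request body and the result would be returned as the function's JSON response; the gateway turns an active false result into the HTTP 401 described in the last section. Note that a malformed header (no "Basic" prefix, bad base64, missing colon) is rejected before any call to IDCS is made.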

Create the API Gateway

The function is meant to be invoked through API Gateway.

On the OCI console, navigate to Developer Services > API Gateway. Click on Create Gateway. Provide a name, set the type to "Public", select a compartment, a VCN, a public subnet, and click Create.


Once created, click on your gateway. Under Resources, select Deployments and click Create Deployment.

  • Provide a name, a path prefix ("/basicauth" for example).
  • Under API Request Policies Add Authentication
    • Authentication Type: Custom
    • Choose the application and the basicauth function
    • For "Authentication token", select Header
    • For the "Header Name", enter "Authorization" (this must match the header that clients send; curl -u uses Authorization)

Click Save Changes when you are finished.

Click Next. Provide a name to the route ("/hello" for example), select methods eg: "GET", select HTTP-URL for your back-end.


Click Next and finally, click Save Changes.

Note the endpoint of your API Gateway deployment.


Invoke the Deployment endpoint

The gateway passes the Authorization header to the basicauth function, which validates the username and password against IDCS before the request reaches the back end.

Use curl to make the HTTP request

 curl -i -u "<username>:<password>" https://d6xxxxxxxxk64.apigateway.us-ashburn-1.oci.customer-oci.com/basicauth/hello

If the credentials are accepted, the gateway forwards the request to the back end and returns its response (HTTP 200); otherwise the gateway rejects the request with HTTP 401 without calling the back end.