
Add missing docs #1481

Merged
merged 3 commits into from
Jul 22, 2024

Conversation

tkan145
Contributor

@tkan145 tkan145 commented Jul 9, 2024

What

  • Add README file for token_introspection policy. Contents are copied from the official docs plus an extra bit for the new auth methods (private_key_jwt and client_secret_jwt)
  • Add missing entries to CHANGELOG file

Verification steps

No verification steps

@tkan145 tkan145 requested a review from a team as a code owner July 9, 2024 03:17
@tkan145 tkan145 requested a review from a team July 9, 2024 03:19
Member

@eguzki eguzki left a comment

sweet

CHANGELOG.md Outdated
### Added

- Bump openresty to 1.21.4.3 [PR #1461](https://github.com/3scale/APIcast/pull/1461) [THREESCALE-10601](https://issues.redhat.com/browse/THREESCALE-10601)

- Support Financial-grade API (FAPI) - Baseline profile [PR #1465](https://github.com/3scale/APIcast/pull/1465) [THREESCALE-10973](https://issues.redhat.com/browse/THREESCALE-10973)

- Token Introspection Policy - support `private_key_jwt` and `client_secret_jwt` authentication mode [PR #1464](https://github.com/3scale/APIcast/pull/1464) [THREESCALE-11015](https://issues.redhat.com/browse/THREESCALE-11015)
Contributor

Suggested change
- Token Introspection Policy - support `private_key_jwt` and `client_secret_jwt` authentication mode [PR #1464](https://github.com/3scale/APIcast/pull/1464) [THREESCALE-11015](https://issues.redhat.com/browse/THREESCALE-11015)
- Token Introspection Policy - Support `private_key_jwt` and `client_secret_jwt` authentication mode [PR #1464](https://github.com/3scale/APIcast/pull/1464) [THREESCALE-11015](https://issues.redhat.com/browse/THREESCALE-11015)

Little typo

@@ -0,0 +1,73 @@
# OAuth 2.0 Token Introspection

The OAuth 2.0 Token Introspection policy allows validating the JSON Web Token (JWT) token used for services with the OpenID Connect (OIDC) authentication option using the Token Introspection Endpoint of the token issuer.
Contributor

Suggested change
The OAuth 2.0 Token Introspection policy allows validating the JSON Web Token (JWT) token used for services with the OpenID Connect (OIDC) authentication option using the Token Introspection Endpoint of the token issuer.
The OAuth 2.0 Token Introspection Policy allows validating the JSON Web Token (JWT) used for services with the OpenID Connect (OIDC) authentication option using the Token Introspection Endpoint of the token issuer.

Little typo.

The OAuth 2.0 Token Introspection policy allows validating the JSON Web Token (JWT) token used for services with the OpenID Connect (OIDC) authentication option using the Token Introspection Endpoint of the token issuer.

APIcast supports the following authentication types in the `auth_type` field to determine the Token Introspection Endpoint and the credentials APIcast uses when calling this endpoint:
* `use_3scale_oidc_issuer_endpoint`: APIcast uses the client credentials, Client ID and Client Secret, as well as the Token Introspection Endpoint from the OIDC Issuer setting configured on the Service Integration page. APIcast discovers the Token Introspection endpoint from the token_introspection_endpoint field. This field is located in the .well-known/openid-configuration endpoint that is returned by the OIDC issuer.
Contributor

Suggested change
* `use_3scale_oidc_issuer_endpoint`: APIcast uses the client credentials, Client ID and Client Secret, as well as the Token Introspection Endpoint from the OIDC Issuer setting configured on the Service Integration page. APIcast discovers the Token Introspection endpoint from the token_introspection_endpoint field. This field is located in the .well-known/openid-configuration endpoint that is returned by the OIDC issuer.
* `use_3scale_oidc_issuer_endpoint`: APIcast uses the client credentials, Client ID, and Client Secret, as well as the Token Introspection Endpoint from the OIDC Issuer setting configured on the Service Integration page. APIcast discovers the Token Introspection Endpoint from the `token_introspection_endpoint` field. This field is located in the `.well-known/openid-configuration` endpoint that is returned by the OIDC issuer.

A couple of minor edits.


APIcast supports the following authentication types in the `auth_type` field to determine the Token Introspection Endpoint and the credentials APIcast uses when calling this endpoint:
* `use_3scale_oidc_issuer_endpoint`: APIcast uses the client credentials, Client ID and Client Secret, as well as the Token Introspection Endpoint from the OIDC Issuer setting configured on the Service Integration page. APIcast discovers the Token Introspection endpoint from the token_introspection_endpoint field. This field is located in the .well-known/openid-configuration endpoint that is returned by the OIDC issuer.
* `client_id+client_secret`: specify a different Token Introspection Endpoint, as well as the Client ID and Client Secret APIcast uses to request token information.
Contributor

@lcavalle lcavalle Jul 9, 2024

@tkan145 This sentence sounds a bit confusing to me. I am not sure if it says:
It specifies a different Token Introspection Endpoint. As well as the Client ID and the Client Secret APIcast, it uses it to request token information.
or
Specify a different Token Introspection Endpoint, a different Client ID and a different Client Secret APIcast to request token information.

APIcast supports the following authentication types in the `auth_type` field to determine the Token Introspection Endpoint and the credentials APIcast uses when calling this endpoint:
* `use_3scale_oidc_issuer_endpoint`: APIcast uses the client credentials, Client ID and Client Secret, as well as the Token Introspection Endpoint from the OIDC Issuer setting configured on the Service Integration page. APIcast discovers the Token Introspection endpoint from the token_introspection_endpoint field. This field is located in the .well-known/openid-configuration endpoint that is returned by the OIDC issuer.
* `client_id+client_secret`: specify a different Token Introspection Endpoint, as well as the Client ID and Client Secret APIcast uses to request token information.
* `client_secret_jwt`: Request token information using `client_secret_jwt` method. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign using HMAC SHA-256 and with Client Secret as the shared key. APIcast will then make a token request including the generated client assertion as the value of the `client_assertion` parameter.
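Review bot: the `client_secret_jwt` entry names the signing algorithm (HMAC SHA-256) and the shared key, but not how long the generated client assertion is valid or which claims APIcast puts in it; one sentence on the assertion lifetime and its issuer/subject/audience claims would let operators diagnose a rejected introspection request instead of guessing at clock skew or a wrong audience. Also, "sign using HMAC SHA-256 and with Client Secret" reads better as "sign it using HMAC SHA-256 with the Client Secret".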
Contributor

Suggested change
* `client_secret_jwt`: Request token information using `client_secret_jwt` method. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign using HMAC SHA-256 and with Client Secret as the shared key. APIcast will then make a token request including the generated client assertion as the value of the `client_assertion` parameter.
* `client_secret_jwt`: It is a request token information using `client_secret_jwt` method. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign-in using HMAC SHA-256 and the Client Secret as the shared key. Then, APIcast will make a token request including the generated client assertion as the value of the `client_assertion` parameter.

A couple of edits added.

* `use_3scale_oidc_issuer_endpoint`: APIcast uses the client credentials, Client ID and Client Secret, as well as the Token Introspection Endpoint from the OIDC Issuer setting configured on the Service Integration page. APIcast discovers the Token Introspection endpoint from the token_introspection_endpoint field. This field is located in the .well-known/openid-configuration endpoint that is returned by the OIDC issuer.
* `client_id+client_secret`: specify a different Token Introspection Endpoint, as well as the Client ID and Client Secret APIcast uses to request token information.
* `client_secret_jwt`: Request token information using `client_secret_jwt` method. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign using HMAC SHA-256 and with Client Secret as the shared key. APIcast will then make a token request including the generated client assertion as the value of the `client_assertion` parameter.
* `private_key_jwt`: using asymmetric key to request token information from OIDC provider. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign with the key provided. APIcast will then make a token request including the generated client assertion as the value of the `client_assertion` parameter.
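Review bot: unlike the `client_secret_jwt` entry above, the `private_key_jwt` entry does not say which signing algorithm APIcast uses nor which configuration field supplies the private key; "sign with the key provided" leaves both open. State the algorithm and name the field that carries the key (and its expected format), since a mismatch with what the OIDC provider has registered for the client is the usual reason this method fails.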
Contributor

Suggested change
* `private_key_jwt`: using asymmetric key to request token information from OIDC provider. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign with the key provided. APIcast will then make a token request including the generated client assertion as the value of the `client_assertion` parameter.
* `private_key_jwt`: When using asymmetric key to request token information from the OIDC provider. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign-in with the key provided. Then, APIcast will make a token request including the generated client assertion as the value of the `client_assertion` parameter.

A couple of edits added.

* `private_key_jwt`: using asymmetric key to request token information from OIDC provider. Prior to a token information request, APIcast will prepare a new JWT authentication token and sign with the key provided. APIcast will then make a token request including the generated client assertion as the value of the `client_assertion` parameter.

The response of the Token Introspection Endpoint contains the active attribute. APIcast checks the value of this attribute. Depending on the value of the attribute, APIcast authorizes or rejects the call:
* `true`: The call is authorized
Contributor

Suggested change
* `true`: The call is authorized
* `true`: The call is authorized.

Little typo.


The response of the Token Introspection Endpoint contains the active attribute. APIcast checks the value of this attribute. Depending on the value of the attribute, APIcast authorizes or rejects the call:
* `true`: The call is authorized
* `false`: The call is rejected with the Authentication Failed error
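Review bot: the `active` list documents only the `true` and `false` outcomes; it does not say what APIcast does when the Token Introspection Endpoint is unreachable, returns a non-success status, or returns a body without an `active` attribute. Please add a third bullet stating the behaviour in that case (the reader needs to know whether the policy fails closed and rejects the call), since that is the case an operator will hit during an issuer outage.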
Contributor

Suggested change
* `false`: The call is rejected with the Authentication Failed error
* `false`: The call is rejected with the Authentication Failed error

Little typo.

* `true`: The call is authorized
* `false`: The call is rejected with the Authentication Failed error

The policy allows enabling caching of the tokens to avoid calling the Token Introspection Endpoint on every call for the same JWT token. To enable token caching for the Token Introspection Policy, set the max_cached_tokens field to a value from 0, which disables the feature, and 10000. Additionally, you can set a Time to Live (TTL) value from 1 to 3600 seconds for tokens in the max_ttl_tokens field.
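Review bot: the caching paragraph should spell out the trade-off it introduces: while a token is cached, APIcast does not call the Token Introspection Endpoint for it, so a token the issuer has revoked keeps being accepted until its cache entry expires, i.e. for up to `max_ttl_tokens` seconds. One sentence saying so, with the advice to keep the TTL short for services where prompt revocation matters, would save operators from discovering it in an incident. Also "a value from 0, which disables the feature, and 10000" reads better as "a value between 0 (which disables the feature) and 10000".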
Contributor

Suggested change
The policy allows enabling caching of the tokens to avoid calling the Token Introspection Endpoint on every call for the same JWT token. To enable token caching for the Token Introspection Policy, set the max_cached_tokens field to a value from 0, which disables the feature, and 10000. Additionally, you can set a Time to Live (TTL) value from 1 to 3600 seconds for tokens in the max_ttl_tokens field.
The policy enables caching tokens to avoid calling the Token Introspection Endpoint on every call for the same JWT token. To enable token caching for the Token Introspection Policy, set the `max_cached_tokens` field to a value between `0`, which disables the feature, and `10000`. Additionally, you can set a Time to Live (TTL) value from `1` to `3600` seconds for tokens in the `max_ttl_tokens` field.

A couple of minor edits.

@lcavalle
Contributor

lcavalle commented Jul 9, 2024

@tkan145 I have just left a couple of edits and suggestions. I hope they make sense to you. Thanks!

@tkan145 tkan145 requested a review from lcavalle July 10, 2024 06:48
@tkan145
Contributor Author

tkan145 commented Jul 10, 2024

Thanks @lcavalle, I've updated the docs based on your feedback.

@tkan145
Contributor Author

tkan145 commented Jul 12, 2024

@lcavalle If everything looks good, could you please approve this PR? Thanks in advance.

@tkan145 tkan145 merged commit fb73d93 into 3scale:master Jul 22, 2024
14 checks passed
@tkan145 tkan145 deleted the missing-docs branch July 22, 2024 01:13