This function provides verification of username and password against IDCS at runtime and allows only authorized users to access API gateway deployment.
The implementation conforms to the guidelines in the OCI Documentation at https://docs.cloud.oracle.com/en-us/iaas/Content/APIGateway/Tasks/apigatewayusingauthorizerfunction.htm.
Before you deploy this sample function, make sure you have completed steps A, B, and C of the Oracle Functions Quick Start Guide for Cloud Shell:
- A - Set up your tenancy
- B - Create application
- C - Set up your Cloud Shell dev environment
Assuming you have successfully completed the prerequisites, you should see your application in the list of applications:
fn ls apps
We also need a function that will serve as the back-end target for API Gateway. We suggest oci-display-httprequest-info-python. In Cloud Shell, run the fn deploy command to build the function and its dependencies as a Docker image, push the image to OCIR, and deploy the function to Oracle Functions in your application:
cd ../oci-display-httprequest-info-python
fn -v deploy --app <app-name>
In order to invoke functions, your API Gateway must be part of a dynamic group.
When specifying the Matching Rules, we suggest matching all API gateways in a compartment with:
ALL {resource.type = 'ApiGateway', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaxxxxx'}
Create a new policy that allows the API Gateway dynamic group to invoke functions. We will grant use access to functions-family in the compartment.
Your policy should look something like this:
Allow dynamic-group <dynamic-group-name> to use functions-family in compartment <compartment-name>
For more information on how to create policies, check the documentation.
Log in to the IDCS admin console, add an Application, and select "Confidential Application".
Enter a name for your IDCS Application, for example "myAPI".
For "Allowed Grant Types", select "Resource Owner". Click Next.
For Primary Audience, enter any value, for example "display-httprequest-info". For Scopes, click Add. In the dialog box, enter any value in the "Scope" field, for example "display-httprequest-info", and click Add.
Click Next.
Click Finish.
Now that the application is added, note the Client ID and Client Secret.
Click Close.
Click the Configurations tab. Under the Client Information section, click Add Scope and select the application name from the dropdown. Note the scope value.
Click Activate and click Ok in the dialog.
Note the IDCS URL, which is the URL you see in your browser's address bar (for example: https://idcs-xxxxxxxxxxx.identity.oraclecloud.com/). The IDCS URL, client ID, client secret, and scope are the values that must be provided to the basicauth function.
Review the following files in the current folder:
- pom.xml specifies all the dependencies for your function
- func.yaml that contains metadata about your function and declares properties
- src/main/java/com/example/fn/BasicAuth.java which contains the Java code
The name of your function basicauth is specified in func.yaml.
Set the following variables in "src/main/java/com/example/utils/ResourceServerConfig.java" to the values noted while configuring IDCS:
// Client ID and secret of the IDCS Confidential Application created above
public static final String CLIENT_ID = "xxxxxxxxxxx";
public static final String CLIENT_SECRET = "xxxxxxxxx";
// IDCS URL noted from the admin console (no trailing slash)
public static final String IDCS_URL = "https://idcs-xxxxxxxx.identity.oraclecloud.com";
//INFORMATION ABOUT THE TARGET APPLICATION
// Scope value noted under Configurations (the primary audience followed by the scope name)
public static final String SCOPE_AUD = "display-httprequest-infodisplay-httprequest-info";
In Cloud Shell, run the fn deploy command to build the function and its dependencies as a Docker image, push the image to OCIR, and deploy the function to Oracle Functions in your application:
fn -v deploy --app <app-name>
In Cloud Shell, run the fn invoke command to invoke the deployed function. It returns an active status of true if the credentials are valid, and false otherwise:
echo -n '{"type":"TOKEN", "token":"Basic aW5jaGFyYS5zaGFtYW5uYUBvcmFj....."}' | fn invoke <app-name> <func-name>
The function is meant to be invoked through API Gateway.
On the OCI console, navigate to Developer Services > API Gateway. Click on Create Gateway. Provide a name, set the type to "Public", select a compartment, a VCN, a public subnet, and click Create.
Once created, click on your gateway. Under Resources, select Deployments and click Create Deployment.
- Provide a name and a path prefix ("/basicauth" for example).
- Under API Request Policies, add Authentication.
- Authentication Type: Custom
- Choose the application and the basicauth function.
- For "Authentication token", select Header.
- For the "Header Name", enter "Authorization".
Click Save Changes when you are finished.
Click Next. Provide a name for the route ("/hello" for example), select the methods (for example "GET"), and select HTTP-URL as the back-end type.
Click Next and finally, click Save Changes.
Note the endpoint of your API Gateway deployment.
The function validates the username and password sent in the Authorization header.
Use the curl command to make the HTTP request:
curl -i -u "<username>:<password>" https://d6xxxxxxxxk64.apigateway.us-ashburn-1.oci.customer-oci.com/basicauth/hello
If the credentials are valid, the gateway forwards the request to the back-end and returns its HTTP 200 response; otherwise the gateway rejects the request with an HTTP 401.
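The following Python sketch is an added example, not the project's Java code, showing the logic the fn invoke payload above and the final curl request exercise: parse the authorizer request, decode the Basic credentials, exchange them with IDCS using the Resource Owner Password grant, and return the active/inactive response the gateway expects. The IDCS token endpoint is replaced by a constructed stand-in (fake_idcs) so it runs offline; the placeholder configuration values, the user "alice" and the helper names are assumptions of this example.

```python
import base64
import json
import urllib.parse
from datetime import datetime, timedelta, timezone

# Placeholder values in the shape of ResourceServerConfig.java (assumed, not real credentials)
IDCS_URL = "https://idcs-xxxxxxxx.identity.oraclecloud.com"
CLIENT_ID = "xxxxxxxxxxx"
CLIENT_SECRET = "xxxxxxxxx"
SCOPE_AUD = "display-httprequest-infodisplay-httprequest-info"


def parse_basic_token(token):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    if not isinstance(token, str):
        return None
    scheme, _, encoded = token.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep or not username:
        return None
    return username, password


def build_token_request(username, password):
    """Build the Resource Owner Password grant request for the IDCS token endpoint."""
    client_auth = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "url": f"{IDCS_URL}/oauth2/v1/token",
        "headers": {"Authorization": f"Basic {client_auth}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode({"grant_type": "password", "username": username,
                                        "password": password, "scope": SCOPE_AUD}),
    }


def authorize(request_json, post_form, now=None):
    """Authorizer entry point; post_form(url, headers, body) returns (status, json_dict)."""
    deny = {"active": False, "wwwAuthenticate": 'Basic realm="basicauth"'}
    try:
        request = json.loads(request_json)
    except json.JSONDecodeError:
        return deny
    if request.get("type") != "TOKEN":
        return deny
    creds = parse_basic_token(request.get("token"))
    if creds is None:
        return deny  # malformed header: never forward it to IDCS
    username, password = creds
    req = build_token_request(username, password)
    status, body = post_form(req["url"], req["headers"], req["body"])
    if status != 200 or "access_token" not in body:
        return deny
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(seconds=int(body.get("expires_in", 3600)))
    # Response fields the gateway consumes: active, principal, scope, expiresAt
    return {"active": True, "principal": username, "scope": [SCOPE_AUD],
            "expiresAt": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}


def fake_idcs(url, headers, body):
    """Constructed stand-in for the IDCS token endpoint: accepts exactly one user."""
    form = urllib.parse.parse_qs(body)
    ok = (form.get("grant_type") == ["password"] and form.get("username") == ["alice"]
          and form.get("password") == ["s3cret"] and form.get("scope") == [SCOPE_AUD])
    if ok:
        return 200, {"access_token": "constructed-token", "expires_in": 3600}
    return 401, {"error": "invalid_grant"}


def authorizer_request(username, password):
    """Build the JSON the gateway (or fn invoke) sends, as in the echo ... | fn invoke step."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"type": "TOKEN", "token": f"Basic {token}"})


if __name__ == "__main__":
    print(authorize(authorizer_request("alice", "s3cret"), fake_idcs))   # active: True
    print(authorize(authorizer_request("alice", "wrong"), fake_idcs))    # active: False
```

The gateway maps an active:true response to forwarding the request to the back-end (HTTP 200 from the sample back-end) and active:false to an HTTP 401, which is the behaviour the curl step checks.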