Feature/credential manager (#64)

Author: simonkurtz-MSFT

README.md

@@ -139,13 +139,14 @@ For detailed troubleshooting of setup issues, see [Import Troubleshooting Guide]
 
 ### 📁 List of Samples
 
-| Sample Name                                                     | Description                                                                                                         | Supported Infrastructure(s)   |
-|:----------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------|:------------------------------|
-| [AuthX](./samples/authX/README.md)                              | Authentication and role-based authorization in a mock HR API.                                                       | All infrastructures           |
-| [AuthX Pro](./samples/authX-pro/README.md)                      | Authentication and role-based authorization in a mock product with multiple APIs and policy fragments.              | All infrastructures           |
-| [General](./samples/general/README.md)                          | Basic demo of APIM sample setup and policy usage.                                                                   | All infrastructures           |
-| [Load Balancing](./samples/load-balancing/README.md)            | Priority and weighted load balancing across backends.                                                               | apim-aca, afd-apim (with ACA) |
-| [Secure Blob Access](./samples/secure-blob-access/README.md)    | Secure blob access via the [valet key pattern](https://learn.microsoft.com/azure/architecture/patterns/valet-key).  | All infrastructures           |
+| Sample Name                                                              | Description                                                                                                         | Supported Infrastructure(s)   |
+|:-------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------|:------------------------------|
+| [AuthX](./samples/authX/README.md)                                       | Authentication and role-based authorization in a mock HR API.                                                       | All infrastructures           |
+| [AuthX Pro](./samples/authX-pro/README.md)                               | Authentication and role-based authorization in a mock product with multiple APIs and policy fragments.              | All infrastructures           |
+| [General](./samples/general/README.md)                                   | Basic demo of APIM sample setup and policy usage.                                                                   | All infrastructures           |
+| [Load Balancing](./samples/load-balancing/README.md)                     | Priority and weighted load balancing across backends.                                                               | apim-aca, afd-apim (with ACA) |
+| [Secure Blob Access](./samples/secure-blob-access/README.md)             | Secure blob access via the [valet key pattern](https://learn.microsoft.com/azure/architecture/patterns/valet-key).  | All infrastructures           |
+| [Credential Manager (with Spotify)](./samples/oauth-3rd-party/README.md) | Authenticate with APIM which then uses its Credential Manager with Spotify's REST API.                              | All infrastructures           |
 
 ### ▶️ Running a Sample
 

samples/oauth-3rd-party/README.md

@@ -0,0 +1,67 @@
+# Samples: OAuth 2.0 with 3rd Party
+
+Sets up a 3rd party integration via [Azure API Management Credential Manager](https://learn.microsoft.com/azure/api-management/credentials-overview).  
+
+***This sample has prerequisites! Please follow the instructions below.***
+
+⚙️ **Supported infrastructures**: All infrastructures
+
+👟 **Expected *Run All* runtime (excl. infrastructure prerequisite): ~2-3 minutes**
+
+## 🎯 Objectives
+
+1. Distinguish between authentication to APIM via JSON Web Tokens and to the 3rd party using Credential Manager.
+1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).
+1. Learn how authorization (authZ) can be accomplished based on JWT claims.
+1. Configure authN and authZ at the API level (simpler than _AuthX-Pro_)
+1. Use external secrets in policies.
+1. Experience how API Management policy fragments simplify shared logic.
+
+## 📝 Scenario
+
+We chose Spotify as it provides an extensive REST API and has relatively generous limits on free API access. This makes for a relatively straight-forward experience for this sample. 
+Specifically, this sample uses Spotify's REST API to obtain information about its deep music and artist catalog. API Management is registered as an application in Spotify's applications with its own client ID and client secret for a given scope. This application is then set up as a generic OAuth 2.0 integration in Credential Manager.  
+Furthermore, we build on the knowledge gained from the _AuthX_ and _AuthX-Pro_ samples to authentication callers and authorize their use of the Spotify integration. 
+
+We use only one persona in this sample:
+
+- `Marketing Member` - holds read rights.
+
+The API hierarchy is as follows:
+
+1. All APIs / global
+    This is a great place to do authentication, but we refrain from doing it in the sample as to not affect other samples. 
+1. Marketing Member
+
+## Prerequisites
+
+This sample requires a little bit of manual pre-work in order to create a high-fidelity setup:
+
+1. A Spotify Account
+1. A Spotify Application
+
+### A Spotify Account
+
+1. You can use your existing Spotify account or sign up for a new one [here](https://www.spotify.com/us/signup). Please ensure you adhere to Spotify's terms & conditions of use.
+
+### A Spotify Application
+
+In order for API Management to gain access to Spotify's API, we need to create an application that represents API Management. 
+
+1. Open or log into the [Spotify Developer Dashboard](https://developer.spotify.com/dashboard).
+1. Review and accept the _Spotify Developer Terms of Service_, if required.
+1. Proceed with verifying your email address, if required.
+1. If the Dashboard does not open immediately, select it from the menu after clicking on your profile name (top-right corner).
+1. [Create the app](https://developer.spotify.com/dashboard/create):
+    - **App Name**: _APIM_
+    - **App Description**: _API Management_
+    - **Redirect URIs**: https://localhost:8080/callback
+        We will update this placeholder once we have the APIM URL.
+    - **Which API/SDKs are you planning to use?** _Web API_
+1. Once the app has been created, **note the _Client ID_ and _Client secret_**. We will need them for the Credential Manager setup.
+1. Leave the Dashboard page open in your browser, as we will need to replaec the Redirect URI shortly.
+1. Proceed to the [create](./create.ipynb) Jupyter notebook and follow directions there.
+
+## Acknowledgement
+
+We thank [Spotify](https://www.spotify.com) for access to their API. Keep building great products!

samples/oauth-3rd-party/artist_get.xml

@@ -0,0 +1,18 @@
+<!--
+    This policy retrieves artist information from Spotify.
+-->
+<policies>
+    <inbound>
+        <base />
+        <rewrite-uri template="/artists/{id}" copy-unmatched-params="false" />
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>

samples/oauth-3rd-party/create.ipynb

@@ -0,0 +1,246 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🛠️ 1. Initialize notebook variables\n",
+    "\n",
+    "❗️ **Run cells 1 & 2 MANUALLY (not via _Run All_)!**\n",
+    "\n",
+    "Configures everything that's needed for deployment. \n",
+    "\n",
+    "👉 **Modify entries under _1) User-defined parameters_ and _3) Define the APIs and their operations and policies_**."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import utils\n",
+    "import time\n",
+    "from apimtypes import *\n",
+    "\n",
+    "# 1) User-defined parameters (change these as needed)\n",
+    "rg_location   = 'eastus2'\n",
+    "index         = 1\n",
+    "deployment    = INFRASTRUCTURE.SIMPLE_APIM\n",
+    "tags          = ['oauth-3rd-party', 'jwt', 'credential-manager', 'policy-fragment']       # ENTER DESCRIPTIVE TAG(S)\n",
+    "api_prefix    = 'oauth-3rd-party-'              # OPTIONAL: ENTER A PREFIX FOR THE APIS TO REDUCE COLLISION POTENTIAL WITH OTHER SAMPLES\n",
+    "# OAuth\n",
+    "client_id     = 'your-spotify-client-id'        # ENTER THE OAUTH CLIENT ID FOR THE BACKEND API\n",
+    "client_secret = 'your-spotify-client-secret'    # ENTER THE OAUTH CLIENT SECRET FOR THE BACKEND API\n",
+    "\n",
+    "# 2) Service-defined parameters (please do not change these)\n",
+    "rg_name = utils.get_infra_rg_name(deployment, index)\n",
+    "supported_infrastructures = [INFRASTRUCTURE.SIMPLE_APIM, INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.APIM_ACA]        # ENTER SUPPORTED INFRASTRUCTURES HERE, e.g., [INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.AFD_APIM_FE]\n",
+    "utils.validate_infrastructure(deployment, supported_infrastructures)\n",
+    "sample_folder = \"oauth-3rd-party\"\n",
+    "\n",
+    "# Set up the signing key for the JWT policy\n",
+    "jwt_key_name = f'JwtSigningKey{int(time.time())}'\n",
+    "jwt_key_value, jwt_key_value_bytes_b64 = utils.generate_signing_key()\n",
+    "utils.print_val('JWT key value', jwt_key_value)                         # this value is used to create the signed JWT token for requests to APIM\n",
+    "utils.print_val('JWT key value (base64)', jwt_key_value_bytes_b64)      # this value is used in the APIM validate-jwt policy's issuer-signing-key attribute  \n",
+    "\n",
+    "\n",
+    "# 4) Set up the named values\n",
+    "nvs: List[NamedValue] = [\n",
+    "    NamedValue(jwt_key_name, jwt_key_value_bytes_b64, True),\n",
+    "    NamedValue('MarketingMemberRoleId', Role.MARKETING_MEMBER)\n",
+    "]\n",
+    "\n",
+    "# 5) Define the APIs and their operations and policies\n",
+    "\n",
+    "# Policies\n",
+    "pol_artist_get_xml  = utils.read_policy_xml('artist_get.xml', sample_name = sample_folder)\n",
+    "\n",
+    "# Read the policy XML without modifications - it already uses correct APIM named value format\n",
+    "pol_spotify_api_xml = utils.read_and_modify_policy_xml('spotify_api.xml', {\n",
+    "    'jwt_signing_key': '{{' + jwt_key_name + '}}', \n",
+    "    'marketing_member_role_id': '{{MarketingMemberRoleId}}'\n",
+    "}, sample_folder)  \n",
+    "\n",
+    "# Define template parameters for the artists\n",
+    "blob_template_parameters = [\n",
+    "    {\n",
+    "        \"name\": \"id\",\n",
+    "        \"description\": \"The Spotify ID of the artist\",\n",
+    "        \"type\": \"string\",\n",
+    "        \"required\": True\n",
+    "    }\n",
+    "]\n",
+    "\n",
+    "# Spotify\n",
+    "spotify_artist_get = GET_APIOperation2('artists-get', 'Artists', '/artists/{id}', 'Gets the artist by their ID', pol_artist_get_xml, templateParameters = blob_template_parameters)\n",
+    "\n",
+    "# APIs Array\n",
+    "apis: List[API] = [\n",
+    "    API(f'{api_prefix}spotify', 'Spotify', f'/{api_prefix}spotify', 'This is the API for interactions with the Spotify REST API', policyXml = pol_spotify_api_xml, operations = [spotify_artist_get], tags = tags),\n",
+    "]\n",
+    "\n",
+    "utils.print_ok('Notebook initialized')"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🚀 2. Create deployment using Bicep\n",
+    "\n",
+    "Creates the bicep deployment into the previously-specified resource group. A bicep parameters file will be created prior to execution."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import utils\n",
+    "\n",
+    "# 1) Define the Bicep parameters with serialized APIs\n",
+    "bicep_parameters = {\n",
+    "    'apis': {'value': [api.to_dict() for api in apis]},\n",
+    "    'namedValues': {'value': [nv.to_dict() for nv in nvs]},\n",
+    "    'clientId': {'value': client_id},\n",
+    "    'clientSecret': {'value': client_secret}\n",
+    "}\n",
+    "\n",
+    "# 2) Infrastructure must be in place before samples can be layered on top\n",
+    "if not utils.does_resource_group_exist(rg_name):\n",
+    "    utils.print_error(f'The specified infrastructure resource group and its resources must exist first. Please check that the user-defined parameters above are correctly referencing an existing infrastructure. If it does not yet exist, run the desired infrastructure in the /infra/ folder first.')\n",
+    "    raise SystemExit(1)\n",
+    "\n",
+    "# 3) Run the deployment using the utility function that handles working directory management\n",
+    "output = utils.create_bicep_deployment_group_for_sample(sample_folder, rg_name, rg_location, bicep_parameters)\n",
+    "\n",
+    "# 4) Print a deployment summary, if successful; otherwise, exit with an error\n",
+    "if not output.success:\n",
+    "    raise SystemExit('Deployment failed')\n",
+    "\n",
+    "if output.success and output.json_data:\n",
+    "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "    apim_service_name = output.get('apimServiceName', 'APIM Service Name')\n",
+    "\n",
+    "    # TODO: This should be retrieved from an output; however, the format is static.\n",
+    "    apim_oauth_redirect_url = f'https://authorization-manager.consent.azure-apim.net/redirect/apim/{apim_service_name}'\n",
+    "    utils.print_val('APIM OAuth Redirect URL', apim_oauth_redirect_url)\n",
+    "\n",
+    "utils.print_ok('Deployment completed')"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### 🗒️ 3. Authenticate API Management with Spotify\n",
+    "\n",
+    "❗️ **The following steps are all manual and cannot presently be automated.**\n",
+    "\n",
+    "We have previously created the _APIM_ application in Spotify and have also set Spotify up in Credential Manager via the just-completed bicep. \n",
+    "\n",
+    "#### 3.1 Set Redirect URL in Spotify\n",
+    "\n",
+    "Now that the API Management instance has been created, we need to update the redirect URI for the _APIM_ application in Spotify.\n",
+    "\n",
+    "1. Open the [Spotify Developer Dashboard](https://developer.spotify.com/dashboard), then click on the _APIM_ application.\n",
+    "1. Press _Edit_ and remove the temporary _localhost_ Redirect URI.\n",
+    "1. Add the `APIM OAuth Redirect URL` (see output above), then press 'Save`. \n",
+    "\n",
+    "#### 3.2 Log API Management into Spotify\n",
+    "\n",
+    "We now need to log the _APIM_ application into Spotify via OAuth 2.0.\n",
+    "\n",
+    "1. Open the [Azure Portal](https://portal.azure.com) and navigate to your API Management instance.\n",
+    "1. Expand the _APIs_ blade and click on _Credential manager_. You should see the `spotify` credential provider name. Click on it.\n",
+    "1. Press _Connections_. You should see `spotify-auth` with an `Error` status (\"This connection is not authenticated.\").\n",
+    "1. Click on the ellipsis (...) on the right and select _Login_. This should open a dialog with Spotify, asking you to agree for Spotify and APIM to connect. Press _Agree_.\n",
+    "1. Back in the Azure Portal, press _Refresh_ to see the `Connected` status.\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### ✅ 4. Verify API Request Success\n",
+    "\n",
+    "Assert that the deployment was successful by making simple calls to APIM. \n",
+    "\n",
+    "❗️ If the infrastructure shields APIM and requires a different ingress (e.g. Azure Front Door), the request to the APIM gateway URl will fail by design. Obtain the Front Door endpoint hostname and try that instead."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import utils\n",
+    "import json\n",
+    "from apimrequests import ApimRequests\n",
+    "from apimtesting import ApimTesting\n",
+    "from users import UserHelper\n",
+    "from authfactory import AuthFactory\n",
+    "\n",
+    "tests = ApimTesting(\"OAuth 3rd Party (Spotify) Sample Tests\")\n",
+    "\n",
+    "# 1) Marketing Member Role\n",
+    "# Create a JSON Web Token with a payload and sign it with the symmetric key from above.\n",
+    "encoded_jwt_token_marketing_member = AuthFactory.create_symmetric_jwt_token_for_user(UserHelper.get_user_by_role(Role.MARKETING_MEMBER), jwt_key_value)\n",
+    "print(f'\\nJWT token for Marketing Member:\\n{encoded_jwt_token_marketing_member}')  # this value is used to call the APIs via APIM\n",
+    "\n",
+    "# 2) Issue a direct request to API Management\n",
+    "artist_id = '6XpaIBNiVzIetEPCWDvAFP'    # Whitney Houston's Spotify Artist ID\n",
+    "reqsApim = ApimRequests(apim_gateway_url)\n",
+    "reqsApim.headers['Authorization'] = f'Bearer {encoded_jwt_token_marketing_member}'\n",
+    "\n",
+    "output = reqsApim.singleGet(f'/oauth-3rd-party-spotify/artists/{artist_id}', msg = 'Calling the Spotify Artist API via API Management Gateway URL. Response codes 200 and 403 are both valid depending on the infrastructure used.')\n",
+    "artist = json.loads(output)\n",
+    "tests.verify(artist['name'], 'Whitney Houston')\n",
+    "utils.print_info(f'{artist[\"name\"]} has a popularity rating of {artist[\"popularity\"]} with {artist[\"followers\"][\"total\"]:,} followers on Spotify.')\n",
+    "\n",
+    "# 2) Issue requests against Front Door.\n",
+    "# Check if the infrastructure architecture deployment uses Azure Front Door.\n",
+    "utils.print_message('Checking if the infrastructure architecture deployment uses Azure Front Door.', blank_above = True)\n",
+    "afd_endpoint_url = utils.get_frontdoor_url(deployment, rg_name)\n",
+    "\n",
+    "if afd_endpoint_url:\n",
+    "    artist_id = '2VSHKHBTiXWplO8lxcnUC9'    # Taylor Swift's Spotify Artist ID\n",
+    "    reqsAfd = ApimRequests(afd_endpoint_url)\n",
+    "    reqsAfd.headers['Authorization'] = f'Bearer {encoded_jwt_token_marketing_member}'\n",
+    "    output = reqsAfd.singleGet(f'/oauth-3rd-party-spotify/artists/{artist_id}', msg = 'Calling the Spotify Artist API via API Management Gateway URL. Response codes 200 and 403 are both valid depending on the infrastructure used.')\n",
+    "    artist = json.loads(output)\n",
+    "    tests.verify(artist['name'], 'Whitney Houston')\n",
+    "    utils.print_info(f'{artist[\"name\"]} has a popularity rating of {artist[\"popularity\"]} with {artist[\"followers\"][\"total\"]:,} followers on Spotify.')\n",
+    "\n",
+    "tests.print_summary()\n",
+    "\n",
+    "utils.print_ok('All done!')"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "APIM Samples Python 3.12",
+   "language": "python",
+   "name": "apim-samples"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.12.10"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}