|
| 1 | +// Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved. |
| 2 | +// Licensed under the Mozilla Public License v2.0 |
| 3 | +/* |
| 4 | + * The following API Gateway and deployment demonstrate using OpenID connect |
| 5 | + * with API Gateway using an OAUTH2 flow. |
| 6 | + */ |
| 7 | +variable "tenancy_ocid" {} |
| 8 | +variable "user_ocid" {} |
| 9 | +variable "fingerprint" {} |
| 10 | +variable "private_key_path" {} |
| 11 | +variable "region" {} |
| 12 | +variable "compartment_ocid" {} |
| 13 | +variable "client_id" { |
| 14 | + description = "The OAuth2 Client ID" |
| 15 | +} |
| 16 | +variable "client_secret_id" { |
| 17 | + description = "An ID to an OCI Secret value containing the OAuth2 client secret" |
| 18 | +} |
| 19 | +variable "client_secret_version_number" { |
| 20 | + default = 1 |
| 21 | +} |
| 22 | +provider "oci" { |
| 23 | + tenancy_ocid = var.tenancy_ocid |
| 24 | + user_ocid = var.user_ocid |
| 25 | + fingerprint = var.fingerprint |
| 26 | + private_key_path = var.private_key_path |
| 27 | + region = var.region |
| 28 | +} |
| 29 | +resource "oci_apigateway_deployment" "openid_connect_deployment" { |
| 30 | + compartment_id = var.compartment_ocid |
| 31 | + gateway_id = oci_apigateway_gateway.test_gateway.id |
| 32 | + path_prefix = "/" |
| 33 | + specification { |
| 34 | + request_policies { |
| 35 | + authentication { |
| 36 | + type = "TOKEN_AUTHENTICATION" |
| 37 | + token_header = "Authorization" |
| 38 | + token_auth_scheme = "Bearer" |
| 39 | + is_anonymous_access_allowed = false |
| 40 | + validation_policy { |
| 41 | + // Example validation policy using an OAuth2 introspection endpoint |
| 42 | + // (https://datatracker.ietf.org/doc/html/rfc7662) to validate the |
| 43 | + // clients authorization credentials |
| 44 | + type = "REMOTE_DISCOVERY" |
| 45 | + is_ssl_verify_disabled = true |
| 46 | + max_cache_duration_in_hours = 1 |
| 47 | + source_uri_details { |
| 48 | + // Discover the OAuth2/OpenID configuration from an RFC8414 |
| 49 | + // metadata endpoint (https://www.rfc-editor.org/rfc/rfc8414) |
| 50 | + type = "DISCOVERY_URI" |
| 51 | + uri = "https://auth.example.com/.well-known/oauth-authorization-server" |
| 52 | + } |
| 53 | + client_details { |
| 54 | + // Specify the OAuth client id and secret to use with the |
| 55 | + // introspection endpoint |
| 56 | + type = "CUSTOM" |
| 57 | + client_id = var.client_id |
| 58 | + client_secret_id = var.client_secret_id |
| 59 | + client_secret_version_number = var.client_secret_version_number |
| 60 | + } |
| 61 | + additional_validation_policy { |
| 62 | + issuers = ["https://identity.oraclecloud.com/"] |
| 63 | + audiences = ["https://www.oracle.com/"] |
| 64 | + verify_claims { |
| 65 | + is_required = true |
| 66 | + key = "key" |
| 67 | + values = ["value"] |
| 68 | + } |
| 69 | + } |
| 70 | + } |
| 71 | + validation_failure_policy { |
| 72 | + // When a client uses the API without auth credentials, or |
| 73 | + // invalid/expired credentials then invoke the OAuth2 flow using |
| 74 | + // the configuration below. |
| 75 | + type = "OAUTH2" |
| 76 | + scopes = ["openid"] |
| 77 | + response_type = "CODE" |
| 78 | + max_expiry_duration_in_hours = 1 |
| 79 | + use_cookies_for_intermediate_steps = true |
| 80 | + use_cookies_for_session = true |
| 81 | + use_pkce = true |
| 82 | + fallback_redirect_path = "/fallback" |
| 83 | + source_uri_details { |
| 84 | + // Use the same discovery URI as the validation policy above. |
| 85 | + type = "VALIDATION_BLOCK" |
| 86 | + } |
| 87 | + client_details { |
| 88 | + // Use the same OAuth2 client details as the validation policy above. |
| 89 | + type = "VALIDATION_BLOCK" |
| 90 | + } |
| 91 | + } |
| 92 | + } |
| 93 | + } |
| 94 | + routes { |
| 95 | + path = "/" |
| 96 | + methods = ["GET", "HEAD"] |
| 97 | + backend { |
| 98 | + type = "STOCK_RESPONSE_BACKEND" |
| 99 | + status = 200 |
| 100 | + body = "Hello World" |
| 101 | + } |
| 102 | + } |
| 103 | + } |
| 104 | +} |
| 105 | +resource "oci_apigateway_gateway" "test_gateway" { |
| 106 | + compartment_id = var.compartment_ocid |
| 107 | + endpoint_type = "PUBLIC" |
| 108 | + subnet_id = oci_core_subnet.regional_subnet.id |
| 109 | +} |
| 110 | +resource "oci_core_vcn" "vcn1" { |
| 111 | + cidr_block = "10.0.0.0/16" |
| 112 | + compartment_id = var.compartment_ocid |
| 113 | + display_name = "exampleVCN" |
| 114 | + dns_label = "tfexamplevcn" |
| 115 | +} |
| 116 | +resource "oci_core_subnet" "regional_subnet" { |
| 117 | + cidr_block = "10.0.1.0/24" |
| 118 | + display_name = "regionalSubnet" |
| 119 | + dns_label = "regionalsubnet" |
| 120 | + compartment_id = var.compartment_ocid |
| 121 | + vcn_id = oci_core_vcn.vcn1.id |
| 122 | +} |
0 commit comments