-
Notifications
You must be signed in to change notification settings - Fork 10
API Gateway
This section of our Wiki documents our configuration of the BC Gov API-Gateway service we use for managing access to our hosted API services.
- What is the API Gateway
- Keycloak Setup
- Authorization Profiles
- Gateway Service Configuration
- Network Policies with OpenShift
- API Services Portal
- Saved Configurations
- API Services Portal
- Portal Directory API
- BC Gov API Services documentation.
The API Gateway is powered by Kong software and offers authentication, rate-limiting, request IP filtering and more for our APIs. It is part of the API Services Platform provided by a dedicated team (API Program Services - APS) at the Ministry of Citizen Service.
They can be reached on rocketcat channel #aps-ops
.
Included with the platform is the API Services Portal and Portal Directory API which provides a way to configure our Gateway service and an obnboarding interface for consumers of our hosted APIs (for example CHES and CDOGS).
Secure consumer access to our API is implemented using the OAUTH client credential grant flow. The API Services Portal provides a user interface for automating the backend keycloak configuration to support this. For more details see the APS Documentation on Protecting an API with OAuth2 Client Credential Flow.
When you first log in to the Portal (https://api.gov.bc.ca/login), choose the API Providers Login.
In the top menu you can change to our Namespace csst1
.
Our team's management tasks can be found from the main page.
See in Portal.
This is where we give members of our team access to the Portal interface by clicking the 'Grant User Access' link. The team member must try to log into the Portal first, before you can find them. Users with the 'Access.Manage' permission will receive email notifications for Client Access Requests.
Service-Accounts can also be configured here. We currently have one service account that has all the permissions. You can create new ones if you need them. Service accounts can be used as basic auth credentials for getting a token (from the APS token endpoint) to use with the APS Portal API, the GWA CLI and more.
For our Gateway services, we're using our own custom Keycloak realm in the SSO team's gold-tier service.
- realm id:
comsvcauth
- Admin console
For each API we offer through the gateway we need to create a confidential keycloak Client. (For example: CDOGS and CHES
See APS Documentation for steps on specific configuration of the clients.
We don't currently use any roles of scopes. However we do verify the aud
claim in the access token. To allow this we need to enable the audience Client Mapper at the keyclaok realm level, as decribed in the section on 'Client Mappers' here.
This is where we define how our APIs will be secured, in our case, using the Client Credentials auth flow. Our API consumers must have a Keycloak Client (Client ID and Secret are the credentials) that acts as a 'client' with a Service Account for the Client for our API itself (eg: CDOGS or CHES) that we set up in Keycloak in the previous section above.
our Authorization Profiles can be setup either in the Portal UI or by using the Portal Directory API. Calls to the Portal Directory API must be authenticated using an access token obtained using a Service Account for our namespace.
When adding an Authorization Profile using the Portal UI you can do the following:
- choose the 'Client Credential Flow, using Client ID and Secret' option
- Authorization
- Mode: Automatic
- We no longer check client claims in the token other than audience. Client Mappers > Audience should set to the ID of our API Keycloak Client (eg: CDOGS or CHES)
- Environment:
- Add a dev. test and prod environment
- idp Issuer URL is like
https://dev.loginproxy.gov.bc.ca/auth/realms/comsvcauth
- Client Registration type is
managed
. Here you enter the Client ID and Secret of our API Keycloak Client (eg: CDOGS or CHES)
If you did want to use roles/scopes, as we were previously in CHES, you can configure this in the Portal UI as shown in this screenshot
If you need to restore our existing configuration (for Auth Profile 1 and Auth Profile 2) you can use the Portal Directory console and PUT the the JSON in the Authorization Profile file below.
The Service configuration can be created using a command line utility called GWA.
Pre-requisite: You have a service account to use with GWA to connect to your Namespace on the Gateway server.
-
Install GWA utility on your workstation
-
Connect to your namespace from local machine using a service account for your namespace (this creates a .env file in your current Directory):
gwa init -P --api-version=2 --namespace=<namespace> \ --client-id=<Client ID found in portal> \ --client-secret=<Client Secret found in portal>
-
Craft a Kong configuration file (see example) that defines the service and its routes for each of the endpoints of your API (eg
/email
,/health
, etc..)You can generate this yaml template by parsing our OpenAPI Spec. Although this can be done in one command, I found the interactive mode in GWA preferable.
notes:
- API spec needs to be JSON
- GWA didn't seem to find local files.
- API spec 3.0.2 supported, needs to be valid spec
- the
route
parameter is the desired url for your api - the
service-url
is the target service. In our case it's the OpenShift service serving our node application (found in the OCP console) - use interactive mode -
$ new gwa
$ gwa new https://cdogs-spec-online.gov.bc.ca/api/v1/api-spec.json \ --route-host cdogs-dev.api.gov.bc.ca \ --service-url cdogs-app-master.2250c5-dev.svc \ --outfile=cdogs-service-dev.yaml
The output yaml file should look like one of the saved Gateway Service Configurations files
The process is also documented in the APS documentation
-
Publish the gateway configuration
gwa pg cdogs-service-dev.yaml
-
You can confirm your config was completed by GET all service configurations for our namespace using the Portal Directory API. Note: at time of writing response fom APi did not return the plugin configuration on routes.
The Response from the Portal Directory has been saved to a Gateway Routes file.
- You can verify the routes have been added using cURL request
curl https://cdogs.api.gov.bc.ca/api/v2/health/headers
Note: The configuration of the Gateway Service can also be done using requests to the Gateway Administration API (gwa-api Swagger Consolegwa-api Postman Collection)
Because our APIs are running on OpenShift, we need to create a Network Policy in the namespace for our API app to allow the Gateway's test and prod environments to route traffic to our API. The NSP's can be found in our OpenShift project namespaces (named, for example: 'allow-traffic-from-gateway-to-cdogs-master`)
See a Network Policy at the bottom of this page as an example.
Each of our APIs (eg CDOGS or CHES) can be thought of as a Product. In configuration terms, a Product is the central entity that links our API Directory entry (dataset) to our Authroization Profile and Gateway Service
Products can be managed in the Portal UI but they are easier to add using the Portal Directory API. GET'ing the config will return our current Product configuration that has been saved to a Configuration file in the section below
*Note At the time of writing there was a bug in the Portal where Product environments cannot be made active. The fix was to unlink the service (which technially works) but this seems to impact our API Metrics. There is a PR to fix it here and more background info in this RocketChat thread.
A Dataset can be thought of as metadata about our API that is displayed in the API Directory. It can be PUT and GET using APS Portal Directory API
Our current Dataset configuration and has been saved to a Configuration file in the section below
The following files amount to our Gateway configuration for the CDOGS and CHES APIs.
- Authorization Profiles
- Gateway Service definitions:
- Gateway Routes
- OpenShift Network Policy
- Products
- Datasets
Return Home
- Home
- Common Services
- Authentication
- Authorization
- Data Persistence
- Developer Resources
- Observability
- Operations
- Research
- Testing
- Acronyms and Terms