Configure a Protected Resource via API
This page details the requests required to register a resource at the RSA-OIDC. The values here must correspond to those defined at the Authorization Server and Wallet components.
Request Attributes
The attributes in the sample requests are described below according to the entity they belong to.
Resource
JSON-API type: `resource`

Parameter | Description | Example value | Required |
---|---|---|---|
`resourceId` | The identifier for the Resource. | `rsa-userinfo` | Yes |
`type` | A string representing the Resource type. | `https://openid.net/specs/openid-connect-core-1_0.html` | Yes |
`name` | A human-readable name for the Resource. | RSA Userinfo | No |
`description` | A brief description providing details about the Resource. | `null` | No |
`iconUri` | The location of an image that can be used as an icon for the Resource. | `null` | No |
`userId` | A single user ID to associate with this Resource. | `null` | No |

Relationship | Description | Required |
---|---|---|
`authServer` | Of type `oauth-provider`. See the Authorization Server request made previously. | Yes |
Protected HTTP Path
JSON-API type: `protected-http-path`

Parameter | Description | Example value | Required |
---|---|---|---|
`path` | The path where a protected resource may be accessed. | `/api/userinfo` | Yes |

Relationship | Description | Required |
---|---|---|
`authServer` | Of type `oauth-provider`. See the Authorization Server request made previously. | Yes |
Protected Resource Path Mapping
JSON-API type: `protected-resource-path-mapping`

Parameter | Description | Example value | Required |
---|---|---|---|
`method` | An HTTP method to map to the Protected HTTP Path. | `GET` | Yes |

Relationship | Description | Required |
---|---|---|
`resource` | Of type `resource`. The resource component of this mapping; this resource will be mapped to the protected HTTP path. | Yes |
`path` | Of type `protected-http-path`. The path component of this mapping; this path will be mapped to the protected resource. | Yes |
Protected Resource Path Mapping Scopes
JSON-API type: `protected-resource-path-mapping-scopes`

Parameter | Description | Example value | Required |
---|---|---|---|
`scope` | A scope to allow for the Protected Resource Path Mapping. | `read` | Yes |

Relationship | Description | Required |
---|---|---|
`pathMapping` | Of type `protected-resource-path-mapping`. The path mapping (resource plus protected HTTP path) that this scope applies to. | Yes |

When enrolling the protected resource path mapping scopes, the scopes enrolled for a particular protected path must also be registered in the Authorization Server's requested resource for that particular capability ticket. The Resource Server Adapter compares the granted scopes in the access token's permissions against the protected resource path mapping scopes. If any scope in the protected resource path mapping scopes is not present among the scopes granted in the token permission, the userinfo endpoint returns an error.
Resource Authority Mapping
JSON-API type: `resource-authority-mapping`

This entity consists of a composite key and a single parameter (`authorityString`, detailed in the table below). The composite key is composed of a resource ID and a scope. The JSON-API ID for this entity must include both of these values as a single string with a space between them, e.g. in the sample Resource Authority Mapping request below, one of these composite IDs is `"rsa-userinfo read"`.

Parameter | Description | Example value | Required |
---|---|---|---|
`authorityString` | Scope names can be mapped to Authority names; define the Authority name with this attribute. | `read` | Yes |
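The two checks described above, the all-scopes-present test the Resource Server Adapter applies to a protected path mapping and the composite-key lookup from a granted scope to an authority name, modelled in Python. This is an added example, not code from the RSA-OIDC project: it assumes the registration shown on this page (a `GET /api/userinfo` mapping for the resource `rsa-userinfo` with the mapping scopes `read` and `write`, and the matching `resource-authority-mapping` entries) and a constructed shape for the token's permissions, a list of `{"resource_id": ..., "scopes": [...]}` entries; the data structures and function names are the example's own.

```python
"""Scope enforcement and scope-to-authority translation, modelled in Python.

Added example, not code from the RSA-OIDC project. The registration state
below mirrors the sample requests on this page; the shape of the token
permissions is an assumption made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathMapping:
    resource_id: str            # resourceId of the registered resource
    path: str                   # protected-http-path.path
    method: str                 # protected-resource-path-mapping.method
    required_scopes: frozenset  # protected-resource-path-mapping-scopes


# Constructed registration state mirroring the sample requests on this page.
MAPPINGS = (
    PathMapping("rsa-userinfo", "/api/userinfo", "GET", frozenset({"read", "write"})),
)

# resource-authority-mapping keyed by the composite id "resourceId scope".
AUTHORITY_MAPPING = {
    "rsa-userinfo read": "read",
    "rsa-userinfo write": "write",
}


def composite_id(resource_id, scope):
    """Build the JSON-API id of a resource-authority-mapping entry."""
    return f"{resource_id} {scope}"


def find_mapping(path, method):
    """Look up the path mapping for an incoming request; None if nothing is registered."""
    for mapping in MAPPINGS:
        if mapping.path == path and mapping.method == method:
            return mapping
    return None


def authorities_for(resource_id, granted_scopes):
    """Translate granted scopes into authority names through the composite key.

    A scope the Authorization Server granted but the adapter never mapped
    yields no authority; it is dropped rather than passed through verbatim.
    """
    authorities = []
    for scope in sorted(granted_scopes):
        authority = AUTHORITY_MAPPING.get(composite_id(resource_id, scope))
        if authority is not None:
            authorities.append(authority)
    return authorities


def authorize(path, method, token_permissions):
    """Decide whether a request may reach a protected path.

    Returns (allowed, detail). Every scope registered for the mapping must be
    present in the permission granted for that resource; otherwise the request
    is refused and detail names the missing scopes.
    """
    mapping = find_mapping(path, method.upper())
    if mapping is None:
        return False, f"no protected resource path mapping for {method.upper()} {path}"
    granted = set()
    for permission in token_permissions:
        if permission.get("resource_id") == mapping.resource_id:
            granted.update(permission.get("scopes", []))
    missing = mapping.required_scopes - granted
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    return True, "authorities: " + ", ".join(authorities_for(mapping.resource_id, granted))


if __name__ == "__main__":
    full = [{"resource_id": "rsa-userinfo", "scopes": ["read", "write"]}]
    partial = [{"resource_id": "rsa-userinfo", "scopes": ["read"]}]
    print(authorize("/api/userinfo", "GET", full))
    print(authorize("/api/userinfo", "GET", partial))
```

A token that carries only `read` is refused even though `read` is a valid scope for the resource, because the mapping registered both `read` and `write`; that is the behaviour the paragraph above describes, and the reason the scopes enrolled here must match what the Authorization Server grants for the ticket.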
Sample Requests
Resource, Protected HTTP Path, Protected Resource Path Mapping
This request combines three related operations into one.

An entry must be made in the `resource` table, which represents a resource registered at a given Authorization Server. The `name` can be a generic, user-friendly name. However, the `resource_id` (the `resourceId` attribute in the request) must be the same as it is in the Authorization Server database. The `type` shown is an "openid" type (the OpenID Connect Core specification URL). The Authorization Server reference (`authServer`) must correspond to the `id` in the `oauth_provider` table that represents the Authorization Server.

Next, an entry must be made in the `protected_http_path` table. This entry represents the path that the SP will use to request the resource with the access token granted by the Authorization Server mentioned above. Note how the path begins with "/api", which corresponds to the prefix supplied in the application's Zuul config (the property `zuul.routes.userinfo.path` in the Application Config). The Authorization Server reference must correspond to the `id` in the `oauth_provider` table that represents the Authorization Server.

Finally, an entry must be made in the `protected_resource_path_mapping` table. This entry links a `protected_path` to a resource registered at a given Authorization Server. The `path_id` and `resource_id` must correspond to the `id` of the appropriate entry within the `protected_http_path` and `resource` tables respectively. The value for `method` must correspond to the HTTP method expected to be used against the Federated Provider to fetch the resource and must be capitalized as displayed above.
```shell
curl -X PATCH '{{RSA_ADMIN_URI}}' \
  --header 'Accept: */*' \
  --header 'Content-Type: application/vnd.api+json; ext=jsonpatch' \
  --header 'ApiVersion: {{RSA_ADMIN_VERSION}}' \
  --header 'Authorization: {{RSA_ADMIN_STATIC_TOKEN}}' \
  --data-raw '[
  {
    "op": "add",
    "path": "/resource",
    "value": {
      "type": "resource",
      "id": 4,
      "attributes": {
        "name": "RSA Userinfo",
        "resourceId": "rsa-userinfo",
        "type": "https://openid.net/specs/openid-connect-core-1_0.html",
        "description": null,
        "iconUri": null,
        "userId": null
      },
      "relationships": {
        "authServer": {
          "data": {
            "type": "oauth-provider",
            "id": 2
          }
        }
      }
    }
  },
  {
    "op": "add",
    "path": "/protected-http-path",
    "value": {
      "type": "protected-http-path",
      "id": 4,
      "attributes": {
        "path": "/api/userinfo"
      },
      "relationships": {
        "authServer": {
          "data": {
            "type": "oauth-provider",
            "id": 2
          }
        }
      }
    }
  },
  {
    "op": "add",
    "path": "/protected-resource-path-mapping",
    "value": {
      "type": "protected-resource-path-mapping",
      "id": 4,
      "attributes": {
        "method": "GET"
      },
      "relationships": {
        "resource": {
          "data": {
            "type": "resource",
            "id": 4
          }
        },
        "path": {
          "data": {
            "type": "protected-http-path",
            "id": 4
          }
        }
      }
    }
  }
]'
```
Protected Resource Path Mapping Scopes
An entry must be made in the `protected_resource_path_mapping_scopes` table. This entry represents the scopes the Service Provider must have been granted by the Requesting Party (RQP) in order to access a protected path of the RSA. A path can have multiple scopes granted to it. The value of `pathMapping` must correspond to the `id` given for the `protected-resource-path-mapping` in the request immediately preceding this one.
```shell
curl -X PATCH '{{RSA_ADMIN_URI}}' \
  --header 'Accept: */*' \
  --header 'Content-Type: application/vnd.api+json; ext=jsonpatch' \
  --header 'ApiVersion: {{RSA_ADMIN_VERSION}}' \
  --header 'Authorization: {{RSA_ADMIN_STATIC_TOKEN}}' \
  --data-raw '[
  {
    "op": "add",
    "path": "/protected-resource-path-mapping-scopes",
    "value": {
      "type": "protected-resource-path-mapping-scopes",
      "id": 6,
      "attributes": {
        "scope": "read"
      },
      "relationships": {
        "pathMapping": {
          "data": {
            "type": "protected-resource-path-mapping",
            "id": 4
          }
        }
      }
    }
  },
  {
    "op": "add",
    "path": "/protected-resource-path-mapping-scopes",
    "value": {
      "type": "protected-resource-path-mapping-scopes",
      "id": 7,
      "attributes": {
        "scope": "write"
      },
      "relationships": {
        "pathMapping": {
          "data": {
            "type": "protected-resource-path-mapping",
            "id": 4
          }
        }
      }
    }
  }
]'
```
Resource Authority Mapping
To map between scopes and the Authorities that the RSA-OIDC uses, the following configuration is required. The `id` value for each operation shown here must include the Resource identifier and the scope name, separated by a space, e.g. `"resource-identifier scope-name"`.
```shell
curl -X PATCH '{{RSA_ADMIN_URI}}' \
  --header 'Accept: */*' \
  --header 'Content-Type: application/vnd.api+json; ext=jsonpatch' \
  --header 'ApiVersion: {{RSA_ADMIN_VERSION}}' \
  --header 'Authorization: {{RSA_ADMIN_STATIC_TOKEN}}' \
  --data-raw '[
  {
    "op": "add",
    "path": "/resource-authority-mapping",
    "value": {
      "type": "resource-authority-mapping",
      "id": "rsa-userinfo read",
      "attributes": {
        "authorityString": "read"
      }
    }
  },
  {
    "op": "add",
    "path": "/resource-authority-mapping",
    "value": {
      "type": "resource-authority-mapping",
      "id": "rsa-userinfo write",
      "attributes": {
        "authorityString": "write"
      }
    }
  }
]'
```
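The three sample requests above are easy to get subtly wrong by hand: a JSON Patch `path` without its leading slash, a lower-case `method`, a relationship `id` that nothing defines, or a `resource-authority-mapping` id that is not of the form `"resourceId scope"`. The following added example (not part of the RSA-OIDC project) builds the whole registration as one ordered batch and checks it against those constraints before anything is sent. It reproduces only the wire format this page shows, an array of `{"op": "add", "path": "/<json-api-type>", "value": {...}}` operations; the builder, the validator and its rules are the example's own, and the `known_ids` parameter (entries such as the `oauth-provider` that already exist on the server) is an assumption made so that cross-request references can be checked.

```python
"""Build and sanity-check the JSON Patch batch that registers a protected
resource with the RSA-OIDC admin API.

Added example, not part of the RSA-OIDC project. Only the operation shape
comes from this page; build_registration, validate_batch and their rules are
the example's own.
"""
import json

OIDC_CORE_TYPE = "https://openid.net/specs/openid-connect-core-1_0.html"


def add_op(resource_type, obj_id, attributes, relationships=None):
    """One JSON Patch 'add' operation wrapping a JSON-API resource object."""
    value = {"type": resource_type, "id": obj_id, "attributes": attributes}
    if relationships:
        value["relationships"] = {
            name: {"data": {"type": rel_type, "id": rel_id}}
            for name, (rel_type, rel_id) in relationships.items()
        }
    return {"op": "add", "path": "/" + resource_type, "value": value}


def build_registration(resource_id, name, path, scopes, auth_server_id,
                       resource_db_id, path_db_id, mapping_db_id,
                       first_scope_db_id, method="GET"):
    """Assemble the operations of the three sample requests on this page into one ordered list."""
    ops = [
        add_op("resource", resource_db_id,
               {"name": name, "resourceId": resource_id, "type": OIDC_CORE_TYPE,
                "description": None, "iconUri": None, "userId": None},
               {"authServer": ("oauth-provider", auth_server_id)}),
        add_op("protected-http-path", path_db_id, {"path": path},
               {"authServer": ("oauth-provider", auth_server_id)}),
        add_op("protected-resource-path-mapping", mapping_db_id, {"method": method},
               {"resource": ("resource", resource_db_id),
                "path": ("protected-http-path", path_db_id)}),
    ]
    for offset, scope in enumerate(scopes):   # one scope entry per mapping scope
        ops.append(add_op("protected-resource-path-mapping-scopes",
                          first_scope_db_id + offset, {"scope": scope},
                          {"pathMapping": ("protected-resource-path-mapping", mapping_db_id)}))
    for scope in scopes:                      # composite id "resourceId scope"
        ops.append(add_op("resource-authority-mapping", f"{resource_id} {scope}",
                          {"authorityString": scope}))
    return ops


def validate_batch(ops, known_ids=()):
    """Return a list of problems; an empty list means the batch is consistent.

    known_ids holds (type, id) pairs already present on the server (assumed
    here), such as the oauth-provider created earlier, so relationships may
    refer to them as well as to entries defined earlier in the same batch.
    """
    problems = []
    defined = set(known_ids)
    for index, op in enumerate(ops):          # first pass: collect every id the batch defines
        value = op.get("value", {})
        path = op.get("path", "")
        if not path.startswith("/"):
            problems.append(f"op {index}: path {path!r} must start with '/'")
        if value.get("type") != path.lstrip("/"):
            problems.append(f"op {index}: value type {value.get('type')!r} does not match path {path!r}")
        defined.add((value.get("type"), value.get("id")))
    for index, op in enumerate(ops):          # second pass: per-type rules and references
        value = op.get("value", {})
        attributes = value.get("attributes", {})
        if value.get("type") == "protected-resource-path-mapping":
            method = attributes.get("method")
            if not isinstance(method, str) or method != method.upper():
                problems.append(f"op {index}: method {method!r} must be capitalized")
        if value.get("type") == "resource-authority-mapping":
            parts = str(value.get("id", "")).split(" ")
            if len(parts) != 2 or not all(parts):
                problems.append(f"op {index}: id {value.get('id')!r} must be 'resourceId scope'")
        for name, rel in value.get("relationships", {}).items():
            data = rel.get("data", {})
            ref = (data.get("type"), data.get("id"))
            if ref not in defined:
                problems.append(f"op {index}: relationship {name!r} refers to unknown {ref}")
    return problems


def render_body(ops):
    """Serialize the batch as the --data-raw payload of the curl requests above."""
    return json.dumps(ops, indent=2)


if __name__ == "__main__":
    batch = build_registration("rsa-userinfo", "RSA Userinfo", "/api/userinfo",
                               ["read", "write"], auth_server_id=2, resource_db_id=4,
                               path_db_id=4, mapping_db_id=4, first_scope_db_id=6)
    print(validate_batch(batch, known_ids=[("oauth-provider", 2)]))
    print(render_body(batch))
```

Run with no `known_ids`, the validator reports the two `authServer` relationships as dangling, which is the right outcome: the `oauth-provider` they point at has to exist before this batch is applied, exactly as the page says the Authorization Server must be registered first.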