Skip to Content
Last modified by Carlijn Kokkeler on 2024/09/03 12:28
From version 2.2
edited by Erik Bakker
on 2022/06/13 09:26
Change comment: Update document after refactoring.
To version 13.2
edited by Danniar Firdausy
on 2024/08/07 10:06
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -advanced-create-your-transformations-xpath-advanced
1 +API Gateway Security - External IDP
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ebakker
1 +XWiki.dfirdausy
Default language
... ... @@ -1,0 +1,1 @@
1 +en
Content
... ... @@ -1,101 +1,55 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -= XPath Advanced =
2 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway.
3 3  
4 -Within the crash course, we already explained XPath conceptually. In that same microlearning, we also looked at some more uncomplicated cases of using XPath within your transformation. If you need to brush up on that knowledge, please check out this [microlearning](crashcourse-platform-create-transformation-xpath-basic.md). In the intermediate microlearning on this subject, we built upon that knowledge. Please check out this [microlearning](intermediate-create-your-transformations-xpath-intermediate.md) if you need a refresher on that. In this microlearning, we will build upon that knowledge and look at some concrete, practical examples that could be useful in your project.
5 -
6 6  Should you have any questions, please get in touch with [[academy@emagiz.com>>mailto:academy@emagiz.com]].
7 7  
8 -* Last update: October 25th, 2021
9 -* Required reading time: 6 minutes
10 -
11 11  == 1. Prerequisites ==
12 12  
13 -* Advanced knowledge of the eMagiz platform
14 -* [XPath Basic](crashcourse-platform-create-transformation-xpath-basic.md)
15 -* [XPath Intermediate](intermediate-create-your-transformations-xpath-intermediate.md)
8 +* Expert knowledge of the eMagiz platform
16 16  
17 -crashcourse-platform-create-transformation-xpath-basic
18 -crashcourse-platform-create-transformation-XPath-basic
19 -
20 20  == 2. Key concepts ==
21 21  
22 -This microlearning focuses on more complex XPath operations.
12 +This microlearning focuses on using an external IDP to validate whether a user is authorized to execute a certain action on your API Gateway and what configuration is needed in eMagiz to make this work.
23 23  
24 -With XPath Advanced, we mean learning that XPath options are complex but could benefit you in your daily work.
14 +* The Token and Issuer URL of the external IDP need to be known
15 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP
25 25  
26 -Some of the more complex XPath options are:
17 +== 3. External IDP ==
27 27  
28 -* dateTime calculation
29 -* Filter list
30 -* XPath on JSON
31 -* SpEL notation for XPath
19 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway.
32 32  
21 +When selecting the option OAuth2.0 (or OpenID Connect) you have the option to use the IDP provided by eMagiz which makes the configuration easy or you could use an external IDP which you have control over and want to use for this purposes.
33 33  
23 +In this microlearning we will highlight what you need to configure in Design and Deploy to make this work within the tooling of eMagiz.
34 34  
35 -== 3. XPath Advanced ==
25 +=== 3.1 Design ===
36 36  
37 -Within the crash course, we already explained XPath conceptually. In that same microlearning, we also looked at some more uncomplicated cases of using XPath within your transformation. If you need to brush up on that knowledge, please check out this [microlearning](crashcourse-platform-create-transformation-xpath-basic.md). In the intermediate microlearning on this subject, we built upon that knowledge. Please check out this [microlearning](intermediate-create-your-transformations-xpath-intermediate.md) if you need a refresher on that. In this microlearning, we will build upon that knowledge and look at some concrete, practical examples that could be useful in your project.
27 +On the security level of the API Gateway in Design you need to select the desired option, for example OAuth2.0. Instead of not filling in the token and issuer URL, indicating that you want to use the eMagiz IDP, you need to fill these in to reference the IDP of your choice. Below you see an example of how this could be configured.
38 38  
39 -Some of the more complex XPath options are:
29 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-security-config-design.png]]
40 40  
41 -* dateTime calculation
42 -* Filter list
43 -* XPath on JSON
44 -* SpEL notation for XPath
31 +Note that the environmentID in this example should be replaced with an actual environmentID that references your environment.
45 45  
46 -=== 3.1 dateTime calculation ===
33 +=== 3.2 Deploy ===
47 47  
48 -Sometimes we see that a dateTime calculation is needed within a transformation to determine a specific action. As these calculations are not natively supported within the eMagiz platform, you need to use XPath's functionality to calculate the new valid date (or dateTime).
35 +Normally, eMagiz will automatically update the User Management information based on the configuration in Design. However, because the identity check is not done by eMagiz but by an external party you need to manually enter the roles and users and configure the scope correctly on role level.
49 49  
50 -The XPath standard offers several functions to calculate with dateTime values. The two most used options are dayTimeDuration and yearMonthDuration. With the help of the dayTimeDuration, you can add, subtract, multiple, or divide seconds, minutes, hours, and days regarding the original value. The yearMonthDuration works similarly but then for months and years. An example of such an XPath is: <xsl:value-of xmlns:xs="http://www.w3.org/2001/XMLSchema" select="CDM:StartDate + xs:dayTimeDuration('P1D') * xs:yearMonthDuration('P1M')"/>. In this example, XPath adds one day and subtracts one month from the input date. Note that making this work requires the additional namespace to be defined. Therefore you need a custom snippet within your transformation or a custom transformation to make this work. Furthermore, note that the P1D and P1M could also be filled with the help of parameters to make them dynamic in nature.
37 +To do so navigate to User Management in Deploy and add the users you want manually by pressing the New button and providing them with a name. Do subsequently the same for the roles. On role level do not forget to correctly enter the scope to make the call work. Note that the help text on the scope level gently reminds you what you need to do to make this work.
51 51  
52 -Some examples that we saw during the years:
39 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-scope-configuration.png]]
53 53  
54 -* https://my.emagiz.com/p/question/172825635700358186
55 -* https://my.emagiz.com/p/question/172825635700352588
41 +{{warning}}When implementing this you would be the first to do so with this setup. This means there might be some unexpected behavior when configuring this.{{/warning}}
56 56  
57 -=== 3.2 Filter list ===
43 +== 4. Key takeaways ==
58 58  
59 -Sometimes you have a large message which contains a certain list within it. However, logic dictates that you can only send the message if at least one entry in the list for which attribute A is filled and attribute B equals type C. To make that happen in XPath, we first need to navigate to the list within the message. As we previously learned, there are two options to do so. One is to use // to navigate to the entity somewhere in the tree directly. The other is to start at the root and walk the tree from there. In this example, we use the latter. That results in the following XPath example: /root/list[attributeB = 'type C']/attributeA !=''. With this XPath, you filter the list on the specified check and subsequently check whether one of those entries that remains has an attributeA which is filled in.
45 +* The Token and Issuer URL of the external IDP need to be known
46 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP
47 +* When implementing this you would be the first to do so with this setup.
60 60  
61 -=== 3.3 XPath on JSON ===
49 +== 5. Suggested Additional Readings ==
62 62  
63 -With the release of build number .50, we expanded our offering on JSON messages to resemble much of the functionality we previously offered for XML messages. As a result, you can use XPath expressions on JSON messages within the following components (related to XPath):
64 -
65 -* XPath header enricher
66 -* XPath transformer
67 -* XPath router
68 -
69 -To activate the functionality, simply link the JSON source factory support object to one of these components to achieve the desired result. For more information, check out: https://emagiz.github.io/docs/release-notes/build50.
70 -
71 -=== 3.4 SpEL notation for XPath ===
72 -
73 -Sometimes you want to perform an XPath operation but store the header via a standard message header enricher component. As a result, you need a valid SpEL expression to help you in this cause. To do so, you need to know the correct notation for an XPath expression when using the SpEL language. An example of the correct notation is: #xpath(payload,'/root/entity/attribute')
74 -
75 -
76 -
77 -== 4. Assignment ==
78 -
79 -Check out which of the XPaths we have discussed today can be found within your project.
80 -This assignment can be completed within the (Academy) project you created/used in the previous assignment.
81 -
82 -== 5. Key takeaways ==
83 -
84 -Some of the more complex XPath options are:
85 -
86 -* dateTime calculation
87 -* Filter list
88 -* XPath on JSON
89 -* SpEL notation for XPath
90 -
91 -
92 -
93 -== 6. Suggested Additional Readings ==
94 -
95 -If you are interested in this topic and want more information on it, please read the help text provided by eMagiz and read more information on the following link:
96 -
97 -* https://www.w3schools.com/xml/xpath_intro.asp
98 -
99 -== 7. Silent demonstration video ==
100 -
101 -As this is more of theoretical microlearning, there is no video accompanying the microlearning.)))((({{toc/}}))){{/container}}{{/container}}
51 +If you are interested in this topic and want more information on it please read the help text provided by eMagiz and read the following links:
52 +* [[Crash Course (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.WebHome||target="blank"]]
53 +** [[Crash Course API Gateway (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.WebHome||target="blank"]]
54 +*** [[API Gateway - Introduction (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-introduction||target="blank"]]
55 +)))((({{toc/}}))){{/container}}{{/container}}