Skip to Content
Last modified by Carlijn Kokkeler on 2024/09/03 12:28
From version 5.1
edited by Erik Bakker
on 2022/06/13 09:39
Change comment: There is no comment for this version
To version 13.1
edited by Eva Torken
on 2023/12/07 14:59
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 - XPath Advanced
1 +API Gateway Security - External IDP
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ebakker
1 +XWiki.etorken
Default language
... ... @@ -1,0 +1,1 @@
1 +en
Content
... ... @@ -1,93 +1,53 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -Within the crash course, we already explained XPath conceptually. In that same microlearning, we also looked at some more uncomplicated cases of using XPath within your transformation. If you need to brush up on that knowledge, please check out this [microlearning](crashcourse-platform-create-transformation-xpath-basic.md). In the intermediate microlearning on this subject, we built upon that knowledge. Please check out this [microlearning](intermediate-create-your-transformations-xpath-intermediate.md) if you need a refresher on that. In this microlearning, we will build upon that knowledge and look at some concrete, practical examples that could be useful in your project.
2 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway.
3 3  
4 4  Should you have any questions, please get in touch with [[academy@emagiz.com>>mailto:academy@emagiz.com]].
5 5  
6 -* Last update: October 25th, 2021
7 -* Required reading time: 6 minutes
8 -
9 9  == 1. Prerequisites ==
10 10  
11 -* Advanced knowledge of the eMagiz platform
12 -* [[XPath Basic>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-create-transformation-xpath-basic.WebHome||target="blank"]]
13 -* [[XPath Intermediate>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.Create your transformations.intermediate-create-your-transformations-xpath-intermediate.WebHome||target="blank"]]
8 +* Expert knowledge of the eMagiz platform
14 14  
15 -
16 16  == 2. Key concepts ==
17 17  
18 -This microlearning focuses on more complex XPath operations.
12 +This microlearning focuses on using an external IDP to validate whether a user is authorized to execute a certain action on your API Gateway and what configuration is needed in eMagiz to make this work.
19 19  
20 -With XPath Advanced, we mean learning that XPath options are complex but could benefit you in your daily work.
14 +* The Token and Issuer URL of the external IDP need to be known
15 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP
21 21  
22 -Some of the more complex XPath options are:
17 +== 3. External IDP ==
23 23  
24 -* dateTime calculation
25 -* Filter list
26 -* XPath on JSON
27 -* SpEL notation for XPath
19 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway.
28 28  
21 +When selecting the option OAuth2.0 (or OpenID Connect) you have the option to use the IDP provided by eMagiz which makes the configuration easy or you could use an external IDP which you have control over and want to use for this purposes.
29 29  
23 +In this microlearning we will highlight what you need to configure in Design and Deploy to make this work within the tooling of eMagiz.
30 30  
31 -== 3. XPath Advanced ==
25 +=== 3.1 Design ===
32 32  
33 -Within the crash course, we already explained XPath conceptually. In that same microlearning, we also looked at some more uncomplicated cases of using XPath within your transformation. If you need to brush up on that knowledge, please check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course Platform.crashcourse-platform-create-transformation-xpath-basic.WebHome||target="blank"]]. In the intermediate microlearning on this subject, we built upon that knowledge. Please check out this [[microlearning>>doc:Main.eMagiz Academy.Microlearnings.Intermediate Level.Create your transformations.intermediate-create-your-transformations-xpath-intermediate.WebHome||target="blank"]] if you need a refresher on that. In this microlearning, we will build upon that knowledge and look at some concrete, practical examples that could be useful in your project.
27 +On the security level of the API Gateway in Design you need to select the desired option, for example OAuth2.0. Instead of not filling in the token and issuer URL, indicating that you want to use the eMagiz IDP, you need to fill these in to reference the IDP of your choice. Below you see an example of how this could be configured.
34 34  
35 -Some of the more complex XPath options are:
29 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-security-config-design.png]]
36 36  
37 -* dateTime calculation
38 -* Filter list
39 -* XPath on JSON
40 -* SpEL notation for XPath
31 +Note that the environmentID in this example should be replaced with an actual environmentID that references your environment.
41 41  
42 -=== 3.1 dateTime calculation ===
33 +=== 3.2 Deploy ===
43 43  
44 -Sometimes we see that a dateTime calculation is needed within a transformation to determine a specific action. As these calculations are not natively supported within the eMagiz platform, you need to use XPath's functionality to calculate the new valid date (or dateTime).
35 +Normally, eMagiz will automatically update the User Management information based on the configuration in Design. However, because the identity check is not done by eMagiz but by an external party you need to manually enter the roles and users and configure the scope correctly on role level.
45 45  
46 -The XPath standard offers several functions to calculate with dateTime values. The two most used options are dayTimeDuration and yearMonthDuration. With the help of the dayTimeDuration, you can add, subtract, multiple, or divide seconds, minutes, hours, and days regarding the original value. The yearMonthDuration works similarly but then for months and years. An example of such an XPath is: <xsl:value-of xmlns:xs="http://www.w3.org/2001/XMLSchema" select="CDM:StartDate + xs:dayTimeDuration('P1D') * xs:yearMonthDuration('P1M')"/>. In this example, XPath adds one day and subtracts one month from the input date. Note that making this work requires the additional namespace to be defined. Therefore you need a custom snippet within your transformation or a custom transformation to make this work. Furthermore, note that the P1D and P1M could also be filled with the help of parameters to make them dynamic in nature.
37 +To do so navigate to User Management in Deploy and add the users you want manually by pressing the New button and providing them with a name. Do subsequently the same for the roles. On role level do not forget to correctly enter the scope to make the call work. Note that the help text on the scope level gently reminds you what you need to do to make this work.
47 47  
48 -Some examples that we saw during the years:
39 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-scope-configuration.png]]
49 49  
50 -* https://my.emagiz.com/p/question/172825635700358186
51 -* https://my.emagiz.com/p/question/172825635700352588
41 +{{warning}}When implementing this you would be the first to do so with this setup. This means there might be some unexpected behavior when configuring this.{{/warning}}
52 52  
53 -=== 3.2 Filter list ===
43 +== 4. Key takeaways ==
54 54  
55 -Sometimes you have a large message which contains a certain list within it. However, logic dictates that you can only send the message if at least one entry in the list for which attribute A is filled and attribute B equals type C. To make that happen in XPath, we first need to navigate to the list within the message. As we previously learned, there are two options to do so. One is to use // to navigate to the entity somewhere in the tree directly. The other is to start at the root and walk the tree from there. In this example, we use the latter. That results in the following XPath example: /root/list[attributeB = 'type C']/attributeA !=''. With this XPath, you filter the list on the specified check and subsequently check whether one of those entries that remains has an attributeA which is filled in.
45 +* The Token and Issuer URL of the external IDP need to be known
46 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP
47 +* When implementing this you would be the first to do so with this setup.
56 56  
57 -=== 3.3 XPath on JSON ===
49 +== 5. Suggested Additional Readings ==
58 58  
59 -With the release of build number .50, we expanded our offering on JSON messages to resemble much of the functionality we previously offered for XML messages. As a result, you can use XPath expressions on JSON messages within the following components (related to XPath):
51 +If you are interested in this topic and want more information, please read the help text provided by eMagiz.
60 60  
61 -* XPath header enricher
62 -* XPath transformer
63 -* XPath router
64 -
65 -To activate the functionality, simply link the JSON source factory support object to one of these components to achieve the desired result. For more information, check out: https://emagiz.github.io/docs/release-notes/build50.
66 -
67 -=== 3.4 SpEL notation for XPath ===
68 -
69 -Sometimes you want to perform an XPath operation but store the header via a standard message header enricher component. As a result, you need a valid SpEL expression to help you in this cause. To do so, you need to know the correct notation for an XPath expression when using the SpEL language. An example of the correct notation is: #xpath(payload,'/root/entity/attribute')
70 -
71 -== 4. Assignment ==
72 -
73 -Check out which of the XPaths we have discussed today can be found within your project.
74 -This assignment can be completed within the (Academy) project you created/used in the previous assignment.
75 -
76 -== 5. Key takeaways ==
77 -
78 -Some of the more complex XPath options are:
79 -
80 -* dateTime calculation
81 -* Filter list
82 -* XPath on JSON
83 -* SpEL notation for XPath
84 -
85 -== 6. Suggested Additional Readings ==
86 -
87 -If you are interested in this topic and want more information on it, please read the help text provided by eMagiz and read more information on the following link:
88 -
89 -* https://www.w3schools.com/xml/xpath_intro.asp
90 -
91 -== 7. Silent demonstration video ==
92 -
93 -As this is more of theoretical microlearning, there is no video accompanying the microlearning.)))((({{toc/}}))){{/container}}{{/container}}
53 +)))((({{toc/}}))){{/container}}{{/container}}