Speed up the auth token generation process for Sunbird Adopters

Problem

Speed up the auth token generation process for Sunbird Adopters

Solution

APIs to onboard the consumer and generate the token

  • Use the adminutil container, which will expose the Kong admin onboard consumer API externally.

  • Protect this API with an auth token.
  • Share this token with the support team; with this there will be no dependency on the gateway team.

Configurations

We grant Sunbird adopters access to specific groups. These groups are revised whenever there is an addition, deletion or update to the APIs, so we need a central place where we can maintain the configuration.

Solution 

Use the config service to maintain this configuration. 

file name: consumers.config


Google
{
    "allow_signup": true,
    "services": {
        "admin-util": {
            "access-groups": {
                "consumers": {
                    "sunbird_adopter": {
                        "groups": [
                            "echoUser",
                            "orgAdmin",
                            "orgUpdate",
                            "orgUser",
                            "userAdmin",
                            "userUpdate",
                            "publicUser",
                            "dataAdmin",
                            "dataUpdate",
                            "domainAdmin",
                            "domainUpdate",
                            "domainUser",
                            "dialcodeAdmin",
                            "dialcodeUpdate",
                            "appAdmin",
                            "appUpdate"
                        ]
                    }
                }
            }
        }
    }
}



Implementation details

Creating a consumer

  • Register a consumer

    • username={username} // Unique & unmodifiable name

Request:

POST /v1/consumer/create

{
   "id":"ekstep.api.consumer.create",
   "ver":"1.0",
   "ets":1489054878488,
   "params":{
      "msgid":""
   },
   "request":{
      "username":"",
      "group":"sunbird_adopter"
   }
}


Response:

{
  "id": "ekstep.api.consumer.create",
  "ver": "1.0",
  "ets": 1489054878488,
  "params": {
    "status": "",
    "err": "",
    "errmsg": "",
    "msgid": "",
    "resmsgid": ""
  },
  "result": {
    "key": "", // the key generated to uniquely identify the consumer
    "secret": "", // secret for signing the token
    "jwt": "", // JWT token created using key and secret
    "username": ""
  }
}
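
How the key, secret and jwt fields of this response relate, as an added example that is not part of the original page or of the adminutil code. It assumes Kong's JWT plugin defaults (HS256, with the consumer key carried in the iss claim); the function names and the sample credentials are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(key: str, secret: str) -> str:
    """Token for a consumer: `iss` names the credential key, `secret` signs it."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"iss": key}, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, credentials: dict) -> str:
    """Gateway-side check. Returns the consumer key, raises ValueError on rejection.

    `credentials` maps key -> secret (constructed stand-in for the credential store).
    """
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
        alg, key = header["alg"], payload["iss"]
    except (ValueError, TypeError, KeyError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token header choose "none" or another scheme.
    if alg != "HS256":
        raise ValueError("unexpected algorithm")
    secret = credentials.get(key) if isinstance(key, str) else None
    if secret is None:
        raise ValueError("unknown consumer key")
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return key
```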


Error codes

  • INTERNAL_ERROR: Unknown/Unhandled error (equivalent HTTP 500)
  • CONSUMER_GET_ERROR: Error when getting existing consumer
  • CONSUMER_DUPLICATE_ERROR: Error when creating a consumer if a consumer already exists with the same username
  • GROUP_ASSIGN_ERROR: Error when assigning a consumer to the default group
  • CREATE_CREDENTIAL_ERROR: Error when creating a credential
  • BAD_REQUEST: Invalid request. The following are the reasons for this error:
    • JSON is not parsable
    • mandatory fields missing (username)
    • username has a space
    • username is of type UUID (due to a Kong limitation, the username cannot be a UUID)

Configure the access control for a consumer

  • Attaching consumer to the group(s)
    • groups={list-of-group-names}

Get consumer details

Request:

POST /v1/consumer/{consumer_name}/read
{
  "id": "ekstep.api.consumer.read",
  "ver": "1.0",
  "ets": 1489054878488,
  "params": {
    "msgid": ""
  }
}

Response:

{
  "id": "ekstep.api.consumer.read",
  "ver": "1.0",
  "ets": 1489054878488,
  "params": {
    "status": "",
    "err": "",
    "errmsg": "",
    "msgid": "",
    "resmsgid": ""
  },
  "result": {
    "username": "",
    "groups": ["contentUser", "contentAdmin"]
  }
}

Delete consumer

Request:

POST /v1/consumer/{consumer_name}/delete
{
  "id": "ekstep.api.consumer.delete",
  "ver": "1.0",
  "ets": 1489054878488,
  "params": {
    "msgid": ""
  }
}

Response:

{
  "id": "ekstep.api.consumer.read",
  "ver": "1.0",
  "ets": 1489054878488,
  "params": {
    "status": "",
    "err": "",
    "errmsg": "",
    "msgid": "",
    "resmsgid": ""
  }
}

Protect these APIs from public access

We can do this using JWT and granting access to these APIs only to a particular consumer.

Implementation

  • Onboard the new consumer, e.g. sunbirdAdmin.
  • Add the ACL to these APIs, e.g. consumerAdmin.
  • Give this ACL access to sunbirdAdmin.