Problem

Speed up the auth token generation process for Sunbird Adopters

Solution

API's to the onboard consumer and generates the token

• Use the adminutil container that will expose the Kong admin onboard consumer API outside.

• Protect this API by auth token

• Share this token with the support team, with this there will be no dependency on gateway team

Configurations

Solution 

Use the config service to maintain this configuration. 

file name: consumers.config

{
    "allow_signup": true,
    "services": {
        "admin-util": {
        "access-groups": {
        "consumers":{
            "sunbird_adopter":{
                "groups":[
                "echoUser",
                "orgAdmin",
                "orgUpdate",
                "orgUser",
                "userAdmin",
                "userUpdate ",
                "publicUser",
                "dataAdmin",
                "dataUpdate ",
                "domainAdmin",
                "domainUpdate",
                "domainUser",
                "dialcodeAdmin",
                "dialcodeUpdate",
                "appAdmin",
                "appUpdate"
                ]
            }
            }
        }
    }
    }
}

Implementation details

Creating a consumer

• Register a consumer

  • username={username} // Unique & unmodifiable name

Request:

POST /v1/consumer/create

{
   "id":"ekstep.api.consumer.create",
   "ver":"1.0",
   "ets":1489054878488,
   "params":{
      "msgid":""
   },
   "request":{
      "username":"",
      "group":"sunbird_adopter"
   }
}


Response:

{
  "id": "ekstep.api.consumer.create",
  "ver": "1.0",
  "ets": 1489054878488,
  "params": {
    status: "",
    err: "",
    errmsg: "",
    msgid: "",
    resmsgid: "",
  }
  "result": {
    key: "", //the key generated to uniquely identify the consumer
    secret: "" //secret for signing the token.
    jwt: "" // jwt token created using key and secret
    username: "",
  }
}

Error codes

• INTERNAL_ERROR: Unknown/Unhandled error (equivalent HTTP 500)

• CONSUMER_GET_ERROR: Error when getting existing consumer
  CONSUMER_DUPLICATE_ERROR: Error when creating consumer if consumer already exist with same username

• GROUP_ASSIGN_ERROR: Error when assigning a consumer to the default group

• CREATE_CREDENTIAL_ERROR: Error when creating a credential

• BAD_REQUEST

  : Invalid request. Following are the reasons for this error

  • JSON is not parsable

  • mandatory fields missing (username)

  • username has space

  • username is of type UUID (Due to Kong limitation, the username cannot be UUID)

Configure the access control for a consumer

• Attaching consumer to the group(s)

  • groups={list-of-group-names}

Get consumer details

Request:

POST /v1/consumer/{consumer_name}/read

{
  "id": "ekstep.api.consumer.read",
  "ver": "1.0",
  "ets": 1489054878488
  "params": {
    msgid: "",
 }
}

Response:

{
  "id": "ekstep.api.consumer.read",
  "ver": "1.0",
  "ets": 1489054878488
  "params": {
    status: "",
    err: "",
    errmsg: "",
    msgid: "",
    resmsgid: "",
  },
  "result": {
    username: "",
    groups: ["contentUser", "contentAdmin"]
  }
}

Delete consumer

Request:

POST /v1/consumer/{consumer_name}/delete

{
  "id": "ekstep.api.consumer.delete",
  "ver": "1.0",
  "ets": 1489054878488
  "params": {
    msgid: "",
 }
}

Response:

{
  "id": "ekstep.api.consumer.read",
  "ver": "1.0",
  "ets": 1489054878488
  "params": {
    status: "",
    err: "",
    errmsg: "",
    msgid: "",
    resmsgid: "",
  }
}

Protect these API’s from public access

We can do this using JWT and giving these API’s access to the particular consumer.

Implementation

• Onboard the new consumer. E.g sunbirdAdmin

• Add the ACL to these API’s. E.g consumerAdmin

• Give this ACL access to sunbirdAdmin.