Establish Handshake with LH API (Part 2)

[jason-gcio]

Background

Now that Platform has finally told us that generating the keys is our duty (and storing them in AWS Parameter Store) (thanks to Jeremy B.), we can continue with the technicals.

Tasks

• [x] Send public JWK over to LH/api@va.gov
• [x] Get client ID back from LH
• [x] Make a cURL request (GET current PoA) using Sandbox user

Acceptance Criteria

• [x] We will be able to hit LH's sandbox and test endpoint connectivity (via cURL)

Spike Braindump

There are several steps in making an API request. At a high level they are:

1. Create a JWT
2. Sign the JWT with your private key
3. Using the signed JWT (called a client assertion), request an access token from LH's token service
4. Take that access token and include in the Authorization header for Benefits-Claims API requests

The above steps in more granularity

• create JWT with following claims:
  • iss, sub, aud,exp,
  • example code:

    payload =       {
    iss: 'INSERT CLIENT ID HERE',
    sub: 'INSERT CLIENT ID HERE',
    aud: 'https://deptva-eval.okta.com/oauth2/ausdg7guis2TYDlFe2p7/v1/token',
    exp: 15.minutes.from_now.to_i
    }

• create key to sign JWT: rsa_key = OpenSSL::PKey::RSA.new(File.read('/path/to/private_key.pem'))
• sign JWT using private rsa_key, which you will then use as your client assertion when requesting an access token

  token = JWT.encode(payload, rsa_key, 'RS256')

• send client assertion in request for access token:

  curl --location --request POST 'https://sandbox-api.va.gov/oauth2/claims/system/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={{signed-assertion-here}}' \
  --data-urlencode 'scope=claim.read claim.write'

That will return a response similar to this:

{"access_token":"eyJraWQiOiJFSVJKTm12Ykk3eUJwbXJzRDg2R09kYTlUa2FNNS16US1mZlMwYzRhRllBIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjk1ZEgxSXZmU3lZOThlZFZMMW1EZGRDeTBaZzhoSWZFN19iVmdoQzlTWnMiLCJpc3MiOiJodHRwczovL2RlcHR2YS1ldmFsLm9rdGEuY29tL29hdXRoMi9hdXNkZzdndWlzMlRZRGxGZTJwNyIsImF1ZCI6Imh0dHBzOi8vc2FuZGJveC1hcGkudmEuZ292L3NlcnZpY2VzL2NsYWltcyIsImlhdCI6MTY0MjUyNDExNiwiZXhwIjoxNjQyNTI0NDE2LCJjaWQiOiIwb2FlZnljZWF5bWNYODhqOTJwNyIsInNjcCI6WyJjbGFpbS53cml0ZSIsImNsYWltLnJlYWQiXSwic3ViIjoiMG9hZWZ5Y2VheW1jWDg4ajkycDcifQ.ZdTnlAP4rEStVDPB3dy20bs9Pzo6AnOoeZgJ_ow74cNF_0cPnkSnM-Wcuw4yS1DIO9-XqBBsvrPpZ6VD2DMbkWL6qDk5_vfGy1XWKMbPn31-6HPjUeRfIjXP358_fq_0b6YZDEaOG_g7pN4QkwcHJPTpEV8_03VElAKmqLnkxCwcTl7GGnWXsjb_3y6IuoALgiAhIhWcnwsSid4UuCN9gY2iKPhSwz3jkvxLElN92Xz090OEBIrbgdY3pm7B9LZvIwl76rdv01hWF32rzWwPSc4LaI4YoWxH9FzKl-T7NToL8zLz94D6BQhQCszx8z4ZDnt2sEMEOou6i_lxMsD0QQ","token_type":"Bearer","scope":"claim.write claim.read","expires_in":300,"state":null}

Finally, take that access_token and put it inside the Authorization header of a Benefits-Claims API call. For example, to get the veteran's current Rep:

curl -X GET 'https://sandbox-api.va.gov/services/claims/v1/forms/2122/active' \
  --header 'X-VA-SSN: 796127677' \
  --header 'X-VA-First-Name: Janet' \
  --header 'X-VA-Last-Name: Moore' \
  --header 'X-VA-Birth-Date: 1949-05-06' \
  --header 'Authorization: Bearer eyJraWQiOiJFSVJKTm12Ykk3eUJwbXJzRDg2R09kYTlUa2FNNS16US1mZlMwYzRhRllBIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjk1ZEgxSXZmU3lZOThlZFZMMW1EZGRDeTBaZzhoSWZFN19iVmdoQzlTWnMiLCJpc3MiOiJodHRwczovL2RlcHR2YS1ldmFsLm9rdGEuY29tL29hdXRoMi9hdXNkZzdndWlzMlRZRGxGZTJwNyIsImF1ZCI6Imh0dHBzOi8vc2FuZGJveC1hcGkudmEuZ292L3NlcnZpY2VzL2NsYWltcyIsImlhdCI6MTY0MjUyNDExNiwiZXhwIjoxNjQyNTI0NDE2LCJjaWQiOiIwb2FlZnljZWF5bWNYODhqOTJwNyIsInNjcCI6WyJjbGFpbS53cml0ZSIsImNsYWltLnJlYWQiXSwic3ViIjoiMG9hZWZ5Y2VheW1jWDg4ajkycDcifQ.ZdTnlAP4rEStVDPB3dy20bs9Pzo6AnOoeZgJ_ow74cNF_0cPnkSnM-Wcuw4yS1DIO9-XqBBsvrPpZ6VD2DMbkWL6qDk5_vfGy1XWKMbPn31-6HPjUeRfIjXP358_fq_0b6YZDEaOG_g7pN4QkwcHJPTpEV8_03VElAKmqLnkxCwcTl7GGnWXsjb_3y6IuoALgiAhIhWcnwsSid4UuCN9gY2iKPhSwz3jkvxLElN92Xz090OEBIrbgdY3pm7B9LZvIwl76rdv01hWF32rzWwPSc4LaI4YoWxH9FzKl-T7NToL8zLz94D6BQhQCszx8z4ZDnt2sEMEOou6i_lxMsD0QQ'

And that will return whatever response based on the endpoint we are using. For the call above, it would return:

{"data":{"id":null,"type":"claims_api_power_of_attorneys","attributes":{"status":"updated","date_request_accepted":"2022-01-11","representative":{"service_organization":{"first_name":null,"last_name":null,"organization_name":"074 - AMERICAN LEGION","phone_number":null,"poa_code":"074"}},"previous_poa":"095"}}}

Todo's / New Tickets

• [ ] Store private RSA key in AWS Parameter Store and make DevOps PR to pull it into settings.local.yml for corresponding env(s) (staging.va.gov, prod, etc). Staging Example
• [ ] create api client in vets-api
  • store configuration in vets-api settings.yml. example here
  • Duplicate Veterans Health API client and adjust for Benefits-Claims API. There are 3 files under lib/lighthouse/veterans_health/ so create a new folder lib/lighthouse/benefits_claims/ and copy client.rb configuration.rb and jwt_wrapper.rb over. Also copy the client spec spec/lib/lighthouse/veterans_health/client_spec.rb to similar location (spec/lib/lighthouse/benefits_claims/?) and adjust specs to hit new client class, such as Lighthouse::BenefitsClaims::Client. Then run the tests and begin to make them pass.

[RudyOnRails]

@jason-gcio ok, I think I have documented the basics. Let me know if anything is missing or needs tweaking/better-wording.

Should I make tickets for the next steps?