solo-io / gloo-portal-issues

Public tracker for issues related to Gloo Portal
https://docs.solo.io/gloo-portal/latest/

Support multiple usage plans for an API Product when using OAuth authPolicy #184

Closed ashpost closed 1 year ago

ashpost commented 1 year ago

API Products support multiple usage plans when using ApiKey as authPolicy, but are limited to a single usage plan when using OAuth. We would like the ability to use OAuth as an authentication method for API clients and use API keys to associate the client with one of multiple usage plans on an API Product.

It looks like this can be achieved by using our existing customAuthConfig support in combination with the existing ApiKey usage plan support. Given the following OAuth AuthConfig:

```yaml
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: oauth-config
  namespace: gloo-system
spec:
  configs:
  - name: basic_oauth
    oauth2:
      accessTokenValidation:
        jwt:
          issuer: http://dex.dex.svc.cluster.local:32000/
          remoteJwks:
            refreshInterval: 60s
            url: http://dex.dex.svc.cluster.local:32000/keys
```

An API Product can be configured to use both ApiKey and OAuth with the following:

```yaml
usagePlans:
  tier1:
    authPolicy:
      apiKey: {}
    customAuthConfig:
      name: oauth-config
      namespace: gloo-system
    displayName: Tier 1 plan using OAuth and ApiKey
    rateLimit:
      requestsPerUnit: 3
      unit: MINUTE
  tier2:
    authPolicy:
      apiKey: {}
    customAuthConfig:
      name: oauth-config
      namespace: gloo-system
    displayName: Tier 2 plan using OAuth and ApiKey
    rateLimit:
      requestsPerUnit: 30
      unit: MINUTE
```

We will also need an update to Developer Portal to recognize usage plans that are using both ApiKey and OAuth together via customAuthConfig. One gap area right now is that OAuth Usage Plans in Portal currently expose two additional fields to facilitate generating auth tokens from within the Dev Portal UI:

Not clear where Dev Portal will get these values with the approach proposed above.
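An added preflight check for the layout proposed above (example code written for this page, not part of Gloo Portal or the issue). It models the AuthConfig and usagePlans from the issue as plain dicts (what a YAML loader would produce; constructed here so it runs offline) and verifies that every plan uses an ApiKey authPolicy, that its customAuthConfig resolves to an AuthConfig with an oauth2 entry that validates access tokens, and that no plan falls back to a direct OAuth authPolicy when more than one plan exists, since the issue states that layout only supports a single plan.

```python
# Constructed sample data mirroring the issue's manifests, as Python dicts
# (the shape yaml.safe_load would give for the AuthConfig and usagePlans).
AUTH_CONFIGS = {
    ("gloo-system", "oauth-config"): {"configs": [{
        "name": "basic_oauth",
        "oauth2": {"accessTokenValidation": {"jwt": {
            "issuer": "http://dex.dex.svc.cluster.local:32000/",
            "remoteJwks": {"refreshInterval": "60s",
                           "url": "http://dex.dex.svc.cluster.local:32000/keys"}}}},
    }]},
}

def plan(requests_per_minute):
    """Build one usage plan in the ApiKey + customAuthConfig layout from the issue."""
    return {"authPolicy": {"apiKey": {}},
            "customAuthConfig": {"name": "oauth-config", "namespace": "gloo-system"},
            "rateLimit": {"requestsPerUnit": requests_per_minute, "unit": "MINUTE"}}

USAGE_PLANS = {"tier1": plan(3), "tier2": plan(30)}

def check_usage_plans(plans, auth_configs):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    direct_oauth = [n for n, p in plans.items() if "oauth" in p.get("authPolicy", {})]
    if len(plans) > 1 and direct_oauth:
        # Per the issue, a direct OAuth authPolicy is limited to a single usage plan.
        problems.append(f"OAuth authPolicy supports a single usage plan: {direct_oauth}")
    for name, p in plans.items():
        if p.get("rateLimit", {}).get("requestsPerUnit", 0) <= 0:
            problems.append(f"{name}: rateLimit.requestsPerUnit must be positive")
        policy = p.get("authPolicy", {})
        if "oauth" in policy:
            continue  # direct OAuth plan; it does not use customAuthConfig
        if "apiKey" not in policy:
            problems.append(f"{name}: authPolicy must be apiKey so the key selects the plan")
        ref = p.get("customAuthConfig")
        if not ref:
            problems.append(f"{name}: no customAuthConfig, so OAuth is not enforced")
            continue
        ac = auth_configs.get((ref.get("namespace"), ref.get("name")))
        if ac is None:
            problems.append(f"{name}: customAuthConfig {ref} does not resolve")
        elif not any("accessTokenValidation" in c.get("oauth2", {}) for c in ac["configs"]):
            problems.append(f"{name}: AuthConfig has no oauth2 entry with accessTokenValidation")
    return problems

if __name__ == "__main__":
    for line in check_usage_plans(USAGE_PLANS, AUTH_CONFIGS) or ["usage plans are consistent"]:
        print(line)
```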

chrisgaun commented 1 year ago

We will add a third option of OAuth AND API key.

kcbabo commented 1 year ago

Updated issue description and title to better reflect the scope of work and proposed approach.

bewebi commented 1 year ago

> One gap area right now is that OAuth Usage Plans in Portal currently expose two additional fields to facilitate generating auth tokens from within the Dev Portal UI

I think we can bridge this gap by adding oauthAuthorizationUrl and oauthTokenUrl to the ProductSelector and applying those if any OAuth configs are found to apply to the selected Products (whether via OAuth AuthPolicy directly or via CustomAuthConfig).

This may have the side effect of allowing us to facilitate multiple UsagePlans with OAuth AuthPolicies, though this requires more investigation on my part and is not really in scope for this ask, since I understand that the customer's use case is to have both API Key and OAuth.

bewebi commented 1 year ago

This is released in 1.3.0-beta22