diff --git a/docs/diagrams/apiml-oidc-auth-no-mf-id-seq.puml b/docs/diagrams/apiml-oidc-auth-no-mf-id-seq.puml deleted file mode 100644 index 096e8b1177..0000000000 --- a/docs/diagrams/apiml-oidc-auth-no-mf-id-seq.puml +++ /dev/null @@ -1,36 +0,0 @@ -@startuml -'https://plantuml.com/sequence-diagram - -autonumber -actor User -actor "User Agent" as Agent -actor OIDC as OIDC -actor "API ML GW" as GW - -User -> Agent: Do stuff -Agent -> GW: /gateway/oauth2/authorization/ -GW -> OIDC: Initiate OIDC flow [client_id, client_secret] -loop [MFA] -OIDC -> Agent: Request user credentials -User <-> Agent: Provide credentials -Agent -> OIDC: Validate credentials -end -OIDC --> GW: Return Auth Code / JWTs[access,refresh,identity] -GW -> Agent: set-cookie access token -Agent -> GW: Request resources [access token] -group validate -GW -> GW: Validate access token -GW -> OIDC: Validate access token -end -alt Validation success -GW -> GW: Cache access token validity -GW -> SAF: Map distributed ID to mainframe ID -SAF -> GW: No mapping exists for distributed ID -GW -> Service: call API service with OIDC-token -Service -> Service: Validate access token -Service --> GW: return Response -end -GW --> Agent: Response - - -@enduml \ No newline at end of file diff --git a/docs/diagrams/apiml-oidc-auth-seq.puml b/docs/diagrams/apiml-oidc-auth-seq.puml index e90032b3f9..2545d4839f 100644 --- a/docs/diagrams/apiml-oidc-auth-seq.puml +++ b/docs/diagrams/apiml-oidc-auth-seq.puml @@ -10,7 +10,7 @@ actor "API ML GW" as GW User -> Agent: Do stuff Agent -> GW: /gateway/oauth2/authorization/ GW -> OIDC: Initiate OIDC flow [client_id, client_secret] -loop [MFA] +group MFA OIDC -> Agent: Request user credentials User <-> Agent: Provide credentials Agent -> OIDC: Validate credentials 
@@ -18,18 +18,22 @@ end OIDC --> GW: Return Auth Code / JWTs[access,refresh,identity] GW -> Agent: set-cookie access token Agent -> GW: Request resources [access token] -group validate GW -> GW: Validate access token -GW -> OIDC: Validate access token -end -alt Validation success GW -> GW: Cache access token validity +group map user GW -> SAF: Map distributed ID to mainframe ID +end +alt mapping success GW -> GW: Create Zowe JWT GW -> Service: call API service with Zowe JWT Service -> Service: Validate JWT Service --> GW: return Response end +alt mapping failure +GW -> Service: call API service with access token +Service -> Service: Validate access token +Service --> GW: return Response +end GW --> Agent: Response diff --git a/docs/extend/extend-apiml/api-mediation-oidc-authentication.md b/docs/extend/extend-apiml/api-mediation-oidc-authentication.md index 2d8ea735ac..ce5e4b4a15 100644 --- a/docs/extend/extend-apiml/api-mediation-oidc-authentication.md +++ b/docs/extend/extend-apiml/api-mediation-oidc-authentication.md 
@@ -54,31 +54,12 @@ The following diagram illustrates the interactions between the participants of t **Note:** The URL to the specific authorization server's `UserInfo` endpoint should be set using the property `components.gateway.apiml.security.oidc.userInfo.uri`. +**When user mapping exists** + 6. The API ML Gateway fetches the distributed user identity from the distributed access token and maps this user identity to the user mainframe identity using SAF. 7. The API ML Gateway calls the requested mainframe service/s with mainframe user credentials (Zowe JWT, SAF IDT, or PassTicket) which are expected by the target mainframe service. -## Authentication Flow when no user mapping exists - -The following diagram illustrates the interactions between the participants of the OIDC based API ML authentication process when the distributed user is not mapped to the mainframe ID. - -![APIML OIDC Workflow](../../images/api-mediation/apiml-oidc-auth-no-mf-id-seq.png) - -### Workflow description when distributed user not mapped to mainframe ID - -1. When a user wants to access mainframe resources or services using the client application without valid authentication or an access token, the client redirects the user agent to the login end-point of the distributed OIDC provider. -2. The user is asked to provide valid credentials (authentication factors). -3. After successful validation of all authentication factors, the OIDC provider grants the client an Access Token. -4. The user agent can then request from API ML Gateway the needed mainframe resources presenting the access token in the request. -5. The Gateway validates the access token in two ways: - 1. By cryptographically validating the token using the public key retrieved from the authorization server's JSON Web Key Set(JWKS) endpoint, matching the token's key ID with the key IDs provided. (`components.gateway.apiml.security.oidc.validationType: JWK`). 
- - **Note:** The URL to the specific authorization server's JWKS endpoint should be set using the property `components.gateway.apiml.security.oidc.jwks.uri`. - - **Note:** The interval can be set using the property `components.gateway.apiml.security.oidc.jwks.refreshInternalHours` (The default value is one hour). - - 2. By querying the `UserInfo` endpoint to verify the token's validity and retrieve user information (`components.gateway.apiml.security.oidc.validationType: endpoint`). - - **Note:** The URL to the specific authorization server's `UserInfo` endpoint should be set using the property `components.gateway.apiml.security.oidc.userInfo.uri`. +**When user mapping does not exist** 6. The API ML Gateway fetches the distributed user identity from the distributed access token and request mainframe identity using SAF. SAF replies with empty user ID message. 7. The API ML Gateway calls the requested mainframe service/s with the access token in the OIDC-token header. diff --git a/docs/images/api-mediation/apiml-oidc-auth-no-mf-id-seq.png b/docs/images/api-mediation/apiml-oidc-auth-no-mf-id-seq.png deleted file mode 100644 index 97e546b182..0000000000 Binary files a/docs/images/api-mediation/apiml-oidc-auth-no-mf-id-seq.png and /dev/null differ diff --git a/docs/images/api-mediation/apiml-oidc-auth-seq.png b/docs/images/api-mediation/apiml-oidc-auth-seq.png index 0fac37e5d2..2b6d97c3f1 100644 Binary files a/docs/images/api-mediation/apiml-oidc-auth-seq.png and b/docs/images/api-mediation/apiml-oidc-auth-seq.png differ
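Review bot: In the second `apiml-oidc-auth-seq.puml` hunk, removing `GW -> OIDC: Validate access token` together with the `group validate` block makes the diagram inconsistent with the documentation it illustrates, which still lists two validation types for the Gateway (`validationType: JWK`, a local check against the JWKS keys, and `validationType: endpoint`, a call to the provider's `UserInfo` endpoint); the diagram now shows only a local `GW -> GW: Validate access token`. Keep a `GW -> OIDC` message for the endpoint case (or label the local step so that both modes are covered), and since `alt Validation success` was dropped, the `Cache access token validity` step and everything after it now read as unconditional; a failed validation branch is worth showing explicitly. Two further points on the same hunk: the two outcomes of mapping are drawn as separate `alt mapping success ... end` and `alt mapping failure ... end` blocks, whereas PlantUML expresses mutually exclusive branches as one `alt mapping success ... else mapping failure ... end`; and the deleted `apiml-oidc-auth-no-mf-id-seq.puml` carried a reply line `SAF -> GW: No mapping exists for distributed ID` that the new `group map user` block loses, so add a `SAF --> GW` reply so the reader sees where the success/failure decision comes from.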
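Review bot: In the `api-mediation-oidc-authentication.md` hunk, the added step 6 under `**When user mapping does not exist**` has a subject-verb mismatch and a missing article: `fetches the distributed user identity from the distributed access token and request mainframe identity using SAF. SAF replies with empty user ID message.` should read `... and requests the mainframe identity using SAF. SAF replies with an empty user ID message.` Also, the two bold labels are inserted between list items 5 and 6 of a numbered list; the explicit `6.` keeps the numbering in CommonMark, but confirm in the rendered page that the list does not restart at 1, and consider whether these labels should be `###` headings to match the existing `### Workflow description ...` style in this file. Finally, the removed lines are the only visible copy of the note mentioning `components.gateway.apiml.security.oidc.jwks.refreshInternalHours`; if the retained section above this hunk repeats that note, check that the property name there is the one actually read by the Gateway (`Internal` looks like a typo for `Interval`), since that copy is now the sole reference.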