address review comments
Signed-off-by: ac892247 <[email protected]>
achmelo committed Nov 28, 2024
1 parent 90de9de commit 792ff26
Showing 6 changed files with 15 additions and 11 deletions.
3 changes: 2 additions & 1 deletion docs/diagrams/apiml-oidc-auth-no-mf-id-seq.puml
Expand Up @@ -8,7 +8,7 @@ actor OIDC as OIDC
actor "API ML GW" as GW

User -> Agent: Do stuff
Agent -> GW: Open Client App
Agent -> GW: /gateway/oauth2/authorization/<provider-id>
GW -> OIDC: Initiate OIDC flow [client_id, client_secret]
loop [MFA]
OIDC -> Agent: Request user credentials
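Review bot: replacing `Agent -> GW: Open Client App` with the bare path `/gateway/oauth2/authorization/<provider-id>` drops the user-visible action from the diagram, so a reader no longer sees what triggers the redirect; consider keeping both, e.g. `Agent -> GW: Open Client App (GET /gateway/oauth2/authorization/<provider-id>)`. The `<provider-id>` placeholder also appears here for the first time and none of the documentation hunks in this commit define it, so the article should state which configured value it stands for.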
Expand All @@ -27,6 +27,7 @@ GW -> GW: Cache access token validity
GW -> SAF: Map distributed ID to mainframe ID
SAF -> GW: No mapping exists for distributed ID
GW -> Service: call API service with OIDC-token
Service -> Service: Validate access token
Service --> GW: return Response
end
GW --> Agent: Response
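Review bot: the added `Service -> Service: Validate access token` step makes the downstream service the component that decides whether a token with no SAF mapping is accepted, yet neither the diagram nor the article hunks say what the service validates it against (issuer, signature, audience, expiry). In this branch the Gateway asserts no mainframe identity and only forwards the bearer token in the `OIDC-token` header, so the article should spell out that requirement for services that opt into the flow, and the diagram could label the step with the check that is actually performed.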
3 changes: 2 additions & 1 deletion docs/diagrams/apiml-oidc-auth-seq.puml
Expand Up @@ -8,7 +8,7 @@ actor OIDC as OIDC
actor "API ML GW" as GW

User -> Agent: Do stuff
Agent -> GW: Open Client App
Agent -> GW: /gateway/oauth2/authorization/<provider-id>
GW -> OIDC: Initiate OIDC flow [client_id, client_secret]
loop [MFA]
OIDC -> Agent: Request user credentials
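Review bot: this hunk makes the same label change as in `apiml-oidc-auth-no-mf-id-seq.puml`, which keeps the two diagrams' opening sequence identical, but the article text changed in this same commit (`api-mediation-oidc-authentication.md`) still describes the flow only from the point where the provider issues the token. Add one sentence to the Authentication Flow section saying that the flow starts with the user agent requesting `/gateway/oauth2/authorization/<provider-id>` on the Gateway, so the prose and both diagrams agree on the first step.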
Expand All @@ -27,6 +27,7 @@ GW -> GW: Cache access token validity
GW -> SAF: Map distributed ID to mainframe ID
GW -> GW: Create Zowe JWT
GW -> Service: call API service with Zowe JWT
Service -> Service: Validate JWT
Service --> GW: return Response
end
GW --> Agent: Response
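Review bot: the added `Service -> Service: Validate JWT` step, together with the unchanged `GW -> GW: Create Zowe JWT`, shows only the Zowe JWT scheme, while the article text in this same commit says the Gateway creates credentials "e.g. JWT, PassTicket" according to the service's authentication schema configuration. Either caption the diagram as the Zowe JWT case or generalize the two labels (for example `Create service credentials per auth scheme` and `Validate credentials`) so the diagram does not contradict the prose.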
8 changes: 2 additions & 6 deletions docs/extend/extend-apiml/api-mediation-oidc-authentication.md
Expand Up @@ -13,10 +13,6 @@ This configuration is useful in advanced deployments of Zowe where client applic

This article details the API ML OIDC authentication functionality, and how to configure the OIDC Authentication feature.

:::note
The OIDC feature is currently unavailable on ACF2 systems.
:::

- [Usage](#usage)
- [Authentication flow](#authentication-flow)
- [Prerequisites](#prerequisites)
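Review bot: the removed `:::note` block stating that OIDC is unavailable on ACF2 systems is a published limitation, and the commit message ("address review comments") gives no reason for dropping it. If ACF2 is now supported, say so in the Prerequisites section or a release note; if it is still unsupported or untested, keep the admonition, because removing it silently reads as a capability claim.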
Expand All @@ -31,7 +27,7 @@ After successful user login, the OIDC provider grants the client application a J
Access token is then returned to the user agent in the "apimlAuthenticationToken" cookie.
The user agent can pass this Access Token with subsequent requests to mainframe services routed through the API ML Gateway.
The API ML Gateway then validates the OIDC Access Token. If the token is valid, the user identity from that token is mapped to the mainframe identity of the user.
The API ML Gateway can then create mainframe user credentials (e.g. JWT, PassTicket) according to the service's authentication schema configuration.
The API ML Gateway can then create mainframe user credentials (e.g. JWT, PassTicket) according to the service's authentication schema configuration or forward valid OIDC access token in case of missing user mapping.
The request is routed to the target API services with correct mainframe user credentials.

## Authentication Flow
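Review bot: the new wording `or forward valid OIDC access token in case of missing user mapping` is missing articles and is hard to parse; suggest `or, when no mainframe user mapping exists, forward the validated OIDC access token to the service`. The unchanged next sentence, `The request is routed to the target API services with correct mainframe user credentials`, is now wrong for that branch, since no mainframe credentials exist; qualify it (`...with mainframe user credentials, or with the OIDC access token when no mapping exists`) and note that the receiving service must validate the token itself.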
Expand Down Expand Up @@ -74,7 +70,7 @@ The following diagram illustrates the interactions between the participants of t
- The URL to the specific authorization server's UserInfo endpoint should be set using the property `components.gateway.apiml.security.oidc.userInfo.uri`. If the access token is validated, the outcome is cached for a short time (20 sec by default).
- The caching interval is configurable with a default value of 20 seconds, which is typically a sufficient amount of time to allow most client operations requiring multiple API requests to complete, while also providing adequate protection against unauthorized access.
- The API ML Gateway fetches the distributed user identity from the distributed access token and request mainframe identity using SAF. SAF replies with empty user ID message.
- The API ML Gateway calls the requested mainframe service/s with the access token in the OIDC-token header.
- The API ML Gateway calls the requested mainframe service/s with the access token in the `OIDC-token` header.

## Prerequisites

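Review bot: formatting `OIDC-token` as code is fine, but the bullet still does not say who is allowed to populate that header. Document whether the Gateway sets `OIDC-token` only after its own validation and replaces any same-named header arriving from the client, so service authors know they are receiving a Gateway-vetted value rather than an arbitrary inbound header. While here, the unchanged preceding bullet has two grammar slips: `and request mainframe identity using SAF` should read `and requests the mainframe identity using SAF`, and `SAF replies with empty user ID message` should read `SAF replies with an empty user ID`.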
Binary file modified docs/images/api-mediation/apiml-oidc-auth-no-mf-id-seq.png
Binary file modified docs/images/api-mediation/apiml-oidc-auth-seq.png
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@ in isolated sysplex environments. Data from the Central Discovery Service can th

Follow these steps to register with additional Discovery Services:

1. Open the `zowe.yaml` configuration file.
2. Add the property `components.gateway.apiml.service.additionalRegistration` and set the value to a list of Discovery service clusters to additional Disovery Services.
1. Open the `zowe.yaml` configuration file.
2. Add the property `components.gateway.apiml.service.additionalRegistration` and set the value to a list of Discovery service clusters to additional Disovery Services.

**Example:**
```
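Review bot: steps 1 and 2 are shown as replaced by lines with identical text, so the change is presumably indentation or trailing whitespace only; say so in the commit message, and use the opportunity to fix the typo `Disovery Services` -> `Discovery Services` in step 2, which survives unchanged in the new line. The step also reads awkwardly (`a list of Discovery service clusters to additional Disovery Services`); `a list of the additional Discovery Service clusters to register with` is clearer.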
Expand All @@ -18,4 +18,10 @@ Follow these steps to register with additional Discovery Services:
<!-- APIML on System 3 -->
- discoveryServiceUrls: https://sys3:10011/eureka/,https://sys3:10021/eureka/
```
3. Restart Zowe.
3. Add property `components.gateway.apimlId` and set the value to a unique string to identify gateway for routing.
**Example:**
```
components.gateway.apimlId: apiml1
```
4. Restart Zowe.
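Review bot: the new step 3, `Add property components.gateway.apimlId and set the value to a unique string to identify gateway for routing`, does not state the scope of uniqueness; since the surrounding text is about registering one Gateway with several Discovery Services, say that the value must be unique across every Gateway registering with the same Central Discovery Service, and what happens when two Gateways share a value. The example `components.gateway.apimlId: apiml1` is written as a flattened dotted key, whereas the example above it shows the nested `zowe.yaml` structure; pick one style for both. Minor wording: `Add the property` and `identify the Gateway`.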
