Securing your APIs using user roles driven by SAP Cloud Business Rules
Hi experts,
I have started my path with APIs, and I want to share my experience securing APIs using RBAC.
Before anything, a few clarifications:
- APIM–>API Management
- ROPG–>Resource Owner Password Grant
- OIDC–>OpenID Connect
- RBAC–>Role Based Access Control
- SCBR–>SAP Cloud Business Rules
As you may know, users are assigned to roles (groups) in the IdP to restrict access, and API resources are assigned to scopes to restrict consumption, but out of the box these two concepts are not connected at all: the IdP knows nothing about the API's scopes, and the API gateway never evaluates the user's roles.
In complex scenarios you may need to secure API resources based on user roles, and the main question is "how to do it?". My personal answer is to use SCBR to translate user roles into allowed scopes when the access token is issued, so the secured API only has to check scopes, as it normally does.
DEMO:
- IdP: Okta, to handle user authentication (OIDC APIs).
- APIM:
  - OAuth API: authenticate the user, translate user roles to scopes and generate access tokens.
  - Secured API: verify the token and the custom scopes.
- SCBR: handle the translation between user roles and custom scopes.
- Okta user & roles:
- SAP Cloud Business Rules:
- OAuth API Policies:
- Authenticate the user in the IdP using OIDC via ROPG (note that ROPG hands the user's password to the API proxy and is discouraged by the OAuth 2.0 Security Best Current Practice; it keeps this demo simple, but an authorization-code flow is preferable in production)
- Get Groups from JWT
- Generate request payload for SCBR
- Get X-CSRF-Token for SCBR
- Call to SCBR API to get the scopes
- Parse the scopes
- Generate token including allowed scopes
-Secured API resources:
BusinessPartnerSet resource:
ProductSet resource:
Policies in PreFlow:
- Verify OAuth token & get custom scopes attached to it
- Generate dynamic scope and validate it
- Raise exception if the scope is not allowed
Testing
Let's see it in action when the token's scopes do not allow the requested resource:
Debugging OAuth API:
SCBR request:
SCBR response:
Debugging secured API:
Verify Token Policy:
JS Policy:
Raise Exception Policy:
As you can see, it is possible to handle scopes dynamically in your APIs based on user roles.
Don't forget to be curious.
Kind Regards.
Max.
Thanks Max,
Very cool walk-through, thank you for showcasing the art of the possible for role-based access control!
Any thoughts about writing out some more details for users who want to replicate such a scenario themselves?
Regards,
Elijah
Hi Elijah,
Not really, I need free time to do it, and I have in mind to write another blog related to this topic & two-way SSL, but again I don't have much free time these days; if you or someone else have any specific question, let me know.
Kind Regards.
Max.