Hi all,
I've set up an OCI API Gateway in front of my ORDS REST APIs, and I’m using JWT for authentication (not ORDS’ internal OAuth server, so I don’t have any ORDS clients defined).
This setup works fine. In the API Gateway, I’ve defined two scopes: person.read and person.write. I’d like to use these scopes to control access to certain endpoints in the API Gateway and map these to ORDS Privileges.
Here’s how things are set up:
ORDS
- ORDS-enabled schema: ORDSTEST
- ORDS-JWT Profile Created
BEGIN
OAUTH_ADMIN.DELETE_JWT_PROFILE('ordstest');
OAUTH_ADMIN.CREATE_JWT_PROFILE(
p_schema => 'ordstest',
p_issuer => 'https://identity.oraclecloud.com/',
p_audience => 'app/ordstest/',
p_jwk_url =>'https://idcs_url:443/admin/v1/SigningCert/jwk'
);
COMMIT;
END;
/
- IDCS Confidential Apps (Resource Server and Clients) to handle JWT Authentication and issue Bearer Tokens
- ORDS module: person (has multiple templates and handlers)
- ORDS privileges: person.read and person.write

My issue is: how do I assign both person.read and person.write privileges to the person module without using ORDS clients?
With ORDS clients, I understand that privileges are assigned via roles, and roles are linked to clients. But since I’m using JWTs issued by IDCS, not ORDS, I don't have clients to configure.
If there's no way to directly map multiple ORDS privileges to JWT scopes, I guess I can just use a single ORDS privilege like person_access and enforce finer-grained scope checks at the API Gateway level. But I was hoping for a more direct mapping between APIGW scopes and ORDS privileges.
Any ideas or guidance would be much appreciated!
Thanks in advance.
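As an added example (not part of the original post, and not ORDS, IDCS or API Gateway code): a small offline claim-inspection script in Python that takes a bearer token, checks its iss and aud against the values in the JWT profile above, and reports whether its scope claim carries a given ORDS privilege name. It rests on one stated assumption: that ORDS authorizes a JWT-protected resource by looking for the privilege name among the values of the token's scope claim, so a token meant to reach a handler protected by person.write must carry that exact string as a scope. The token it builds is constructed here with a placeholder signature purely to exercise the checks; the script deliberately does not verify signatures, which is what p_jwk_url in the profile is for, so it is a debugging aid for the scope-to-privilege mapping, not an authorization check.

```python
import base64
import json
import time

# Values copied from the ORDS JWT profile in the post.
PROFILE_ISSUER = "https://identity.oraclecloud.com/"
PROFILE_AUDIENCE = "app/ordstest/"

# ORDS privilege names from the post. Assumption of this example: ORDS
# grants access when the privilege name appears in the token's scope claim.
ORDS_PRIVILEGES = {"person.read", "person.write"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def _scopes(claims: dict) -> set:
    # IDCS-style tokens carry scope as a space-separated string; some
    # issuers use a JSON array. Accept both.
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def check_token_for_privilege(token: str, privilege: str, now: float = None) -> list:
    """Return a list of mismatches between the token and the ORDS profile.

    An empty list means the token would pass the issuer, audience, expiry
    and scope checks for the given privilege (signature not checked here).
    """
    if privilege not in ORDS_PRIVILEGES:
        raise ValueError(f"unknown ORDS privilege: {privilege}")
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != PROFILE_ISSUER:
        problems.append(f"iss {claims.get('iss')!r} != profile issuer")

    # aud may be a single string or a list of audiences.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if PROFILE_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} does not include profile audience")

    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")

    if privilege not in _scopes(claims):
        problems.append(f"scope claim lacks {privilege!r}: has {sorted(_scopes(claims))}")
    return problems


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned test token (constructed sample; signature is a placeholder)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


if __name__ == "__main__":
    # Constructed sample resembling what the gateway would forward to ORDS.
    sample = make_constructed_token({
        "iss": PROFILE_ISSUER,
        "aud": [PROFILE_AUDIENCE],
        "exp": int(time.time()) + 600,
        "scope": "person.read",
    })
    for priv in sorted(ORDS_PRIVILEGES):
        print(priv, check_token_for_privilege(sample, priv) or "ok")
```

Running it against a token that the gateway has actually forwarded (copied from a request log, never from production traffic you are not entitled to inspect) shows at a glance whether the scope strings the gateway issues line up with the privilege names ORDS expects, which is the first thing to rule out before changing the ORDS side.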