How to Create OAuth 2.0 RSA SHA256 for Google Cloud Platform?

Version 1

    Hello,

    This discussion explains how to connect to the Google Cloud Platform (GCP) from IICS Application Integration.

    It covers the OAuth 2.0 connection using RSA SHA-256 (an RS256-signed JWT bearer assertion for a service account) and then uses the Google Cloud Storage service.

    For more on Google Cloud Platform OAuth 2.0, please visit this link: Using OAuth 2.0 for Server to Server Applications | Google Identity

    That page is referenced below to help create the JSON Web Token that needs to be passed.

    As prerequisites, you will need access to the Google Cloud Platform and to the service account JSON key file, which contains the private key tied to the service account. You will also need to ensure your service account has permission to write to Google Cloud Storage.

    Alright, let's begin!

    1. Setting up the Service & App Connector in Application Integration

    1. In IICS, go to the Application Integration service and Create a new "Service Connector"

    2. Name the connector what you would like, example "GoogleCloudPlatform"

    3. Add two Connection Properties. One called "oauth_url" & another called "storage_url".

    4. In the Actions tab, change the Action Name, example "POST OAuth Token"

    5. On the Input tab, add two Input Fields. One called "grant_type" & another called "assertion". These are parameters and you can make them required if you like. For "grant_type", the Test with value is "urn:ietf:params:oauth:grant-type:jwt-bearer". Our "assertion" value can be generated using jwt.io:

          a. Go to the website http://jwt.io

          b. In the debugger, change the Algorithm to RS256. Leave the red Header as it is.

          c. Change the payload as specified in the GCP OAuth 2.0 documentation. Example:

               {
                 "iss": "example@developer.gserviceaccount.com",
                 "scope": "https://www.googleapis.com/auth/devstorage.read_only",
                 "aud": "https://oauth2.googleapis.com/token",
                 "exp": 1328554385,
                 "iat": 1328550785
               }

          d. iss is the email address of the Google Cloud Platform service account. scope is a space-delimited list of the permissions that the application requests. To explore the permissions that can be used, use this developer tool: https://developers.google.com/oauthplayground/

          e. You can use this website to calculate exp & iat, which are in EPOCH time (seconds): https://www.epochconverter.com/

               1. iat: the time the assertion was issued, specified as seconds since 00:00:00 UTC, January 1, 1970 (1328550785, the smaller number).

               2. exp: the expiration time of the assertion, specified as seconds since 00:00:00 UTC, January 1, 1970. This value can be at most 1 hour after the issued time (1328554385, the bigger number).

          f. Next, get the public and private keys of the service account you used in the iss payload. This hand-made JWT is only for testing the connector; in section 2 the process generates and signs the assertion itself, so for normal operation the key does not need to be pasted into a third-party site.

          g. Go back to jwt.io. Replace the default payload with the payload you changed. In the signature section, replace the public and private keys with the ones used by your service account.

          h. http://jwt.io will update with a full JWT, which is our GCP assertion. Copy the whole jwt.io generated JWT and paste it into the Service Connector input field we created called "assertion". The Test with value will now look something like this:

    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA

    6. On the Binding tab, update the URL. Use the formula button to open a new window. Change the type to XQuery and use the oauth_url Connection Property. Click OK. It should look like this {$oauth_url}

    7. Verb will be POST, Multi Using: "SemiColon separated", Authentication Type: "Custom"

    8. Add a new HTTP Header. Name: Content-Type; Source: application/x-www-form-urlencoded

    9. Binding Type: "Form"

    10. On the Output tab, add a new Output Field. You can name this what you like, example output_access_token. Type: Text, Get From: Property: access_token

    11. On the Test Results tab, Click the green "Test". Our new output_access_token should be displayed and we get a 200 back. If not, do not fret. Check the errors. It could be a simple EPOCH time issue, which means you need to repeat 5e. If not, look up errors online.

    12. Now we will add the Google Cloud Storage API. Add a new Action and give it an Action Name, example POST Storage.

    13. On the Input tab, add 5 new Input Fields, none will be Parameter. Examples: token, project_name, file_name, uploadType, & input_payload.

    14. On the Binding tab, update the URL. Use the formula button to open a new window. Change the type to XQuery. Use the Connection Property storage_url, then add project_name, file_name and uploadType. Click OK. Result example: {$storage_url}{$project_name}{$file_name}{$uploadType}

    15. Verb will be POST, Multi Using: "Semicolon separated", Authentication Type: "Custom"

    16. Add 3 new HTTP Headers. Authorization: {fn:concat("Bearer ",$token )}, Content-Type: application/json, Accept: application/json

    17. Binding Type: Custom; Body: {$input_payload}

    18. On the Output tab, add a new Output Field. You can name this what you like, example output. Type: Text, Get From: Property: id

    19. First Save, then Publish.

    20. Create a new App Connector. Name this as you wish, example "GoogleCloudPlatform". In Type drop down, look for the newly published Google Cloud Platform Service Connector.

    21. After the App Connector updates, set the storage_url to https://storage.googleapis.com/upload/storage/v1/b/ and the oauth_url to https://oauth2.googleapis.com/token

        First Save, then Publish.
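The two connector actions above come down to two HTTP calls: a form-encoded POST of grant_type and assertion to oauth_url, and a media upload to storage_url with the access token in a Bearer header. The Go functions below are an added illustration written for this article, not code from the article or from IICS; they build both requests (without sending them) so the bindings can be checked against them. They assume the bucket is passed without the trailing slash that the article's project_name example ("dev-bucket/") carries, and they percent-encode the object name instead of concatenating it raw.

```go
package main

import (
	"bytes"
	"net/http"
	"net/url"
	"strings"
)

// TokenRequest builds the call the "POST OAuth Token" action makes: a
// form-encoded POST to oauth_url carrying grant_type and the signed assertion.
func TokenRequest(oauthURL, assertion string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	form.Set("assertion", assertion)
	req, err := http.NewRequest(http.MethodPost, oauthURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// UploadRequest builds the call the "POST Storage" action makes:
// {storage_url}{bucket}/o?name=<object>&uploadType=media with a Bearer token.
// Unlike the raw string concatenation in the binding, the bucket and object
// name are percent-encoded here, so a name containing '&', '#' or spaces
// cannot alter the path or add query parameters.
func UploadRequest(storageURL, bucket, object, token string, payload []byte) (*http.Request, error) {
	q := url.Values{}
	q.Set("name", object)
	q.Set("uploadType", "media")
	req, err := http.NewRequest(http.MethodPost,
		storageURL+url.PathEscape(bucket)+"/o?"+q.Encode(), bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json")
	return req, nil
}
```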

    22. Great Job! Now let's get to building our Process.

    2. Create the Application Integration Process

    1. Create a new Process. On the Start General Name use an appropriate name, ex: pr_Source_to_GCS

    2. On Start; Binding: REST/SOAP. I recommend an allowed group to limit exposure, since this process will be public. If you are fearless then check "Allow anonymous access". Leave all else as default.

    3. For this demo, we will not be using Input Fields.

    4. Add a new Output Field called "output". Type: List of Any.

    5. Add 15 new Temp Fields:

       Name                    Type
       temp_json               Text
       temp_token_exp          Date Time
       temp_token_iat          Date Time
       temp_assertion          Text
       temp_assert_header      Text
       temp_assert_claim       Text
       temp_assert_signature   Text
       temp_oauth_type         Text
       temp_token_iss          Text
       temp_token_scope        Text
       temp_token_aud          Text
       temp_generate_claim     Text
       temp_token_privKey      Text
       temp_combined           Text
       temp_token_exp_epoc     Text

    6. In Advanced, change the Tracing Level to "Verbose" for troubleshooting.

    7. Add a new Assignment step after the Start

          a. Add the below (the two Formula entries drop the fractional seconds, subtract the Unix epoch and divide by one second, which gives the integer EPOCH values the claim set needs):

       Field                 Assigned Using   From
       temp_token_iss        Content          Use your service account email
       temp_token_scope      Content          https://www.googleapis.com/auth/devstorage.read_write
       temp_token_aud        Content          https://oauth2.googleapis.com/token
       temp_token_iat        Formula          (xs:dateTime(fn:substring-before(fn:string(fn:current-dateTime()), '.')) - xs:dateTime("1970-01-01T00:00:00-00:00")) div xs:dayTimeDuration("PT1S")
       temp_token_exp        Time from Now    5; Minutes (maximum is 60)
       temp_token_exp_epoc   Formula          (xs:dateTime(fn:substring-before(fn:string($temp.temp_token_exp), '.')) - xs:dateTime("1970-01-01T00:00:00-00:00")) div xs:dayTimeDuration("PT1S")
       temp_token_privKey    Formula          Use your Private Key as a single-quoted string ('...') ending with a line break. Example:
                                              '---Begin Private Key-----
                                              dfghjklkjhgfdfghjkkjhgfghjklkjhghjk
                                              ---End Private Key---
                                              '

    8. Add a new Assignment

         a. Add a new field:

       Field                 Assigned Using   From
       temp_generate_claim   Formula          '{"iss":"' || $temp.temp_token_iss || '","scope":"' || $temp.temp_token_scope || '","aud":"' || $temp.temp_token_aud || '","exp":' || $temp.temp_token_exp_epoc || ',"iat":' || $temp.temp_token_iat || '}'

    9. Add another Assignment. This will start to create the JWT.

         a. Add the below in the assignment:

       Field                   Assigned Using   From
       temp_assert_header      Formula          util:base64EncodeUrl('{"alg":"RS256","typ":"JWT"}')
       temp_assert_claim       Formula          util:base64EncodeUrl($temp.temp_generate_claim)
       temp_combined           Formula          fn:concat($temp.temp_assert_header, '.', $temp.temp_assert_claim)
       temp_assert_signature   Formula          dsig:signWithKeyString($temp.temp_combined, $temp.temp_token_privKey, "RSA", "SHA256", "Base64Url")

    10. Add another Assignment. This will create the assertion/JWT for our Google Cloud Platform OAuth 2.0 Connector.

          a. Add the below:

       Field            Assigned Using   From
       temp_assertion   Formula          $temp.temp_assert_header || '.' || $temp.temp_assert_claim || '.' || fn:substring-before($temp.temp_assert_signature, '..')
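Steps 7 to 10 above (and the jwt.io steps in section 1) produce one object: base64url(header) "." base64url(claims) "." RS256 signature over those two segments. The Go program below is an added illustration, not code from the article or from IICS, that performs the same construction with the standard library, enforces the 1-hour limit on exp, and verifies the result the way the token endpoint would. The type and function names are this example's own; the RSA key is supplied by the caller as a stand-in for the service-account private key, and the claim values used to exercise it are the ones from the GCP documentation example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the claim set from the GCP OAuth 2.0 service-account documentation.
type Claims struct {
	Iss   string `json:"iss"`   // service account e-mail
	Scope string `json:"scope"` // space-delimited scopes
	Aud   string `json:"aud"`   // https://oauth2.googleapis.com/token
	Exp   int64  `json:"exp"`   // seconds since the Unix epoch, at most iat + 3600
	Iat   int64  `json:"iat"`
}
var b64 = base64.RawURLEncoding // base64url without '=' padding, as JWTs require
// BuildAssertion returns header.claims.signature signed with RS256 (PKCS#1 v1.5
// over SHA-256): what util:base64EncodeUrl and dsig:signWithKeyString produce.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	if c.Exp <= c.Iat || c.Exp-c.Iat > 3600 {
		return "", fmt.Errorf("exp must be after iat and at most 1 hour later")
	}
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyAssertion checks the RS256 signature with the public key, as the token
// endpoint does before it issues an access token.
func VerifyAssertion(pub *rsa.PublicKey, jwt string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

The first segment of every assertion built this way is eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9, the same prefix as the jwt.io token shown in section 1.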

    11. Add a new Service

          a. Update the Service Type to Connection

          b. Connection will be the App Connection created earlier, GoogleCloudPlatform

          c. Action will be the POST OAuth, or the name you chose

          d. On the Input Fields tab, set the two available fields, grant_type and assertion:

       Name         Value     Value:input
       grant_type   Content   urn:ietf:params:oauth:grant-type:jwt-bearer
       assertion    Field     temp_assertion

    12. Add a new Service after the POST OAuth

          a. Update the Service Type to Connection

          b. Connection will be the App Connection created earlier, GoogleCloudPlatform

          c. Action will be the POST Storage, or the name you chose

          d. On the Input Fields tab, set the available fields as below:

       Name            Value     Value:input
       token           Field     output_access_token
       project_name    Field     Project Name (Example: dev-bucket/)
       file_name       Formula   'o?name=' || 'folder/subfolder/filename'
       uploadType      Content   &uploadType=media
       input_payload   Content   Data to pass to Google Cloud Storage. You can make this dynamic as well

    13. Add another Assignment

         a. Add a field:

       Field    Assigned Using   From
       output   Field            output

    14. First Save, then Publish. Go to the Property details to find the public REST/SOAP address to call the Process.

    Congratulations and awesome job to those who got their process to work. Above is what your process will look like once done, except for the payload service in the middle. I look forward to your feedback as this is my first article posted here on Informatica KB.

    -Evan Fiore

    Message was edited by: Evan Fiore, Updated to include screen shots for Steps 1.1 - 1.22

    This document was generated from the following discussion: How to Create OAuth 2.0 RSA SHA256 for Google Cloud Platform?