1 Reply Latest reply on Jul 22, 2021 1:53 AM by Sorabh Agarwal

    How to Create OAuth 2.0 RSA SHA256 for Google Cloud Platform?

    Evan Fiore New Member

      Hello,

       

      This discussion will explain how to connect the Google Cloud Platform (GCP) via the IICS Application Integration.

      It covers the OAuth 2.0 connection using an RSA SHA-256 (RS256) signed JWT, as well as using the Google Cloud Storage service.

      For more on Google Cloud Platform OAuth 2.0, please visit this link: Using OAuth 2.0 for Server to Server Applications  |  Google Identity

      That page is referenced below when creating the JSON Web Token (JWT) that needs to be passed as the assertion.

       

      As prerequisites, you will need access to the Google Cloud Platform and to the service account JSON key file, which contains the private key tied to the service account. You will also need to ensure your service account has permission to write to Google Cloud Storage.

       

      Alright, let's begin!

       

      1. Setting up the Service & App Connector in Application Integration

      1. In IICS, go to the Application Integration service and Create a new "Service Connector"

      2. Name the connector what you would like, example "GoogleCloudPlatform"

      3. Add two Connection Properties. One called "oauth_url" & another called "storage_url".

      4. In the Actions tab, change the Action Name, example "POST OAuth Token"

      5. On the Input tab, add two Input Fields. One called "grant_type" & another called "assertion". These are parameters and you can make them required if you like. "grant_type" can Test with "urn:ietf:params:oauth:grant-type:jwt-bearer". Our "assertion" field can be generated using jwt.io:

            a. Go to the website http://jwt.io

            b. In the debugger, change the Algorithm to RS256. Leave the red Header.

            c. Change the payload as specified in the GCP OAuth 2.0 documentation

                 1. Example:

                    {
                      "iss": "example@developer.gserviceaccount.com",
                      "scope": "https://www.googleapis.com/auth/devstorage.read_only",
                      "aud": "https://oauth2.googleapis.com/token",
                      "exp": 1328554385,
                      "iat": 1328550785
                    }

            d. iss is the email address of the Google Cloud Platform service account. scope is a space-delimited list of the permissions that the application requests. To explore the permissions that can be used, use this developer tool: https://developers.google.com/oauthplayground/

            e. You can use this website to calculate exp & iat, which are in epoch time (seconds since the Unix epoch): https://www.epochconverter.com/

                 1. iat: The time the assertion was issued, specified as seconds since 00:00:00 UTC, January 1, 1970. (1328550785, the smaller number)

                 2. exp: The expiration time of the assertion, specified as seconds since 00:00:00 UTC, January 1, 1970. This value has a maximum of 1 hour after the issued time. (1328554385, the bigger number)

            f. Next, get the public and private keys of the service account that you used in the iss claim.

            g. Go back to jwt.io. Replace the default payload with the payload you changed. In the signature section, replace the public and private keys with those of your service account.

            h. http://jwt.io will update with a full JWT, which is our GCP assertion. Copy the whole jwt.io generated JWT and paste it into the Service Connector input field we created called "assertion". The Test with value will now look something like this:

      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA

       

       

      6. On the Binding tab, update the URL. Use the formula button to open a new window. Change the type to XQuery and use the oauth_url Connection Property. Click OK. It should look like this {$oauth_url}

      7. Verb will be POST, Multi Using: "SemiColon separated", Authentication Type: "Custom"

      8. Add a new HTTP Header. Name: Content-Type; Source: application/x-www-form-urlencoded

      9. Binding Type: "Form"

       

       

      10. On the Output tab, add a new Output Field. You can name this what you like, example output_access_token. Type: Text, Get From: Property: access_token

      11. On the Test Results tab, click the green "Test". Our new output_access_token should be displayed and we get a 200 back. If not, do not fret. Check the errors. It could be a simple epoch time issue, which means the iat/exp values need to be recalculated by repeating step 5e. If not, look up the errors online.

      12. Now we will add the Google Cloud Storage API. Add a new Action and give it an Action Name, example "POST Storage".

      13. On the Input tab, add 5 new Input Fields, none will be Parameter. Examples: token, project_name, file_name, uploadType, & input_payload.

       

       

      14. On the Binding tab, update the URL. Use the formula button to open a new window. Change the type to XQuery. Use Connection Property storage_url, add project_name, file_name, uploadType.

              Click OK. Results example: {$storage_url}{$project_name}{$file_name}{$uploadType}

      15. Verb will be POST, Multi Using: "Semicolon separated", Authentication Type: "Custom"

      16. Add 3 new HTTP Headers. Authorization: {fn:concat("Bearer ",$token )}, Content-Type: application/json, Accept: application/json

      17. Binding Type: Custom; Body: {$input_payload}

       

       

      18. On the Output tab, add a new Output Field. You can name this what you like, example output. Type: Text, Get From: Property: id

      19. First Save, then Publish.

      20. Create a new App Connector. Name this as you wish, example "GoogleCloudPlatform". In Type drop down, look for the newly published Google Cloud Platform Service Connector.

      21. After the App Connector updates, update the storage_url: https://storage.googleapis.com/upload/storage/v1/b/ and the oauth_url: https://oauth2.googleapis.com/token. First Save, then Publish.

       

      22. Great Job! Now let's get to building our Process.

       

      2. Create the Application Integration Process

      1. Create a new Process. On the Start General Name use an appropriate name, ex: pr_Source_to_GCS

      2. On Start; Binding: REST/SOAP. I recommend an allowed group to limit exposure, since this process will be public. If you are fearless then check the "Allow anonymous access". Leave all else as default.

      3. For this demo, we will not be using Input Fields.

      4. Add a new Output Field called "output". Type: List of Any.

      5. Add 15 new Temp Fields:

         Name                    Type
         temp_json               Text
         temp_token_exp          Date Time
         temp_token_iat          Date Time
         temp_assertion          Text
         temp_assert_header      Text
         temp_assert_claim       Text
         temp_assert_signature   Text
         temp_oauth_type         Text
         temp_token_iss          Text
         temp_token_scope        Text
         temp_token_aud          Text
         temp_generate_claim     Text
         temp_token_privKey      Text
         temp_combined           Text
         temp_token_exp_epoc     Text

      6. In Advanced, change the Tracing Level to "Verbose" for troubleshooting.

      7. Add a new Assignment step after the Start

            a. Add the below:

       

      Field

      Assigned Using

      From

      temp_token_iss

      Content

      Use your service account email

      temp_token_scope

      Content

      https://www.googleapis.com/auth/devstorage.read_write

      temp_token_aud

      Content

      https://oauth2.googleapis.com/token

      temp_token_iat

      Formula

      (xs:dateTime(fn:substring-before(fn:string(fn:current-dateTime()), '.')) - xs:dateTime("1970-01-01T00:00:00-00:00")) div xs:dayTimeDuration("PT1S")

      temp_token_exp

      Time from Now

      5; Minutes (maximum is 60)

      temp_token_exp_epoc

      Formula

      (xs:dateTime(fn:substring-before(fn:string($temp.temp_token_exp ), '.')) - xs:dateTime("1970-01-01T00:00:00-00:00")) div xs:dayTimeDuration("PT1S")

       

      temp_token_privKey

      Formula

      Use your Private Key with single quotes '' and ending with a line break

      Example: '---Begin Private Key-----

      dfghjklkjhgfdfghjkkjhgfghjklkjhghjk

      ---End Private Key---

      '

      8. Add a new Assignment

           a. Add a new field:

         Field                 Assigned Using   From
         temp_generate_claim   Formula          '{"iss":"' || $temp.temp_token_iss ||'","scope":"' || $temp.temp_token_scope ||'","aud":"' || $temp.temp_token_aud ||'","exp":' || $temp.temp_token_exp_epoc ||',"iat":'||$temp.temp_token_iat || '}'

      9. Add another Assignment. This will start to create the JWT.

           a. Add the below in the assignment:

         Field                   Assigned Using   From
         temp_assert_header      Formula          util:base64EncodeUrl('{"alg":"RS256","typ":"JWT"}')
         temp_assert_claim       Formula          util:base64EncodeUrl($temp.temp_generate_claim)
         temp_combined           Formula          fn:concat($temp.temp_assert_header, '.', $temp.temp_assert_claim)
         temp_assert_signature   Formula          dsig:signWithKeyString($temp.temp_combined, $temp.temp_token_privKey, "RSA", "SHA256", "Base64Url")

      10. Add another Assignment. This will create the assertion (the JWT) for our Google Cloud Platform OAuth 2.0 Connector.

            a. Add the below:

         Field            Assigned Using   From
         temp_assertion   Formula          $temp.temp_assert_header || '.' || $temp.temp_assert_claim || '.' || fn:substring-before($temp.temp_assert_signature, '..')
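      The JWT assembly from steps 2.7 to 2.10 (and the manual jwt.io version in step 1.5), as an added example in Python that is not part of the original post or of IICS: it builds the header, the claim set and the RS256 signature with the standard library only, enforces the one-hour limit on exp, and verifies the result the way the token endpoint would. The RSA key pair, the service account email and the scope are constructed demo values; in the real process the private key comes from the service account JSON.

```python
# Added example (not code from the original post): build and check the GCP
# service-account JWT assertion using only the Python standard library. The RSA
# key pair is generated here for the demo; a real process signs with the
# private_key from the service-account JSON.
import base64
import hashlib
import json
import secrets
import time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; fine for a demo key, not a substitute for a real library."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_demo_key(bits=1024):
    """Return (n, e, d); 1024 bits keeps the demo fast, Google-issued keys are 2048."""
    e = 65537
    def prime(size):
        while True:
            cand = secrets.randbits(size) | (1 << (size - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    """RSASSA-PKCS1-v1_5 over SHA-256, i.e. the JWT 'RS256' algorithm."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def build_claims(iss, scope, lifetime_s=300, now=None):
    """The claim set from step 1.5c; exp may be at most one hour after iat."""
    if not 0 < lifetime_s <= 3600:
        raise ValueError("exp must be at most 1 hour after iat")
    iat = int(time.time() if now is None else now)
    return {"iss": iss, "scope": scope, "aud": "https://oauth2.googleapis.com/token",
            "exp": iat + lifetime_s, "iat": iat}

def build_assertion(claims, n, d):
    """header.claim.signature, mirroring temp_assert_header/claim/signature."""
    header = b64url(b'{"alg":"RS256","typ":"JWT"}')
    claim = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    combined = f"{header}.{claim}"  # temp_combined, the RS256 signing input
    return f"{combined}.{b64url(rs256_sign(combined.encode('ascii'), n, d))}"

def verify_assertion(jwt, n, e, now=None):
    """Check the signature first, then the time window the claims promise."""
    header, claim, sig = jwt.split(".")
    if not rs256_verify(f"{header}.{claim}".encode("ascii"), b64url_decode(sig), n, e):
        return False
    c = json.loads(b64url_decode(claim))
    now = int(time.time() if now is None else now)
    return c["iat"] <= now < c["exp"] and c["exp"] - c["iat"] <= 3600

if __name__ == "__main__":
    n, e, d = generate_demo_key()
    jwt = build_assertion(build_claims("svc@example.iam.gserviceaccount.com",  # constructed
                          "https://www.googleapis.com/auth/devstorage.read_write"), n, d)
    print(jwt[:60] + "...", verify_assertion(jwt, n, e))
```

      The header segment produced here is the same eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9 prefix seen in the sample token in step 1.5h, because the header JSON is identical. verify_assertion is the check the token endpoint performs, so running a process-generated assertion through it (with the service account's public modulus and exponent) is a quick way to tell a signing problem from an epoch-time problem before calling Google.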

      11. Add a new Service

            a. Update the Service Type to Connection

            b. Connection will be the App Connection created earlier, GoogleCloudPlatform

            c. Action will be the POST OAuth, or the name you chose

            d. On the Input Fields tab, set the two available fields, grant_type & assertion, as below:

         Name         Value     Value:input
         grant_type   Content   urn:ietf:params:oauth:grant-type:jwt-bearer
         assertion    Field     temp_assertion

      12. Add a new Service after the POST OAuth

            a. Update the Service Type to Connection

            b. Connection will be the App Connection created earlier, GoogleCloudPlatform

            c. Action will be the POST Storage, or the name you chose

            d. On the Input Fields tab, set the available fields as below:

         Name            Value     Value:input
         token           Field     output_access_token
         project_name    Field     Project Name (Example: dev-bucket/)
         file_name       Formula   'o?name='|| 'folder/subfolder/filename'
         uploadType      Content   &uploadType=media
         input_payload   Content   Data to pass to Google Cloud Storage. You can make this dynamic as well.
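      The two HTTP calls that the App Connector makes in steps 2.11 and 2.12, as an added Python example that is not part of the original post or of IICS: it form-encodes the token request, pulls access_token out of the token response with the checks the Output Field mapping does not do for you, and assembles the upload URL from the same pieces as the XQuery concatenation in step 1.14 while percent-encoding the object name. The URLs, scope and header names are the ones given above; the token response, bucket and object names are constructed sample values.

```python
# Added example (not code from the original post): the token request body, the
# token response check and the storage upload URL from the post's App Connector.
import json
from urllib.parse import quote, urlencode

OAUTH_URL = "https://oauth2.googleapis.com/token"                    # oauth_url
STORAGE_URL = "https://storage.googleapis.com/upload/storage/v1/b/"  # storage_url
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def token_request_body(assertion: str) -> str:
    """Body of the POST OAuth Token action (Content-Type application/x-www-form-urlencoded)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def extract_access_token(response_body: str) -> str:
    """Equivalent of the output field 'Get From: Property: access_token', plus two
    checks: an OAuth error reply carries 'error' instead of a token, and the
    token must be a Bearer token for the Authorization header in step 1.16."""
    data = json.loads(response_body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint returned an error: {data.get('error', data)}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]

def storage_upload_url(bucket: str, object_name: str, upload_type: str = "media") -> str:
    """Builds {$storage_url}{$project_name}{$file_name}{$uploadType} from step 1.14.
    The post concatenates the object name raw; quoting it keeps names containing
    spaces, '#', '?' or '&' from breaking the query string. '/' is left as-is so
    the result matches the post's folder/subfolder/filename example."""
    return (f"{STORAGE_URL}{quote(bucket, safe='')}/o"
            f"?name={quote(object_name, safe='/')}&uploadType={upload_type}")

def storage_headers(access_token: str) -> dict:
    """The three HTTP headers from step 1.16."""
    return {"Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            "Accept": "application/json"}

# Constructed sample token response: the shape of Google's reply, not a real token.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access_token": "ya29.EXAMPLE-TOKEN",
                                    "expires_in": 3599, "token_type": "Bearer"})

if __name__ == "__main__":
    tok = extract_access_token(SAMPLE_TOKEN_RESPONSE)
    print(token_request_body("header.claim.signature"))
    print(storage_upload_url("dev-bucket", "folder/subfolder/filename"))
    print(storage_headers(tok)["Authorization"])
```

      With the sample values the URL comes out as https://storage.googleapis.com/upload/storage/v1/b/dev-bucket/o?name=folder/subfolder/filename&uploadType=media, which is exactly what the XQuery concatenation in the process produces for the same inputs; the difference only shows for object names with characters that are not safe in a query string.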

      13. Add another Assignment

           a. Add a field:

         Field    Assigned Using   From
         output   Field            output

      14. First Save, then Publish. Go to the Property details to find the public REST/SOAP address to call the Process.

       

       

      Congratulations and awesome job for those who got their process to work. Above is what your process will look like once done, except for the payload service in the middle. I look forward to your feedback as this is my first article posted here on Informatica KB.

       

      -Evan Fiore

       

      Message was edited by: Evan Fiore, Updated to include screen shots for Steps 1.1 - 1.22