ETSI NFV MANO supports OAuth 2.0 authentication for the SOL003 Or-Vnfm reference point. The NFVO makes a token request to
ESC, providing its client credentials (client id and client secret) for authentication. ESC verifies the request
and returns the access token.
Note: ETSI supports both basic authentication as well as subscriptions for NFVO connections over SOL003.
The NFVO makes a POST request providing the client id and secret as primary authentication.
Method Type
POST
URL
{apiRoot}/oauth2/token
Header
Authorization: Basic {base 64 encoded CLIENT_ID:CLIENT_SECRET}
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Body
grant_type=client_credentials
ESC returns the access token in response.
Example:
{
  "access_token": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjaHJpcyIsImlzcyI6IkVUU0ktVk5GTSIsImlhdCI6MTU1ODYwMzk2NiwiZXhwIjoxNTU4NjA0NTY2fQ.lAtre7vdCKJjgzNs7p9P3NS2qMcXegC-oWXmy5Kakn0AL95gLWF6liOqPViMZNnWZLOsG5r1kPnGoBWnN0tgIw",
  "token_type": "bearer",
  "expires_in": 600
}
The access token is then used to access the or_vnfm endpoints.
Example:
Method
GET
URL
{apiRoot}/vnflcm/v2/subscriptions
Headers
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjaHJpcyIsImlzcyI6IkVUU0ktVk5GTSIsImlhdCI6MTU1ODYwMzk2NiwiZXhwIjoxNTU4NjA0NTY2fQ.lAtre7vdCKJjgzNs7p9P3NS2qMcXegC-oWXmy5Kakn0AL95gLWF6liOqPViMZNnWZLOsG5r1kPnGoBWnN0tgIw
Note: The existing tokens become invalid if the ETSI service is restarted.
Accessing and Updating the OAuth Properties File
ESC stores the client id and secret in the new etsi-production.yaml properties file, in the same location as the etsi-production.properties file. The new escadm etsi commands are available to maintain the client id and secret values. The client secret is encrypted the same way as the existing REST username.
To add or update a client id
sudo escadm etsi oauth2_clients --set <CLIENT_ID>:<CLIENT_SECRET>
To remove a client id
sudo escadm etsi oauth2_clients --remove <CLIENT_ID>
Note: Restart the ETSI services after updating the OAuth 2.0 values.
For information on other properties, see ETSI Production Properties.
OAuth Calls from ETSI to the NFVO
ESC supports OAuth 2.0 calls from ETSI to the NFVO.
The following properties are added to the etsi-production.properties file:
nfvo.clientID=<YourClientID>
nfvo.clientSecret=<YourClientSecret>
nfvo.tokenEndpoint=<Your NFVO Token Endpoint>
nfvo.authenticationType=OAUTH2
The client id, client secret and token endpoint must match those of the OAuth 2.0 server. The authentication type determines
how outgoing calls from ESC to the NFVO are authenticated. It must be either BASIC or OAUTH2.
The tokens from the NFVO are stored against the token endpoint in the properties file.
When the NFVO sends a call request, ETSI checks for the tokens stored against the token endpoint. If the token has not expired,
then ETSI adds the stored token to the header of the request and executes the call. A new token is required if the call fails
with that token.
If there are no tokens against the token endpoint, then new tokens are required to execute the call.
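The token handling described above, together with the client-credentials request from the start of this page, as an added Python example; it is not ESC or NFVO code. The `send` transport hook, the `TokenClient` and `FakeEsc` names, the 30-second expiry margin and the single retry on HTTP 401 (this example's reading of a call that fails with the stored token) are assumptions.

```python
import base64
import time


def token_request(api_root, client_id, client_secret):
    """Build the client-credentials POST as (url, headers, body)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"{api_root}/oauth2/token", headers, "grant_type=client_credentials"


class TokenClient:
    """Reuse a bearer token until it expires or the server rejects it."""
    def __init__(self, send, api_root, client_id, client_secret, clock=time.time):
        # send(method, url, headers, body) -> (status, json): hypothetical transport hook
        self.send, self.clock = send, clock
        self.request = token_request(api_root, client_id, client_secret)
        self.token, self.expires_at = None, 0.0

    def _fetch(self):
        status, data = self.send("POST", *self.request)
        if status != 200 or data.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = data["access_token"]
        self.expires_at = self.clock() + data["expires_in"] - 30  # 30 s safety margin

    def call(self, method, url):
        if self.token is None or self.clock() >= self.expires_at:
            self._fetch()
        for attempt in (1, 2):
            status, data = self.send(method, url, {"Authorization": f"Bearer {self.token}"}, None)
            if status != 401 or attempt == 2:
                return status, data
            self._fetch()  # rejected early (e.g. after a service restart): renew once


class FakeEsc:
    """Constructed in-memory stand-in for the token and or_vnfm endpoints."""
    def __init__(self):
        self.valid, self.issued = set(), 0

    def __call__(self, method, url, headers, body):
        if url.endswith("/oauth2/token"):
            self.issued += 1
            self.valid.add(tok := f"constructed-{self.issued}")
            return 200, {"access_token": tok, "token_type": "bearer", "expires_in": 600}
        known = headers["Authorization"][len("Bearer "):] in self.valid
        return (200, []) if known else (401, {})
```

The Basic header only base64-encodes the client secret, so a real `send` must use TLS with certificate verification. Clearing `FakeEsc.valid` models the restart case in which existing tokens become invalid.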
OAuth 2.0 Notification and Subscription
Subscription payloads must include the following to enable OAuth 2.0 authentication for notifications:
{
  "authentication": {
    "authType": [
      "OAUTH2_CLIENT_CREDENTIALS"
    ],
    "paramsOauth2ClientCredentials": {
      "clientId": "<client_id>",
      "clientPassword": "<client_secret>",
      "tokenEndpoint": "<token_endpoint>"
    }
  }
}