Setting up OAUTH 2.0 Authorization

Contents

Configuring OAUTH Token End Point
- Create an OAUTH Token End Point project
- Deploy the OAUTH Token Endpoint project
Enabling OAUTH security for Protected API Resources
- While creating a project
- To an existing project
Configuring Client Subscription and Generating API Key
Obtaining access token from Token Endpoint
Accessing protected resources using access token

OAuth enables authorization of applications by generating an Access Token and then by verifying this access token instead of relying on a specific password.

This section explains steps to set up Client Credentials grant type in OAuth 2.0 specification. In this grant type, the client can request an access token using only its client credentials (consumer key and secret)

Topics related to OAUTH

Icon

OAuth Token End Point
Under the "Secure API with" option in the From REST or HTTP Service section

Sections below explain how to use OAUTH mentioned in the sections above.

Configuring OAUTH Token End Point

To configure OAUTH Token End Point, the first step is to create a project using OAUTH Token Endpoint.

Create an OAUTH Token End Point project

From the API Dashboard, click API Projects - Manage API Projects and select OAuth Token End Point option from Add API Project drop-down list present in the upper-right part of the API Projects panel.

Figure 1: Providing attributes to create OAuth Token End Point Project

The following values are used in the above figure as a sample:

Property	Description
Display Name	AccessToken
Version	1.0
Proxy Context Path	accesstoken
Method	POST
Access Token Expiry Time	600000

After creating the project, double-click the AccessToken project to get into the project. Notice the configuration settings that take place automatically:

a) Go to the Policies section to check that the OAUTH Token End Point Policy is set.

Figure 2: OAuth Token End Point Policy Configuration auto-populated

b) Go to the Resources section to check that the OAUTH Token End Point Policy is added to the Proxy Request endpoint.

Figure 3: OAuth Token End Point Policy added to Proxy Request endpoint in Resources

Deploy the OAUTH Token Endpoint project

To deploy the project, select the AccessToken project, click the Deploy button and then choose a Server Group of your choice.

This project acts as an endpoint to generate access tokens which can be published to clients for obtaining tokens.

Enabling OAUTH security for Protected API Resources

Now that the Access Token Endpoint is ready to receive requests from the clients with valid registration, the OAuth Verify Access Token policy can be created and attached to the Proxy Request endpoint of the resource. This can be done while creating a project or to an existing project.

While creating a project

While creating a new REST/HTTP or WSDL project, choose the "OAuth 2.0 Access Tokens" option for the Secure API with property.

Figure 4: Choosing to apply OAuth Access Token while creating a project

a) Go to the Policies section to check that the Verify Token Policy configuration is set.

Icon

The following configuration settings that take place automatically

Figure 5: OAuth Verify Access Token Policy added to Proxy Request endpoint in Resources

b) Go to the Resources section to check that the Verify Token Policy is added to the Proxy Request endpoint.

Figure 5: OAuth Verify Access Token Policy Configuration Auto -populated

To an existing project

With an already existing project, the policy needs to be manually added and attached to the resource.

Refer to the Adding a Policy section and the previous section OAUTH 2.0 for adding the OAuth Verify Access Token policy and for manually selecting the Query option as the access token location.

Go to the Resources section, click the Proxy Request endpoint in the DefaultResource and add the OAuth Verify Access Token policy by clicking the Edit button and then using the left arrow button.

Figure 6: Adding the Verify Access Token policy to Resources after manual configuration

Configuring Client Subscription and Generating API Key

Create a product and add the OAuth-secured API project to it. Then create a Client and Client Subscriptions. To do this, use Apps - Manage API Products and Client Subscriptions prompt in the Dashboard and follow the steps mentioned in the Adding Products, Clients and Client Subscriptions section.

After creating the Client Subscription with the product, Generate Consumer Key and Consumer Secret.

Figure 7: Generating Consumer Key and Consumer Secret

When the set up from the API Dashboard is over, the client may be provided with the keys that are generated for communication.

Obtaining access token from Token Endpoint

When the client sends a request which carries a valid Consumer Key and Consumer Secret to the Token End Point in order to get an access token, the Token End Point verifies the credentials and returns the access token back to the client.

To send the request using Postman, provide the following values in the postman and click Send button:

Method: POST
URL: Project proxy URL
Header
- name: grant_type
- Value: client_credentials
Parameter Format: x-www-form-urlencoded
Parameters
- Client_id (Consumer Key generated from Client Subscription)
- Client_secret (Consumer Secret generated from Client Subscription)

When a valid request is sent, an access token is generated as shown in the above figure.

Accessing protected resources using access token

After receiving the Access Token, it is sent along with the request as a query parameter(since Query is set in VerifyAccessTokenPolicy) to access the protected API. The Request URL will be in the following format:

<url from documentation>?access_token=<value generated in postman>