I have configured OTK 3.5 but I am not aware of the steps I should follow to add "OAuth" assertions and secure an API. Can anyone please provide an example with screenshots of securing a REST API using OTK? (I would probably prefer the Authorization Code grant type for this.)
Did you have a chance to go through Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation?
Yes, I added that assertion. Right now what I am doing is calling the access token URL directly through my browser, and once I get the access token, I add the access token parameter to my API call and call the API. This is working perfectly for me. But is there any assertion which I can add to my published API policy for getting the access token?
You may try Retrieve Token Assertions, OAuth Client Assertions - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation.
Can you please provide an example of how this should work end to end for a published API, and how to test it?
As per my understanding ...
To secure an API, just put the "OTK Require OAuth x.0 Token" assertion at the beginning of the policy of the API.
Then only HTTP requests that contain a valid token can access this API successfully.
Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation
So, before calling the API from the client (an app, a browser, etc.), the client needs to authorize first.
To do so, you may publish another authorize service (or just a policy fragment for protected APIs) that uses Retrieve Token Assertions to get the access token and then routes to the protected API.
Or, the client can call the OAuth API endpoints directly to retrieve the access token, then call the protected API.
Here is the list of OAuth API endpoints:
OAuth API Endpoints - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation
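The end-to-end flow described in this thread, as an added offline example that is not OTK code: a constructed in-memory authorization server stands in for the OTK authorize and token endpoints (authorization code grant), and `protected_api` plays the role of the "Require OAuth 2.0 Token" check in front of the published API. The client id, redirect URI and all endpoint behaviour are assumptions; tokens are sent in the Authorization header.

```python
"""Simulated authorization-code flow against a token-protected API (constructed example)."""
import secrets
import urllib.parse

# Constructed client registration: client_id -> allowed redirect_uri
REGISTERED_CLIENTS = {"app1": "https://app.example/cb"}


class AuthServer:
    """Stand-in for the OAuth authorize/token endpoints (not OTK's implementation)."""

    def __init__(self):
        self._codes = {}    # one-time authorization codes -> (client_id, redirect_uri)
        self._tokens = {}   # issued access tokens -> client_id

    def authorize(self, client_id, redirect_uri, state):
        # Authorize step: user is assumed authenticated; bind a one-time code to the client
        if REGISTERED_CLIENTS.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        return redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})

    def token(self, client_id, redirect_uri, code):
        # Token step: the code is consumed exactly once and must match the client it was issued to
        if self._codes.pop(code, None) != (client_id, redirect_uri):
            raise ValueError("invalid_grant")
        access = secrets.token_urlsafe(24)
        self._tokens[access] = client_id
        return {"access_token": access, "token_type": "Bearer"}

    def introspect(self, token):
        return self._tokens.get(token)


def protected_api(auth, headers):
    """Mirrors the 'Require OAuth Token' assertion: 401 unless a valid bearer token is present."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    client = auth.introspect(token) if scheme.lower() == "bearer" else None
    return (200, {"client": client}) if client else (401, {"error": "invalid_token"})


def run_flow():
    """Client obtains a code, exchanges it, calls the API; returns (ok, denied, replay) statuses."""
    auth, state = AuthServer(), secrets.token_urlsafe(8)
    redirect = auth.authorize("app1", "https://app.example/cb", state)
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect).query))
    assert params["state"] == state          # client verifies the state it sent
    tok = auth.token("app1", "https://app.example/cb", params["code"])
    ok = protected_api(auth, {"Authorization": f"Bearer {tok['access_token']}"})
    try:                                     # reusing the same code must be refused
        auth.token("app1", "https://app.example/cb", params["code"])
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return ok[0], protected_api(auth, {})[0], replay
```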