Layer7 API Management

Expand all | Collapse all

How to use "OAuth" assertions for securing API

Jump to Best Answer
  • 1.  How to use "OAuth" assertions for securing API

    Posted 02-14-2017 04:25 AM

    I have configured OTK 3.5 but I am not aware of the steps I should follow to add "OAuth" assertions and secure API. Can anyone please provide example with screenshots to secure REST API using OTK. (I would probable prefer Authorization code grant type for this)



  • 2.  Re: How to use "OAuth" assertions for securing API



  • 3.  Re: How to use "OAuth" assertions for securing API

    Posted 02-14-2017 05:02 AM

    Yes I added that assertion. Right now what I am doing is I am calling access token URL directly through my browser and once I get the access token, I add the access token parameter in my API call and calling the API. This is perfectly working for me. But is there any assertion which I can add to my published API policy for getting access token? 



  • 4.  Re: How to use "OAuth" assertions for securing API

    Posted 02-14-2017 05:37 PM


  • 5.  Re: How to use "OAuth" assertions for securing API

    Posted 02-16-2017 08:11 AM

    Can u please provide example of how end to end this should work for a published API and how to test it



  • 6.  Re: How to use "OAuth" assertions for securing API
    Best Answer

    Posted 02-16-2017 06:09 PM

    As per my understanding ...

    To secure an API, just put "OTK Require OAuth x.0 Token" assertion to the beginning of the policy of the API.

    Then only the http request contains the valid token can access this API successfully.

    Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation 

     

    So, before call the API from the client (an app, or a browser, etc.), the client need to authorize first.

    To do so, you may publish another authorize service (or just a policy fragment for protected APIs) to use Retrieve Token Assertions to get the access token and then route to the protected API.

    Or, the client can call the OAuth API endpoints directly to retrieve the access token, then call the protected API.

    Here is the list of Oauth api endpoints,

    OAuth API Endpoints - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation