We secure an API with the OAuth2 authorization code flow. To publish the API onto the portal I did not add the authorize and token calls. In the portal it can be seen that these APIs have an access token, but there is no definition of the authorize and token calls. The question is how to arrange that in this JSON these two OAuth APIs can be seen, but still in the gateway there is no check on the necessary OAuth tokens?
Which version of the developer portal are you currently using? Would you be able to elaborate a bit on the request?
It sounds like you are questioning how the token was generated to access an OAuth protected API. If you could please provide a bit more information I'd be happy to help.
I use the api portal 4.2.
I have an API getAccount to retrieve some account information to the requestor. This API is secured by OAuth, so the requestor gets an access token for this call by using the standard OAuth2 authorize and token calls. When I publish the getAccount API to the portal, the authorize and token calls cannot be seen. And if I publish the getAccount, authorize and token calls together to the portal, the authorize calls are rejected because there is no access token in the authorize call. I cannot see how to arrange this.
Thank you for clarifying. If the API is published via the portal you will need to ensure that you have chosen OAuth from the policy templates. Once the API is synced to your Gateway you will need to use the OAuth endpoints on the external Gateway to generate an access token.
The OAuth endpoints utilized will be on the same Gateway as the published API. To consume the API you must first follow the steps to obtain the token:
OAuth Request Scenarios - CA API Management OAuth Toolkit - 4.3 - CA Technologies Documentation
Once you have the token it can then be passed to the API as either part of the form POST body, authorization header or optionally, though not recommended, via the query parameter.
If I have misunderstood please do let me know.
Thanks Joe, the API calls for the OAuth tokens are working correctly. But how will the developer who has access to the portal know what the authorize and token endpoints look like? These two calls are not listed in the portal.
They would need to be provided with the OAuth details outside of the portal. The amount of calls would depend on the flow, they could use something like the client credentials grant type which will only need the single call to the v2/token endpoint.
Did the answers on this thread answer your question? If they did, please mark the right answer. If your question is not answered or you still have additional questions, please let us know.
With Kind Regards,
Dirk
the answer is clear.
I just thought that the authorize and token call definitions were also visible through the portal, but these have to be provided somewhere else.
Kind regards,
Jos Janssens | Solution Architect
I&C Klant wil betalen | de Volksbank N.V.
From: DirkBleyenberg <email@example.com>
Sent: Wednesday, 28 November 2018 17:28
To: Janssens, J.M. (Jos) <firstname.lastname@example.org>
Subject: Re: - Re: Oauth call in the API Portal