Hi guys, I am working on Policy Manager v8.3 & OAuth 2.0 v3.4.0. I have Policy Manager installed with the OAuth Toolkit in Policy Manager.
I know how OAuth works, but I am confused on how to implement it in Policy Manager.
I want to secure one of my services (API Proxy) with OAuth 2.0. As of now I do not want to use API Portal.
I know I am asking too many questions. Please help me out with suggestions & sample policies if available.
I have included some reference points below to help you here. A sample policy of an OAuth protected endpoint is attached. Let me know of any questions.
1. You will need to register a client in OAuth Manager
ref: Using the OAuth Manager - CA API Management OAuth Toolkit - 3.0 - CA Technologies Documentation
2. To generate tokens using the different grant types
ref: OAuth Request Scenarios - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation
Example using client credentials:
3. To protect a service using OAuth you can use the 'OTK Require OAuth 2.0 Token' assertion
ref: Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation
4. Please refer to step 2 for generating the access / refresh tokens.
5. The assertion mentioned in step 3 will validate the token.
Thanks dasjo02 for the detailed answer.
Thanks crusi01 for the info. I re-checked & my Policy Manager version is 9.1.0 & OTK is 3.4.0.
I logged into OAuth Client Manager & saw that one client for OAuth 2.0 was already there.
In List Keys I got the client_id, secret & scope values.
I used https://api.layer7gateway.com/auth/oauth/v2/token?grant_type=client_credentials&client_id=****&client_secret=****&scope=****
Added the header & used the POST verb.
It is giving me "invalid client credentials" 401 Unauthorized.
Any idea why I am getting an error? I am giving the correct client_id, secret & scope as per the OAuth 2.0 client.
I typically see this when the client_id and/or client_secret are incorrect.
What header value are you adding? The client_id/client_secret should appear only in the message body OR in the request header as a base64-encoded value. It should not appear in both. See my example below using the default test clients; notice no headers are being added, as I have the values as part of the body. If using the header, however, I would also make sure the type is set correctly as Basic (not Bearer, as that is for tokens):
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
If you could provide a screenshot of your setup it may provide more information, blanking out any sensitive details.
OK, I was passing the client_id, secret & scope as query params in the URL. I will try sending them as URL-encoded values or as an Authorization header with a Basic <base64encoded> value.
In the header I gave Content-Type: x-www-urlencoded
Thanks for your support dasjo02. I am able to generate a token & validate it also.
Earlier I was making a mistake by passing data in query params. After sending them as URL-encoded values I got the token.
I will also be working on JWT & Auth code. Will get in touch with you in case of queries!
A few samples on submitting the access token to the OAuth protected endpoint:
(Thanks for responding Joe).
Be sure that you are using compatible versions of the Policy Manager (CA API Gateway) and the OTK.
For CA API Gateway 8.3, the supported OTK version is 3.0:
CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 3.0 - CA Technologies Documentation
For CA API Gateway 9.1, the supported OTK version is 3.4:
CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation
Hi dasjo02, how can I use the password grant type, which requires a username and password?
Which policy/service should I refer to in Policy Manager OTK?
It has to be authenticated via some IdP, right?
Any examples of other grant types would be great.
The resource owner password credentials grant details can be found as part of the documentation mentioned above, specifically:
OAuth Request Scenarios - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation
The request is to the /auth/oauth/v2/token endpoint.
By default, the resource owner (uid/pw) is authenticated against the internal identity provider. In the example below I have a user in the IIDP named ADMIN with a password of PASSWORD1 (sample password, that would be terrible for security).
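The two token requests discussed in this thread (client credentials above, and the resource owner password grant in this post), as an added example that is not part of the thread or of the OTK's own policies. It assumes placeholder client credentials; the host is the one quoted earlier in the thread, and the ADMIN/PASSWORD1 user is the sample from this post.

```python
# Added example, not from the thread or CA's OTK: build a correct POST to the OTK
# /auth/oauth/v2/token endpoint. The client_id/client_secret pair goes in exactly
# one place (form body OR Basic Authorization header), never both and never in the
# query string, which is what produced the 401 "invalid client credentials" above.
import base64
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_ENDPOINT = "https://api.layer7gateway.com/auth/oauth/v2/token"  # host from the thread


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value: base64("client_id:client_secret"), the form shown by dasjo02."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, grant_type, scope=None,
                        credentials_in_header=False, username=None, password=None):
    """Return (url, headers, body) for the token request.

    grant_type is 'client_credentials' or 'password' (resource owner credentials,
    authenticated by the OTK against its internal identity provider by default).
    """
    if grant_type not in ("client_credentials", "password"):
        raise ValueError(f"unsupported grant_type: {grant_type}")
    form = {"grant_type": grant_type}
    if scope:
        form["scope"] = scope
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant needs the resource owner's username and password")
        form["username"] = username
        form["password"] = password
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials_in_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:  # credentials travel in the form body instead
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return TOKEN_ENDPOINT, headers, urlencode(form)


def secrets_kept_out_of_query(url: str) -> bool:
    """Defensive check: True when neither client_id nor client_secret is in the query string."""
    qs = parse_qs(urlsplit(url).query)
    return "client_id" not in qs and "client_secret" not in qs
```

The body is what goes into the POST with the Content-Type shown; the scope value and client credentials are placeholders you replace with the values from List Keys in OAuth Manager.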
Yeah I figured it out after posting the question here.
Now I'm trying Auth code & JWT, for which I need an Auth code & an assertion JWT.
Should I be using the response_type=token endpoints to get them?
Hi siddharth-b ,
Please check OAuth API Endpoints - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation for the different flows.
Authcode should be this one: OAuth API Endpoints - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation
You can also check the policy of the OAuth test clients as an example, under the "OAuth 2.0 Test Clients" folder.
Thanks Mark for the links.
I was able to make calls through the Test Clients.
But for Auth code & Implicit, when I click on initiate I get an error:
error: invalid_redirect_uri
error-desc: mismatching redirect_uri https://api.layer.com:443/a/b/c
OTK was set up by someone else and I am using the OOB configurations.
Do I need to change the redirect URI?
Please review this article to resolve the message.
CA API Management - Mismatching redirect_uri error for OAuth Clients