Layer 7 API Management

Expand all | Collapse all

OAuth 2.0 Steps

Jump to Best Answer
  • 1.  OAuth 2.0 Steps

    Posted 09-07-2017 06:43 AM

    Hi guys I am working on Policy Manager v8.3 & OAuth 2.0 v3.4.0. I have Policy Manager installed with OAuth Toolkit in Policy Manger.

     

    I know how OAuth works, but I am confused on how to implement it in Policy Manager.

     

    I want to secure one of my service(API Proxy) with OAuth 2.0. As of now I do not want to use API Portal.

    1. How can I get client_id,secret?
    2. Any grant type is fine as this is a demo.
    3. Which Assertion should I use in my policy?
    4. How will I get an access_token?
    5. How to validate it in my policy?

     

    I know I am asking too many questions. Please help me out with suggestions & sample policies if available.

    dasjo02

    Thanks



  • 2.  Re: OAuth 2.0 Steps
    Best Answer

    Posted 09-07-2017 08:31 AM
      |   view attached

    Hi Siddharth,

     

    I have included some reference points below to help you here. A sample policy of an OAuth protected endpoint is attached. Let me know of any questions.

     

    1. You will need to register a client in OAuth Manager

    ref:  Using the OAuth Manager - CA API Management OAuth Toolkit - 3.0 - CA Technologies Documentation 

     

    2. To generate tokens using the different grant types

    ref: OAuth Request Scenarios - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation 

     

    Example using client credentials:

     

    3. To protect a service using OAuth you can use the  'OTK Require OAuth 2.0 Token' assertion

    Ref: Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation 

     

    4. Please refer to step 2 for generating the access / refresh tokens.

     

    5. This assertion mentioned in step 3 will validate the token

     

    Regards,

    Joe

    Attachment(s)

    zip
    oauth_protected.xml.zip   786B 1 version


  • 3.  Re: OAuth 2.0 Steps

    Posted 09-08-2017 07:24 AM

    Thanks dasjo02 for the detailed answer.

    Thanks crusi01 for the info, I re-checked & my policy manager version is 9.1.0 & OTK is 3.4.0

     

    I logged into OAuth Client Manager & saw that one client for OAuth 2.0 was already there.

    In List Keys I got the client_id, secret & scope values.

     

    I used https://api.layer7gateway.com/auth/oauth/v2/token?grant_type=client_credentials&client_id=****&client_secret=****&scope=****

    Added the Header & used POST Verb

     

    It is giving me invalid client credentials 401 Unauthorized.

     

    Any idea why I am getting an error? I am giving correct client id secret & scope as per OAuth 2.0 client.



  • 4.  Re: OAuth 2.0 Steps

    Posted 09-08-2017 09:01 AM

    Hi siddharth-b,

     

    I typically see this when the client_id and/or client_secret are incorrect.

     

    What header value are you adding? The client_id/client_secret should appear only in the message body OR the request header as a base64 encoded value. It should not appear in both. See my example below using the default test clients, notice no headers are being added as I have the values as part of the body. If using the header however I would also make sure the type is set correct as BASIC (not Bearer as that is for tokens),

     

    ie:

    Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=

     

    If you could provide a screenshot of your setup it may provide more information, blanking out any sensitive details.

     

     

    Regards,

    Joe



  • 5.  Re: OAuth 2.0 Steps

    Posted 09-08-2017 09:07 AM

    Ohk I was passing the client_id, secret & scope as query params with the URL. I will try sending them as URL Encoded values or as a Auth Header with Basic <base64encoded> value.

     

    In Header I gave Content-Type - x-www-urlencoded



  • 6.  Re: OAuth 2.0 Steps

    Posted 09-08-2017 12:03 PM

    Thanks for your support dasjo02 . I am able to generate an token & validate it also.

    Earlier I was making an mistake by passing data in queryparams. After sending them as url-encoded values I got the token.

     

    I will also be working on JWT & Auth code. Will get in touch with you in-case of queries!!



  • 7.  Re: OAuth 2.0 Steps

    Posted 09-07-2017 08:52 AM

    A few samples on submitting the access token to the OAuth protected endpoint:

     

    Query Parameter

     

    Form body

     

    Authorization header



  • 8.  Re: OAuth 2.0 Steps

    Posted 09-07-2017 06:49 PM

    Hi Siddharth,

    (Thanks for responding Joe).

     

    Be sure that you are using compatible versions of the Policy Manager (CA API Gateway) and the OTK. 
    For CA API Gateway 8.3, the supported OTK version is 3.0. 
    CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 3.0 - CA Technologies Documentation 

    For CA API Gateway 9.1, the supported OTK version is 3.4
    CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation 

     

    Simon



  • 9.  Re: OAuth 2.0 Steps

    Posted 09-11-2017 10:43 AM

    Hi dasjo02, how can I use the password grant type?  Which require username password . . .

     

    Which policy/service should I refer in policy manager otk? 

    It has to authenticated via some IdP right ? 

     

    Any examples of other grant types would be great. 

     

    Thanks 



  • 10.  Re: OAuth 2.0 Steps

    Posted 09-11-2017 01:23 PM

    Hi Siddharth,

     

    The resource owner password credentials grant details can be found as part of the documentation mentioned above, specifically:

     

    OAuth Request Scenarios - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation 

     

    The request is to the /auth/oauth/v2/token endpoint.

     

    By default, the resource owner (uid/pw) are authenticated against the internal identity provider. In the example below I have a user in the IIDP named ADMIN with a password of PASSWORD1 (sample password, that would be terrible for security  )

     

     

    Regards,

    Joe



  • 11.  Re: OAuth 2.0 Steps

    Posted 09-11-2017 01:43 PM

    Yeah I figured it out after posting the question here.  

     

    Now I'm trying Auth code & jwt for which I need Auth code & a assertion jwt. 

     

    Should I be using response_type=token endpoints to get them  ? 



  • 12.  Re: OAuth 2.0 Steps

    Posted 09-13-2017 02:39 AM

    Hi siddharth-b ,

    please check OAuth API Endpoints - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation  for different flow.

    authcode should be this one, OAuth API Endpoints - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation 

     

    You can also check the policy of the oauth test clients as example,

    /oauth/v2/client/authcode

    etc.

    under "OAuth 2.0 Test Clients" folder

     

    Regards,

    Mark



  • 13.  Re: OAuth 2.0 Steps

    Posted 09-13-2017 07:31 AM

    Thanks Mark for the links.

    I was able to make calls through the Test Clients.

    But for Auth code & Implict when I click on initiate I get an error,

    error:invalid_redirect_uri
    error-desc: mismatching redirect_uri https://api.layer.com:443/a/b/c

     

    OTK was setup by someone else and I am using the OOB configurations.

    Do I need to change redirect uri? 



  • 14.  Re: OAuth 2.0 Steps

    Posted 09-13-2017 08:11 AM

    Hi Siddharth,

     

    Please review this article to resolve the message.

     

    CA API Management - Mismatching redirect_uri error for OAuth Clients 

     

    Regards,

    Joe