Layer7 API Management


Sample policy for GW to reach a remote Oauth protected API

  • 1.  Sample policy for GW to reach a remote Oauth protected API

    Posted 03-11-2020 05:47 PM
    We use ver 9.4 and OTK.
    We have implemented an Authorization fragment to authenticate Oauth2 access to our APIs.
    We also have to post to third party APIs from the GW but I have not been able to figure that out nor find an example.

    Can someone please help with a sample implementation or point me in the right direction?

    Bob Kohler


  • 2.  RE: Sample policy for GW to reach a remote Oauth protected API

    Posted 03-11-2020 06:41 PM
    Dear Bob,
    Is the gateway working as an OAuth authentication server?
    If yes, you don't need extra policy, as the OTK implements the OAuth server. You just need to create an OAuth client (usually an OAuth client for an app); the app (OAuth client) calls the OTK authentication API, retrieves the OAuth token after authentication, and then calls the gateway API with the token (in the gateway API, use the "OTK Require OAuth 2.0 Token" assertion to validate the token).
    You may refer to the OTK documentation for more details:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/registering-clients-with-the-oauth-manager.html
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/apis-and-assertions.html

    If you installed the OAuth test client while installing the OTK, it is a good example of using the OTK APIs for the different OAuth flows:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/verify-the-installation/run-the-oauth-2-0-test-client.html

    If you are not using the OTK as the OAuth server, but authenticate against a 3rd-party OAuth server, you may refer to the documentation/specification of that OAuth server on how to perform OAuth authentication.

    Regards,
    Mark


  • 3.  RE: Sample policy for GW to reach a remote Oauth protected API

    Posted 03-13-2020 06:29 PM
    Thanks, I've been tinkering with RetrieveOAuthToken, but I was wondering how to manage the token after retrieval.  Like if it lasts 60 minutes before refreshing it.


  • 4.  RE: Sample policy for GW to reach a remote Oauth protected API
    Best Answer

    Posted 03-15-2020 06:36 PM
    The token should usually be retrieved and kept on the client side; if you retrieve the token on the gateway, you can set the cookie with the "Manage Cookie" assertion.

    The lifetime of the token is another thing; it is maintained by the OAuth server. For the OTK, you may refer to:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/customizing-the-oauth-toolkit/configure-token-lifetime-properties.html

    Regards,
    Mark
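The token-lifetime handling asked about in reply 3 and answered above, as an added example that is not part of this thread and not Layer7 gateway policy: a client-credentials token cache that renews the access token shortly before the lifetime reported by the authorization server runs out, and a one-shot retry when the resource server rejects the token. The token endpoint and the outbound POST are injected callables (assumed names) so the code runs offline; a real deployment would put a token-endpoint POST and the Bearer-authenticated POST behind them.

```python
"""Expiry-aware OAuth2 client-credentials token cache (added example)."""
import time
from typing import Callable, Dict, Optional

# Assumed shape: an RFC 6749 token response, e.g. {"access_token": "...", "expires_in": 3600}
TokenResponse = Dict[str, object]


class CachedTokenSource:
    """Caches one access token and proactively re-fetches it before it expires."""

    def __init__(self, fetch: Callable[[], TokenResponse],
                 refresh_margin: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch            # assumed: POSTs grant_type=client_credentials to the token endpoint
        self._margin = refresh_margin  # seconds before expiry at which the token is renewed
        self._clock = clock            # injectable so lifetime behaviour can be tested offline
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def token(self) -> str:
        """Return a token that is valid for at least `refresh_margin` more seconds."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            self._renew()
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after the resource server answered 401."""
        self._token = None

    def _renew(self) -> None:
        resp = self._fetch()
        self.fetch_count += 1
        self._token = str(resp["access_token"])
        # No expires_in means no lifetime hint: treat the token as already stale,
        # so every use re-fetches rather than reusing a token of unknown validity.
        self._expires_at = self._clock() + int(resp.get("expires_in", 0))


def post_with_bearer(source: CachedTokenSource,
                     send: Callable[[Dict[str, str], bytes], int],
                     body: bytes) -> int:
    """POST with the cached token; on 401 discard it and retry exactly once."""
    status = send({"Authorization": "Bearer " + source.token()}, body)
    if status == 401:
        source.invalidate()
        status = send({"Authorization": "Bearer " + source.token()}, body)
    return status
```

With a 3600-second `expires_in` and a 60-second margin, the token is reused for 3540 seconds and then renewed on the next use, which is the "refresh before it lapses" behaviour the question is after.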


  • 5.  RE: Sample policy for GW to reach a remote Oauth protected API

    Posted 04-08-2020 11:26 AM
    Do you have a sample CA API policy where we retrieve an OAuth token as a client and turn around and use it to post a message?


  • 6.  RE: Sample policy for GW to reach a remote Oauth protected API

    Posted 03-12-2020 01:26 AM
    Hey Robert,

    In the Route via HTTP assertion you can configure the OAuth token for the remote APIs.

    It's located in the Authentication tab.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/policy-assertions/assertion-palette/message-routing-assertions/route-via-http-s-assertion.html

    Hope this helps