Layer7 API Management


Need OIDC and OAuth 2.0 example

  • 1.  Need OIDC and OAuth 2.0 example

    Posted Apr 01, 2020 05:21 AM
    We have installed OTK in the gateway in a dual-GW scenario. Please share your response on the below:

    1. When I say OIDC and OAuth, does it mean that we have to create separate authorization, token and userinfo endpoints for OIDC and OAuth? Or will a single set of these APIs achieve authentication and authorization?
    2. Our APIs support OIDC (Authorization Code) and the OAuth 2.0 framework. Can you please share a step-by-step development example to achieve this? I mean assertions and sequence in the policy, etc. A complete example please.

    Your quick response is highly appreciated.

    ------------------------------
    Sachin
    Tech Lead
    ------------------------------


  • 2.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 02, 2020 05:10 AM
    If you installed the OTK toolkit, perform the post-installation scripts:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/post-installation-tasks.html

    Ref: 
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/verify-the-installation/run-the-oauth-2-0-test-client.html

    It provides you with a playground to play with a sample client:
    https://<urGW>:<urPort>/oauth/v2/client/bcp


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 3.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 02, 2020 05:23 AM
    Thanks for your reply Ronald.
    I am more interested in the OIDC + OAuth authentication and authorization policy configuration steps through Policy Manager. This way I can develop my APIs and test them with the L7 OIDC and OAuth framework.

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 4.  RE: Need OIDC and OAuth 2.0 example
    Best Answer

    Broadcom Employee
    Posted Apr 02, 2020 10:46 AM
    Hello,

    Everything you need to support OIDC and the auth code flow is there OOB; you don't need to develop anything additional to perform an auth code flow. You would configure your applications with the gateway authorization and token endpoints and the client information that you registered via OAuth Manager.
    The token endpoint is /auth/oauth/v2/token
    The authorization endpoint is /auth/oauth/v2/authorization
    The userinfo endpoint is /openid/connect/v1/userinfo

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/oauth-request-scenarios.html

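The client side of the flow the answer above describes, as an added example that is not part of the original thread and not OTK's own code. It builds the request to /auth/oauth/v2/authorization, checks the callback, prepares the POST body for /auth/oauth/v2/token, and validates the returned id_token before any claim is trusted. The gateway host, the client_id/client_secret registration, the redirect URI and the issuer string are hypothetical placeholders; PKCE parameters are sent on the assumption that the gateway accepts them. The id_token is verified with HS256 keyed by the client secret so the example runs offline; a gateway that signs with RS256 must be verified against its JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (hypothetical): gateway host, the client registered in OAuth Manager,
# and the issuer string the gateway puts into the id_token "iss" claim.
GATEWAY = "https://gw.example.com:8443"
AUTHORIZE_EP = GATEWAY + "/auth/oauth/v2/authorization"
TOKEN_EP = GATEWAY + "/auth/oauth/v2/token"
USERINFO_EP = GATEWAY + "/openid/connect/v1/userinfo"
ISSUER = GATEWAY
CLIENT_ID = "my_app"        # client_key from OAuth Manager (hypothetical)
CLIENT_SECRET = "s3cret"    # client_secret from the same registration (hypothetical)
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login():
    """Step 1: build the redirect to the authorization endpoint.
    Returns (url, session); session holds per-login secrets the client keeps
    server-side to validate what comes back."""
    session = {
        "state": b64url(secrets.token_bytes(16)),     # ties the callback to this login (anti-CSRF)
        "nonce": b64url(secrets.token_bytes(16)),     # must reappear inside the id_token
        "verifier": b64url(secrets.token_bytes(32)),  # PKCE code_verifier
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",  # "openid" is what turns plain OAuth into OIDC
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": b64url(hashlib.sha256(session["verifier"].encode()).digest()),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_EP + "?" + urlencode(params), session


def handle_callback(redirect_url: str, session: dict) -> str:
    """Step 2: the gateway sends the browser back; check state before trusting the code."""
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def token_request(code: str, session: dict) -> dict:
    """Step 3: form-encoded body to POST to TOKEN_EP (client credentials sent in the body)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri sent in step 1
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code_verifier": session["verifier"],
    }


def validate_id_token(id_token: str, session: dict, now=None) -> dict:
    """Step 4: verify signature, issuer, audience, nonce and expiry before using any claim."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"alg {header.get('alg')!r} not handled here; verify against the gateway JWKS")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("id_token signature invalid")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    if CLIENT_ID not in aud:
        raise ValueError("id_token was not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: id_token replayed or not from this login")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims


def build_test_id_token(session: dict, sub: str = "alice", lifetime: int = 300) -> str:
    """Constructed sample: mints an HS256 id_token shaped like the gateway's so the flow
    can be exercised without a live OTK. This is test scaffolding, not gateway output."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "nonce": session["nonce"],
              "iat": now, "exp": now + lifetime}
    signing_input = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)
```

After the token response arrives, the access_token goes to USERINFO_EP as `Authorization: Bearer <access_token>`; the `sub` returned there should equal the `sub` in the validated id_token. The state and nonce checks are what stop a code or id_token minted for a different login from being accepted, so keep the session values server-side rather than in a cookie the browser can edit.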



  • 5.  RE: Need OIDC and OAuth 2.0 example

    Broadcom Employee
    Posted Apr 02, 2020 11:35 AM
    Hi Sachin,

    There is a Layer7 video specifically on OAuth and OIDC  that might be helpful:
    https://www.youtube.com/watch?v=v9J95jLXzhI&feature=youtu.be  

    Also, there is a TechTalk coming up on April 29th: 
     https://apiacademy.co/2020/02/techtalks-are-back/  

    Simon Crum
    Lead Technical Writer  |
    Security and API Management
    Broadcom
    604 233 9604


  • 6.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 03, 2020 01:35 AM
    Thanks Simon. I will go through it.

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 7.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 03, 2020 01:35 AM
    Thanks Berry for your valuable comments. I am new to the CA gateway, so I am asking you multiple questions. Apologies for the trouble...

    When the client application calls the authorization endpoint, it will be redirected to a login page where the user has to enter their credentials (username and password) and give consent. The question is which credentials the user has to provide here. Are these credentials related to an external identity provider like LDAP, or are these the credentials registered in OAuth Manager? I don't know whether credentials are stored in OAuth Manager or somewhere else.

    If these credentials are stored in the gateway, then before the authorization call, does the user need to be registered in the gateway with a username and password? If yes, then how: through OAuth Manager or something else?


    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 8.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 03, 2020 07:41 AM
    You can authenticate the user against an IdP (federated IdP or LDAP).
    Customization:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/customizing-the-oauth-toolkit/customizing-policies.html

    To provide LDAP-related configuration: this is the policy you can customize to add your own LDAP or use the internal IdP.
    -- OTK User Authentication Extension (Folder: /OTK/customization/authentication)
     --- Here you provide the assertion to authenticate against:
    • LDAP
    • SiteMinder
    • Federated Auth Provider

    -- OTK User Attribute Look Up Extension (Folder: /OTK/customization/authentication)
     -- Once the user is authenticated and you want to extract information like profile, email, first name and last name from the relevant endpoint, that customization is done in this policy.



    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/otk-user-role-configuration.html

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 9.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 03, 2020 11:06 AM
    Hi Sachin,

    By default the login page takes credentials and validates them against the Internal Identity Provider of the gateway (where admin user credentials are stored). You can either create a new user in the IIP and use its credentials (this user will then become the resource_owner of the auth_code and access_token) or configure the policy to authenticate against an Identity Provider of your choice (LDAP, database, etc.).

    ------------------------------
    Services Consultant
    HCL Technologies
    ------------------------------



  • 10.  RE: Need OIDC and OAuth 2.0 example

    Posted Apr 27, 2020 03:30 AM
    Edited by phinix nic Apr 27, 2020 03:30 AM
    This is really amazing. Great information about blog.


  • 11.  RE: Need OIDC and OAuth 2.0 example

    Broadcom Employee
    Posted Apr 27, 2020 03:14 PM

    Glad the blog helped.
    If you're interested, there's a free tech talk tomorrow on OAuth and OpenID Connect.

    Should be really good:

    https://register.gotowebinar.com/register/5604605896898609155

    9 am to 10 am PST. 

    Simon



    ------------------------------
    Lead Writer, APIM
    Broadcom
    ------------------------------