Layer7 API Management

Expand all | Collapse all

OTK : How to secure API?

  • 1.  OTK : How to secure API?

    Posted 12-25-2016 12:24 PM

    I have just setup OTK 3.0 and can access oauth/manager and /oauth/v2/client/authcode .  I have created new client key and  now try to use in my API policy.  I have drop fragment OTK require 2.0 and try to pass access_token thru query parameter.  But it is not working.  Need Help.   Sample Policy and soap call.  Any other documentation which can help me to use other OTK fragment?





  • 2.  Re: OTK : How to secure API?

    Broadcom Employee
    Posted 12-27-2016 09:29 AM

    Hi gangotri,


    You may want to take a look at this document: Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation 


    It is from a newer version of OTK but mostly still applies to your version. You can use the encapsulated assertion 'Require OAuth 2.0 Token' to retrieve the access token. Note encapsulated vs the policy fragment you mentioned. This can be found in your assertion palette.The token can be passed as an authorization header, ie: Authorization: Bearer <Token> or query parameter named as 'access_token'. 


    Example Request:


    The assertion logic is set to use either of these options as seen below. You can simply drag this to the top of your policy without further modification. As long as the token is passed in either manner (and the token is valid) you will gain access.




  • 3.  Re: OTK : How to secure API?

    Posted 12-27-2016 11:15 AM

    Can you guide me on generating new token.  It works thru soapui (see screen shot 1) but if I call same thing thru my API and calling the same backend token endpoint it gives error.  . see screen shot 2 as sample policy and screen shot 3 as soap call.




    gateway error log.

  • 4.  Re: OTK : How to secure API?

    Broadcom Employee
    Posted 12-27-2016 11:36 AM

    Can you change the content type to 'application/x-www-form-urlencoded' in SOAPUI and try this again? A full policy export of the endpoint that is routing to the token endpoint would also be helpful in debugging this.


    If that does not help it may be best to open a support case so we can review the policies further. 

  • 5.  Re: OTK : How to secure API?

    Posted 11-12-2018 05:19 PM

    Can you please add assertion to frame this API in this block.