Sascha Preibisch

OAuth Toolkit (OTK) and IFTTT - Tutorial

Blog Post created by Sascha Preibisch Employee on Jun 25, 2018

Hi everybody!


First of all, thanks to everybody who participated in the OTK + IFTTT webcast of last week. I hope it was useful!


In the meantime I have updated the artifacts and placed them in GitHub so that anybody can try the tutorial themselves. It contains the following:

  • a docker-compose file. Using that will launch a CA API Gateway 9.3 including OTK and the IFTTT APIs of the webcast. Note: OTK is ready to go, no need for any configurations!
  • a SOAPUI project which can be used to verify that the CA API Gateway is up and running. It includes tests for the IFTTT APIs but also a test suite for OTK. Feel free to leverage that in other OTK related projects
  • Instructions for configurations


As an existing customer it should only take you a few minutes to get the system up and running, otherwise you will have to request a CA API Gateway license first. How to get it is described in the tutorial.


Content of the tutorial

The tutorial is built around the virtual bank 'CA OTK Tutorial Bank', which wants to engage more with its customers. For that reason it has created an application called 'Account Monitor'. 'Account Monitor' allows customers to get notified if a selected account has changed by a given amount. One feature is the ability for customers to receive an email notification. The other one enhances the usability of the online banking web site: if the account has changed and the user logs into the online banking system, they land directly at the referenced account, with no need to choose it first.


The setup looks something like this (taken from the presentation):


Something to keep in mind

It is very easy to get started with OTK and IFTTT. However, it is important to remember how IFTTT works. IFTTT is a platform that allows anyone to build an application. End users are then able to combine these applications in many different ways. IFTTT itself is an OAuth client of each application. As a consequence, IFTTT is always part of the communication flow between combined applications and sees every payload that passes between them. For that reason, no sensitive data should be exchanged or exposed via an application.


In the tutorial, the 'Account Monitor' notifies end users about the account, the amount, and a transaction id. In a real-life scenario 'Account Monitor' should just notify the user that a change has happened, with minimal details included. What to expose is very much a per-use-case question; the architecture of IFTTT, as an intermediary in the flow, just needs to be considered.
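To make the data-minimization point concrete, here is an added example (not part of the tutorial or the OTK APIs) of what the bank's backend could hand to IFTTT instead of the full event. It keeps the deep-link feature by replacing account details with an opaque, single-use reference that only the bank can resolve after the user logs in; the sample event, the field names and the in-memory store are all assumptions for illustration.

```python
import secrets

# Constructed sample event as the bank's backend sees it (not from the tutorial).
FULL_EVENT = {
    "user_id": "alice",
    "account_number": "DE89370400440532013000",
    "amount": 1250.00,
    "transaction_id": "TX-0042",
}

SENSITIVE_FIELDS = ("account_number", "amount", "transaction_id")


def minimize_for_intermediary(event, store):
    """Build the payload handed to IFTTT, which sits between the bank and the
    end user's other services and sees everything we send.

    The account, amount and transaction id stay at the bank. An opaque
    reference is stored server-side (assumption: a real deployment would use a
    database with an expiry) so the online banking site can still land the
    user on the right account after login. Whether to include a last-4-digit
    hint is a per-use-case decision; it is included here for readability.
    """
    ref = secrets.token_urlsafe(16)
    store[ref] = {"user_id": event["user_id"],
                  "account_number": event["account_number"]}
    return {
        "event": "account_changed",
        "account_hint": "..." + event["account_number"][-4:],
        "ref": ref,
    }


def resolve_reference(ref, logged_in_user, store):
    """Called by online banking after login: map the reference back to the
    account. The reference is single-use and bound to the user it was issued
    for, so a reference that leaks through the intermediary is worthless to
    anyone else."""
    entry = store.pop(ref, None)
    if entry is None or entry["user_id"] != logged_in_user:
        return None
    return entry["account_number"]


def leaks_sensitive_fields(payload):
    """Guard to run before anything is sent to the intermediary."""
    return any(field in payload for field in SENSITIVE_FIELDS)
```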



The tutorial can be found in GitHub, right here! Clone or download the project and switch into the directory ca-apim-otk-and-ifttt. The easiest way to use it is to have the file in that directory open in a browser while setting up the system.


The presentation and the replay are located here: [RECAP] OAuth integration with IFTTT - June 19, 2018 


As always, any feedback is welcome!