Layer7 API Management

  • 1.  MAG: client credentials flow example

    Posted Aug 22, 2017 09:58 AM

    Does anyone have some example code showing how to use a client credentials grant flow to then call an OAuth-protected API with the MAG SDK?

    The docs are pretty useless.

    It talks about setting the grant flow here:

    Android Guides | CA Mobile App Services

    but not what you are supposed to do after that. I'd still expect some sort of 'login' to get a token (albeit one issued on a CC grant)... but none of the MASFoundation login methods seem appropriate.

    Flow I want here:

    - an API on the GW is secured to allow access only to client-credentials-granted tokens (it is a password reset API, so no user can be logged on at this point)

    - policy on the GW is easy enough and already written (checks subscriber_id is a trusted client name)

    In non-SDK use, the app would simply call the /token API asking for a grant of client_credentials and passing the client id and secret, get the token back, and then use this token to call the protected API.

    Now, I'm assuming this is also possible with the SDK as it mentions the client credentials grant flow, but it seems to be only half described (MAS.setGrantFlow(MASConstants.MAS_GRANT_FLOW_CLIENT_CREDENTIALS);)

    What then? I'd expect to have to do a CC login before I construct the call to my protected API, surely?
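    The non-SDK flow described in this post, written out as an added Java example (it is not code from the thread, from CA, or from the MAG SDK): the client authenticates to the token endpoint with its id and secret, asks for grant_type=client_credentials, and then presents the returned access token as a Bearer credential on the protected password reset API. The gateway host, the token endpoint path /auth/oauth/v2/token, the API path /api/password/reset, the scope name and the client id/secret are all placeholders assumed for the example, and org.json (bundled with Android) is used for the JSON handling.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.json.JSONException;
import org.json.JSONObject;

/** Plain-HTTP OAuth 2.0 client credentials grant against MAG/OTK, with no MAG SDK involved. */
public class ClientCredentialsExample {

    // Assumed values: gateway host, OTK token endpoint path and the protected API path.
    // Replace them with the ones published on your own gateway.
    private static final String GATEWAY = "https://gateway.example.com";
    private static final String TOKEN_ENDPOINT = GATEWAY + "/auth/oauth/v2/token";
    private static final String PASSWORD_RESET_API = GATEWAY + "/api/password/reset";

    /** Step 1: POST grant_type=client_credentials to /token and return the access token. */
    static String requestClientCredentialsToken(String clientId, String clientSecret, String scope)
            throws IOException, JSONException {
        HttpURLConnection conn = (HttpURLConnection) new URL(TOKEN_ENDPOINT).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        // RFC 6749 section 2.3.1: the client id and secret go in an HTTP Basic Authorization
        // header, not in the query string, so they do not end up in access logs.
        // java.util.Base64 needs Android API 26+; older levels can use android.util.Base64.
        String credentials = clientId + ":" + clientSecret;
        String basic = Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + basic);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Accept", "application/json");

        StringBuilder form = new StringBuilder("grant_type=client_credentials");
        if (scope != null && !scope.isEmpty()) {
            form.append("&scope=").append(URLEncoder.encode(scope, "UTF-8"));
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(form.toString().getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("token endpoint answered HTTP " + conn.getResponseCode());
        }
        JSONObject token = new JSONObject(readAll(conn.getInputStream()));
        // Only a bearer token can be used in step 2; refuse anything else rather than guess.
        if (!"bearer".equalsIgnoreCase(token.optString("token_type"))) {
            throw new IOException("unexpected token_type: " + token.optString("token_type"));
        }
        return token.getString("access_token");
    }

    /** Step 2: call the CC-protected API, presenting the token as a Bearer credential. */
    static int callPasswordResetApi(String accessToken, String email)
            throws IOException, JSONException {
        HttpURLConnection conn = (HttpURLConnection) new URL(PASSWORD_RESET_API).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        conn.setRequestProperty("Content-Type", "application/json");
        String body = new JSONObject().put("email", email).toString();
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        // 401 here means the gateway rejected the token (expired, wrong scope, or the
        // subscriber_id is not one of the trusted client names in the policy).
        return conn.getResponseCode();
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toString(StandardCharsets.UTF_8.name());
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder credentials; the real ones come from the MAG client registration.
        String token = requestClientCredentialsToken("my-client-id", "my-client-secret", "password_reset");
        int status = callPasswordResetApi(token, "user@example.com");
        System.out.println("password reset API returned HTTP " + status);
    }
}
```

    Two consequences of this design matter on the GW side. The token carries only the client's identity, so the policy's subscriber_id check (trusted client name) is the entire access decision for the reset API; and because the client secret ships inside the app package, the reset endpoint should be rate-limited and should answer identically whether or not the supplied address belongs to an account.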




  • 2.  Re: MAG: client credentials flow example

    Posted Aug 22, 2017 02:32 PM

    Hi Smith,

    Thanks for posting a question, and I'm sorry for the confusion from the doc.

    The primary purpose of the SDK is to make application developers' lives easy when building an app using MAG and OTK.

    In that sense, we made it pretty simple for client credentials: after setting the grant flow of the SDK, all you have to do is simply invoke an API that you created. The SDK will take care of all device registration against MAG and anonymous authentication against OTK.

    To get into more detail, what happens on the Mobile SDK when you invoke an API is:

    1. The Mobile SDK will validate all credentials if the request is marked as a non-public request (which requires a valid token)
    2. If any credential is missing, the Mobile SDK will try to perform any registration or authentication as needed
    3. If end-user interaction is required (for user credentials in the password flow), the Mobile SDK will notify the application that some action needs to be taken from the application layer (displaying a login dialog or asking for user credentials)
    4. If no end-user interaction is required (for the client credentials flow), the Mobile SDK will take care of everything by itself

    It is also possible to explicitly authenticate the user in the password flow, but there is no explicit or implicit authentication required in the client credentials flow; you simply have to invoke an API.

    Hope this answers your question, and please let us know if you need any further assistance.

    Thanks,



  • 3.  Re: MAG: client credentials flow example

    Posted Aug 23, 2017 04:25 AM

    Thanks for your reply - some questions:

    1. How do you mark a request as being non-public?

    2. OK - so assuming we've set MAS to the CC grant flow, and marked the request (via the builder?) as non-public, I'd expect to see the SDK fire out a token request with client credentials to get a token, yes?

    An example would still be very much useful here. From the SDK side things might all be hidden, but from the GW side I very much need to know how to get it working, since my API has to accept CC tokens (and validate them) - as I say, that bit I've done - so I need to tell the mobile developers how to code to produce this call - I cannot build and test it myself from my location.



  • 4.  Re: MAG: client credentials flow example
    Best Answer

    Posted Aug 23, 2017 01:42 PM

    Hi,

    1. In Android, you can set this flag in MAGRequestBuilder.setPublic(). By default, the request is set as a non-public request, so it requires all registration and authentication.
    2. Yes, that's true.

    CA MAG & MAS: Android Tutorials for Developers - YouTube might be helpful, but I don't think this specifically covers how to make CC tokens; as I said, for CC, regardless of which state you are in (whether you are already anonymously authenticated or not, or registered or not), by simply invoking an API, the SDK will perform registration and authentication.

    Also, please keep in mind that the Android SDK's default grant flow is Password; you may want to double check that you have explicitly set the grant flow as client credentials.

    Please let me know if you need any further assistance.

    Thanks,
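    The four steps listed in reply 2 and the setPublic()/default-grant-flow points in reply 4, put together as an added Android example (this is not code from the thread, from CA, or from the MAS SDK documentation): select the CC grant flow once at start-up, build a non-public request (setPublic() is deliberately not called, since non-public is the default), and invoke it; the SDK then performs device registration and the client credentials token request itself before the call goes out. The page names the flag as MAGRequestBuilder.setPublic(); the example assumes the MASFoundation equivalent, MASRequest.MASRequestBuilder. The other class names beyond the two on the page (MAS.start, MASRequestBody.jsonBody, MASCallback, MASResponse) are from the public MASFoundation Android library as I know it and should be checked against the SDK version in use; the API path and JSON payload are constructed placeholders.

```java
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import com.ca.mas.foundation.MAS;
import com.ca.mas.foundation.MASCallback;
import com.ca.mas.foundation.MASConstants;
import com.ca.mas.foundation.MASRequest;
import com.ca.mas.foundation.MASRequestBody;
import com.ca.mas.foundation.MASResponse;
import java.net.URI;
import org.json.JSONObject;

/** Calls a CC-protected password reset API through the MAS SDK; there is no explicit login step. */
public class PasswordResetActivity extends Activity {
    private static final String TAG = "PasswordReset";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Initialise the SDK from assets/msso_config.json (gateway host, client id, scopes).
        MAS.start(this, true);
        // The SDK default is the password flow, so CC has to be selected explicitly, and before
        // the first invoke(); otherwise the SDK asks the app to show a login dialog instead.
        MAS.setGrantFlow(MASConstants.MAS_GRANT_FLOW_CLIENT_CREDENTIALS);
    }

    /** Triggers the reset. The path is a constructed placeholder; use the one published on the GW. */
    void requestPasswordReset(String email) {
        try {
            JSONObject payload = new JSONObject().put("email", email);
            // A relative URI is resolved against the gateway host from msso_config.json.
            // setPublic() is NOT called: the request stays non-public (the default), which is
            // what makes the SDK register the device and fetch a CC token before sending it.
            MASRequest request = new MASRequest.MASRequestBuilder(new URI("/api/password/reset"))
                    .post(MASRequestBody.jsonBody(payload))
                    .build();

            MAS.invoke(request, new MASCallback<MASResponse<JSONObject>>() {
                @Override
                public void onSuccess(MASResponse<JSONObject> response) {
                    // By now the SDK has done device registration (if needed) and the /token
                    // call with client credentials, and sent this request with the Bearer token.
                    Log.i(TAG, "reset accepted, HTTP " + response.getResponseCode());
                }

                @Override
                public void onError(Throwable e) {
                    // Typical causes: CC grant not enabled for this client on OTK, the grant flow
                    // left at the password default, or the GW policy rejecting this subscriber_id.
                    Log.e(TAG, "reset call failed", e);
                }
            });
        } catch (Exception e) {
            Log.e(TAG, "could not build request", e);
        }
    }
}
```

    For the GW side, the observable sequence from this client is a device registration call on first use, then a POST to the OTK token endpoint with grant_type=client_credentials, then the reset API request carrying the resulting Bearer token; if the gateway logs show a login or authorize request instead, the grant flow was not switched to client credentials before the first invoke().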