Layer7 API Management


OAuth 2.0 Steps

  • 1.  OAuth 2.0 Steps

    Posted Sep 07, 2017 06:43 AM

    Hi guys, I am working on Policy Manager v8.3 & OAuth 2.0 v3.4.0. I have Policy Manager installed with the OAuth Toolkit in Policy Manager.

     

    I know how OAuth works, but I am confused on how to implement it in Policy Manager.

     

    I want to secure one of my services (API Proxy) with OAuth 2.0. As of now I do not want to use API Portal.

    1. How can I get client_id, secret?
    2. Any grant type is fine as this is a demo.
    3. Which Assertion should I use in my policy?
    4. How will I get an access_token?
    5. How to validate it in my policy?

     

    I know I am asking too many questions. Please help me out with suggestions & sample policies if available.

    dasjo02

    Thanks



  • 2.  Re: OAuth 2.0 Steps
    Best Answer

    Broadcom Employee
    Posted Sep 07, 2017 08:31 AM

    Hi Siddharth,

     

    I have included some reference points below to help you here. A sample policy of an OAuth protected endpoint is attached. Let me know of any questions.

     

    1. You will need to register a client in OAuth Manager

    ref:  Using the OAuth Manager - CA API Management OAuth Toolkit - 3.0 - CA Technologies Documentation 

     

    2. To generate tokens using the different grant types

    ref: OAuth Request Scenarios - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation 

     

    Example using client credentials:

     

    3. To protect a service using OAuth you can use the  'OTK Require OAuth 2.0 Token' assertion

    Ref: Secure an API Endpoint with OAuth - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation 

     

    4. Please refer to step 2 for generating the access / refresh tokens.

     

    5. This assertion mentioned in step 3 will validate the token

     

    Regards,

    Joe

    Attachment: oauth_protected.xml.zip (786 B)


  • 3.  Re: OAuth 2.0 Steps

    Posted Sep 08, 2017 07:24 AM

    Thanks dasjo02 for the detailed answer.

    Thanks crusi01 for the info. I re-checked & my Policy Manager version is 9.1.0 & OTK is 3.4.0.

     

    I logged into OAuth Client Manager & saw that one client for OAuth 2.0 was already there.

    In List Keys I got the client_id, secret & scope values.

     

    I used https://api.layer7gateway.com/auth/oauth/v2/token?grant_type=client_credentials&client_id=****&client_secret=****&scope=****

    Added the Header & used POST Verb

     

    It is giving me "invalid client credentials" (401 Unauthorized).

     

    Any idea why I am getting an error? I am giving the correct client_id, secret & scope as per the OAuth 2.0 client.



  • 4.  Re: OAuth 2.0 Steps

    Broadcom Employee
    Posted Sep 08, 2017 09:01 AM

    Hi siddharth-b,

     

    I typically see this when the client_id and/or client_secret are incorrect.

     

    What header value are you adding? The client_id/client_secret should appear only in the message body OR in the request header as a base64-encoded value. It should not appear in both. See my example below using the default test clients; notice no headers are being added, as I have the values as part of the body. If using the header, however, I would also make sure the type is set correctly to Basic (not Bearer, as that is for tokens):

     

    i.e.:

    Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=

     

    If you could provide a screenshot of your setup it may provide more information, blanking out any sensitive details.

     

     

    Regards,

    Joe
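Joe's point about where the client credentials go, as an added example (my code, not the thread's or the OAuth Toolkit's): it builds the client_credentials POST both ways, decodes the Basic header value quoted above, and flags the mistakes discussed in this thread. The host is the one from the thread; the client id, secret and scope are made up.

```python
"""Client authentication for the OTK token endpoint (client_credentials grant).

Added example, not code from the thread or from the OAuth Toolkit. The host is
the one used in the thread; client id, secret and scope are made up.
Rule (RFC 6749 section 2.3.1): the client secret goes in an
'Authorization: Basic' header or in the form-urlencoded POST body, in one
place only, and never in the URL query string.
"""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

TOKEN_URL = "https://api.layer7gateway.com/auth/oauth/v2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: percent-encode id and secret, join with ':', base64 it."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def decode_basic(header_value: str) -> tuple:
    """Inverse of basic_auth_header, useful when checking what a client sent."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    return unquote(client_id), unquote(secret)


def build_token_request(client_id, client_secret, scope=None,
                        client_auth="header", grant_type="client_credentials",
                        **grant_params):
    """Return (method, url, headers, body) for a POST to the token endpoint.

    client_auth='header' puts the credentials in Authorization: Basic;
    client_auth='body' puts client_id/client_secret in the form body.
    grant_params lets the same builder serve other grants, e.g.
    grant_type='password' with username=..., password=... .
    """
    if client_auth not in ("header", "body"):
        raise ValueError("client_auth must be 'header' or 'body'")
    form = {"grant_type": grant_type, **grant_params}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "header":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return "POST", TOKEN_URL, headers, urlencode(form)


def lint_token_request(method, url, headers, body):
    """List the mistakes that produce a 401 (or leak the secret into logs)."""
    problems = []
    query = parse_qs(urlsplit(url).query)
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    if method != "POST":
        problems.append("token requests must be POST")
    if "client_secret" in query or "client_id" in query:
        problems.append("client credentials in the query string (the 401 in "
                        "this thread); the secret also lands in access logs")
    in_header = auth.startswith("Basic ")
    in_body = "client_secret" in form
    if in_header and in_body:
        problems.append("client credentials sent in both header and body")
    if not in_header and not in_body:
        problems.append("no client authentication at all")
    if auth.startswith("Bearer "):
        problems.append("Bearer is for access tokens; client auth uses Basic")
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        problems.append("body must be application/x-www-form-urlencoded")
    return problems


# The request the thread ended up with: credentials in the Basic header only.
GOOD = build_token_request("demo_client", "demo_secret", scope="oob")

# The request that got 401 in the thread: everything in the query string.
BAD = ("POST",
       TOKEN_URL + "?grant_type=client_credentials&client_id=demo_client"
                   "&client_secret=demo_secret&scope=oob",
       {"Content-Type": "application/x-www-form-urlencoded"},
       "")

if __name__ == "__main__":
    print(decode_basic("Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ="))
    print("good:", lint_token_request(*GOOD))
    print("bad:", lint_token_request(*BAD))
```

Running the block decodes the header value from the post above to ("client_id", "client_secret") and shows the query-string variant failing the lint while the header variant passes.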



  • 5.  Re: OAuth 2.0 Steps

    Posted Sep 08, 2017 09:07 AM

    Ok, I was passing the client_id, secret & scope as query params in the URL. I will try sending them as URL-encoded values or as an Auth header with a Basic <base64encoded> value.

     

    In the header I set Content-Type - x-www-urlencoded



  • 6.  Re: OAuth 2.0 Steps

    Posted Sep 08, 2017 12:03 PM

    Thanks for your support dasjo02. I am able to generate a token & validate it also.

    Earlier I was making a mistake by passing the data in query params. After sending them as URL-encoded values I got the token.

     

    I will also be working on JWT & Auth code. Will get in touch with you in case of queries!



  • 7.  Re: OAuth 2.0 Steps

    Broadcom Employee
    Posted Sep 07, 2017 08:52 AM

    A few samples on submitting the access token to the OAuth protected endpoint:

     

    Query Parameter

     

    Form body

     

    Authorization header
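The three ways of submitting the access token listed in this post, as an added example that is not from the thread or the OTK: the client side builds each form of request, and a server-side extractor applies the RFC 6750 rules, including refusing a request that carries the token in more than one place. The protected path and the token value are assumed; validating the extracted token is what the 'OTK Require OAuth 2.0 Token' assertion does on the gateway and is not reproduced here.

```python
"""Presenting a bearer access token to an OAuth-protected endpoint, and the
server-side extraction rules of RFC 6750. Added example; not code from the
thread or the OAuth Toolkit. The protected URL and the token are made up.

RFC 6750 defines three transports for a bearer token:
  2.1 Authorization: Bearer <token>     (preferred)
  2.2 form body  access_token=<token>   (POST, x-www-form-urlencoded only)
  2.3 query      ?access_token=<token>  (discouraged: the token ends up in logs)
A client must not use more than one of them in a single request, and the
resource server should reject a request that does.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

PROTECTED_URL = "https://api.layer7gateway.com/demo/protected"  # assumed path


def present_token(token, how="header"):
    """Client side: return (method, url, headers, body) with the token in
    exactly one location."""
    if how == "header":
        return "GET", PROTECTED_URL, {"Authorization": "Bearer " + token}, ""
    if how == "form":
        return ("POST", PROTECTED_URL,
                {"Content-Type": "application/x-www-form-urlencoded"},
                urlencode({"access_token": token}))
    if how == "query":
        return ("GET", PROTECTED_URL + "?" + urlencode({"access_token": token}),
                {}, "")
    raise ValueError("how must be header, form or query")


def extract_bearer(method, url, headers, body):
    """Server side: locate the bearer token the way RFC 6750 section 2 says.

    Returns {"ok": True, "token": ..., "source": ...} when exactly one token
    is present, otherwise {"ok": False, "status": 401 or 400, ...}.
    The token is opaque here; checking it is the gateway's job.
    """
    found = []
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        found.append((value.strip(), "header"))
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    # 2.2: body method only counts for a form-encoded body on a non-GET request
    if method != "GET" and ctype == "application/x-www-form-urlencoded":
        body_tokens = parse_qs(body).get("access_token", [])
        if body_tokens:
            found.append((body_tokens[0], "form"))
    query_tokens = parse_qs(urlsplit(url).query).get("access_token", [])
    if query_tokens:
        found.append((query_tokens[0], "query"))
    if not found:
        # 3.1: no token at all -> 401 with WWW-Authenticate: Bearer, no error code
        return {"ok": False, "status": 401, "error": None,
                "detail": "no bearer token; reply with WWW-Authenticate: Bearer"}
    if len(found) > 1:
        # 2: more than one method in one request is malformed -> invalid_request
        return {"ok": False, "status": 400, "error": "invalid_request",
                "detail": "token supplied via " + ", ".join(s for _, s in found)}
    token, source = found[0]
    return {"ok": True, "token": token, "source": source}


if __name__ == "__main__":
    for how in ("header", "form", "query"):
        print(how, extract_bearer(*present_token("abc123", how)))
```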



  • 8.  Re: OAuth 2.0 Steps

    Broadcom Employee
    Posted Sep 07, 2017 06:49 PM

    Hi Siddharth,

    (Thanks for responding Joe).

     

    Be sure that you are using compatible versions of the Policy Manager (CA API Gateway) and the OTK. 
    For CA API Gateway 8.3, the supported OTK version is 3.0. 
    CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 3.0 - CA Technologies Documentation 

    For CA API Gateway 9.1, the supported OTK version is 3.4
    CA API Management OAuth Toolkit - Home - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation 

     

    Simon



  • 9.  Re: OAuth 2.0 Steps

    Posted Sep 11, 2017 10:43 AM

    Hi dasjo02, how can I use the password grant type, which requires username/password?

     

    Which policy/service should I refer to in Policy Manager OTK?

    It has to be authenticated via some IdP, right?

     

    Any examples of other grant types would be great. 

     

    Thanks 



  • 10.  Re: OAuth 2.0 Steps

    Broadcom Employee
    Posted Sep 11, 2017 01:23 PM

    Hi Siddharth,

     

    The resource owner password credentials grant details can be found as part of the documentation mentioned above, specifically:

     

    OAuth Request Scenarios - CA API Management OAuth Toolkit - 3.2 - CA Technologies Documentation 

     

    The request is to the /auth/oauth/v2/token endpoint.

     

    By default, the resource owner (uid/pw) is authenticated against the internal identity provider. In the example below I have a user in the IIDP named ADMIN with a password of PASSWORD1 (a sample password; that would be terrible for security).

     

     

    Regards,

    Joe



  • 11.  Re: OAuth 2.0 Steps

    Posted Sep 11, 2017 01:43 PM

    Yeah I figured it out after posting the question here.  

     

    Now I'm trying Auth code & JWT, for which I need an auth code & an assertion JWT.

     

    Should I be using the response_type=token endpoints to get them?



  • 12.  Re: OAuth 2.0 Steps

    Broadcom Employee
    Posted Sep 13, 2017 02:39 AM

    Hi siddharth-b ,

    Please check OAuth API Endpoints - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation for the different flows.

    authcode should be this one, OAuth API Endpoints - CA API Management OAuth Toolkit - 3.4 - CA Technologies Documentation 

     

    You can also check the policy of the OAuth test clients as an example,

    /oauth/v2/client/authcode

    etc.

    under "OAuth 2.0 Test Clients" folder

     

    Regards,

    Mark



  • 13.  Re: OAuth 2.0 Steps

    Posted Sep 13, 2017 07:31 AM

    Thanks Mark for the links.

    I was able to make calls through the Test Clients.

    But for Auth code & Implicit, when I click on initiate I get an error:

    error:invalid_redirect_uri
    error-desc: mismatching redirect_uri https://api.layer.com:443/a/b/c

     

    OTK was setup by someone else and I am using the OOB configurations.

    Do I need to change redirect uri? 



  • 14.  Re: OAuth 2.0 Steps

    Broadcom Employee
    Posted Sep 13, 2017 08:11 AM

    Hi Siddharth,

     

    Please review this article to resolve the message.

     

    CA API Management - Mismatching redirect_uri error for OAuth Clients 

     

    Regards,

    Joe
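The authorization code flow asked about in the later posts (it uses response_type=code; response_type=token is the implicit flow), together with the redirect_uri comparison that produces the "mismatching redirect_uri" error, as an added example (mine, not the thread's, the OTK test clients' or the linked article's). The /auth/oauth/v2/authorize path, the demo client registration and the code value are assumptions; the error field names follow RFC 6749 (error_description rather than the "error-desc" shorthand above).

```python
"""Authorization code flow against the OTK endpoints, with the redirect_uri
check that produces 'invalid_redirect_uri' / 'mismatching redirect_uri'.
Added example; not code from the thread, the OTK test clients or the
knowledge-base article. The authorize path is assumed (only the token path
appears in the thread); client id, secret, registered redirect URIs and the
issued code are made up.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://api.layer7gateway.com"
AUTHORIZE_URL = GATEWAY + "/auth/oauth/v2/authorize"  # assumed OTK path
TOKEN_URL = GATEWAY + "/auth/oauth/v2/token"          # path from the thread


def build_authorize_url(client_id, redirect_uri, scope, state,
                        response_type="code"):
    """Step 1: the client sends the user's browser here. state is a fresh,
    unguessable value the client stores and checks again on the callback."""
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def check_redirect_uri(registered, requested):
    """Step 2 (server side): RFC 6749 3.1.2.3 requires a simple string
    comparison against the registered redirect URIs. No prefix match and no
    normalisation, so 'https://h/cb' and 'https://h:443/cb' do not match."""
    if requested in registered:
        return None
    return {"error": "invalid_redirect_uri",
            "error_description": "mismatching redirect_uri " + requested}


def parse_callback(callback_url, expected_state):
    """Step 3 (client side): read code and state off the redirect; refuse a
    callback whose state is missing or different (CSRF on the callback)."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return {"error": "state mismatch"}
    if "error" in q:
        return {"error": q["error"][0]}
    return {"code": q["code"][0]}


def build_code_exchange(client_id, client_secret, code, redirect_uri):
    """Step 4: swap the code for tokens at the token endpoint. redirect_uri
    must repeat the value sent in step 1; the server checks they match."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return "POST", TOKEN_URL, headers, body


# Constructed registration for a demo client: the exact string is what counts.
REGISTERED = ["https://client.example.com/callback"]


def demo():
    """Run the flow end to end with constructed values; returns the error the
    gateway would send for a near-miss redirect_uri and the code exchange."""
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("demo_client", REGISTERED[0], "oob", state)
    # What the gateway does with the redirect_uri carried in that URL:
    requested = parse_qs(urlsplit(url).query)["redirect_uri"][0]
    assert check_redirect_uri(REGISTERED, requested) is None
    # Same host and path, explicit :443 port: rejected by string comparison.
    err = check_redirect_uri(REGISTERED, "https://client.example.com:443/callback")
    # Simulated successful redirect back to the client (code value made up):
    cb = REGISTERED[0] + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA",
                                          "state": state})
    code = parse_callback(cb, state)["code"]
    return err, build_code_exchange("demo_client", "demo_secret", code,
                                    REGISTERED[0])


if __name__ == "__main__":
    print(demo())
```

The fix for the error in the thread is therefore on the registration side: the redirect_uri the test client sends has to be registered for that client character for character (scheme, host, port, path, trailing slash), which is what the linked article walks through.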