Security Policy - OAuth 2.0


OAuth 2.0 is an authorization protocol that enables applications to access information on behalf of users.
In OAuth, the client accesses that information at the resource using an access token.

How to get the access token?
1. The application passes its key and secret to the service provider's authorization endpoint and receives an access token.
2. Once the access token is received, it can be used to access the service provider's resources.
3. The service provider can set an expiration on the access token.
4. When it expires, the application repeats the steps above to obtain a new access token.

There are different ways to implement OAuth, depending on the grant type. These are the grant types:
- Client Credentials
- Resource Owner Password Credentials
- Authorization Code
- Implicit

Understand the roles below before implementing OAuth.
resource owner:
- It is capable of granting access to a protected resource.
resource server:
- It hosts the protected resources (the details the client needs) and serves them only to requests carrying a valid access token.
client (application):
- It makes calls to the protected resource using the resource owner's authorization.
authorization server:
- It issues the access_token after successfully authenticating the resource owner.

Client Credentials (Grant Type)

Here the application (client) sends a request containing its client ID and client secret to the authorization server. The authorization server validates these credentials and, if they are valid, returns an access token.
The application receives this access token and calls the resource server with it to get the details it needs. When the request reaches the resource server, the resource server first validates the access token; if it is valid, it responds with the requested details.

Let’s implement this logic in Apigee.

Implement OAuth v2.0 using client_credentials grant type in Apigee.

In this implementation, we will create two API proxies.
One proxy acts as the Authorization Server.
- It accepts client_id (key) and client_secret (secret).
- If they match the developer app credentials, it generates an access_token and returns it to the application.

Note: the API product containing this API proxy must be associated with the developer app.
The other proxy acts as the Resource Server.
- It accepts the access_token and, if it is valid, performs the requested action.

Create a no-target proxy named "authtoken"; this proxy will generate the access_token.

Next - Passthrough - eval - Create and deploy - Edit proxy - Develop tab.

In Proxy Endpoint --> PreFlow --> Request, add the OAuth v2.0 policy.

The policy code should look like the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 continueOnError="false" enabled="true" name="OAuth-v20-1">
    <DisplayName>OAuth v2.0-1</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>

    <!-- the operation must be GenerateAccessToken here, not VerifyAccessToken -->
    <Operation>GenerateAccessToken</Operation>

    <!-- token lifetime in milliseconds (3600000 ms = 1 hour) -->
    <ExpiresIn>3600000</ExpiresIn>

    <!-- the grant types this policy accepts -->
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>

    <!-- the requested grant type is read from the grant_type query parameter -->
    <GrantType>request.queryparam.grant_type</GrantType>

    <GenerateResponse enabled="true"/>
    <Tokens/>
    <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
</OAuthV2>

Save and deploy this proxy.

Create a reverse proxy with the target endpoint https://virtserver.swaggerhub.com/jihobe4823/Indian-Air-Flight-API/v1/flights

Next - select the OAuth 2.0 option (Next) - select eval - Create and deploy - Edit proxy - Develop.

This proxy already has two policies:
1. the OAuth 2.0 policy, because we selected OAuth 2.0 when creating the proxy;
2. a Remove Header Authorization policy, which was added along with it.
The code of the OAuth 2.0 policy and the Remove Header Authorization policy looks like the following.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="verify-oauth-v2-access-token">
    <DisplayName>Verify OAuth v2.0 Access Token</DisplayName>
    <!-- the operation is VerifyAccessToken: the token from the Authorization header is checked before the request proceeds -->
    <Operation>VerifyAccessToken</Operation>
    <!-- after verification, the Authorization header is removed by the AssignMessage policy below, so the token is not forwarded to the target -->
</OAuthV2>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="remove-header-authorization">
    <DisplayName>Remove Header Authorization</DisplayName>
    <!-- removes the Authorization header from the request before it reaches the target -->
    <Remove>
        <Headers>
            <Header name="Authorization"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

Save and deploy.
Two proxies are created now.

Create an API product and add these two proxies to it.

Scroll down and click Add an operation to add a proxy.

Click Save.
Use the same process to add the other proxy.

Click Save to save the product.

This product now has two proxies.

Register a developer so that the API product can be accessed through an app.
First, add the developer:
+Developer - fill in the details and click Create.

Add API products to an app with +App:
fill in the details, add the API products to it and then approve the products.

Click Create.
Now authproduct is associated with flightApp.
We now have the key and secret from flightApp. Using them, we call the first service to get the access token.

Call the first service at the first proxy URL https://34.36.30.222.nip.io/authtoken with a POST request. Pass the query parameter grant_type=client_credentials, and put client_id (the value of the key) and client_secret (the value of the secret) in the body, with the body encoded as x-www-form-urlencoded.
We get an access token.

Using the access_token Vg02lfANa8oY4yJwhsHqwBfbS9Ar we can get the data from the resource.
Call the second proxy URL https://34.36.30.222.nip.io/getflightdetails with a GET request and pass the access_token in the header.
Add to the header:
- Authorization: Bearer Vg02lfANa8oY4yJwhsHqwBfbS9Ar (the token_type followed by the access_token)

If we send an invalid access token, we get an error.
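The following is an added example, not part of the original post or Apigee's own code: a small model of what the two proxies above do, covering both the client credentials flow described earlier and the two manual calls just made. The /authtoken side checks grant_type, client_id and client_secret and issues a token with the same 3600000 ms lifetime as the policy; the /getflightdetails side verifies the Bearer token and strips the Authorization header before the request would reach the target. The developer app credentials, token values and flight data are constructed.

```python
"""Model of the two proxies in this post: /authtoken issues client_credentials
tokens, /getflightdetails verifies them. Added example, not Apigee's own code;
credentials, token values and flight data below are constructed."""
import secrets
import time
from urllib.parse import parse_qs

# Constructed stand-in for the flightApp key/secret that Apigee checks
# against the developer app registered to the API product.
DEVELOPER_APPS = {"flightApp-demo-key": "flightApp-demo-secret"}
EXPIRES_IN_MS = 3600000   # same unit and value as <ExpiresIn> in the policy
TOKENS = {}               # access_token -> expiry (epoch seconds)
FLIGHTS = [{"flight": "AI101", "from": "DEL", "to": "BOM"}]  # constructed

def generate_access_token(query, form_body, now=None):
    """GenerateAccessToken: grant_type from the query string, client_id and
    client_secret from an x-www-form-urlencoded body, as in the post."""
    now = time.time() if now is None else now
    if query.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    client_id, client_secret = form.get("client_id"), form.get("client_secret")
    if client_id not in DEVELOPER_APPS or not secrets.compare_digest(
            DEVELOPER_APPS[client_id].encode(), (client_secret or "").encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(21)
    TOKENS[token] = now + EXPIRES_IN_MS / 1000
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": EXPIRES_IN_MS // 1000}

def verify_access_token(headers, now=None):
    """VerifyAccessToken, then the remove-header-authorization step:
    the token never reaches the target endpoint."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    expiry = TOKENS.get(token) if scheme == "Bearer" else None
    if expiry is None or expiry <= now:
        return 401, {"fault": "invalid or expired access token"}
    forwarded = {k: v for k, v in headers.items() if k != "Authorization"}
    return 200, {"flights": FLIGHTS, "forwarded_headers": forwarded}

def client_flow(key, secret):
    """The two calls the post makes by hand: fetch a token, then use it."""
    status, body = generate_access_token({"grant_type": "client_credentials"},
                                         f"client_id={key}&client_secret={secret}")
    if status != 200:
        return status, body
    return verify_access_token({"Authorization": f"Bearer {body['access_token']}",
                                "Accept": "application/json"})
```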