Applying OAuth2 Authentication Policy to REST API via Security Manager Provider
In this scenario, the application of the OAuth2 Authentication policy to a API created with REST architecture named Swagger PetStore will be tested.
The numbering in the chart below belongs to the order of the transactions.
- The Security Manager included in Apinizer requests OAuth2 type authentication information from API Client. If this authentication is correct, field number two is switched.
- Apinizer makes requests to the Backend API.
- Backend API responds to Apinizer.
- Apinizer responds to API Client.
Creating the API Proxy
REST API named Swagger Petstore can be accessed at https://petstore.swagger.io/.
First of all, this address must be defined as API Proxy.
For this, click on the API Proxies option under the Development menu.
The page that opens contains the text No records found!, since no proxy has been defined before.
Here, the Create button in the upper right corner is clicked and a new proxy is started to be created.
In this section, it is necessary to choose the type of the API Proxy that will be created.
Since the type of API to be used in this scenario will be Swagger 2.X, this type is chosen.
Clicking on the Enter URL expression will switch to the screen where the address of the API to be used will be entered.
As seen in the image below, the address to access the URL section is entered and the Parse button is clicked.
After the parse process is done, the screen in the image below appears.
Settings for API Proxy can be made on this screen.
- It is specified who will use the API Proxy created with the Usage field. Here, there are options such as publisher, consumer, publisher and consumer.
- The sharing type of the API Proxy created with the Sharing Type field is specified. Here, there are options such as external, internal, external and internal.
- One or both of the two API addresses under the Addresses tab can be selected, if both addresses are selected, Apinizer will perform the Load Balance process itself.
- The Relative Path is the address of the API Proxy that will be accessed.
- The Category List field also allows the created API Proxy to be categorized.
- After these settings are made, the API Proxy is registered.
After saving, click on the Develop tab on the page that opens.
Here, the endpoints of the REST API are listed.
- The policies to be added with the phrase All above these endpoints can be applied to all endpoints.
- The created API Proxy is deployed. For this, click on the Deploy button in the middle above.
- In the next step, it is specified which users will have access to the API Proxy created by adding Credentials.
Creating Credentials
The information of the Credential to be added is as username = apinizer, password = 123123aA.
For this, the Identity Management menu is accessed.
Here, the Credentials menu under the Credential Management menu is clicked.
Click on the Create button enclosed in the rectangle in the upper right corner of the screen that opens.
Here, the required fields are filled with the previously specified information and the credential created by clicking the Save and Deploy button is saved.
The proxy that this credential element will access must be selected. By hovering over the created credential and clicking on the Edit option from the side menu.
On the screen that opens, click on the API Proxy ACL tab, click on the button in this tab, which is indicated in the red rectangle on the image.
On the page that opens, API Proxies in the project currently being worked on are listed. The proxy named Swagger Petstore is selected.
It is stated that the Credential item created by clicking the Add button will have access to this proxy.
There is now an API Proxy in the list that was previously empty.
The Save and Deploy button in the upper right corner is clicked and the transaction is recorded.
Adding Authentication Policy
Now OAuth2 Authentication policy can be added.
Go to the page where API Proxies are listed and the proxy named Swagger Petstore is selected.
Then come to the Develop tab, click the Add Policy button.
On the page that opens, OAuth2 Authentication policy is selected.
Bu ekran üzerinde yer alan ifadeler tek tek incelenirse,
- With the Grant Type field, it is specified how to verify the user information of the token service to be used. If the Client Credentials expression is selected Identity/Role/Group Service cannot be used.
- API proxy key values of the proxy created with the Show API Key field are displayed.
- The Delete Previous Token field invalidates the previously found token.
- A time value is not assigned to the token created with the Token Never Expires field and if this option is not selected, a menu appears in the image below.
- With the Token Expires In field, it is specified how long the token will be valid, this can be adjusted with the time expressions in the drop-down menu.
- The refresh feature of the token created with the Refresh Token Allowed field is activated.
- If this option is selected, the area where the adjustment for how many times it can be renewed is made, and the image of this area is below.
- Refresh Token Count specifies how many times the token will be renewable.
- The Refresh Token Expires In field indicates how long the refreshed token will have a lifetime.
- With the Allow URL Parameters field, when a request for token generation is sent, the information to be sent is only allowed in the message body.
- If this information is requested to be sent as "URL Parameter", this option should be selected, but this is not recommended as it poses a security risk.
- If there is any authentication information in the message that will go to the backend API with the Clear Authentication Information field, this information will be deleted and not sent to the backend API.
- The Add Client Info To Header option specifies whether the client information will be included in the Header that will go to the backend API.
- When this option is checked, an input field that says X-Authenticated-UserId will be created just below it. This field is the default name of the header information.
The settings to be used in this scenario are as shown in the image below. After making these changes, click the Save button in the upper right corner.
Generating Tokens for Authentication
The Public Key information of the relevant proxy is obtained from the Show API Key option in the OAuth2 Authentication policy.
Then, it comes to the Test Console menu under the Test menu.
After coming to this screen, the New button under the Collection tab is clicked and a new Collection is created.
OAuth2 is written in the Name field and the Save button is clicked.
If the expressions on this screen are examined one by one,
- The method type is selected from the method field.
- The address where the token will be obtained is written in the URL field.
- Since the content of the message will be in the body section, the body expression is selected from the tab below.
- The values required to obtain tokens are written here and the Send button is clicked.
The access_token information in the response has been created for use in the proxy for which the OAuth2 Authentication policy has been created.
This token is copied.
It is switched to the page with the API proxy again.
Testing API Proxy
The proxy named Swagger Petstore is selected.
The endpoint named /pet/{petId} under the Develop tab is selected.
This endpoint is tested by clicking the Test Endpoint statement.
The desired petId value in the URL is entered as 2, when the Send button is pressed, the response returned is an error message.
It seems that this error is also related to the OAuth2 Authentication policy that has been applied.
Because no authentication information is placed in the header.
This time, the Authorization header is placed in the header and the Bearer expression is added to the beginning of the obtained token and its usage is realized.
The Response received when clicking the Send button is the expression in the rectangle below on the image.