Skip to main content
The numbering in the diagram below corresponds to the order of operations.
  • Security Manager in Apinizer requests OAuth2 type authentication information from API Client. If this authentication is correct, the flow continues.
  • Apinizer makes a request to Backend API.
  • Backend API responds to Apinizer.
  • Apinizer responds to API Client.
Scenario Diagram

Creating API Proxy

Scenario Diagram Access to the REST API named Swagger Petstore can be provided from https://petstore.swagger.io/. First, this address must be defined as an API Proxy. For this, click the API Proxies option under the Development menu.
Since no proxy definition has been made before on the opened page, the text No records found! appears.
Click the Create button in the top right corner and start creating a new proxy. Scenario Diagram In this section, it is necessary to select what type the API Proxy to be created is. Since the type of API to be used in this scenario will be Swagger 2.X, this type is selected. Click on the Enter URL expression to switch to the screen where the address of the API to be used will be entered. Senaryo Diyagramı Enter the address to be accessed in the URL section and click the Parse button. Scenario Diagram After the Parse operation is performed, settings for the API Proxy can be made:
  • The Usage field specifies who will use the created API Proxy. Options such as publisher, consumer, publisher and consumer are available here.
  • The Sharing Type field specifies the sharing type of the created API Proxy. Options such as external, internal, external and internal are available here.
  • One or both of the two API addresses under the Addresses tab can be selected. If both addresses are selected, Apinizer will perform the Load Balance operation itself.
  • Relative Path is the address where the created API Proxy will be opened for access.
  • The Category List field also allows categorization of the created API Proxy.
Scenario Diagram After these settings are made, the API Proxy is saved. After the save operation, click the Develop tab on the opened page. Scenario Diagram
Policies to be added with the All expression above these endpoints can be applied to all endpoints.
The created API Proxy is deployed. For this, click the Deploy button in the middle section above. Scenario Diagram

Creating Credentials

The information for the Credentials to be added will be username = apinizer, password = 123123aA. For this, go to the Identity Management menu. Here, click the Credentials menu under the Credential Management menu. Scenario Diagram Click the Create button in the top right corner on the opened screen. Scenario Diagram Here, the required fields are filled as previously specified and the created credential is saved by clicking the Save and Deploy button. Scenario Diagram The proxy that this credential element will provide access to must be selected. Hover over the created credential and click the Edit option from the menu on the side. Scenario Diagram Click the API Proxy ACL tab from the opened screen, and click the button in this tab. Scenario Diagram On the opened page, API Proxies in the project currently being worked on are listed. The proxy named Swagger Petstore is selected. Click the Add button to specify that the created Credential element will have access to this proxy. Scenario Diagram Click the Save and Deploy button in the top right corner and save the operation. Scenario Diagram

Adding Authentication Policy

The OAuth2 Authentication policy can now be added. Go to the page where API proxies are listed and select the proxy named Swagger Petstore from here. Then go to the Develop tab and click the Add Policy button. On the opened page, the OAuth2 Authentication policy is selected. Scenario Diagram The fields on this screen:
  • The Grant Type field specifies how user information of the token service to be used will be verified. If the Client Credentials expression is selected, (Identity/Role/Group) Service cannot be used.
  • The Show API Key field displays the API proxy key values belonging to the created proxy.
  • The Delete Previous Token field invalidates the previously found token.
  • With the Token Never Expires field, no time value is assigned to the created token and it can be used as desired. If this option is not selected, a menu appears immediately below as shown in the image below.
  • The Token Expires In field specifies how long the token will be valid. This specification can be adjusted with time expressions in the dropdown menu.
  • The Refresh Token Allowed field activates the renewal feature of the created token. If this option is selected, a field appears for setting how many times it can be renewed, and the image for this field is shown below.
  • Refresh Token Count specifies how many times the token can be renewed.
  • The Refresh Token Expires In field specifies the lifetime of the renewed token.
  • The Allow URL Parameters field allows information to be sent only in the message body when a request is sent for token generation. If this information is desired to be sent as “URL Parameter”, this option must be selected, but this situation will create a security risk and is not recommended.
With the Clear Authentication Information field, if there is any authentication information in the message going to the backend API, this information is deleted and not sent to the backend API. Activating this setting is always recommended unless there is a special situation.
  • With the Add Client Info to Header field, when authentication is successfully performed, it sends the authorized username to the backend API by placing it in the header. When this option is checked, an input field containing X-Authenticated-UserId appears immediately below. This field is the default name of the header information.
Scenario Diagram After making the settings to be used in this scenario, click the Save button in the top right corner. Scenario Diagram For the operation to be valid, the proxy must be Deployed.

Creating Token for Authentication

The Public Key information belonging to the relevant proxy is obtained from the Show API Key option in the OAuth2 Authentication policy. Scenario Diagram Then go to the Test Console menu under the Test menu. Scenario Diagram After coming to this screen, click the New button under the Collection tab and create a new Collection. Write OAuth2 in the Name field and click the Save button. Scenario Diagram If the expressions on this screen are examined one by one,
  • Select the method type from the Method field.
  • Write the address where the token will be received in the URL field.
  • Since the message content will be in the body section, select the body expression from the tab below.
  • Write the values required to obtain the token here and click the Send button.
Scenario Diagram The access_token information in the response has been created to use in the proxy where the OAuth2 Authentication policy is created. This token is copied. Switch back to the page where the API proxy is located. Scenario Diagram

Testing the API Proxy

Select the proxy named Swagger Petstore. Select the endpoint named “/pet/ under the Develop tab. Click the Test Endpoint expression to test this endpoint. Enter the desired petId value as “1” in the URL, and when the Send button is pressed, it is seen that the returned response is an error message. Scenario Diagram
It is seen that this error is related to the applied OAuth2 Authentication. Because no authentication information has been placed in the header in any way.
This time, place the Authorization header in the header and use the obtained token information here. When the Send button is clicked, a successful response is received. Scenario Diagram