Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

If you're using oidc then try the "-sso" option to the cli. It will pop up a web browser and let you login. Oidc is inherently user interactive in a browser.

if you want something more automatable then maybe look at adding a second user registry using lur and then authenticate using that for the cli/api calls?

The api key/secret just lets you access the login api, you still need to authenticate with a username/password.

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

Hi,

My feedback on each topic:

Via CLI: apic login - as Chris said use -sso in your login command.

Via Developer toolkit method - generate apikey via API Manager (add /apikeys to homepage URL in API Manager), download your credentials (also from API Manager and use the "toolkit" values for the client id and client secret) and this will generate a bearer_token for you to use with the Provider-API etc. with the curl command you posted (use toolkit "endpoint" from credentials).

Via REST API call-->  I'm not sure how this works with OIDC (I don't have an OIDC to test with) but again use the same client id and client secret as above, use your username / password for API Manager, use the correct "realm" that relates to your OIDC and you can generate the bearer token with this call:

curl -v -k -X POST -d '{"username": "USERNAME", "password": "PASSWORD", "realm": "provider/OIDC-VALUE", "client_id": "CLIENT-ID", "client_secret": "CLIENT-SECRET", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://YOUR-ENDPOINT/api/token

These should work for you. If they don't please share your commands and errors.

------------------------------
Nick Cawood
API Connect Consultant
IBM Hybrid Cloud Integration Expert Labs
IBM UK Ltd

https://www.linkedin.com/in/nickcawood/

Original Message:
Sent: Tue February 20, 2024 10:41 AM
From: Riya Fathima
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

------------------------------
Riya Fathima
------------------------------

Hi Nick,

I am reusing this thread since I encountered the same issue as described above. I have signed up for the APIc SaaS version 30-day free trial and wanted to explore some of the Platform ReST APIs. The SaaS version uses OIDC as the registry as shown below.

I have been unsuccessful generating a Bearer token the "username/password" way (response says Invalid user registry type, even though the registry exists) but was successful generating it the "API Key" way. Client ID and Client Secret used in both cases was the same, that was retrieved from the API Manager UI. Kindly share your valuable inputs if the respective behaviours are as expected or if I am missing something in the "username/password" way.

Username/Password way:

API Key way:

Thanks,

Vijay M J

Original Message:
Sent: Wed February 21, 2024 09:41 AM
From: Nick Cawood
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi,

My feedback on each topic:

Via CLI: apic login - as Chris said use -sso in your login command.

Via Developer toolkit method - generate apikey via API Manager (add /apikeys to homepage URL in API Manager), download your credentials (also from API Manager and use the "toolkit" values for the client id and client secret) and this will generate a bearer_token for you to use with the Provider-API etc. with the curl command you posted (use toolkit "endpoint" from credentials).

Via REST API call-->  I'm not sure how this works with OIDC (I don't have an OIDC to test with) but again use the same client id and client secret as above, use your username / password for API Manager, use the correct "realm" that relates to your OIDC and you can generate the bearer token with this call:

curl -v -k -X POST -d '{"username": "USERNAME", "password": "PASSWORD", "realm": "provider/OIDC-VALUE", "client_id": "CLIENT-ID", "client_secret": "CLIENT-SECRET", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://YOUR-ENDPOINT/api/token

These should work for you. If they don't please share your commands and errors.

------------------------------
Nick Cawood
API Connect Consultant
IBM Hybrid Cloud Integration Expert Labs
IBM UK Ltd

https://www.linkedin.com/in/nickcawood/

Original Message:
Sent: Tue February 20, 2024 10:41 AM
From: Riya Fathima
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

------------------------------
Riya Fathima
------------------------------

Does this help?

https://community.ibm.com/community/user/integration/blogs/ivo-salkovic/2022/06/08/api-connect

Hi Nick,

I am reusing this thread since I encountered the same issue as described above. I have signed up for the APIc SaaS version 30-day free trial and wanted to explore some of the Platform ReST APIs. The SaaS version uses OIDC as the registry as shown below.

I have been unsuccessful generating a Bearer token the "username/password" way (response says Invalid user registry type, even though the registry exists) but was successful generating it the "API Key" way. Client ID and Client Secret used in both cases was the same, that was retrieved from the API Manager UI. Kindly share your valuable inputs if the respective behaviours are as expected or if I am missing something in the "username/password" way.

Username/Password way:

API Key way:

Thanks,

Vijay M J

Original Message:
Sent: Wed February 21, 2024 09:41 AM
From: Nick Cawood
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi,

My feedback on each topic:

Via CLI: apic login - as Chris said use -sso in your login command.

Via Developer toolkit method - generate apikey via API Manager (add /apikeys to homepage URL in API Manager), download your credentials (also from API Manager and use the "toolkit" values for the client id and client secret) and this will generate a bearer_token for you to use with the Provider-API etc. with the curl command you posted (use toolkit "endpoint" from credentials).

Via REST API call-->  I'm not sure how this works with OIDC (I don't have an OIDC to test with) but again use the same client id and client secret as above, use your username / password for API Manager, use the correct "realm" that relates to your OIDC and you can generate the bearer token with this call:

curl -v -k -X POST -d '{"username": "USERNAME", "password": "PASSWORD", "realm": "provider/OIDC-VALUE", "client_id": "CLIENT-ID", "client_secret": "CLIENT-SECRET", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://YOUR-ENDPOINT/api/token

These should work for you. If they don't please share your commands and errors.

------------------------------
Nick Cawood
API Connect Consultant
IBM Hybrid Cloud Integration Expert Labs
IBM UK Ltd

https://www.linkedin.com/in/nickcawood/

Original Message:
Sent: Tue February 20, 2024 10:41 AM
From: Riya Fathima
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

------------------------------
Riya Fathima
------------------------------

Thanks for sharing the link. Went through it and it guides how to log on to Management Server from the CLI with the "--sso" option when using an OIDC registry. Did not really provide much information around the issue with generating a Bearer token through the API using the "username/password".

Does this help?

https://community.ibm.com/community/user/integration/blogs/ivo-salkovic/2022/06/08/api-connect

Hi Nick,

I am reusing this thread since I encountered the same issue as described above. I have signed up for the APIc SaaS version 30-day free trial and wanted to explore some of the Platform ReST APIs. The SaaS version uses OIDC as the registry as shown below.

I have been unsuccessful generating a Bearer token the "username/password" way (response says Invalid user registry type, even though the registry exists) but was successful generating it the "API Key" way. Client ID and Client Secret used in both cases was the same, that was retrieved from the API Manager UI. Kindly share your valuable inputs if the respective behaviours are as expected or if I am missing something in the "username/password" way.

Username/Password way:

API Key way:

Thanks,

Vijay M J

Original Message:
Sent: Wed February 21, 2024 09:41 AM
From: Nick Cawood
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi,

My feedback on each topic:

Via CLI: apic login - as Chris said use -sso in your login command.

Via Developer toolkit method - generate apikey via API Manager (add /apikeys to homepage URL in API Manager), download your credentials (also from API Manager and use the "toolkit" values for the client id and client secret) and this will generate a bearer_token for you to use with the Provider-API etc. with the curl command you posted (use toolkit "endpoint" from credentials).

Via REST API call-->  I'm not sure how this works with OIDC (I don't have an OIDC to test with) but again use the same client id and client secret as above, use your username / password for API Manager, use the correct "realm" that relates to your OIDC and you can generate the bearer token with this call:

curl -v -k -X POST -d '{"username": "USERNAME", "password": "PASSWORD", "realm": "provider/OIDC-VALUE", "client_id": "CLIENT-ID", "client_secret": "CLIENT-SECRET", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://YOUR-ENDPOINT/api/token

These should work for you. If they don't please share your commands and errors.

------------------------------
Nick Cawood
API Connect Consultant
IBM Hybrid Cloud Integration Expert Labs
IBM UK Ltd

https://www.linkedin.com/in/nickcawood/

Original Message:
Sent: Tue February 20, 2024 10:41 AM
From: Riya Fathima
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

------------------------------
Riya Fathima
------------------------------

You can't use username password with OIDC. That's technically impossible as OIDC always requires a browser based interactive session for the user to authenticate and the authentication is between you and the external OIDC server not with APIC itself, the OIDC server then tells APIC that you are authenticated but APIC should never receive your password directly.

-sso is the means to use the API /CLI with OIDC.

Thanks for sharing the link. Went through it and it guides how to log on to Management Server from the CLI with the "--sso" option when using an OIDC registry. Did not really provide much information around the issue with generating a Bearer token through the API using the "username/password".

Does this help?

https://community.ibm.com/community/user/integration/blogs/ivo-salkovic/2022/06/08/api-connect

Hi Nick,

I am reusing this thread since I encountered the same issue as described above. I have signed up for the APIc SaaS version 30-day free trial and wanted to explore some of the Platform ReST APIs. The SaaS version uses OIDC as the registry as shown below.

I have been unsuccessful generating a Bearer token the "username/password" way (response says Invalid user registry type, even though the registry exists) but was successful generating it the "API Key" way. Client ID and Client Secret used in both cases was the same, that was retrieved from the API Manager UI. Kindly share your valuable inputs if the respective behaviours are as expected or if I am missing something in the "username/password" way.

Username/Password way:

API Key way:

Thanks,

Vijay M J

Original Message:
Sent: Wed February 21, 2024 09:41 AM
From: Nick Cawood
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi,

My feedback on each topic:

Via CLI: apic login - as Chris said use -sso in your login command.

Via Developer toolkit method - generate apikey via API Manager (add /apikeys to homepage URL in API Manager), download your credentials (also from API Manager and use the "toolkit" values for the client id and client secret) and this will generate a bearer_token for you to use with the Provider-API etc. with the curl command you posted (use toolkit "endpoint" from credentials).

Via REST API call-->  I'm not sure how this works with OIDC (I don't have an OIDC to test with) but again use the same client id and client secret as above, use your username / password for API Manager, use the correct "realm" that relates to your OIDC and you can generate the bearer token with this call:

curl -v -k -X POST -d '{"username": "USERNAME", "password": "PASSWORD", "realm": "provider/OIDC-VALUE", "client_id": "CLIENT-ID", "client_secret": "CLIENT-SECRET", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://YOUR-ENDPOINT/api/token

These should work for you. If they don't please share your commands and errors.

------------------------------
Nick Cawood
API Connect Consultant
IBM Hybrid Cloud Integration Expert Labs
IBM UK Ltd

https://www.linkedin.com/in/nickcawood/

Original Message:
Sent: Tue February 20, 2024 10:41 AM
From: Riya Fathima
Subject: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

Hi Team,

I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

Via CLI: apic login --> found to be failing and learned, that could be due to OIDC as default authorization mechanism instead of local user registry.

Via Developer toolkit method -- > platform API token was tried to fetch via below command: where API key generated in API manager, id and secret recvd from API manager download toolkit option and returned 401 un authorized error
curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

Via REST API call-->  With referance to API Explorer (ibmcloud.com), client id and secret need to be created based on cli after  "apic login" (option1)

Can you please help to get over this?

I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com)

Best Regards,

Riya

------------------------------
Riya Fathima
------------------------------