DataPower

Datapower integration with Backend APIs with OAUTH 1.0

  • 1.  Datapower integration with Backend APIs with OAUTH 1.0

    Posted Fri November 22, 2024 02:57 PM

    How do I implement DataPower to backend API with OAuth 1.0? My application is trying to integrate the Mastercard endpoint with OAuth 1.0. I have the private key and consumer key. How can I generate the Authorization OAuth header and send it to the backend?

    Authorization: OAuth
        oauth_body_hash="94cOcstEzvTvyBcNV94PCbo1b5IA35XgPf5dWR4OamU=",
        oauth_nonce="32lqGrI0f0nQEW85",
        oauth_signature="MhfaStcHU0vlIoeaBLuP14(...)qqd99lI56XuCk8RM5dDA%3D%3D",
        oauth_consumer_key="aXqayIybNdwMnzGIZMAkQYSq(...)139a87746d5b00000000000000",
        oauth_signature_method="RSA-SHA256",
        oauth_timestamp="1558370962",
        oauth_version="1.0"



    ------------------------------
    solomon reddy
    ------------------------------


  • 2.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Fri November 22, 2024 09:13 PM

    It is difficult to guide you because there are many ways, but what are you working with on your side?  API (API Connect), MPGW, or other service?

    Do you prefer doing this by config, xslt or gatewayscript?



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 3.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Fri November 22, 2024 11:00 PM

    Using DataPower MPGW and XSLT. Is it achievable?



    ------------------------------
    solomon reddy
    ------------------------------



  • 4.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Sat November 23, 2024 10:53 AM

    Have you tried concatenating together the elements of the header value into a string and then just using the 'set-http-request-header' function such that the name is "Authorization" and the value is the value of the string?



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 5.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Sat November 23, 2024 10:59 AM

    I can try, but how do I get the dynamic values for the below? Do I need to use a dp function?

    oauth_nonce="32lqGrI0f0nQEW85",
    oauth_signature="MhfaStcHU0vlIoeaBLuP14(...)qqd99lI56XuCk8RM5dDA%3D%3D",
    oauth_body_hash="94cOcstEzvTvyBcNV94PCbo1b5IA35XgPf5dWR4OamU=",
        


    ------------------------------
    solomon reddy
    ------------------------------



  • 6.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Sat November 23, 2024 08:09 PM

    It can still be complicated based upon the expected OAuth protocol.

    Take a look at these documents on setting up OAuth client profiles. 

    https://www.ibm.com/docs/en/datapower-gateway/10.6.0?topic=profiles-profile-only-authorization-server-endpoints

    This is likely the way you want to go.



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 7.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Sat November 23, 2024 09:31 PM

    Thanks for the reply. The link you provided is for when DataPower acts as the server. In my scenario DataPower acts as the client and Mastercard is the backend. DataPower should send the OAuth Authorization header to Mastercard.



    ------------------------------
    solomon reddy
    ------------------------------



  • 8.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 08:07 AM

    Hello Joseph, can you please help me? This is an urgent requirement. The link you provided is for when DataPower acts as the server. In my scenario DataPower acts as the client and Mastercard is the backend. DataPower should send the OAuth Authorization header to Mastercard.



    ------------------------------
    solomon reddy
    ------------------------------



  • 9.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 12:39 PM

    So, based upon what little information about this I have, I'm believing you can implement an AAA policy to generate what you need, but you may also have to route through a WTS service to get it as well.   Take a look at this, and you can see why we really cannot fully answer your question:

    https://www.ibm.com/docs/en/datapower-gateway/10.6.x?topic=processing-oauth-protocol-support

    I'm hoping someone who has actually done this with MasterCard would provide suggestions, but, maybe you are the first!



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 10.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 05:27 PM

    Hello Joseph, I believe the AAA policy is between the client and DataPower, not between DataPower and the backend. Please correct me if I am wrong. Is it possible in DataPower to integrate DataPower and the backend with OAuth 1.0?



    ------------------------------
    solomon reddy
    ------------------------------



  • 11.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 06:03 PM

    Well, generally speaking, yes.  But, again, you really haven't explained the full end to end.

    What I'm gathering is you want to use DataPower to work OAuth to MasterCard on behalf of .... whom?

    That is, generally speaking, when OAuth is at play, something or someone (DataPower?) is acting on behalf of another (DataPower's client?) for access to the owner's resource (Mastercard account?). What, then, is DataPower doing for the user?  

    Keep in mind: DataPower as a proxy for the user is not the same as participating in some kind of transaction between the client and two other parties, one of which is MasterCard.

    What is the design of the service where DataPower has to negotiate OAuth on behalf of the client?



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 12.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 06:14 PM

    The requirement is below.

    Application client --> DataPower --> Mastercard. This is a proxy service. The application client is sending the OAuth header to DataPower and DataPower is passing it to Mastercard, but we are getting an invalid signature error. Maybe it's because of the DataPower proxy. So we decided to create the OAuth authorization header in DataPower and send it to Mastercard. The client will just send the JSON payload; DataPower should append the OAuth authorization header using the private cert and consumer key and send it to the backend, Mastercard.



    ------------------------------
    solomon reddy
    ------------------------------



  • 13.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 06:26 PM

    So, before you began this, the client is otherwise sending everything needed, but the OAuth signature is being rejected?

    The proxy, in general, should be transparent to MasterCard.  

    When you were getting the invalid signature error, was your MPGW policy doing any processing of the message itself?



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 14.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Mon November 25, 2024 07:02 PM

    The MPGW is a pass-through service. The client is sending everything, but Mastercard is rejecting it with an invalid signature. When the client initiates the call directly to Mastercard it works fine, but via DP it is failing. So we decided to let DP create the OAuth signature and send it to Mastercard.



    ------------------------------
    solomon reddy
    ------------------------------



  • 15.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Tue November 26, 2024 02:25 PM

    I would look more closely at what DataPower might have been doing to the data when not involved in trying to negotiate for the client.   You might need to know how the signature is verified by MasterCard to understand why it isn't trusted when flowing through DataPower.

    Was the MPG strictly a pass-through?   If so, it shouldn't modify the data at all.  You could consider changing to use a TCP Proxy to see if the signature still fails (though, you won't see that in DataPower, but only on the client side).

    After migrating to attempting to have DataPower handle the OAuth exchange, what is the client doing now and how is your system handling that part?

    Is MasterCard the authorization server as well as the resource server relative to the client?  Or, is there some other entity the client is logging into so as to pass the access token over to MasterCard to, say, charge something to the client's CC?



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 16.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Tue November 26, 2024 02:46 PM

    Hello Joseph,

    I found documentation on how to integrate with Mastercard APIs using MuleSoft. Can we take a similar approach in DataPower? Is it possible to do steps (b) OAuth_Signature and (c) generate signature using XSLT, as in the documentation below?

    https://medium.com/another-integration-blog/how-to-connect-with-mastercard-apis-with-oauth-1-0-for-authentication-via-mulesoft-eb98d464f091



    ------------------------------
    solomon reddy
    ------------------------------



  • 17.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Tue November 26, 2024 03:42 PM

    Yes, it looks pretty straightforward (if I'm understanding it correctly), and I'm thinking GatewayScript is a far easier and more intuitive path to this:

    Step (b) appears to build JSON from a variety of values.  In the last part, it appears they are signing the URL to MasterCard, so use GatewayScript's crypto module for that.  To convert the signature to hex, see the GatewayScript buffer module, where you can convert binary to hex.  You can also use the crypto module to create the nonce.

    In step (c), they're using a JWT library for creating a signature on the URL to MasterCard, so check out GatewayScript's JWT module.



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 18.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Tue November 26, 2024 04:36 PM
    Edited by solomon reddy Tue November 26, 2024 04:38 PM

    I’ll try it out and see. Thanks Joseph. 



  • 19.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Wed November 27, 2024 10:52 AM
    Edited by solomon reddy Wed November 27, 2024 11:12 AM

    will provide an update soon.



  • 20.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Thu November 28, 2024 04:08 AM

    For one of my clients I used the following JavaScript code from GitHub (https://github.com/Mastercard/oauth1-signer-nodejs/blob/main/src/OAuth.js) as a basis and wrote a custom GatewayScript that imports this custom MC module.



    ------------------------------
    Pierce Shah
    ------------------------------



  • 21.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Thu November 28, 2024 07:53 AM

    It shows page not found. Can you please provide the gateway script you used? 



    ------------------------------
    solomon reddy
    ------------------------------



  • 22.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Thu November 28, 2024 08:11 AM

    The file is named OAuth.js

    https://github.com/Mastercard/oauth1-signer-nodejs/blob/main/src/OAuth.js



    ------------------------------
    Pierce Shah
    ------------------------------
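
The dynamic header values asked about earlier in this thread (oauth_nonce, oauth_body_hash, oauth_signature), built per RFC 5849 with RSA-SHA256 in plain Node.js, as an added example that is not from any post here, from Mastercard's OAuth.js, or from DataPower. The key pair, URL and consumer key are constructed placeholders; the demo also shows why a signature made by the client stops verifying when anything in between re-serialises the body.

```javascript
const crypto = require('crypto');
// RFC 3986 percent-encoding; encodeURIComponent alone leaves !*'() unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & enc(base URL) & enc(sorted, encoded params).
function baseString(method, url, oauthParams) {
  const u = new URL(url);
  const normalized = [...u.searchParams.entries(), ...Object.entries(oauthParams)]
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), enc(u.origin + u.pathname), enc(normalized)].join('&');
}

function buildAuthHeader({ method, url, body, consumerKey, privateKey, nonce, timestamp }) {
  const oauth = {
    oauth_body_hash: crypto.createHash('sha256').update(body || '', 'utf8').digest('base64'),
    oauth_consumer_key: consumerKey,
    oauth_nonce: nonce || crypto.randomBytes(12).toString('hex'), // fresh per request
    oauth_signature_method: 'RSA-SHA256',
    oauth_timestamp: String(timestamp || Math.floor(Date.now() / 1000)),
    oauth_version: '1.0',
  };
  const base = baseString(method, url, oauth);
  // crypto.sign hashes the base string with SHA-256, then RSA-signs it (PKCS#1 v1.5).
  oauth.oauth_signature = crypto.sign('sha256', Buffer.from(base, 'utf8'), privateKey)
    .toString('base64');
  const header = 'OAuth ' + Object.keys(oauth).sort()
    .map((k) => `${k}="${enc(oauth[k])}"`).join(',');
  return { header, base, oauth };
}

// Constructed demo: throwaway key pair, placeholder URL and consumer key.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const req = { method: 'POST', url: 'https://api.example.test/resource?b=2&a=1',
    consumerKey: 'constructed-consumer-key', privateKey };
  const sent = buildAuthHeader({ ...req, body: '{"amount":10}' });
  // Same request after the JSON is re-serialised in transit: the body hash changes.
  const rewritten = buildAuthHeader({ ...req, body: '{ "amount": 10 }',
    nonce: sent.oauth.oauth_nonce, timestamp: sent.oauth.oauth_timestamp });
  const sig = Buffer.from(sent.oauth.oauth_signature, 'base64');
  const ok = (b) => crypto.verify('sha256', Buffer.from(b, 'utf8'), publicKey, sig);
  return { sent, validForOriginal: ok(sent.base), validAfterRewrite: ok(rewritten.base) };
}
console.log(demo());
```
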



  • 23.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Thu November 28, 2024 04:49 PM
    Edited by solomon reddy Fri November 29, 2024 08:47 AM

    I’ll try this and will update 



  • 24.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Thu December 05, 2024 11:11 AM
    Edited by solomon reddy Fri December 06, 2024 11:18 AM

    How do I sign the string using a private key in XSLT?



  • 25.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Fri December 06, 2024 02:29 PM

    Can you not use GatewayScript's Crypto module for that?

    For XSLT, however, look up dp:sign.

    Or, you could just use sign action if you can get the string into an input context for the action.



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------



  • 26.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Fri December 06, 2024 02:40 PM
    Edited by solomon reddy Fri December 06, 2024 02:41 PM

    Let me try gateway script. 



  • 27.  RE: Datapower integration with Backend APIs with OAUTH 1.0

    Posted Sat December 07, 2024 10:20 AM

    Solomon,

    I got an email on this thread containing quite a bit of XSLT code where you described it failing on dp:sign(...).

    Here is the code snippet:

    <!-- Step 3: Sign base string using RSA-SHA256 -->
    <xsl:variable name="signature">
      <xsl:value-of select="dp:sign($privateKey, $baseString, 'SHA256')" />
    </xsl:variable>
    

    You're using the dp:sign() incorrectly.  Please see the docs for dp:sign() here.

    I didn't dig through all the code to see exactly what your variable values are, but you'll need to first hash the $baseString value:

    <xsl:variable name="baseStringHash" select="dp:hash('http://www.w3.org/2001/04/xmlenc#sha256', $baseString)"/>
    

    And then change the signing to something more like:

    <!-- Step 3: Sign base string using RSA-SHA256 -->
    <xsl:variable name="signature">
      <xsl:value-of select="dp:sign('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', $baseStringHash, $privateKey)" />
    </xsl:variable>

    Because the $privateKey value comes into the code sample as a parameter, I don't know if you have that formatted correctly, but it must follow the files for the key definition described in the documentation.



    ------------------------------
    Joseph Morgan
    CEO - Independent
    Dallas TX
    ------------------------------