API Connect


Getting an OAuth 2.0 Client Access Token from an external OAuth 2.0 provider to call a target-url

  • 1.  Getting an OAuth 2.0 Client Access Token from an external OAuth 2.0 provider to call a target-url

    Posted Mon October 31, 2022 10:22 AM
    Hello,

    I would like to get your help regarding the correct implementation of this set-up:

    Description:
    1- Our APIC API gateway will act as a proxy for some partner APIs: the company's consumers must retrieve a native OAuth access token to get access to it (this part is OK)

    2- Then the APIC API gateway must invoke, as target-URL, the Partner API, which is protected by an external (from APIC) partner OAuth provider. (this part is NOT OK)

    Help needed:

    How can we retrieve an OAuth 2.0 client access token for our API Gateway from the partner OAuth Provider using the ClientID/ClientSecret and token URL they provide to us?

    Is there any IBM-supported lib or gateway script we could use to retrieve a client OAuth 2.0 access token at runtime?
    We are looking for a simple lib or gateway script where we could just configure the ClientID/ClientSecret and token URL of the remote OAuth Provider to be able to get an access token to be used when calling the target-URL.
    We are also wondering if the refresh token or access token TTL could also be directly managed by such a lib or gateway script.

    We thought this use case was a standard one, but we cannot find any post or article dealing with such a case, which makes us doubt....
    If it is a "bad idea", please provide some insights: why? How could such a goal be achieved from the APIC API gateway?


    Solution we tried:

    - Configure the partner OAuth provider as an "APIC 3rd party provider": the communication is working, but the internal consumers have to identify themselves to the partner OAuth provider, and this is something we would like to avoid.

    Thanks in advance for the time you will spend understanding our issue and trying to help us.

    NB: I'm sorry, I am not fluent in English, so I have added a diagram to help explain our need, in case my description is not clear enough.

    ------------------------------
    Icham B.
    ------------------------------


  • 2.  RE: Getting an OAuth 2.0 Client Access Token from an external OAuth 2.0 provider to call a target-url

    Posted Wed November 02, 2022 02:05 AM
    Hi Icham,

    Here I just want to share my experience.

    I understand your requirement. At this point I discuss only the backend OAuth call and the target URL call, because you already know how to call native OAuth for the API security part.

    If the backend OAuth has credential values, we can prepare a request with the content-type header "application/x-www-form-urlencoded" using the GatewayScript url-open function to call the OAuth URL, then take that token and pass it in the Authorization header with the value "Bearer tokenvalue" to the target URL.

    If you face any difficulty preparing the request, follow this: https://community.ibm.com/community/user/integration/discussion/sending-post-request-with-content-type-applicationx-www-form-urlencoded-1

    For the refresh token: from my point of view, a refresh token calling implementation is not possible, because we would need to check the current token status every time, which is not possible at runtime.
    There is no possibility to store the token for a while at runtime.

    ------------------------------
    kandula nagababu
    ------------------------------



  • 3.  RE: Getting an OAuth 2.0 Client Access Token from an external OAuth 2.0 provider to call a target-url

    Posted Wed November 02, 2022 07:09 AM
    Many thanks Kandula,

    Just to understand: each time an API request to the "Internal Proxy API" is received by the DataPower (APIC API gateway), it will request a new token?
    It means the response time of the "external API" always carries the extra response time of the OAuth request?

    (I'm not a developer; I am preparing a specification to have a developer work on it)
    Could it be possible to store the token in a "document cache" with an expiry value of the token lifetime?
    Then, if the document cache is not empty, use the token in it;
    if empty, prepare a request with the content-type header "application/x-www-form-urlencoded" and store the token in the document cache.

    In the assembly it could then get the token from the document cache to set the Authorization header with the value "Bearer tokenvalue" to the target URL.

    By doing so we will not manage the refresh token, but we avoid getting a token at each API request.

    Thanks for your advice


    ------------------------------
    Icham Berreghioua
    ------------------------------
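The flow sketched in replies 2 and 3 (a form-encoded client_credentials POST to the partner token URL, the returned token sent as a Bearer header to the target-url, and the token cached until shortly before it expires so that not every proxied request pays for a token round-trip), as an added example that is not code from this thread, from IBM, or from DataPower. It is plain Node.js so it runs offline: the HTTP transport is an injected synchronous `postForm(url, headers, body)` function and the cache is an in-memory Map; on DataPower the transport would wrap the callback-based `urlopen` module and the cache entries would go into a document cache or the gateway cache API (both assumptions of this example). The partner token endpoint, client id/secret and scope are constructed test values.

```javascript
// Added example, not code from the thread: OAuth 2.0 client_credentials token
// fetch with a TTL cache, in plain Node.js. `postForm` is an injected transport
// (assumed; on DataPower it would wrap `urlopen`), so everything runs offline
// against the constructed fake token endpoint at the bottom.

// Form-encoded body and headers for the client_credentials grant (RFC 6749 s4.4).
// Credentials go in an HTTP Basic header, which RFC 6749 s2.3.1 requires
// providers to support; some providers instead expect client_id/client_secret
// as body parameters, in which case the two lines marked below change.
function buildTokenRequest(clientId, clientSecret, scope) {
  const params = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scope) params.set('scope', scope);
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64'); // Basic auth
  return {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basic}`,                                                 // Basic auth
      Accept: 'application/json',
    },
    body: params.toString(),
  };
}

// Validate a token response; returns the token and its lifetime (null if the
// provider did not send expires_in, in which case the caller must not cache).
function parseTokenResponse(status, bodyText) {
  if (status !== 200) throw new Error(`token endpoint returned HTTP ${status}`);
  const json = JSON.parse(bodyText);
  if (typeof json.access_token !== 'string' || json.access_token === '') {
    throw new Error('token response has no access_token');
  }
  if (String(json.token_type || '').toLowerCase() !== 'bearer') {
    throw new Error(`unsupported token_type: ${json.token_type}`);
  }
  const ttl = Number(json.expires_in);
  return { token: json.access_token, ttlSeconds: Number.isFinite(ttl) && ttl > 0 ? ttl : null };
}

// One cached token per (tokenUrl, clientId, scope), reused until `marginSeconds`
// before the provider's expires_in so a nearly expired token is never sent.
class ClientCredentialsTokenCache {
  constructor(postForm, opts = {}) {
    this.postForm = postForm;                         // (url, headers, body) -> { status, body }
    this.now = opts.now || (() => Date.now());        // injectable clock for testing
    this.marginSeconds = opts.marginSeconds !== undefined ? opts.marginSeconds : 30;
    this.entries = new Map();
  }

  getToken(tokenUrl, clientId, clientSecret, scope) {
    const key = `${tokenUrl}|${clientId}|${scope || ''}`;
    const hit = this.entries.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.token;   // cache hit, no round-trip

    const req = buildTokenRequest(clientId, clientSecret, scope);
    const res = this.postForm(tokenUrl, req.headers, req.body);
    const { token, ttlSeconds } = parseTokenResponse(res.status, res.body); // throws on error: nothing cached

    if (ttlSeconds !== null && ttlSeconds > this.marginSeconds) {
      this.entries.set(key, { token, expiresAt: this.now() + (ttlSeconds - this.marginSeconds) * 1000 });
    }
    return token;
  }
}

// Headers for the outbound call to the partner target-url.
function bearerHeaders(token, extra = {}) {
  return Object.assign({}, extra, { Authorization: `Bearer ${token}` });
}

// Constructed fake partner token endpoint: checks the Basic credentials and
// grant type, issues tok-1, tok-2, ... and counts how many tokens it issued.
function makeFakeTokenEndpoint(expiresIn = 300) {
  let issued = 0;
  const endpoint = (url, headers, body) => {
    const wantBasic = 'Basic ' + Buffer.from('gw-client:gw-secret').toString('base64');
    if (headers.Authorization !== wantBasic) return { status: 401, body: '{"error":"invalid_client"}' };
    if (!body.includes('grant_type=client_credentials')) return { status: 400, body: '{"error":"unsupported_grant_type"}' };
    issued += 1;
    return { status: 200, body: JSON.stringify({ access_token: `tok-${issued}`, token_type: 'Bearer', expires_in: expiresIn }) };
  };
  endpoint.issuedCount = () => issued;
  return endpoint;
}

// Demo: two proxied requests share one token; once the TTL (minus margin) has
// passed, the next request fetches a fresh one.
function demo() {
  let clock = 1700000000000;
  const endpoint = makeFakeTokenEndpoint(300);
  const cache = new ClientCredentialsTokenCache(endpoint, { now: () => clock, marginSeconds: 30 });
  const cfg = ['https://partner.example/oauth/token', 'gw-client', 'gw-secret', 'partner.read'];
  const t1 = cache.getToken(...cfg);
  const t2 = cache.getToken(...cfg);        // served from cache
  clock += 271 * 1000;                      // past expires_in - margin
  const t3 = cache.getToken(...cfg);        // refreshed
  return { t1, t2, t3, tokenCalls: endpoint.issuedCount(), headers: bearerHeaders(t3, { Accept: 'application/json' }) };
}
```

Two points the replies leave open: the client_credentials grant normally returns no refresh_token (RFC 6749 s4.4.3 says one should not be issued), so re-running the same POST when the cache entry has aged out is the whole refresh story; and a failed token call must never populate the cache, otherwise one partner outage keeps serving a bad token until the cache entry expires. The margin before expiry covers clock skew and the time the proxied call itself takes.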