I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------

I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------

Hi Elshaday,
In addition to what Uvaise indicated, you can also use a protocol based caching where the request and response headers will dictate if the value is cached and what the expiration TTL would be.  See https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=invoke-configuring-policy-datapower-api-gateway for a description of the invoke policy properties, and in particular, if using the protocol based caching, see the RFC specification at https://datatracker.ietf.org/doc/html/rfc7234.  Note that no caching will be attempted if your invoke request has an Authorization HTTP Request header.

Having said all of that, re-reading your question, I'd assume that your request to the OAuth endpoint requires an Authorization header, so the response from that endpoint will not be cached by the invoke policy.  The only workaround I can think of would be to use a separate API to do your OAuth endpoint request as a "side" call from your actual API, particularly since you are on SaaS using a basic plan and don't have access to GatewayScript or XSLT policies where another mechanism could be considered.  For example,

Some API -> Set Variable message.headers.myAuthorization to whatever you would want to provide to the OAuth endpoint and exclude the Authorization header if present -> Invoke to OAuth API  that specifies caching

OAuth API -> Set Variable message.headers.Authorization to the value in message.headers.myAuthorization -> Invoke to OAuth endpoint excluding the myAuthorization header and no caching

So your "Some API" will have your OAuth API response cached, and hopefully will not call the OAuth API except when the cache has expired.  Do you have the same Authorization header for all of your requests?  If not, then you should also specify a cache key in your invoke policy properties to provide additional information that uniquely identifies this OAuth request from another, ie a user/client id, so you'd now have multiple responses cached, one for each user/client id.

Best Regards,
Steve Linn

I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------

Thank you both for your responses.

The OAuth endpoint I am calling does not require an Authorization header; it only needs the client ID and secret in the body as x-www-form-urlencoded. However, the backend endpoint does require an Authorization header.

I've implemented the API as suggested, but the OAuth token response is not being cached. When I hit my API 20 times in under 15 minutes, I receive an "unauthorized" error due to a rate limit on how many times I can request an access token from the OAuth endpoint.

I'm not sure where to check the cached values in API Connect SaaS. I am still new to API Connect.

I've included my assembly code below. Perhaps you could help identify anything I might have missed.

Assembly Overview:

• Set Variable: Configures the headers and body for the OAuth request.
• Invoke (Token Request): Calls the OAuth endpoint to get the access token, with caching set (cache-key: cachedToken, cache-ttl: 86300).
• Map: Converts the response from the OAuth request from string to object.
• Set Variable: Extracts the access token from the response.
• Set Variable: Sets headers for the backend call, including the Authorization token.
• Invoke (Backend Request): Calls the backend endpoint.

Could you please advise why the OAuth token isn't being cached? 

Hi Elshaday,
In addition to what Uvaise indicated, you can also use a protocol based caching where the request and response headers will dictate if the value is cached and what the expiration TTL would be.  See https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=invoke-configuring-policy-datapower-api-gateway for a description of the invoke policy properties, and in particular, if using the protocol based caching, see the RFC specification at https://datatracker.ietf.org/doc/html/rfc7234.  Note that no caching will be attempted if your invoke request has an Authorization HTTP Request header.

Having said all of that, re-reading your question, I'd assume that your request to the OAuth endpoint requires an Authorization header, so the response from that endpoint will not be cached by the invoke policy.  The only workaround I can think of would be to use a separate API to do your OAuth endpoint request as a "side" call from your actual API, particularly since you are on SaaS using a basic plan and don't have access to GatewayScript or XSLT policies where another mechanism could be considered.  For example,

Some API -> Set Variable message.headers.myAuthorization to whatever you would want to provide to the OAuth endpoint and exclude the Authorization header if present -> Invoke to OAuth API  that specifies caching

OAuth API -> Set Variable message.headers.Authorization to the value in message.headers.myAuthorization -> Invoke to OAuth endpoint excluding the myAuthorization header and no caching

So your "Some API" will have your OAuth API response cached, and hopefully will not call the OAuth API except when the cache has expired.  Do you have the same Authorization header for all of your requests?  If not, then you should also specify a cache key in your invoke policy properties to provide additional information that uniquely identifies this OAuth request from another, ie a user/client id, so you'd now have multiple responses cached, one for each user/client id.

Best Regards,
Steve Linn

I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------

Thank you both for your responses.

The OAuth endpoint I am calling does not require an Authorization header; it only needs the client ID and secret in the body as x-www-form-urlencoded. However, the backend endpoint does require an Authorization header.

I've implemented the API as suggested, but the OAuth token response is not being cached. When I hit my API 20 times in under 15 minutes, I receive an "unauthorized" error due to a rate limit on how many times I can request an access token from the OAuth endpoint.

I'm not sure where to check the cached values in API Connect SaaS. I am still new to API Connect.

I've included my assembly code below. Perhaps you could help identify anything I might have missed.

Assembly Overview:

• Set Variable: Configures the headers and body for the OAuth request.
• Invoke (Token Request): Calls the OAuth endpoint to get the access token, with caching set (cache-key: cachedToken, cache-ttl: 86300).
• Map: Converts the response from the OAuth request from string to object.
• Set Variable: Extracts the access token from the response.
• Set Variable: Sets headers for the backend call, including the Authorization token.
• Invoke (Backend Request): Calls the backend endpoint.

Could you please advise why the OAuth token isn't being cached? 

Hi Elshaday,
In addition to what Uvaise indicated, you can also use a protocol based caching where the request and response headers will dictate if the value is cached and what the expiration TTL would be.  See https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=invoke-configuring-policy-datapower-api-gateway for a description of the invoke policy properties, and in particular, if using the protocol based caching, see the RFC specification at https://datatracker.ietf.org/doc/html/rfc7234.  Note that no caching will be attempted if your invoke request has an Authorization HTTP Request header.

Having said all of that, re-reading your question, I'd assume that your request to the OAuth endpoint requires an Authorization header, so the response from that endpoint will not be cached by the invoke policy.  The only workaround I can think of would be to use a separate API to do your OAuth endpoint request as a "side" call from your actual API, particularly since you are on SaaS using a basic plan and don't have access to GatewayScript or XSLT policies where another mechanism could be considered.  For example,

Some API -> Set Variable message.headers.myAuthorization to whatever you would want to provide to the OAuth endpoint and exclude the Authorization header if present -> Invoke to OAuth API  that specifies caching

OAuth API -> Set Variable message.headers.Authorization to the value in message.headers.myAuthorization -> Invoke to OAuth endpoint excluding the myAuthorization header and no caching

So your "Some API" will have your OAuth API response cached, and hopefully will not call the OAuth API except when the cache has expired.  Do you have the same Authorization header for all of your requests?  If not, then you should also specify a cache key in your invoke policy properties to provide additional information that uniquely identifies this OAuth request from another, ie a user/client id, so you'd now have multiple responses cached, one for each user/client id.

Best Regards,
Steve Linn

I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------

Hi @Elshaday Teshome

Where did you set  cache-key: cachedToken, cache-ttl: 86300?

Could you please guide me to config it? I am very appreciate that!

Thank you both for your responses.

The OAuth endpoint I am calling does not require an Authorization header; it only needs the client ID and secret in the body as x-www-form-urlencoded. However, the backend endpoint does require an Authorization header.

I've implemented the API as suggested, but the OAuth token response is not being cached. When I hit my API 20 times in under 15 minutes, I receive an "unauthorized" error due to a rate limit on how many times I can request an access token from the OAuth endpoint.

I'm not sure where to check the cached values in API Connect SaaS. I am still new to API Connect.

I've included my assembly code below. Perhaps you could help identify anything I might have missed.

Assembly Overview:

• Set Variable: Configures the headers and body for the OAuth request.
• Invoke (Token Request): Calls the OAuth endpoint to get the access token, with caching set (cache-key: cachedToken, cache-ttl: 86300).
• Map: Converts the response from the OAuth request from string to object.
• Set Variable: Extracts the access token from the response.
• Set Variable: Sets headers for the backend call, including the Authorization token.
• Invoke (Backend Request): Calls the backend endpoint.

Could you please advise why the OAuth token isn't being cached? 

Hi Elshaday,
In addition to what Uvaise indicated, you can also use a protocol based caching where the request and response headers will dictate if the value is cached and what the expiration TTL would be.  See https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=invoke-configuring-policy-datapower-api-gateway for a description of the invoke policy properties, and in particular, if using the protocol based caching, see the RFC specification at https://datatracker.ietf.org/doc/html/rfc7234.  Note that no caching will be attempted if your invoke request has an Authorization HTTP Request header.

Having said all of that, re-reading your question, I'd assume that your request to the OAuth endpoint requires an Authorization header, so the response from that endpoint will not be cached by the invoke policy.  The only workaround I can think of would be to use a separate API to do your OAuth endpoint request as a "side" call from your actual API, particularly since you are on SaaS using a basic plan and don't have access to GatewayScript or XSLT policies where another mechanism could be considered.  For example,

Some API -> Set Variable message.headers.myAuthorization to whatever you would want to provide to the OAuth endpoint and exclude the Authorization header if present -> Invoke to OAuth API  that specifies caching

OAuth API -> Set Variable message.headers.Authorization to the value in message.headers.myAuthorization -> Invoke to OAuth endpoint excluding the myAuthorization header and no caching

So your "Some API" will have your OAuth API response cached, and hopefully will not call the OAuth API except when the cache has expired.  Do you have the same Authorization header for all of your requests?  If not, then you should also specify a cache key in your invoke policy properties to provide additional information that uniquely identifies this OAuth request from another, ie a user/client id, so you'd now have multiple responses cached, one for each user/client id.

Best Regards,
Steve Linn

I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------

Hi Nguyen Thao.

Can I show you my approach?

Here is source of invoke:

- invoke:  version: 2.3.0  title: invoke for cached token  backend-type: json  header-control:    type: blocklist    values: []  parameter-control:    type: allowlist    values: []  http-version: HTTP/1.1  timeout: 60  verb: POST  chunked-uploads: true  persistent-connection: true  cache-response: time-to-live  cache-putpost-response: true  cache-ttl: 86300  stop-on-error: []  websocket-upgrade: false  target-url: $(targetUrl)  cache-key: cachedKey  decode-request-params: false  output: cachedResponse

The chachedResponse variable contains response of invoke, and you can reach and use it by context.get('cachedResponse') ;

Best Regards,

Sergey

Hi @Elshaday Teshome

Where did you set  cache-key: cachedToken, cache-ttl: 86300?

Could you please guide me to config it? I am very appreciate that!

Thank you both for your responses.

The OAuth endpoint I am calling does not require an Authorization header; it only needs the client ID and secret in the body as x-www-form-urlencoded. However, the backend endpoint does require an Authorization header.

I've implemented the API as suggested, but the OAuth token response is not being cached. When I hit my API 20 times in under 15 minutes, I receive an "unauthorized" error due to a rate limit on how many times I can request an access token from the OAuth endpoint.

I'm not sure where to check the cached values in API Connect SaaS. I am still new to API Connect.

I've included my assembly code below. Perhaps you could help identify anything I might have missed.

Assembly Overview:

• Set Variable: Configures the headers and body for the OAuth request.
• Invoke (Token Request): Calls the OAuth endpoint to get the access token, with caching set (cache-key: cachedToken, cache-ttl: 86300).
• Map: Converts the response from the OAuth request from string to object.
• Set Variable: Extracts the access token from the response.
• Set Variable: Sets headers for the backend call, including the Authorization token.
• Invoke (Backend Request): Calls the backend endpoint.

Could you please advise why the OAuth token isn't being cached? 

Hi Elshaday,
In addition to what Uvaise indicated, you can also use a protocol based caching where the request and response headers will dictate if the value is cached and what the expiration TTL would be.  See https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=invoke-configuring-policy-datapower-api-gateway for a description of the invoke policy properties, and in particular, if using the protocol based caching, see the RFC specification at https://datatracker.ietf.org/doc/html/rfc7234.  Note that no caching will be attempted if your invoke request has an Authorization HTTP Request header.

Having said all of that, re-reading your question, I'd assume that your request to the OAuth endpoint requires an Authorization header, so the response from that endpoint will not be cached by the invoke policy.  The only workaround I can think of would be to use a separate API to do your OAuth endpoint request as a "side" call from your actual API, particularly since you are on SaaS using a basic plan and don't have access to GatewayScript or XSLT policies where another mechanism could be considered.  For example,

Some API -> Set Variable message.headers.myAuthorization to whatever you would want to provide to the OAuth endpoint and exclude the Authorization header if present -> Invoke to OAuth API  that specifies caching

OAuth API -> Set Variable message.headers.Authorization to the value in message.headers.myAuthorization -> Invoke to OAuth endpoint excluding the myAuthorization header and no caching

So your "Some API" will have your OAuth API response cached, and hopefully will not call the OAuth API except when the cache has expired.  Do you have the same Authorization header for all of your requests?  If not, then you should also specify a cache key in your invoke policy properties to provide additional information that uniquely identifies this OAuth request from another, ie a user/client id, so you'd now have multiple responses cached, one for each user/client id.

Best Regards,
Steve Linn

I need to cache an access token from oauth endpoint and use the access token to make a call to a backend endpoint. How do I pass the cached access token to the next invoke policy? I am using API Connect saas and the basic plan.

------------------------------
Elshaday Teshome
------------------------------