API Economy / API Management

Expand all | Collapse all

API Connect 2018 OAuth config error

  • 1.  API Connect 2018 OAuth config error

    Posted 10-11-2018 08:50 AM
    Hi team
    we are following the next tutorial https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/tutorial_apionprem_oauth_passgrant.html
    but when go to "Test OAuth Security" section, specifically on point "9. Obtain an OAuth token. In this case, cURL is used to obtain the token using the following command."
    we receive the errorb629286.png error message

    Did any have the same issue?
    Ideas to test if OAuth was well configured?

    ------------------------------
    Carlos Quiroga Quiroga Technical Solutions Architect
    Technical Solutions Architect
    IBM
    Bogota
    (571) 390-1318
    ------------------------------


  • 2.  RE: API Connect 2018 OAuth config error

    Posted 10-12-2018 08:29 AM
    Yes.  I'm having the same issue on 2018.3.7.   Hopefully someone has resolved and can provide the resolution.  A similar setup on V5 works.

    ------------------------------
    Bryon Kataoka
    CTO
    Petaluma CA
    707-773-1198
    ------------------------------



  • 3.  RE: API Connect 2018 OAuth config error

    Posted 10-12-2018 08:56 AM
    While not having this same issue, I offer this advice, make sure you have at least 2 DataPower API Gateway containers running (scale the xxx-dynamic-gateway-service to 2 if not 3) and make sure all APIs including the OAuth providers have been published to your runtime.

    ------------------------------
    Devin Richards

    ------------------------------



  • 4.  RE: API Connect 2018 OAuth config error

    Posted 10-12-2018 10:28 AM
    Hi - Thanks for the response  A couple of questions.

    1. How do you ensure the backing API for OAuth Native is published?  I thought APIC was handling that for us and I never see a reference to the OAuth Native backing API.
    2. Are you saying we must have multiple gateways running?  Is that mentioned somewhere in the Knowledge Center?


    ------------------------------
    Bryon Kataoka
    CTO
    Petaluma CA
    707-773-1198
    ------------------------------



  • 5.  RE: API Connect 2018 OAuth config error

    Posted 10-12-2018 01:56 PM
    The native OAuth should get pushed, but not sure in v5 we had to add our custom providers to plans to get them to work.

    As for the DataPowers I missed the fact that you are using the "old" DataPower Gateway v5 
    with that you should directly connect to the XML Manager interface and upload the config
    with the "new" DataPower API Gateway there is an auto-peering that if configured requires more than 1 DataPower before it starts, but not really applicable in your case with a VM DataPower and not the docker image.

    Since all of the runtime is on the DataPower and that APIC servers are not really involved, you could go to the CMC and delete the existing DataPower Gateway v5  service, and go onto the DataPower management UI and make sure the Application Domain was deleted and then add it back in, as once it is back in the APIs should get pushed out to it.

    Side note I have had good luck with minikube based on JoelGauci/apicv2018 when using the --vm-driver=none option for playing with APIC locally

    ------------------------------
    Devin Richards

    ------------------------------



  • 6.  RE: API Connect 2018 OAuth config error

    Posted 10-12-2018 02:08 PM
    One thing that is odd to me the Firewall requirements
    https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

    for #7 they only list port 3000 which is for the "new" DataPower API Gateway the "old" DataPower Gateway v5 uses the XML Manager on port 5550

    here is the v5 reference
    https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

    maybe check your firewall rules to open more ports?




    ------------------------------
    Devin Richards

    ------------------------------



  • 7.  RE: API Connect 2018 OAuth config error

    Posted 10-17-2018 11:59 AM
    Edited by Devin Richards 10-17-2018 12:00 PM
    I played around a bit with this on my setup in minikube and using the DataPower API Gateway so it is not exactly like you have setup but very close, and I did get an issue similar to yours.

    The problem is that when you are trying to get the token from the OAuth provider the URL you are using is not correct, by default the Developer Portal and test tool are putting in the BasePath of the API you are working on into the URL for the OAuth provider and it is not supposed to. (Needs a PMR!)

    in your example you are trying to curl
    curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/ibm-oauth-test/oauth2/token

    however looking at the tutorial the BasePath for the OAuth provider MainProviderOA is empty thus the token endpoint should be:
    curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/oauth2/token

    try that and see if it helps

    ------------------------------
    Devin Richards

    ------------------------------



  • 8.  RE: API Connect 2018 OAuth config error

    Posted 10-17-2018 06:44 PM
    Hi - we are about to open a PMR but I will give this a shot and then open the PMR.

    ------------------------------
    Bryon Kataoka
    CTO
    Petaluma CA
    707-773-1198
    ------------------------------



  • 9.  RE: API Connect 2018 OAuth config error

    Posted 10-18-2018 10:19 AM
    FYI I opened TS001498237 for the "Try it" button having the wrong OAuth endpoint


    ------------------------------
    Devin Richards

    ------------------------------



  • 10.  RE: API Connect 2018 OAuth config error

    Posted 10-23-2018 04:03 AM
    Coming back to your issue with receiving a 404 when deploying the OAuth Provider. I had the same issue. There is a small bug that prevents deploying the OAuth Provider with an API when the API has been deployed without OAuth Security Definition before. If you increase the version number of your API and re-publish, the OAuth Provider should be deployed as well.
    This bug will be resolved in the upcoming LTS release.

    ------------------------------
    Sebastian Sutter
    ------------------------------