Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

  • 1.  Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

    Posted Tue February 20, 2024 10:42 AM

    Hi Team,

    I wanted to access platform REST APIs for IBM API Connect v10.0.5.3.

    Via CLI: apic login --> found to be failing, and learned that this could be due to OIDC being the default authorization mechanism instead of the local user registry.

    Via Developer toolkit method --> the platform API token fetch was tried via the command below, where the API key was generated in API Manager and the id and secret were received from the API Manager download toolkit option; it returned a 401 unauthorized error:
    curl -v -k -X POST -d '{"api_key": "****", "client_id": "client-id", "client_secret": "client-secret", "grant_type": "api_key"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://platform-api.{{region}}.apiconnect.automation.ibm.com/api/token

    Via REST API call --> With reference to API Explorer (ibmcloud.com), the client id and secret need to be created based on the CLI after "apic login" (option1)

    Can you please help to get over this?

    I need to get access to platform APIs for some scripting purpose (API Explorer (ibmcloud.com))

    Best Regards,

    Riya



    ------------------------------
    Riya Fathima
    ------------------------------


  • 2.  RE: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

    Posted Wed February 21, 2024 01:15 AM

    If you're using OIDC then try the "-sso" option to the CLI. It will pop up a web browser and let you log in. OIDC is inherently user interactive in a browser.

    If you want something more automatable then maybe look at adding a second user registry using LUR and then authenticate using that for the CLI/API calls?

    The api key/secret just lets you access the login api, you still need to authenticate with a username/password.



    ------------------------------
    Chris Dudley
    ------------------------------



  • 3.  RE: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

    Posted Wed February 21, 2024 09:38 AM

    Hi Chris,

    Thank you for your response. I am able to log in to API Manager successfully using "-sso", although I am not able to list any APIs or details. This is throwing a no flags error. Can I have some examples to fetch a list of APIs, or products, API yamls etc.?



    ------------------------------
    Riya Fathima
    ------------------------------



  • 4.  RE: Accessing platform REST APIs for IBM API Connect v10, when system has OIDC enabled

    Posted Wed February 21, 2024 09:42 AM

    Hi,

    My feedback on each topic:

    Via CLI: apic login - as Chris said use -sso in your login command.

    Via Developer toolkit method - generate apikey via API Manager (add /apikeys to homepage URL in API Manager), download your credentials (also from API Manager and use the "toolkit" values for the client id and client secret) and this will generate a bearer_token for you to use with the Provider-API etc. with the curl command you posted (use toolkit "endpoint" from credentials).

    Via REST API call-->  I'm not sure how this works with OIDC (I don't have an OIDC to test with) but again use the same client id and client secret as above, use your username / password for API Manager, use the correct "realm" that relates to your OIDC and you can generate the bearer token with this call:

    curl -v -k -X POST -d '{"username": "USERNAME", "password": "PASSWORD", "realm": "provider/OIDC-VALUE", "client_id": "CLIENT-ID", "client_secret": "CLIENT-SECRET", "grant_type": "password"}' -H 'Content-Type: application/json' -H 'Accept: application/json' https://YOUR-ENDPOINT/api/token

    These should work for you. If they don't, please share your commands and errors.



    ------------------------------
    Nick Cawood
    API Connect Consultant
    IBM Hybrid Cloud Integration Expert Labs
    IBM UK Ltd

    https://www.linkedin.com/in/nickcawood/
    ------------------------------
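
    Added example, not part of any post in this thread and not IBM's code: a scripted form of the two /api/token requests quoted above that reads secrets from the environment instead of the command line and keeps TLS verification on (no equivalent of curl -k). The environment variable names are hypothetical, and the `access_token` response field is an assumption that is not confirmed on this page.

```python
import json
import os
import urllib.request

TOKEN_PATH = "/api/token"  # path used by the curl commands in this thread


def build_token_request(endpoint, client_id, client_secret, *, api_key=None,
                        username=None, password=None, realm=None):
    """Build the POST for either grant shown in the thread (api_key or password)."""
    if not endpoint.startswith("https://"):
        raise ValueError("endpoint must be an https:// URL")
    body = {"client_id": client_id, "client_secret": client_secret}
    if api_key is not None:
        body.update(grant_type="api_key", api_key=api_key)
    elif username and password and realm:
        body.update(grant_type="password", username=username,
                    password=password, realm=realm)
    else:
        raise ValueError("need api_key, or username + password + realm")
    return urllib.request.Request(
        endpoint.rstrip("/") + TOKEN_PATH,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )


def extract_bearer(response_body):
    """Return an Authorization header value; assumes an `access_token` field."""
    token = json.loads(response_body).get("access_token")
    if not token:
        raise ValueError("no access_token in response")
    return "Bearer " + token


def fetch_bearer(request):
    # urlopen verifies the server certificate by default; a 401 raises HTTPError
    with urllib.request.urlopen(request, timeout=30) as resp:
        return extract_bearer(resp.read())


if __name__ == "__main__":
    # Hypothetical variable names; env vars keep secrets out of argv and shell history
    req = build_token_request(
        os.environ["APIC_ENDPOINT"], os.environ["APIC_CLIENT_ID"],
        os.environ["APIC_CLIENT_SECRET"], api_key=os.environ["APIC_API_KEY"])
    print("token acquired, header length", len(fetch_bearer(req)))
```

    The script prints only the header length so the bearer token does not end up in terminal scrollback or CI logs.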