Hi,
I follow the Advanced API Protection cookbook.
To enable OAuth-EAS it is recommended to make the following configuration changes to the WebSEAL:
[oauth]
oauth-auth = none
[oauth-eas]
eas-enabled = true
and attach an API Protection policy.
So I did so. But I get an ISAM OAuth response 400 Bad Request when I try to perform a test request.
> POST /api/nf/balance HTTP/1.1
> Host: api-gateway.authsaz.com:444
> User-Agent: insomnia/2021.2.2
> Authorization: bearer XNXg3gRizGoK1jC9y3nx
> Content-Type: application/json
> Accept: */*
> Content-Length: 21
| {"account": "101010"}
If there is missing data, then a 400 response is generated and no further processing takes place. If all of the data is available, then the EAS constructs a Request Security Token (RST) and sends it to the authorization server, which is part of the Advanced Access Control Module.
So the request is considered to be incorrect and no further processing should take place.
But
1. In the log I see that the decision process takes place and the decision ends up with "allow":
trace.pdweb.oauth:6 /build/isam/src/i4w/pdwebrte/azn/oauth-eas/amw_oauth_eas.cpp:366: Exit azn_svc_decision_access_allowed_ext (0x0)
2. If I turn on oauth again (oauth-auth = https) then the request ends up with 200 and the expected result. So the request should be fine indeed.
Why do I get 400 Bad Request?
------------------------------
Best Regards
Ivan Yartsev
------------------------------