API using OAuth 2.0

Rohit_Tomar · July 7, 2021, 8:38pm

Hello Folks,

I want to expose a API via SAG API gateway using oauth2.0 authorization using API gateway as authorisation server, so which approach will be best to for this scenario.
Should i configure two API for consumer one for getting token and second one for resource .

Kindly suggest me

Thank you

wayne.leishman.20059 · July 7, 2021, 9:24pm

Hi @Rohit_Tomar

Did you try searching the SAG Tech Community for: API gateway oauth

If you do, you will see a few “hot to” articles. One of them may meet your needs.

Regards
Wayne

DINESH_J · July 8, 2021, 11:34am

@Rohit_Tomar , Its all about the how you want to implement and who is going to own the responsibility of validating the token.

please check the existing article

As a provider keep the things simple . Register a client and provide the below details to the client to generate the tokens. if you do not want them to generate the token by them self then create on behalf of the client and just share the Generated Access token to invoke API)

Client_ID - Get it from the application which you created in API Gateway
Client_Screts - Get it from the application which you created in API Gateway
Authorization URL - /invoke/pub.apigateway.oauth2/authorize
getAccess token URL /invoke/pub.apigateway.oauth2/getAccessToken
refreshtoken URL - /invoke/pub.oauth/refreshAccessToken

Rohit_Tomar · July 8, 2021, 2:16pm

Hello Dinesh,

when we genrate the token we invoke the service of Api gateway Integration server(/invoke/pub.apigateway.oauth2/getAccessToken) that is in green zone so how the thrid party consumer can call this service directly.

DINESH_J · July 8, 2021, 2:29pm

@Rohit_Tomar let us know what exactly your are trying to implement ?

Regards,
Dinesh

Rohit_Tomar · July 8, 2021, 2:37pm

I developed a rest webservice to expose the data of SAP system for mobile application then i configured the API at API gateway, but authrorization should be 0Auth , so i gave my API endpoint to mobile app team now how they will get token to consume my API.

DINESH_J · July 9, 2021, 8:55am

Hi Rohit,

You can do it many way in a cleaner and simple one.

Register on behalf of your client with only required resource as scope and just share the token them to invoke resource API.
if you want your client to generate token then you need to expose your token service as API. Here both client and providers as individual responsibility . As a provider you need to store all the meta data information about your client your client just simply invoke your get token wrapper service. if your oAuth is refresh token enabled then as client responsibility to recheck if the token is active by invoking introspect URL and call the service with active token.

Since your API are beside your firewall only authorized client will be able to reach your network from the DMZ. Design your solution in a simple and secure way .

Regards,
Dinesh

system · October 7, 2021, 8:55am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.