doubt about "Securing APIs using 3rd party OAuth 2 provider in API Gateway"

Greetings! We refer to the article below:
https://techcommunity.softwareag.com/web/guest/pwi...0provider%20in%20API%20Gateway

Doubt:
1. Regarding remote introspection, the gateway user, client ID and client secret should be provided, but we are not sure which values should be put there. Should the gateway user be added in Okta? Are the client ID and client secret the ones that we can find in the Okta application of type Web?

2. We have published the API and the gateway endpoint is “http://.gateway.webmethodscloud.com/gateway/testokta/1.0”.
We tried to access the service through “http://.gateway.webmethodscloud.com/gateway/testokta/1.0/booking”; however, we got the error message below:
“Exception”: “API Gateway encountered an error. Error Message: Unauthorized application request. Request Details: Service - testokta, Operation - /booking, Invocation Time:5:33:04 AM, Date:May 26, 2020, Client IP - 167.220.242.61, User - Default and Application:sys:defaultApplication”
How can we resolve the error?

Thank you in advance.
Regards,
Lyle

Hi Lyle,

First of all, if you are using API Gateway 10.3 or above, please follow this article:
http://techcommunity.softwareag.com/pwiki/-/wiki/Main/Securing%20APIs%20using%20OAuth%202%20in%20API%20Gateway

  1. Remote introspection details

Gateway User: a valid API Gateway user. You could use the same username used for signing in to API Gateway.
Client ID, Client Secret: these details are from the Okta > Applications screen for your client.

  2. API Access
    Please follow all the steps in the above-mentioned article, most importantly creating an OAuth scope for your API (Step 5).

thanks,
Ramesh

Hi Lyle,

In addition to the details in my response above, we have an Okta-specific article for API Gateway 10.3 and above:
http://techcommunity.softwareag.com/pwiki/-/wiki/Main/Securing%20APIs%20using%203rd%20party%20OAuth%202%20provider%20in%20API%20Gateway

thanks,
Ramesh.

Thanks Ramesh. My doubt is: if I just use a single-page application, what should I input for the client secret in the remote introspection section? A SPA only has a client ID, not a client_secret.

Now I use Postman to get the access token and use the Okta introspection endpoint to verify that the access token is valid.
But if I put the access token in the header with key “Authectication” and value “Bearer ”, then send the GET request as described in the article you mentioned, I always get the error message below:
“Exception”: “API Gateway encountered an error. Error Message: Token specified is invalid or has expired… Request Details: Service - testokta, Operation - /booking, Invocation Time:7:20:09 AM, Date:May 28, 2020, Client IP - 167.220.233.62, User - Default and Application:sys:defaultApplication”.

Any idea about this?

Thanks & Regards,
Lyle

Hi Lyle,

Remote introspection configuration is not specific to a particular application/client. It is an auth-server-level configuration.
Typically a special-purpose, confidential client is created for this purpose, and its credentials are configured on this page.

thanks,
Ramesh.
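As an added example (not code from the article, Software AG or Okta), the following Python script sketches what a gateway does with the remote introspection settings Ramesh describes: it takes the Bearer token from the caller's `Authorization` header (RFC 6750), sends it to the authorization server's introspection endpoint authenticated as the dedicated confidential client (RFC 7662, `client_secret_basic`), and only then checks `active`, `exp` and the scope created for the API. The endpoint URL, the confidential client's ID and secret, the scope name `testokta:booking`, and the token table behind the fake introspection endpoint are all constructed for the example; a real gateway would make an HTTPS call where `fake_introspect` is used here.

```python
"""Simulated gateway side of OAuth 2 token introspection (RFC 7662) against a
third-party authorization server such as Okta. Added example, not API Gateway
or Okta code; URL, credentials, scope and token data below are constructed."""
import base64
import json
from urllib.parse import parse_qs, urlencode

# Assumed: a dedicated confidential client registered in Okta only so the gateway
# can call the introspection endpoint (the remote-introspection client ID and
# secret). It is not the SPA's public client, which has no secret.
INTROSPECTION_URL = "https://example.okta.com/oauth2/default/v1/introspect"
GATEWAY_CLIENT_ID = "0oa-gateway-introspect"
GATEWAY_CLIENT_SECRET = "gateway-secret-example"
REQUIRED_SCOPE = "testokta:booking"   # assumed name of the scope created for the API


def extract_bearer_token(headers):
    """Return the token from an RFC 6750 'Authorization: Bearer <token>' header,
    or None if it is absent or malformed. Header names are case-insensitive, so
    a header called 'Authentication' is simply a different header: no token."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
            return None
    return None


def build_introspection_request(token):
    """The request the gateway sends: client_secret_basic authentication with the
    confidential client's credentials, form-encoded body carrying the token."""
    basic = base64.b64encode(
        f"{GATEWAY_CLIENT_ID}:{GATEWAY_CLIENT_SECRET}".encode()).decode()
    return {
        "method": "POST",
        "url": INTROSPECTION_URL,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded",
                    "Accept": "application/json"},
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def evaluate_introspection_response(body, required_scope, now):
    """Policy decision from the introspection JSON: (allowed, reason).
    RFC 7662 only guarantees 'active'; a missing exp or scope is a denial."""
    info = json.loads(body)
    if info.get("active") is not True:
        return False, "token is inactive or unknown"
    exp = info.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if required_scope not in set(info.get("scope", "").split()):
        return False, f"missing scope {required_scope}"
    return True, "ok"


def authorize_request(headers, introspect, required_scope, now):
    """Full flow: take the Bearer token from the request, ask the authorization
    server about it (introspect stands in for the HTTPS call) and apply policy.
    The gateway never trusts claims inside the token itself."""
    token = extract_bearer_token(headers)
    if token is None:
        return False, "no Bearer token in Authorization header"
    return evaluate_introspection_response(
        introspect(build_introspection_request(token)), required_scope, now)


# Constructed stand-in for the Okta endpoint. It checks the gateway's client
# credentials first and answers {"active": false} for anything it cannot vouch
# for, as RFC 7662 requires, so unknown and revoked tokens look the same.
FAKE_TOKEN_DB = {
    "good-token":    {"active": True, "scope": "openid testokta:booking", "exp": 2_000_000_000},
    "expired-token": {"active": True, "scope": "openid testokta:booking", "exp": 1_000_000_000},
    "narrow-token":  {"active": True, "scope": "openid", "exp": 2_000_000_000},
}
NOW = 1_500_000_000   # constructed "current time", between the two exp values above


def fake_introspect(request):
    expected = "Basic " + base64.b64encode(
        f"{GATEWAY_CLIENT_ID}:{GATEWAY_CLIENT_SECRET}".encode()).decode()
    if request["headers"].get("Authorization") != expected:
        return json.dumps({"active": False})   # caller may not introspect
    token = parse_qs(request["body"]).get("token", [""])[0]
    return json.dumps(FAKE_TOKEN_DB.get(token, {"active": False}))


if __name__ == "__main__":
    for hdrs in ({"Authorization": "Bearer good-token"},
                 {"Authorization": "Bearer expired-token"},
                 {"Authorization": "Bearer narrow-token"},
                 {"Authorization": "Bearer made-up-token"},
                 {"Authentication": "Bearer good-token"}):   # wrong header name
        print(hdrs, "->", authorize_request(hdrs, fake_introspect, REQUIRED_SCOPE, NOW))
```

The point of the split into three functions is that the secret used on the remote introspection page belongs to the gateway, not to whichever client obtained the token: the SPA's public client ID never appears in the introspection call, and the gateway's decision rests entirely on what the authorization server reports back.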