I have configured OAuth client, scope in webMethods and associated socope with client.
I am able to successfully generate access & refresh tokens using built-in services in pub.Oauth package.
I was able to successfully test OAuth on a SOAP service (where a flow service was exposed as SOAP service in webMethods). I was able to execute SOAP Service using generated OAuth token.
However I am unable to test OAuth with a REST service (where a flow service is exposed as a REST resource in webMethods) when I use enable bearer token in PostMan to access the resource service (which is a flow service in IS actually) then I am getting following error in postman:
error_description=[ISS.0010.8046] Integration Server
rejected the request to access this resource.
The access token’s scope is insufficient to access the resource.
I have also tried
watt.server.url.alias.partialMatching=true
but this didn’t help.
May be I am not correctly adding rest service in scope that is associated with OAuth client. Can someone please guide me how can I add REST service correctly in scope?
Should I try to add folder or flow service in scope? or should I use url template option in scope instead?
Suppose the rest url that I am trying to hit via postman is following: http://localhost:5555/restv2/SomeTestService
then how can I add this url in scope? Should I specify url in template or do I need to add folder etc (in which RAD exists or flow service exists)?
and if have to add this in scope as URL Template … then how can I create URL template for this service ?
Could you please tell me, in which version you are trying to invoke RestApi with Oauth.
Also, can you share screenshot of Scope Management Page and share the package
am using webMethods 10.11.
Screenshots of scope and package is attached below.
Its not working for rest but working perfect for soap.
do I need to add something else in scope ?
or if I had to add URL template please guide how can I add url template for this rest.
please guide @Priya_Gupta
To invoke REST APIs, you have to create REST API descriptors.
Please follow the below steps:
Create Rest API descriptor using restv2 resource
Add the security definition into the security definition tab. (PFA for Adding Security Definition).
Apply the security to the operation (PFA to apply security scheme to the operation)
At step 3, once the security is applied on the operation, scope will get autogenerated in IS Admin UI (Security > OAuth > Scope Management). PFA for Scope Management.
Detailed Information about the URL template
Integration Server generates the URLs automatically while creating the REST API descriptor
based on the Swagger document, then Integration
Server adds a default URL template as _/. For example,
GET_RadNamesSpace/employee. You can also modify this template; however, when
Integration Server re-generates the RAD using the same Swagger document, then it overrides the template as the default URL template
REST Request : /rad/namespace_of_rad/URL template of resource
Thanks @Priya_Gupta, your contribution was very helpful and it solved my issue.
I have a question here. Do we always need to define a RAD for REST resource in order to enable OAuth on that REST resource?
For example, If I have exposed 3 different flow services as REST resource and I want to enable OAuth on all three of them (suppose each REST resource is for 1 specific client) then do I need to define three different RAD (one for each REST resource) to enable OAuth? Or can we do it without RAD as well? For example, can we specify “restv2” base path specific url in OAuth scope instead of RAD specific url in scope template?
This query might be lack of my knowledge about webMethods but I was curious to find out if RAD is necessary for enabling OAuth on REST resource?
Software AG recommends that you create REST API descriptors, if you want to expose existing services using REST and wanted to use security mechanism to invoke the Rest API.
I’ve also tried it with rest descriptor with adding security in both ways which are basic outh and oauth with respective scope.
The service is working fine with soap. It is generating token.
With this token i’ve tried to invoke restV2 test service with creating rest descriptor and adding security.
Error is same [306]2022-12-08 20:37:11 IST [ISS.0053.0002C] (tid=367) Access denied for user bearer on port 5555 → ‘restv2/patient/’ from 0:0:0:0:0:0:0:1.
restv2/patient service is running fine without token with basic auth.
Requesting you to provide solution to this if any.
I believe there a problem with your end point, in case of Rest-Descriptor, you dont have to add /restv2/ in endpoint url.
as per error log you provided :
Error is same [306]2022-12-08 20:37:11 IST [ISS.0053.0002C] (tid=367) Access denied for user bearer on port 5555 → ‘restv2/patient/’ from 0:0:0:0:0:0:0:1.
Try like this using Rest API descriptor as described above by priya.
REST Request : /rad/namespace_of_rad/URL template of resource
Actual Request : localhost:555/rad/test:RAD/emp/f1 (as per package structure in above Screenshot)
/rad/ is not the name of rad here … its like /restv2/your_endpoint || /rad/PackageName:RadName/
For Example If you have package named as RestPkg & and Rest Descriptor named as Rad1 inside the root folder. URL will be as following
For invoking service on external systems, its better and much easier to have swagger document(if provided for the service) imported in IS as Rest API Descriptors.
IS will generate connector services for all the APIs defined in swagger documents. These connectors services will have well defined signature for parameters, body and Authentication parameters. Invoking these connectors with appropriate inputs.
