How to Use Policy to Retrieve a Portal API OAuth Token


An API Gateway can be a fast, easy way to manage entities in an API Portal.  The Portal API (PAPI) provides entry-points to perform tasks such as onboard users, manage APIs that are protected by the gateway runtime, manage and update API versions and documentation, and administer API Management items such as application definitions, organizations, API plans and account plans.

Since the gateway is so good at being rapidly configured to work with API requests and responses, you can compose policies that help manage your API Portal configuration rapidly and effectively.

I will demonstrate how to set up an API endpoint on the gateway that serves as the starting point for an API that builds and manages your portal configuration. The first thing we need to do in order to work with the Portal API is to set some configuration variables that we can use to reach our PAPI.

Using Layer7 as an example, I start by creating a new Web API in the Gateway Policy Manager. In the policy, I create several variables that hold:

- The PAPI endpoint
- The PAPI client ID
- The PAPI client secret
- The PAPI OAuth token endpoint

The next logical step to reach the PAPI is for the gateway to act as an OAuth client: it sends a request using the Client Credentials OAuth grant type to the token endpoint and retrieves an OAuth token.

I do this by assembling the OAuth token request for the client credentials grant type: I set a context variable of type Message and build the message as follows.

Content-Type:

application/x-www-form-urlencoded

Body:

grant_type=client_credentials&client_id=${clientCredential}&client_secret=${clientSecret}

(The client ID is stored in the clientCredential variable, and the secret is stored in the clientSecret variable.)

I then use a Route via HTTPS assertion to route a request to the PAPI OAuth token endpoint, and set the request body to the Message-type variable I set up earlier.

The request hits the token endpoint, and we can then extract the OAuth token from the response body using an Evaluate Regular Expression assertion. The regular expression, which matches a lowercase, hyphen-separated token such as a UUID, is:

([0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*)

I store the result of the regex in another variable, which we can then place in the Authorization header when we call the PAPI to do some portal management.
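The request-building and token-extraction steps above, as an added example that is not part of the original post or of Layer7's own policy language, in plain Python so they can be checked offline. The client ID, client secret, token strings and token responses are constructed placeholders; the JSON shape of the token response (access_token, token_type, expires_in) is the standard OAuth 2.0 one and is assumed here rather than taken from the post. The example also shows the one edge case worth knowing about the post's regex: it is case-sensitive, so a token containing uppercase characters is not matched, whereas parsing the JSON field is not affected.

```python
import json
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed placeholder values; a real policy reads these from the
# gateway's stored variables rather than hard-coding them.
CLIENT_ID = "papi-client-id-placeholder"
CLIENT_SECRET = "s3cr&t=va!ue"  # deliberately contains form-reserved characters

# The post's regular expression, unchanged: a lowercase, hyphen-separated token.
TOKEN_RE = re.compile(r"([0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*)")


def build_token_request(client_id: str, client_secret: str) -> Tuple[Dict[str, str], str]:
    """Assemble the headers and body of a client_credentials grant request.

    urlencode() percent-encodes '&', '=' and '!' inside the secret, so a
    secret containing reserved characters cannot split the form body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return headers, body


def extract_token_regex(response_body: str) -> Optional[str]:
    """Token extraction the way the post does it: the regex over the raw body."""
    match = TOKEN_RE.search(response_body)
    return match.group(1) if match else None


def extract_token_json(response_body: str) -> str:
    """Token extraction by parsing the JSON response (assumed RFC 6749 shape)."""
    data = json.loads(response_body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("access_token missing or empty")
    return token


def bearer_header(token: str) -> Dict[str, str]:
    """The header that the later PAPI calls carry."""
    return {"Authorization": "Bearer " + token}


# Constructed token responses, shaped as a token endpoint would return them.
SAMPLE_RESPONSE_LOWER = json.dumps({
    "access_token": "5e6b2c8a-91f3-4d2e-a7b0-0c1d2e3f4a5b",
    "token_type": "Bearer",
    "expires_in": 3600,
})
SAMPLE_RESPONSE_UPPER = json.dumps({
    "access_token": "5E6B2C8A-91F3-4D2E-A7B0-0C1D2E3F4A5B",
    "token_type": "Bearer",
    "expires_in": 3600,
})


if __name__ == "__main__":
    headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET)
    print(headers)
    print(body)
    # Round-trip check: the encoded secret decodes back to the original.
    print(parse_qs(body)["client_secret"] == [CLIENT_SECRET])
    print(extract_token_regex(SAMPLE_RESPONSE_LOWER))   # the full token
    print(extract_token_regex(SAMPLE_RESPONSE_UPPER))   # None: regex misses uppercase
    print(bearer_header(extract_token_json(SAMPLE_RESPONSE_UPPER)))
```

Two design points carry over to the gateway policy: the form body should be built with URL encoding of each value rather than by string concatenation, so a secret containing `&` or `=` cannot split the request; and extracting `access_token` from the parsed JSON is more robust than the regex, which silently returns nothing if the token contains uppercase characters and would match any other hyphenated lowercase string that happened to appear earlier in the body.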

The resulting policy looks like this, where I return the OAuth token in a simple JSON message response.

This simple policy is the start of using the gateway to orchestrate PAPI calls. In the end, I turned it into a policy fragment that I can include in other, more elaborate policies to get the token and then make PAPI calls to my heart's content.

In the next blog post I will continue to build upon this infrastructure policy to publish a new API to the Portal using the PAPI, with the gateway performing the orchestration.

Geoff Duck

Geoff has a long background in development and customer work. With contributions to the original Eclipse project, Geoff has been immersed in development and APIs since 2001. Part of the original Layer 7 team, Geoff has been working as a pre-sales architect since 2012 helping customers succeed with their API security and API management implementations. Hailing from Kelowna British Columbia Canada, Geoff enjoys outdoor mountain sports including downhill mountain biking, snowboarding and banked slalom racing, skateboarding and trail running.
