
How to Use Policy to Retrieve a Portal API OAuth Token

An API Gateway can be a fast, easy way to manage entities in an API Portal. The Portal API (PAPI) provides entry points for tasks such as onboarding users, managing the APIs that the gateway runtime protects, updating API versions and documentation, and administering API Management items such as application definitions, organizations, API plans and account plans.

Because the gateway can be configured quickly to manipulate API requests and responses, you can compose policies that manage your API Portal configuration just as quickly and effectively.

I will demonstrate how to set up an API endpoint on the gateway that serves as the starting point for an API that builds and manages your portal configuration. The first thing we need in order to work with the Portal API is a set of configuration variables that we can use to call our PAPI.

Using Layer7 as an example, I start by creating a new Web API in the Gateway Policy Manager. In the policy, I create several variables that hold:
- The PAPI endpoint
- The PAPI client ID
- The PAPI client secret
- The PAPI OAuth token endpoint

The next logical step is for the gateway to act as an OAuth client: it sends a request to the token endpoint using the OAuth 2.0 client credentials grant and retrieves an access token.

I do this by assembling the client credentials token request in a context variable of type Message, with the following header and body:

Content-Type: application/x-www-form-urlencoded

Body:

grant_type=client_credentials&client_id=${clientCredential}&client_secret=${clientSecret}

(Here the client ID is stored in the clientCredential variable and the secret in the clientSecret variable. Sending the credentials in the form body is the client_secret_post style; RFC 6749 also allows, and requires token endpoints to support, an HTTP Basic Authorization header built from the same ID and secret. Either way the client secret is a credential: keep it in the gateway's stored-password facility rather than as a plaintext context variable in the policy. Note also that the raw ${clientSecret} substitution does not URL-encode the value, so a secret containing characters such as & or % would corrupt the form body.)

I then use a Route via HTTPS assertion to send the request to the PAPI OAuth token endpoint, with the request body set to the Message variable I built above. Because the client secret travels in this request, the route must validate the token endpoint's TLS certificate rather than trusting any server.

The request hits the token endpoint, and we can then extract the OAuth token from the response body with an Evaluate Regular Expression assertion, using the regular expression:

([0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*)

This matches a UUID-shaped token: five hyphen-separated runs of lowercase letters and digits. It is a convenience that depends on the token format. A token containing uppercase characters, or a response that carries another hyphenated value ahead of the access token, produces a truncated or wrong match with no error at all. A more robust policy parses the JSON token response and reads the access_token field directly; per RFC 6749 the token endpoint returns a JSON document containing access_token and token_type, and usually expires_in.

I store the regex result in another variable, which we can then send as a bearer token (an Authorization header whose value is Bearer followed by the token) when we call the PAPI to do some portal management.
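The whole sequence above (build the client credentials request, post it to the token endpoint over HTTPS, extract the token, and place it in a bearer Authorization header) as an added example in Python. This is not Layer7 code or the policy from the post; it reproduces the same steps as a plain HTTP client so they can be run and checked offline. The token URL, client ID and secret, and both token responses are constructed placeholders, and the transport is pluggable so the example runs against a stub instead of a live portal. It also goes a little beyond the page: it shows the page's regular expression silently truncating a token that is not all lowercase, compares that with parsing the JSON access_token field, percent-encodes the secret, offers the HTTP Basic form of client authentication, and caches the token until shortly before expires_in runs out.

```python
"""Client-credentials token retrieval for a Portal API, mirroring the policy steps above.

Added example, not Layer7 code. The token URL, client id/secret and the
response bodies below are constructed placeholders.
"""
import base64
import json
import re
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional

# The regular expression the page's policy uses to pull the token out of the
# response body: a hyphen-separated run of lowercase alphanumerics (UUID-shaped).
PAGE_TOKEN_REGEX = re.compile(r"([0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*-[0-9a-z]*)")

# A transport takes (url, headers, body) and returns the response body bytes,
# so the client can be exercised offline with a stub instead of a live endpoint.
Transport = Callable[[str, dict, bytes], bytes]


def https_transport(url: str, headers: dict, body: bytes) -> bytes:
    """Real transport: HTTPS POST; urlopen validates the server certificate by default."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def build_token_request(client_id: str, client_secret: str, basic_auth: bool = True):
    """Return (headers, body) for an RFC 6749 client_credentials grant.

    basic_auth=True authenticates with an HTTP Basic header (client_secret_basic),
    which every RFC 6749 token endpoint must support. basic_auth=False puts the
    credentials in the form body (client_secret_post), as the policy on the page
    does. Either way urlencode() percent-escapes '&', '=', '+' and '%' in the
    secret, which a raw ${clientSecret} substitution would not.
    """
    fields = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if basic_auth:
        cred = (urllib.parse.quote(client_id, safe="") + ":"
                + urllib.parse.quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    return headers, urllib.parse.urlencode(fields).encode()


def parse_token_response(body: bytes) -> dict:
    """Extract access_token and expires_in from a JSON token response, validating it."""
    doc = json.loads(body)
    if "error" in doc:                      # RFC 6749 section 5.2 error document
        raise ValueError(f"token endpoint error: {doc['error']}")
    token = doc.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response has no access_token")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc.get('token_type')!r}")
    return {"access_token": token, "expires_in": int(doc.get("expires_in", 0))}


def regex_extract(body: bytes) -> Optional[str]:
    """The page's approach: first UUID-shaped match anywhere in the body."""
    m = PAGE_TOKEN_REGEX.search(body.decode())
    return m.group(1) if m else None


@dataclass
class PapiTokenClient:
    """Fetches a bearer token and caches it until shortly before it expires."""
    token_url: str
    client_id: str
    client_secret: str
    transport: Transport = https_transport
    skew: int = 30                       # refresh this many seconds early
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def __post_init__(self):
        if urllib.parse.urlsplit(self.token_url).scheme != "https":
            raise ValueError("token endpoint must be https: the client secret is in this request")

    def access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self.skew:
            headers, body = build_token_request(self.client_id, self.client_secret)
            tok = parse_token_response(self.transport(self.token_url, headers, body))
            self._token = tok["access_token"]
            # expires_in of 0 (absent) means the token cannot be cached safely.
            self._expires_at = now + tok["expires_in"]
        return self._token

    def auth_header(self, now: Optional[float] = None) -> dict:
        """The header to send on each PAPI call."""
        return {"Authorization": "Bearer " + self.access_token(now)}


# Constructed token responses (not captured from a real portal).
UUID_RESPONSE = b'{"access_token":"4c5b9a1e-2f3d-4e6a-8b7c-0d1e2f3a4b5c","token_type":"bearer","expires_in":3600}'
MIXED_CASE_RESPONSE = b'{"access_token":"7F3a1c2e-9b4d-4f1e-8a6b-2c3d4e5f6a7b","token_type":"Bearer","expires_in":3600}'


def demo() -> dict:
    """Offline run against a stub transport that answers with UUID_RESPONSE."""
    client = PapiTokenClient("https://portal.example.com/oauth/token",   # assumed URL
                             "portal-client", "s3cret",
                             transport=lambda url, hdrs, body: UUID_RESPONSE)
    return client.auth_header()


if __name__ == "__main__":
    print(demo())
    print("regex on mixed-case token:", regex_extract(MIXED_CASE_RESPONSE))
```

Running the script prints the bearer header for the UUID-shaped token and then the regex result for the mixed-case token, which comes back as the fragment after the uppercase character rather than the full value. That is the failure mode worth remembering: a downstream PAPI call would simply get a 401 with nothing in the policy pointing at the extraction step.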

The resulting policy (shown in the screenshot accompanying the original post) returns the OAuth token in a simple JSON message response.

This simple policy is the start of using the gateway to orchestrate PAPI calls. In the end I turned it into a policy fragment that I can include in other, more elaborate policies to get the token and then make PAPI calls to my heart's content. One refinement for a fragment that is called often: if the token response carries an expires_in value, cache the token and fetch a new one only when it is about to expire, rather than calling the token endpoint on every PAPI request.

In the next blog post I will continue to build on this infrastructure policy to publish a new API to the Portal using the PAPI, with the gateway performing the orchestration.

Geoff Duck

Geoff Duck is Sr. Principal Solutions Architect for Broadcom, who helps customers leverage their API Management tooling for security, integration, and building a strong and productive developer community.
