How To: Validate Your OAuth Implementation

Is my Layer7 OAuth Toolkit (OTK) installation working?

Valid question. Now that you’ve installed OTK on your API Gateway, and have access to OTK-specific policies and assertions in Policy Manager, it’s time to see OAuth in action. The quickest way to do this is through the pre-configured OAuth test clients and OAuth Manager.
You can access the OAuth test clients if you’ve done two things: 

  • You installed the optional testdata database script that corresponds to your database type.  
  • You selected the “Internal, Server Tools” solution kit as part of your OTK solution kit installation. 

OAuth test clients let you easily verify OAuth authorization flows for the common grant types. The accompanying video shows how to run through different steps of the OAuth flow then call the API endpoint with a valid access token. Token details and notes are displayed on the way to help you understand what just happened.

In fact, the OAuth test clients are an excellent way to learn how the different OAuth grant types work.    

The video gives us our first look at OAuth Manager, a component installed with the test clients. Using OAuth Manager. You can view all known clients on a Gateway, then disable or revoke their access tokens. 

Fine control over token behaviour is available through OTK policy customization. We are shown policy assertions that set token expiration time, tag a token as single-use only, and issue JWT OAuth tokens with signed and encrypted payload options.

The OAuth Test Clients are recommended for use on non-production systems only.

Access test clients at: https://<Gateway_host>:8443/oauth/v2/client 

Access the OAuth Manager at:  https://<Gateway_host>:8443/oauth/v2/client/bcp

blog written by Simon Crum

Aric Day

Aric Day

Aric is based in Minneapolis, MN and has been managing Enterprise API programs for more than 10 years as both an operations sysadmin and an api security consultant designing api integration standards. He currently serves Layer7 North American core accounts within the central and western regions. In previous roles he has worked as an automation and api security consultant with both Accenture and Best Buy. Aric has an engineering degree from the University of Minnesota. He is active as a youth hockey coach in winter and enjoys getting outdoors during the brief MN summer months.

Share With Your Network

Share on twitter
Share on linkedin
Share on facebook
Share on email
Share on print