A group of people in black jackets and hats.

How To: Validate Your OAuth Implementation

Is my Layer7 OAuth Toolkit (OTK) installation working?

Valid question. Now that you’ve installed OTK on your API Gateway, and have access to OTK-specific policies and assertions in Policy Manager, it’s time to see OAuth in action. The quickest way to do this is through the pre-configured OAuth test clients and OAuth Manager.
You can access the OAuth test clients if you’ve done two things: 

  • You installed the optional testdata database script that corresponds to your database type.  
  • You selected the “Internal, Server Tools†solution kit as part of your OTK solution kit installation. 

OAuth test clients let you easily verify OAuth authorization flows for the common grant types. The accompanying video shows how to run through different steps of the OAuth flow then call the API endpoint with a valid access token. Token details and notes are displayed on the way to help you understand what just happened.

In fact, the OAuth test clients are an excellent way to learn how the different OAuth grant types work.    

The video gives us our first look at OAuth Manager, a component installed with the test clients. Using OAuth Manager. You can view all known clients on a Gateway, then disable or revoke their access tokens. 

Fine control over token behaviour is available through OTK policy customization. We are shown policy assertions that set token expiration time, tag a token as single-use only, and issue JWT OAuth tokens with signed and encrypted payload options.

The OAuth Test Clients are recommended for use on non-production systems only.

Access test clients at: https://<Gateway_host>:8443/oauth/v2/client 

Access the OAuth Manager at:  https://<Gateway_host>:8443/oauth/v2/client/bcp

blog written by Simon Crum