Implementing OAuth 2.0 with Oracle API Gateway 11.1.2.3.0 with 2 or More Nodes [ARTICLE]


    Using OAuth 2.0 to authenticate and authorize partners that call APIs through Oracle API Gateway works well in a development environment with a single-node Gateway. It does not work as-is in a UAT environment with two Gateway nodes on different machines, because each node keeps its own OAuth store. This article by Marcelo Franca describes how to move that store to a shared Oracle Database.


    Introduction

     

    I recently participated in a project with Oracle API Gateway (OAG), using OAuth 2.0 to authenticate and authorize partners to call APIs. The flow is simple: the partner sends a POST request to OAG with its client ID and client secret, and OAG returns an access token with the granted scopes. This works well in the development environment with a single-node Gateway. However, when it runs in a User Acceptance Testing (UAT) environment with two Gateway nodes on different machines and the client's request reaches node 2, OAG cannot find the OAuth client_id (the registration lives in node 1's local store) and the authorization is denied.

     

    By default, OAG installs and uses a local Cassandra database to store access tokens, authorization codes and the registered client applications used for authorization. To run two or more nodes, that information must be held in a structure shared by all nodes. This article describes how to create that shared structure in an Oracle Database.

     

    Tested Environment Requirements

     

    OAG-11.1.2.3.0

    • oagpolicystudio
    • apigateway server

     

    Firefox plugin (any HTTP client such as curl works as well)

    • HTTP Requester

    Oracle Database Express Edition 11g Release 2

     

     

    Setup Environment

     

    1 - Run the SQL scripts in the following directory against the database that will hold the shared store (use a dedicated schema user for the Gateway rather than a DBA account; this schema will contain tokens and client credentials):

     

    OAG_HOME/apigateway/system/conf/sql/Oracle

     

    • kps.sql
    • oauth-client.sql
    • oauth-server.sql

     

    2 – Configure Policy Studio to show the internal KPS collections

     

    Edit the file OAG_HOME/oagpolicystudio/policystudio.ini and add the following line at the end of the file (the OAuth collections are hidden in Policy Studio by default):

     

    -Dshow.internal.kps.collection=true

     

    3 – Create database connection

     

    Start Policy Studio and connect to Gateway 1. Go to the “Database connections” tab and create a new database connection named “OAuth KPS Database”.

    [Screenshot: tela1.jpg]

     

    URL: jdbc:oracle:thin:@myenvironment:1521:xe (replace the host and SID with those of your database). Click Test Connection; you should see “Test Connection OK”.

     

    4 – Change Data Sources OAuth

     

    4.1 - Go to Key Property Stores > OAuth. In the Data Sources tab, click Add:

    [Screenshot: tela2.jpg]

     

    4.2 - Select the Database option. Enter the name “OAuth KPS Connection” and, in the Database connection field, choose the connection created in Step 3, “OAuth KPS Database”. Click OK.

    [Screenshot: tela3.jpg]

    4.3 - Go to the Properties tab. In the “Default Data Source” field, select the data source created in Step 4.2, “OAuth KPS Connection”. Click Save.

    [Screenshot: tela4.jpg]

     

    5 – Change Data Sources API Server

     

    Repeat steps 4.1, 4.2 and 4.3 for the “API Server” key property store, as shown below:

    [Screenshot: tela5.jpg]

     

    6 – Alter OAuth Stores

     

    Go to Libraries > OAuth2 Stores > Access Token Stores > OAuth Access Token Store. Edit “Access Token Store”, select “Store in a database” and choose “OAuth KPS Database”.

    [Screenshot: tela6.jpg]

     

    7 - Repeat Step 6 for the items below:

    • Libraries > OAuth2 Stores > Authorization Code Stores > Authz Code Store
    • Libraries > OAuth2 Stores > Client Access Token Stores > OAuth Client Access Token Store

     

    8 – Test the configuration: deploy it to both nodes, open Firefox and use the HTTP Requester plugin

     

    8.1 - Server 1: get a token.

     

    POST to https://server1:port/api/oauth/token with the following form body:

     

    grant_type=client_credentials&client_id=SamplePublicApp&client_secret=3b001542-e348-443b-9ca2-2f38bd3f3e84&format=xml

    SamplePublicApp is one of the sample client applications that ship with OAG; it is fine for this test, but remove or disable the sample clients before the Gateway goes to production.

    [Screenshot: tela7.jpg]

    [Screenshot: tela8.jpg]

     

    8.2 - Server 2: check the token.

     

    POST to https://server2:port/api/oauth/tokeninfo with the token obtained in step 8.1. Before the change, node 2 rejects this token because it was issued by node 1; with the shared store it is accepted.

     

    access_token=Ux1PtRGmySxZ1nf1mUD2oJNqxbQ4E7ETTzKUfiHwxhwo49wutLRwMS

    [Screenshot: tela9.jpg]

    [Screenshot: tela10.jpg]
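    The check in steps 8.1 and 8.2, scripted so it can be rerun after every deployment. This is an added example, not code from the article or from Oracle. It assumes the endpoint paths the article shows (/api/oauth/token and /api/oauth/tokeninfo), JSON responses (the article requested format=xml), and that tokeninfo answers HTTP 200 only for a token the node recognises; the host names and secret are placeholders, and the simulated nodes are constructed for offline use.

```python
"""Cross-node OAuth 2.0 check for an Oracle API Gateway cluster.

Added example, not from the article or from Oracle. Assumptions: the token and
tokeninfo endpoints are at the paths the article shows (/api/oauth/token and
/api/oauth/tokeninfo), they answer in JSON (the article asked for format=xml),
and tokeninfo returns HTTP 200 only for a token the node recognises. Host names
and credentials below are placeholders.
"""
import json
import ssl
import urllib.parse
import urllib.request
from urllib.error import HTTPError


def http_post(url, form, verify_tls=True):
    """POST a form-encoded body and return (status, body). Real transport."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab gateways with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:  # 4xx/5xx still carry an OAuth error body
        return err.code, err.read().decode()


def get_token(post, node, client_id, client_secret):
    """Client-credentials grant (RFC 6749 section 4.4) against one node."""
    status, body = post(f"https://{node}/api/oauth/token", {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if status != 200:
        raise RuntimeError(f"{node}: token request failed, HTTP {status}: {body}")
    token = json.loads(body).get("access_token")
    if not token:
        raise RuntimeError(f"{node}: no access_token in response: {body}")
    return token


def token_recognised(post, node, access_token):
    """True if the node's tokeninfo endpoint accepts the token."""
    status, _ = post(f"https://{node}/api/oauth/tokeninfo",
                     {"access_token": access_token})
    return status == 200


def verify_shared_store(post, node1, node2, client_id, client_secret):
    """Mint a token on node1 and check that node2 recognises it.

    With per-node stores this returns False (node2 never issued the token);
    with the shared Oracle KPS store it returns True.
    """
    token = get_token(post, node1, client_id, client_secret)
    return token_recognised(post, node2, token)


def make_simulated_post(shared_store):
    """Constructed stand-in for two gateway nodes, for offline testing.

    Each node issues tokens for client 'SamplePublicApp' with secret 's3cret'.
    With shared_store=False a node only knows tokens it issued itself, which
    is the failure mode the article describes.
    """
    issued = {}  # node host -> set of tokens that node issued

    def post(url, form):
        parts = urllib.parse.urlsplit(url)
        own = issued.setdefault(parts.netloc, set())
        if parts.path == "/api/oauth/token":
            if (form.get("client_id") != "SamplePublicApp"
                    or form.get("client_secret") != "s3cret"):
                return 401, json.dumps({"error": "invalid_client"})
            token = f"tok-{parts.netloc}-{len(own)}"
            own.add(token)
            return 200, json.dumps({"access_token": token,
                                    "token_type": "Bearer", "expires_in": 3600})
        if parts.path == "/api/oauth/tokeninfo":
            known = set().union(*issued.values()) if shared_store else own
            if form.get("access_token") in known:
                return 200, json.dumps({"audience": "SamplePublicApp",
                                        "expires_in": 3600})
            return 400, json.dumps({"error": "invalid_token"})
        return 404, ""

    return post


if __name__ == "__main__":
    # Against real nodes: replace the host names and the client secret.
    ok = verify_shared_store(http_post, "server1:8080", "server2:8080",
                             "SamplePublicApp", "replace-with-real-secret")
    print("token from node 1 accepted by node 2:", ok)
```

    Run it against the real nodes after the deployment in step 8; a False result means the two nodes are still reading different stores (a node deployed with the old configuration, or a data source still pointing at the local Cassandra instance). Keep verify_tls enabled outside the lab, since the request carries the client secret.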

     

    Conclusion

     

    Now we can run Oracle API Gateway with two or more nodes sharing the same database repository: a token issued by any node is recognised by every other node. Two points to keep in mind: every node must be deployed with the same configuration (the data sources and stores changed above), and the database now holds the access tokens and registered client credentials for the whole cluster, so restrict the database account's privileges and the network access to it accordingly.

     
